politics first | Special Section: Cyber Crime
ADVERTORIAL
Cyber crime: the new and potent criminal battleground

Christian Matheson, a member of the Culture, Media and Sport Select Committee and Labour MP for City of Chester

Interpol and the Nigerian police were delighted this July when they arrested “Mike” – his full details were not published – who is suspected of being the mastermind of a $60 million operation running online scams and frauds across the world from his base in the southern Nigerian city of Port Harcourt.

“Mike” and his gang had reportedly been hacking into and hijacking the email systems of small businesses and using these fake fronts to defraud individuals and other businesses out of money; in one case as much as $15 million.

Sadly, even with Mike potentially out of the picture, cyber crime is still big business, in the UK and elsewhere. Whereas traditional crime rates have been falling across Western Europe for two decades, cybercrime has expanded exponentially.

The Office for National Statistics believes there were almost six million computer misuse and fraud offences in England and Wales in the year to the end of March 2016, of which 3.8 million were fraud offences – suggesting cyber-fraud is the most common type of crime.

The Culture, Media and Sport Select Committee, of which I am a member, looked into the issue following the TalkTalk hack. TalkTalk, one of our country’s leading telecoms and internet providers, was the victim of a hack in October 2015, in which around 160,000 customers’ personal and banking details were stolen, potentially to be passed on to allow criminals to access bank accounts or to pose as the victims and use their data elsewhere online. TalkTalk had insufficient protection for its computer and data systems, and these were too easily defeated by the hackers.

There is also a further tricky conflict to resolve: TalkTalk was itself the victim of a crime. But it is also responsible for the safe keeping of a huge amount of personal data for its customers. Where does the balance lie between treating individuals or organisations as victims, and making them share some of the blame when an attack is successful? Metropolitan Police Commissioner Sir Bernard Hogan-Howe started such a debate this March when he suggested that customers should not be refunded by banks if they fail to protect themselves from cybercrime. Perhaps that should go for companies, too, who do not keep their security up to date?

Certainly in the case of TalkTalk, we proposed a duty to undertake an annual audit of cyber security with a named individual – a board director – taking the responsibility to sign that audit off in the annual report and accounts.
It was also clear to our committee that TalkTalk was not alone in suffering cyber attacks. Other telecoms providers regularly have to fend off unwanted approaches. In another inquiry, into broadband provision in the UK, my committee was concerned at how uneasily the industry sat together. Yet whereas vigorous commercial competition must remain at the heart of the industry, surely in terms of security, collaboration between providers must be promoted? I would expect telecoms providers – and banks, and utilities and other businesses holding large amounts of personal financial data – to share best practice with each other on how to defend against cyber attacks. In terms of security, the competition is not the other providers, but the criminals.

There is one other complicating factor for government to consider. I sat on the bill committee for the Investigatory Powers Bill, which brings in the new requirement for internet and telecoms service providers to retain all users’ data and web browsing habits for a year.

The stipulation is to help in urgent investigations into serious crimes, such as the disappearance of a child. But it does rather offer a plump target to hackers and thieves and puts yet further obligations on the internet companies to ensure that the data is held securely. And whereas big firms like BT or Virgin may have the capacity and capability to secure the huge amounts of data the new law will require, will smaller firms – or, indeed, new entrants to the market – be able to cope competitively?

Indeed, the threat may not even come from external hackers. We know that newspapers have not been averse in the past to hacking into mobile phone voicemails or email accounts. How easy would it be, presented with the possibility of accessing a year’s worth of a celebrity’s internet browsing history, to pass a couple of grand in a brown envelope to a low-grade technician at an internet provider, and have them access that internet data and download it on to a USB memory stick for a month’s worth of stories for the paper?

As more and more of our lives are lived online, so more and more of us will become vulnerable to online criminals. And as the ONS sadly pointed out, online crime is replacing traditional criminal activity and is growing apace. Cyber space is the new criminal battleground.
LEARNING ABOUT CYBER SECURITY FROM CHEESE…

So, another Politics First issue and here we go with another abstract article about, yes, you’ve guessed it, cheese. Why? Because I love cheese. Any cheese. In any form. From any country. It can be toasted, on crackers, with salad, with chutney or just on its own. But this article isn’t about all cheeses; we’re going to look at one in particular – Swiss cheese.

Why? Well, you’ve obviously spotted from the title that, at some point, we’re going to make the link between cheese and cyber security, so Swiss cheese gives us a good starting point.

When we think of Swiss cheese, we’ve been brought up to know that Swiss cheese has holes in it. Pockets of air created from carbon dioxide released by little bacteria make the holes as the cheese ripens. Clearly, there’s more to it than that, but you get the gist of it.

Anyway, we all know that these holes are placed randomly throughout the cheese and none of them line up. That means that nothing can pass directly through these holes.

This is where we can make the link to cyber security. Good cyber security in an organisation is like a good Swiss cheese. Yes, there are some holes, but there are layers of policy, procedure and technology that stop these holes lining up.

However, when something goes wrong, something manages to slip through: that’s just like all the holes in our cheese lining up.

Let’s put it into context. Think of Organisation A. Normally, they’re a good Swiss cheese and all their holes are recognised, but they don’t line up through their defensive layers. Except we’re going to look at a curious set of circumstances.

Imagine for one moment that it’s the school holidays and several of the accounts staff are on holiday. Then imagine that, for whatever reason, the skeleton cover staff falls ill and can’t come into work. These are normal circumstances that could hit any business.

So, in order to cover the absences, email is delegated out to someone who’s merely “steadying the ship” until normal service can be resumed.

Enter the bad guy.

As everyone likes to do these days, we’ll tell our email client to automatically respond to whoever emails us and tell them that we’re on holiday and, in our absence, who to contact. As the bad guy does his reconnaissance, he discovers that many are on holiday and we’ve also got one who is off sick. The bad guy knows that he’s got someone covering several jobs.

So, he takes a punt. Pretending to be the CEO, he starts up a dialogue with the “ship steadier” and builds some rapport. Said “ship steadier” is extremely busy but will always make time for the big boss – so the conversation blossoms and information is exchanged, resulting in an instruction to pay £25,000 into a bank account. As it’s the CEO who has asked and the “ship steadier” is unfamiliar but keen to impress, the instruction is carried out and a pat on the back from the CEO results in a job well done.

All the holes in the cheese have been lined up by clever manipulation and a healthy bit of luck. When the mistake is discovered, it’s too late. Funds have been extracted from bank accounts and Organisation A now becomes just another victim.

This might sound far-fetched, but it happens on a regular basis. Some organisations see this as just “the norm”. Some organisations can’t recover from the loss. We’ve got to become more savvy and the lead needs to come from the top. It’s time to fight back.
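The layered-defence idea behind the Swiss cheese picture can be made concrete. The following is an added example, not part of the article or SJG Digital's material: it models a payment request as something that must pass several independent controls ("slices"), so that a hole in one slice (a stand-in who cannot recognise the CEO's real address, a busy team with nobody to ask) is covered by the others. The mail domain, the CEO's name, the payee list, the £10,000 call-back threshold and the scenario data are all constructed assumptions for the example.

```python
"""Swiss-cheese layering for a payment request (added example, constructed data).

Each control below is one slice of the cheese. Any single slice can have a hole,
but the request is only paid if every slice holds. The scenario at the bottom
reproduces the article's CEO-impersonation case against a delegated mailbox.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr

TRUSTED_DOMAIN = "orga.example"            # assumed internal mail domain of Organisation A
EXEC_DISPLAY_NAMES = {"Jane Doe"}          # assumed: the CEO's name as mail clients display it
KNOWN_PAYEES = {"GB00BANK00000000000001"}  # assumed: accounts already on the vetted supplier list
CALLBACK_THRESHOLD_GBP = 10_000            # assumed policy: above this, confirm by phone on a number on file


@dataclass
class PaymentRequest:
    from_header: str             # raw From: header of the instructing email
    amount_gbp: float
    payee_account: str
    requester_is_delegate: bool  # the mailbox is being covered by stand-in staff
    callback_verified: bool      # someone rang the CEO on a known number and confirmed
    approvals: frozenset = field(default_factory=frozenset)  # people who signed off


def layer_sender_domain(req):
    """Slice 1: an executive's display name on an external address is a spoofing tell."""
    name, addr = parseaddr(req.from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if name in EXEC_DISPLAY_NAMES and domain != TRUSTED_DOMAIN:
        return f"display name '{name}' used from external domain {domain}"
    return None


def layer_new_payee(req):
    """Slice 2: a first payment to an account that is not on the vetted list."""
    if req.payee_account not in KNOWN_PAYEES:
        return "payee account is not on the vetted supplier list"
    return None


def layer_callback(req):
    """Slice 3: large amounts need voice confirmation via a number on file, never one from the email."""
    if req.amount_gbp >= CALLBACK_THRESHOLD_GBP and not req.callback_verified:
        return f"amount >= {CALLBACK_THRESHOLD_GBP} GBP without call-back verification"
    return None


def layer_four_eyes(req):
    """Slice 4: a stand-in covering someone else's mailbox cannot release funds alone."""
    if req.requester_is_delegate and len(req.approvals) < 2:
        return "delegated requester needs a second approver"
    return None


LAYERS = (layer_sender_domain, layer_new_payee, layer_callback, layer_four_eyes)


def evaluate(req):
    """Return (approved, findings): approved only when no slice reports a hole."""
    findings = [f for layer in LAYERS if (f := layer(req))]
    return (not findings, findings)


# Constructed scenario from the article: the "CEO" writes to the ship steadier.
SCENARIO = PaymentRequest(
    from_header="Jane Doe <jane.doe@mail-relay.example>",  # constructed lookalike sender
    amount_gbp=25_000,
    payee_account="GB00BANK00000000000099",                  # constructed, not on the list
    requester_is_delegate=True,
    callback_verified=False,
    approvals=frozenset({"stand-in"}),
)

if __name__ == "__main__":
    ok, why = evaluate(SCENARIO)
    print("approved" if ok else "blocked:", *why, sep="\n  ")
```

The point of the design is that the slices do not depend on each other: even if the stand-in trusts the display name and the domain check is somehow missing, the new-payee check, the call-back rule and the second approver each block the £25,000 transfer on their own. In the article's scenario all four slices have holes lined up; here any one of them holding is enough.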
Stuart Green is MD of SJG Digital, a Cyber Security Specialist servicing the UK from its base in Lincolnshire.

SJG Digital can be contacted on 01673 898001, www.sjgdigital.com or safer@sjgdigital.com