Nobody likes to lose a fight. It’s a fundamental facet of human nature that, when it comes to trading blows, we like to be top dog. Not surprising, really, if you consider that evolution has armed us with the tools to survive and winning fights would have been pretty much a prerequisite for staying alive 20,000 years ago. So when an influential group of MPs announced recently that the UK is losing the fight against cyber crime, it’s natural for hackles to rise.
In July, the House of Commons Home Affairs Select Committee published a report that argued, in no uncertain terms, that the UK must do more to stop online fraud and deter state-sponsored cyber-espionage or risk losing the fight against e-crime.
Keith Vaz MP, the Committee’s chair, said that the UK's response to e-crime was too ‘fractured’ and that the country was the number one target for gangs in 25 countries. "It's much easier and more lucrative to steal on the internet than it is to go out and rob a bank,” he remarked. “These are real e-wars. At the moment we are not winning."
A sobering thought, indeed. But is the fight metaphor really a useful one to deploy in this situation? Arguably not. In reality, the struggle between the forces of good and evil in cyberspace is more akin to market forces seeking to achieve some degree of equilibrium. A parallel can be drawn with the human immune system trying to suppress an infection that it can never eradicate completely. The struggle will not end in victory but rather suppression.
So how successful is the UK currently at tackling cyber crime? It is a tough question to answer because the true extent of cyber crime is unclear. Few companies are keen to wash their dirty linen in public. Many incidents go unreported: there is no legislation compelling UK business to disclose minor security breaches or even attempted breaches – and the attempts are frequent. A recent discussion with the IT head of a small City-based SME revealed an average 20 attempts per night to hack into its server, most emanating from China. In many instances, these will not be malign criminal acts, but rather Chinese citizens attempting to connect to a UK-based server in order to bypass Chinese net censorship. However, the result of breached security and possible data loss and infection is the same. According to the UK government, 87% of small firms experienced a security breach last year while 93% of large organisations had also been targeted and found some attacks caused more than £1m of damage.
The Home Affairs Select Committee report stressed the need for government to increase the number of specialist police officers and intelligence staff to be employed in this area – for example, a dedicated cyber-espionage team to respond to attacks, many of which are believed to be backed by foreign governments. The committee went on to say that it had been told by senior police sources that up to a quarter of the UK's 800 specialist internet crime officers could be lost due to budget cuts. This was despite evidence that the UK was a prime target for many of the estimated 1,300 criminal gangs specialising in fraud.
Businesses, particularly the smaller ones, have to rely in some part on the government and law enforcement agencies to protect them against cyber threats. The issue for these smaller businesses is that the public sector is always vulnerable to financial cuts. Businesses have to, therefore, be prepared to take on more of the risk and its management themselves.
The other key issue is how much of a priority we make cyber crime. Keith Vaz told the BBC it was ‘more serious than a nuclear attack’, but, broadly speaking, the government and police equate cyber crime with financial crime, which has always been lower down the law enforcement pecking order. Cyber crime, after all, does not appear to cause personal distress in the same way as an assault or a home
invasion. Personal harm and property damage are understandably public relations issues for the police and have to be dealt with accordingly.
Yet this may be a gross misjudgement of the potential threat that cyber crime poses. This October, police in Belgium reported that drug traffickers recruited hackers to breach IT systems that controlled the movement and location of containers in the Port of Antwerp. In 2010, the Stuxnet worm, introduced into the systems controlling Iran’s fledging nuclear programme, crippled centrifuges used in the nation's uranium enrichment program.
What this proves is that programmers have the ability to affect real world objects and processes using computer code – even operate a gun.
Back as far as 2004, a US entrepreneur announced the idea of a website called live-shot.com on which users could remotely control a real rifle to shoot sheep on a Texan ranch.
The site never went operational but the concept of using the net to control an explosion or an assassination had been born. In the television series Homeland, a senior US politician was assassinated by terrorists who remotely switched off his pacemaker having gained the necessary codes to do so.
If that sounds a little far-fetched, then think again: the US Food and Drugs Administration issued a safety notice this June to hospitals and medical device manufacturers recommending that they ‘reduce the risk’ that medical equipment was vulnerable to cyber attack or what it called ‘unauthorised access’.
In what is being called ‘the internet of things’ – the billions of devices connected to the net – the potential for cyber crime is rising. According to IT systems provider Cisco, by 2020, there will be 50 billion connected devices in the world. Many of these will be operated by a system called SCADA (Supervisory Control and Data Acquisition). This protocol is used widely in industrial processes, such as the Iranian nuclear programme or the utility sector, and is primitive by today’s standards, leaving these devices vulnerable to hackers. In 2012, the US Department of Homeland Security reported 138 cyber attacks on industrial control systems – what it called ‘a steady stream of cyber incidents’, 40% of which affected the energy sector. In roughly half of all the intrusions, the target appears to be ‘data that could facilitate remote unauthorised operations’.
The reality of cyber crime is considerably more serious than we imagine. Its potential is unsettling. This is why the status of the push-me-pull-you tussle between cyber criminals and the authorities is so important. As yet, the insurance industry has had limited impact on the debate, but through the Cyber Risk and Insurance Forum we have the opportunity to influence government and educate the business community about the magnitude of the struggle we face in this new century.
Time to roll our sleeves up.
CRIF Chairman & Underwriting Manager for Strategic Assets at Liberty Specialty Markets