20/3/2014

Groups face the conundrum of cyber crime - FT.com

By continuing to use this site you consent to the use of cookies on your device as described in our cookie policy unless you have disabled them. You can change your cookie settings at any time but parts of our site will not function correctly without them.

Home
Video

World
Interactive

Companies
Blogs News feed

Markets
Alphaville

Global Economy
beyondbrics Portfolio

Lex
Special Reports

Comment
In depth

Management

Life & Arts

Tools

Todays Newspaper

February 24, 2014 6:02 am

Groups face the conundrum of cyber crime

By Sam Jones

Late last year, UK authorities helped to organise a cyber war game for institutions in Londons financial district, directing the banks, insurers, asset managers and big businesses of the city to simulate the impact on their operations of a debilitating cyber assault. While many of the players in the game no actual assets were involved demonstrated that they had defensive plans in place and often quite sophisticated technical knowhow, they also highlighted a major problem. Not a single one of the participants in operation Waking Shark II, as the scenario was dubbed, thought, during the course of their attack, to report their problems to the police. The scenario highlighted one of the biggest problems in the cyber security world: how is online and computer crime policed, and, moreover, how should it be? Many of the participants [in the city cyber war game] had little or no understanding of when criminal offences were being committed, says Adrian Culley, former detective at Scotland Yards cyber crime unit and now a technical consultant with Damballa, a cyber security consultancy. Given we have had the Computer Misuse Act for 25 years in the UK, its surprising, but we obviously have some way to go still, he adds. Ultimately, there is no such thing as cyber crime, just crime. Just like you dont really hear questions of if someone is computer literate or not these days, I think the notion of cyber crime will fade. In 100 years time. Itll be as if Sherlock Holmes had talked about electric crimes. The nub of the problem is that, for many organisations, cyber crime still seems so intangible. For big businesses such as banks, cyber crimes are all too easy to write off as a marginal cost of doing business in the modern world. A bank suffering from a physical robbery, for example, has a site from which money is stolen and staff there whose responsibility is specific for the security of that site. Doing nothing is not really an option. An attack against a whole organisation though particularly an organisation as large as a bank is far harder to feel or care about, if the relative impact is far smaller. Even if the same or more money is stolen in absolute terms. If the first hurdle is Likewise, when an act against a business involves the theft of data be it intellectual property, or customers
1/2

http://www.ft.com/intl/cms/s/0/61176e18-923e-11e3-8018-00144feab7de.html?siteedition=intl#axzz2wWPOJwV8

20/3/2014

Groups face the conundrum of cyber crime - FT.com

reporting and detection, then the second even larger hurdle facing the policing of cyber crime is attribution

personal data it is also hard to feel the impact. According to security chiefs, hundreds of major businesses have their IP stolen without ever knowing about it. Cyber crime has numerous other forms too, increasingly being exploited by criminals: propagating false news to manipulate share prices; gaining inside information on merger deals or major share transactions and capital raisings.

The pace of technology change and the cyber threats that come with it are only going to accelerate, everything from critical infrastructure to theeconomic well being of nations and companies assets is a potential target, says Mark Brown, director of information security at EY. If the first hurdle is reporting and detection, then the second even larger hurdle facing the policing of cyber crime is attribution. Tracking down attacks, in itself a hard enough endeavour, is only the beginning of the problem. Attackers often take over other peoples computers to use as platforms sometimes making the ultimate perpetrator of the crime untraceable. Even when an attacker is located, the chances are they will be based in a foreign country. And, at least according to where most attacks are currently sourced too, those countries are not necessarily likely to co-operate in the pursuit of suspects. The impact of international regulation, or in fact the absence of it, is in my view the next big issue in the fight against the cyber threat, says Mr Brown. Currently, even if a company can identify where an attack comes from there is little to no international legislation or treaties that allow prosecution to take place or help companies to respond. What we need is international bodies or specific initiatives that will ensure that everybody plays by the rules. In his recent trip to China, for example, the UK prime minister called for an International Cyber Citizenship which is an idea worth exploring. Even when local law enforcement agencies are minded to do so, the task of linking an individual to crimes committed on a specific machine is in itself a significant legal challenge. It is little wonder then, that where businesses have started to grapple with the issues of cyber security, they have focused heavily on prevention of attacks and ensuring resilience. For now, this is an acceptable status quo. But as many security experts particularly in government are increasingly aware, it is fragile. The nature of cyber attacks mean they have the potential to be hugely disruptive, and not just from a purely monetary point of view, but a systemic one too. A bank that suffers a breach involving the loss of pennies from tens of thousands of separate accounts, for example, is one issue. A bank that suffers an attack where hundreds of depositors lose everything, though, risks far greater reputational damage even a run, where unaffected clients panic to withdraw their money and stash it elsewhere. Likewise for other businesses, attacks large enough to cause lasting and sustained damage are mostly regarded as hypothetical in spite of evidence to the contrary. An attack like that on Saudi Aramco which in 2012 suffered a huge cyber assault apparently aimed at stalling production and wiping out its computer systems is more and more likely on a large western business than ever before. Policing such a large-scale attack or rather, providing a credible deterrence to it is an issue that no government let alone domestic law enforcement agency has yet addressed.
RELATED TOPICS United Kingdom, Global terror

Printed from: http://www.ft.com/cms/s/0/61176e18-923e-11e3-8018-00144feab7de.html Print a single copy of this article for personal use. Contact us if you wish to print more to distribute to others. THE FINANCIAL TIMES LTD 2014 FT and Financial Times are trademarks of The Financial Times Ltd.

http://www.ft.com/intl/cms/s/0/61176e18-923e-11e3-8018-00144feab7de.html?siteedition=intl#axzz2wWPOJwV8

2/2