ï¿½Congratulations! Youï¿½re the lucky winner of our online lotto sweepstakes!ï¿½ All you have to do is supply your personal and bank details, and youï¿½re in the money. If you had a pound for every scam to hit your inbox, you probably would be. But phishing emails are just the tip of the cybercrime iceberg, which runs deep, spans the globe and, according to the White House, costs the global economy $1 trillion (ï¿½640 billion) every year.
The list of ways the web has changed the world is endless. Itï¿½s made it possible to buy anything at the click of a button, communication has become instantaneous and itï¿½s created a virtual database of information thatï¿½s updated by the millisecond. But as weï¿½ve uploaded our lives and businesses to the cloud, criminals have followed. And assets that were once physical are now vulnerable to interception and theft online.
And the threat is very real. The UK government ranks cybercrime as a ï¿½Tier 1ï¿½ risk to national security ï¿½ the same level as terrorism. In October foreign secretary William Hague admitted that ï¿½deliberate, organised attacksï¿½ against UK networks occur ï¿½every hourï¿½ and the Office of Cyber Security and Information Assurance estimates that they cost us around ï¿½27 billion annually.
What is cybercrime?
What do NASA, MasterCard, Sony and the UK government have in common? Not only are they some of the worldï¿½s most sophisticated organisations, theyï¿½re also recent victims of cyber attacks. Cybercrime has come to refer to all kinds of illegal activity online, but there are a number of different motives and methods.
In the UK, itï¿½s a criminal offence to carry out ï¿½any unauthorised act in relation to a computerï¿½. Simply put, hacking is illegal regardless of the motive, but not all hackers are driven by criminal intent. Take Gary McKinnon for example. He was arrested in 2002 for hacking into NASA and US military computers, but the Aspergerï¿½s syndrome sufferer, whose extradition to the US has now been blocked, says he was on a ï¿½moral crusadeï¿½ to find classified documents about UFOs.
Other cyber criminals have a political agenda and commit cyber attacks as a means of protest. An allegiance of ï¿½hacktivistsï¿½ known as Anonymous has gained notoriety for its politically-motivated distributed denial of service (DDoS) attacks, which flood a targetï¿½s server to shut down its systems. Members of Anonymous protest publicly against internet censorship, recognisible by their Guy Fawkes masks, and have claimed responsibility for closing down a number of websites, including those of MasterCard, Visa, Amazon and PayPal when they froze donations to WikiLeaks in 2010.
Cybercrime is also fast becoming a vehicle for espionage and terrorism. Director general of the British security service Jonathan Evans told this yearï¿½s Annual Defence and Security Lecture: ï¿½Vulnerabilities in the internet are being exploited... and the extent of whatï¿½s going on is astonishing ï¿½ with industrial scale processes involving many thousands of people lying behind both state-sponsored espionage and and organised cybercrime.ï¿½ Whatï¿½s more, he said terrorist groups ï¿½are aware of the potential to use cyber vulnerabilities to attack critical infrastructureï¿½ and may exploit them in future.
Nevertheless, the most common form of attack is financially-motivated, organised cybercrime. Such activity usually involves theft of personal and bank details to commit fraud; intellectual property or commercial information to exploit businesses; or cold, hard, electronic cash.
In April 2011 more than 70 million users of Sonyï¿½s online gaming network had their names, email addresses, passwords and possibly credit card details stolen by hackers. Meanwhile Misha Glenny, author of DarkMarket: How Hackers Became the New Mafia recalls an operation that involved purchasing pre-paid debit cards, then hacking bank systems to raise the limits on those cards by tens of thousands of dollars to make $34 million (ï¿½22 million) over three years.
Hackers arenï¿½t necessarily the masterminds behind such large-scale criminal operations, but theyï¿½re an essential part of them. Raoul Chiesa, cyber security expert and leader of the UNï¿½s Hackers Profiling Project explains: ï¿½Hackers may help out writing exploits and zero-days [software that attacks previously unknown vulnerabilities in an application], launching IT attacks, penetrating targetsï¿½ networks, sending spam and running phishing campaigns, [in addition to] coding software to manage the money mules who will eventually pick up the money generated from the internet scams.ï¿½
Another tool used for financial profit is blackmail in the aftermath of a DDoS attack. Jerome Smith, a cyber security consultant at PA Consulting Group says: ï¿½There have been cases of companies held to ransom over distributed denial of service attacks... If the company has predictable revenue peaks, for example a sports gambling site, the attack can be timed for maximum effect, such as the Grand National race day.ï¿½
Whatï¿½s the cost?
The direct cost of cybercrime can range from a few tens of pounds if youï¿½re a victim of online fraud, to hundreds of millions of pounds if a large organisation, such as a global bank, is attacked. But the economic impact can be much greater.
In Measuring the cost of cybercrime, researchers at the University of Cambridge found that the direct monetary loss as a result of consumer cybercrime in the UK is small ï¿½ around ï¿½10 on average per citizen. But the true cost is ten times higher as it includes the cost of recuperation, additional security measures and lost business when victims lose trust in online transactions.
When itï¿½s a business thatï¿½s attacked, rather than an individual, the cost becomes even greater. According to Evans, a ï¿½major London-listed companyï¿½ recently incurred revenue losses of ï¿½800 million as a result of a cyber attack ï¿½not just through intellectual property loss but also from commercial disadvantage in contractual negotiations.ï¿½ Sony spent $171 million recovering from the leak of its customer records in 2011, and itï¿½s credibility was also damaged by the incident. A study by the Reputation Institute revealed that the proportion of customers who said theyï¿½d recommend Sony to others fell from 79 per cent before the breach was made public to 67 per cent after.
Cybercrime is becoming increasingly common, and itï¿½s not surprising: it can be incredibly profitable, but it comes with a much lower risk of being caught than other crimes because hackers can route their activities through networks located anywhere in the world. Cybercrime is also void of the violence endemic to other types of organised crime. Not only that, itï¿½s getting easier. The internet is a playground of information and, with hacker kits on the market for less than ï¿½3,000, limited technical skill is needed to access it.
In 2010 the UK government announced a ï¿½650 million budget to tackle cybercrime over four years and, most recently, it has launched a Cyber Incident Response scheme to support organisations in the event of an attack. But the global nature of cybercrime and the anonymity of perpetrators makes it difficult to police, and it remains to be seen whether effective cross-border law enforcement can be mounted.
The hacker-turned-cyber security expert
Co-author of **Profiling Hackers: The Science of Criminal Profiling As Applied to the World of Hacking and member of UN and EU cyber security organisations**
How did you become involved in hacking?
My interest in computer networks, security and hacking started in 1986, when the internet wasnï¿½t what it is today and there were no laws against hacking. In 1995, I hacked BankItalia to send an alert to my country on data security. I also hacked the top US telecommunications companies (AT&T, MCI, Sprint and GTE). I was arrested in December 1995, but never jailed because I didnï¿½t steal anything or damage the systems I hacked.
The judges realised I was a ï¿½good soulï¿½ and they told me I had to make a choice. So I stepped out from the hacking underground and entered professional cyber security. I founded @Mediaservice.net, an independent security consulting company, and am part of a number of cyber security organisations.
Hackers are different to traditional criminals. Can you explain who they are?
I joined the UN Interregional Crime & Justice Research Institute (UNICRI) to manage the Hackers Profiling Project (HPP) in 2004. Since then, weï¿½ve observed, studied and analysed the hacking scene and weï¿½ve identified at least nine hacker profiles: the Wannabe Hacker, the Script-Kiddie, the Cracker, the Quite Paranoid Skilled Hacker, the Ethical Hacker, the Cyber Warrior, the Industrial Spy, the Government Agent and the Military Hacker. Hackers are nearly always brilliant minds, but kind of paranoid. Around 95 per cent of the hackers Iï¿½ve interviewed are self-taught, often during their teenage years.
How does a lone teenaged hacker become part of organised crime?
Usually young people are hired by organised crime through explicit ads on hacking forums, especially in Eastern Europe. Organised crime needs good programmers and trusted people to run its black market operations. Money drives hackers to turn to cybercrime due to a combination of historical, social, geographic and economic factors.
What is the most effective way to tackle cybercrime?
I always say: ï¿½Alone you may win a battle, but not the war which is going on.ï¿½ We must enhance the global cooperation between states and learn from the enemy ï¿½ the people who know whatï¿½s going on. You canï¿½t defend from someone if you donï¿½t know who he is and the way he thinks, plans and acts. Thatï¿½s why we have to study the complex hacking environments and their different evolutions, zooming into those dangerous links between the hacking underground and organised crime.
The cyber security consultant
PA Consulting Group
How much of a threat is cybercrime?
The UK Government ranks cyber security as a Tier 1 priority in its National Security Strategy. The number of reported attacks is increasing rapidly and, for obvious reasons, many organisations choose not to go public when they have suffered an attack. While we can examine these documented attacks for trends, itï¿½s important to realise that the threat of cyber crime is always an individual calculation: the threat to an independent retailer is very different to the threat to a global bank.
What kind of organisations are most at risk from cyber attacks?
Organisations that have enough value ï¿½ not necessarily financial ï¿½ to attract targeted attacks are most at risk because, while the attackerï¿½s resources and skills are important, so is motivation. Whatï¿½s interesting about the attacks against Sony last year was that those flaws were always there, it just took a number of motivated attackers to take a close look at them.
Although the majority of organisations are aware of cybercrime, what can be lacking is understanding and action. When this occurs at board level, the problem can become systemic, which stops information security getting the attention it deserves and has consequences for everyday behaviour that may increase the organisationï¿½s risk.
How does PA Consulting Group protect clients from cybercrime or help them manage an attack if it occurs?
PA Consulting Group has significant experience working with clients in the public and private sectors to help develop an effective cyber security strategy. PA can help clients in a number of ways, for example, structuring the governance and risk management approach, identifying which assets need the most protection from which risks, and assessing the strength of existing security measures through penetration testing. PA also has training solutions, from security awareness programmes to technical courses, to help build in-house capability.
How do you stay a step ahead of cyber criminals?
Organisations defending themselves from cyber attacks seem to have the odds stacked against them; they need to find and fix all the holes within their systems but the attacker only has to find one. To stay one step ahead, organisations should... take a comprehensive view of security that encourages defence in depth. By building a culture of security and considering detection as well as prevention, organisations can help to protect themselves against attacks they hadnï¿½t even conceived.