The business of crime: cyber attacks

Lucy Mair finds out why cybercrime is a bigger threat to business than you might think

�Congratulations! You�re the lucky winner of our online lotto sweepstakes!� All you have to do is supply your personal and bank details, and you�re in the money. If you had a pound for every scam to hit your inbox, you probably would be. But phishing emails are just the tip of the cybercrime iceberg, which runs deep, spans the globe and, according to the White House, costs the global economy $1 trillion (�640 billion) every year.

The list of ways the web has changed the world is endless. It�s made it possible to buy anything at the click of a button, communication has become instantaneous and it�s created a virtual database of information that�s updated by the millisecond. But as we�ve uploaded our lives and businesses to the cloud, criminals have followed. And assets that were once physical are now vulnerable to interception and theft online.

And the threat is very real. The UK government ranks cybercrime as a �Tier 1� risk to national security � the same level as terrorism. In October foreign secretary William Hague admitted that �deliberate, organised attacks� against UK networks occur �every hour� and the Office of Cyber Security and Information Assurance estimates that they cost us around �27 billion annually.

What is cybercrime?

What do NASA, MasterCard, Sony and the UK government have in common? Not only are they some of the world�s most sophisticated organisations, they�re also recent victims of cyber attacks. Cybercrime has come to refer to all kinds of illegal activity online, but there are a number of different motives and methods.

In the UK, it�s a criminal offence to carry out �any unauthorised act in relation to a computer�. Simply put, hacking is illegal regardless of the motive, but not all hackers are driven by criminal intent. Take Gary McKinnon for example. He was arrested in 2002 for hacking into NASA and US military computers, but the Asperger�s syndrome sufferer, whose extradition to the US has now been blocked, says he was on a �moral crusade� to find classified documents about UFOs.

Other cyber criminals have a political agenda and commit cyber attacks as a means of protest. An allegiance of �hacktivists� known as Anonymous has gained notoriety for its politically-motivated distributed denial of service (DDoS) attacks, which flood a target�s server to shut down its systems. Members of Anonymous protest publicly against internet censorship, recognisible by their Guy Fawkes masks, and have claimed responsibility for closing down a number of websites, including those of MasterCard, Visa, Amazon and PayPal when they froze donations to WikiLeaks in 2010.

Cybercrime is also fast becoming a vehicle for espionage and terrorism. Director general of the British security service Jonathan Evans told this year�s Annual Defence and Security Lecture: �Vulnerabilities in the internet are being exploited... and the extent of what�s going on is astonishing � with industrial scale processes involving many thousands of people lying behind both state-sponsored espionage and and organised cybercrime.� What�s more, he said terrorist groups �are aware of the potential to use cyber vulnerabilities to attack critical infrastructure� and may exploit them in future.

Making money

Nevertheless, the most common form of attack is financially-motivated, organised cybercrime. Such activity usually involves theft of personal and bank details to commit fraud; intellectual property or commercial information to exploit businesses; or cold, hard, electronic cash.

In April 2011 more than 70 million users of Sony�s online gaming network had their names, email addresses, passwords and possibly credit card details stolen by hackers. Meanwhile Misha Glenny, author of DarkMarket: How Hackers Became the New Mafia recalls an operation that involved purchasing pre-paid debit cards, then hacking bank systems to raise the limits on those cards by tens of thousands of dollars to make $34 million (�22 million) over three years.

Hackers aren�t necessarily the masterminds behind such large-scale criminal operations, but they�re an essential part of them. Raoul Chiesa, cyber security expert and leader of the UN�s Hackers Profiling Project explains: �Hackers may help out writing exploits and zero-days [software that attacks previously unknown vulnerabilities in an application], launching IT attacks, penetrating targets� networks, sending spam and running phishing campaigns, [in addition to] coding software to manage the money mules who will eventually pick up the money generated from the internet scams.�

Another tool used for financial profit is blackmail in the aftermath of a DDoS attack. Jerome Smith, a cyber security consultant at PA Consulting Group says: �There have been cases of companies held to ransom over distributed denial of service attacks... If the company has predictable revenue peaks, for example a sports gambling site, the attack can be timed for maximum effect, such as the Grand National race day.�

What�s the cost?

The direct cost of cybercrime can range from a few tens of pounds if you�re a victim of online fraud, to hundreds of millions of pounds if a large organisation, such as a global bank, is attacked. But the economic impact can be much greater.

In Measuring the cost of cybercrime, researchers at the University of Cambridge found that the direct monetary loss as a result of consumer cybercrime in the UK is small � around �10 on average per citizen. But the true cost is ten times higher as it includes the cost of recuperation, additional security measures and lost business when victims lose trust in online transactions.

When it�s a business that�s attacked, rather than an individual, the cost becomes even greater. According to Evans, a �major London-listed company� recently incurred revenue losses of �800 million as a result of a cyber attack �not just through intellectual property loss but also from commercial disadvantage in contractual negotiations.� Sony spent $171 million recovering from the leak of its customer records in 2011, and it�s credibility was also damaged by the incident. A study by the Reputation Institute revealed that the proportion of customers who said they�d recommend Sony to others fell from 79 per cent before the breach was made public to 67 per cent after.

Cybercrime is becoming increasingly common, and it�s not surprising: it can be incredibly profitable, but it comes with a much lower risk of being caught than other crimes because hackers can route their activities through networks located anywhere in the world. Cybercrime is also void of the violence endemic to other types of organised crime. Not only that, it�s getting easier. The internet is a playground of information and, with hacker kits on the market for less than �3,000, limited technical skill is needed to access it.

In 2010 the UK government announced a �650 million budget to tackle cybercrime over four years and, most recently, it has launched a Cyber Incident Response scheme to support organisations in the event of an attack. But the global nature of cybercrime and the anonymity of perpetrators makes it difficult to police, and it remains to be seen whether effective cross-border law enforcement can be mounted.

Insider view

The hacker-turned-cyber security expert

Raoul Chiesa

Co-author of **Profiling Hackers: The Science of Criminal Profiling As Applied to the World of Hacking and member of UN and EU cyber security organisations**

How did you become involved in hacking?

My interest in computer networks, security and hacking started in 1986, when the internet wasn�t what it is today and there were no laws against hacking. In 1995, I hacked BankItalia to send an alert to my country on data security. I also hacked the top US telecommunications companies (AT&T, MCI, Sprint and GTE). I was arrested in December 1995, but never jailed because I didn�t steal anything or damage the systems I hacked.

The judges realised I was a �good soul� and they told me I had to make a choice. So I stepped out from the hacking underground and entered professional cyber security. I founded, an independent security consulting company, and am part of a number of cyber security organisations.

Hackers are different to traditional criminals. Can you explain who they are?

I joined the UN Interregional Crime & Justice Research Institute (UNICRI) to manage the Hackers Profiling Project (HPP) in 2004. Since then, we�ve observed, studied and analysed the hacking scene and we�ve identified at least nine hacker profiles: the Wannabe Hacker, the Script-Kiddie, the Cracker, the Quite Paranoid Skilled Hacker, the Ethical Hacker, the Cyber Warrior, the Industrial Spy, the Government Agent and the Military Hacker. Hackers are nearly always brilliant minds, but kind of paranoid. Around 95 per cent of the hackers I�ve interviewed are self-taught, often during their teenage years.

How does a lone teenaged hacker become part of organised crime?

Usually young people are hired by organised crime through explicit ads on hacking forums, especially in Eastern Europe. Organised crime needs good programmers and trusted people to run its black market operations. Money drives hackers to turn to cybercrime due to a combination of historical, social, geographic and economic factors.

What is the most effective way to tackle cybercrime?

I always say: �Alone you may win a battle, but not the war which is going on.� We must enhance the global cooperation between states and learn from the enemy � the people who know what�s going on. You can�t defend from someone if you don�t know who he is and the way he thinks, plans and acts. That�s why we have to study the complex hacking environments and their different evolutions, zooming into those dangerous links between the hacking underground and organised crime.

The cyber security consultant

Jerome Smith

PA Consulting Group

How much of a threat is cybercrime?

The UK Government ranks cyber security as a Tier 1 priority in its National Security Strategy. The number of reported attacks is increasing rapidly and, for obvious reasons, many organisations choose not to go public when they have suffered an attack. While we can examine these documented attacks for trends, it�s important to realise that the threat of cyber crime is always an individual calculation: the threat to an independent retailer is very different to the threat to a global bank.

What kind of organisations are most at risk from cyber attacks?

Organisations that have enough value � not necessarily financial � to attract targeted attacks are most at risk because, while the attacker�s resources and skills are important, so is motivation. What�s interesting about the attacks against Sony last year was that those flaws were always there, it just took a number of motivated attackers to take a close look at them.

Although the majority of organisations are aware of cybercrime, what can be lacking is understanding and action. When this occurs at board level, the problem can become systemic, which stops information security getting the attention it deserves and has consequences for everyday behaviour that may increase the organisation�s risk.

How does PA Consulting Group protect clients from cybercrime or help them manage an attack if it occurs?

PA Consulting Group has significant experience working with clients in the public and private sectors to help develop an effective cyber security strategy. PA can help clients in a number of ways, for example, structuring the governance and risk management approach, identifying which assets need the most protection from which risks, and assessing the strength of existing security measures through penetration testing. PA also has training solutions, from security awareness programmes to technical courses, to help build in-house capability.

How do you stay a step ahead of cyber criminals?

Organisations defending themselves from cyber attacks seem to have the odds stacked against them; they need to find and fix all the holes within their systems but the attacker only has to find one. To stay one step ahead, organisations should... take a comprehensive view of security that encourages defence in depth. By building a culture of security and considering detection as well as prevention, organisations can help to protect themselves against attacks they hadn�t even conceived.