The UK is heading for trouble unless Government, companies and law enforcement shake up their ideas and start taking cybercrime more seriously.
A whole string of speakers at the e-Crime Congress in London today (Thursday) painted a picture of incompetence, poor organisation and complacency that is allowing criminals to operate with little chance of detection or punishment.
They have abdicated responsibility and don't see the problem as serious
MP, Shadow Home SecretaryConservative Party
The opening salvo came from David Davis MP, the Shadow Home Secretary, who said that while many companies underestimated the threat of cybercrime, the current Government was the biggest culprit.
He said the Government's appetite for building ever larger databases was "irresponsible and naïve" and created a target that was "valuable, vulnerable and attractive to attackers."
He said that the concerted attacks on Estonia last May gave just a flavour of what could happen in future anywhere in the world. "We've not seen any cyber terror attacks here yet, but it's almost certain we will," said Davis. "Cyber terror and cyber crime are two sides of the same coin, just with different motivations. If we don't prioritise crime, we will also be vulnerable to cyber terror."
He said the current Government lacked any co-ordinated or urgent strategy for tackling the problem. "They have abdicated responsibility and don't see the problem as serious."
The disbandment of the National Hi-Tech Crime Unit (NHTCU) two years ago, he said, had left companies and individuals with no way of reporting financial crime. The Serious Organised Crime Agency (SOCA), which absorbed the NHTCU, is not interested in financial cybercrime, and consumers are advised to report losses to their banks. But the banks have little incentive to report losses to the police, and so the whole level of crime goes under-reported. "In cyberspace, it seems, no-one can hear you scream," said Davis.
He also attacked the UK Government for its failure to ratify the Council of Europe's Convention on Cybercrime, which it signed in 2001, and which lays the foundation for cross-border law enforcement.
"The Government needs to take action on an international level to tackle the problem. At the moment the UK is a soft touch," he said.
The Conservatives' approach is embodied in a new Green Paper published today (available for download at www.conservatives.com). Among the actions proposed are the appointment of a minister to look after cybercrime across Government and industry, and a new Fraud and Cybercrime Complaints Centre, where people and companies could report crimes.
Davis also pledged to ratify the Cybercrime Convention and to introduce mandatory disclosure of security breaches. But Government does not have the resources to do this alone. "The only way Government can keep up is to work with industry," he said. "The only agency that is fast enough on its feet is the public sector."
He also promised to cancel the proposed ID card scheme if the Conservatives were elected, saying it was the best way to make it secure.
The private sector perspective came from a later speaker, Paul Simmonds, the global head of security for ICI. He gave several statistics to show that credit card fraud and cybercrime was rising sharply, including an FBI estimate that at $105 billion a year, cybercrime is a bigger business now than drug trafficking.
But these figures are the tip of a much larger iceberg of unreported crime which meets little resistance, he said, because of weaknesses at all levels. Consumers get little advice, resulting in around half all PCs being affected with malware. As he said, an unpatched Windows PC will be infected within 15 minutes of being attached to the Internet.
But corporations are no better, with only 40% of FTSE 100 companies having a dedicated security team in place, and the proportion even lower in smaller companies. Meanwhile the criminals are working hard to stay ahead of the game. "The bad guys do their ROI on e-crime, and even send their people off to University or other training to improve their coding techniques," he said. "They are doing a lot better job of investing in their staff than UK business is doing. No wonder we're losing."
He called for more resources to go into cyber crime law enforcement. While the police spend (according to 2004/5 figures) £4.5 billion a year on tackling drugs, SOCA's total budget for 2007 was £416 million. Of that, just 10% would be spent on e-crime, said Simmonds.
In other words, although e-crime is now bigger than drug trafficking, the budget to fight it is around one-hundredth of that given to drugs. "We need to up the spending by 10 or 20 times," he said.
Simmonds also lamented the demise of the NHTCU which left UK companies with nowhere to go to report e-crime. "The crime therefore never surfaces, so it doesn't get the resources. It's a vicious circle. We need a proper mechanism to report problems and to get help."
He also called for companies to be forced to take security more seriously, and suggested that company boards should be made to report on their state of information security inannual reports. "We did it for the Year 2000 problem, and we could do it for security," he said.
One example of the desperate situation came later in a talk by Peter Bassill, an information security officer for Gala Coral, an online betting site. He described the growing sophistication of DDOS attacks that his company had experienced, and said it was becoming increasingly hard to beat the attackers.