The Spamhaus Project


UK Threat from Cybercrime is Very Real

by The Spamhaus Team, October 18, 2010 (6 minutes reading time)

When it became clear that the UK's National Security Strategy (published today) would highlight "Cybersecurity" as one of the most serious threats to the United Kingdom's security, the media were most querulous. Even some of the more experienced journalists seemed to pour immediate scorn on the suggestion that computer-based crime could rank in seriousness alongside terrorist attacks that kill and maim.

But like the methods of attack, the harm capable of being done by electronic crime and warfare is barely understood, even by governments such as the US and the UK: and as a result there is very little mitigation capability in place.

The Spamhaus Project has for over twelve years now taken the initiative in investigating and trying to disrupt many forms of Cybercrime, and in recent years - together with a number of other international security organisations - we have been responsibly reporting what we have seen.

But with little result.

One of the problems has been that governments have traditionally seen the security of their own computer systems as completely synonymous with the cybersecurity of the country. In that, they could not have been more wrong. The gradual encroachment into, and undermining of, electronic payment systems can and will cause far more permanent damage to a country's economy and future well-being than any terrorist explosion or short-term computer shutdown could achieve. The threats from malware that we have seen and reported include substantial capabilities for data theft, card payment fraud, and above all credential theft - the logging by a trojan program of any credentials entered through a computer keyboard to gain access to a remote computer system, and the subsequent undetectable forwarding of that information to a remote gathering point.

Such data theft has assuredly been going on for some years now, with very little of the data so harvested actually being used in a way that caused the theft to be discovered: and so we infer that a lot of data - financial and personal - is being garnered in some (probably Eastern European) location for future criminal use. After all, so far the world has seen no sign of where the extensive data stolen from the UK's Revenue and Customs organisation went.

Yet the media seemed to base their assessment of the impact of Cyberattacks on the Denial-of-Service attack on Estonia in early 2007, which was fairly minor in the overall scheme of things. What was significant about that attack was that it appeared to come from "hackers" while it was clear that the political need for such an attack would have emanated from within the Russian government. It's clear to us that both Moscow and Beijing are finding it very convenient to allow electronic mischief by internet users in their country to go unchallenged, to make it difficult to point the finger of blame at those governments for any nefarious actions that their own operatives carry out. For some time, the UK has been host to the "Russian Business Network" - believed to have been set up by Russian organised crime - first under its own name, and later under some other names.

So with electronic warfare and electronic crime overlapping so much that the distinction between them is difficult to make, the one point that governments - UK, US and others - need to grasp quickly is that current policing methods are completely incapable of providing an adequate response to the total threat. That is, of course, no criticism of the people involved, but is a serious indictment of the structure, processes and limitations within which they are forced to work. One of the most vexing hallmarks of Cybercrime is that in the majority of cases it is impossible to know with certainty in which jurisdiction a crime was committed, due to the ability of criminals to distort the routing mechanisms of the internet so that telemetry would give investigators a completely erroneous picture of how a signal had reached the victim network.

The Internet was never "created"; it came together on a co-operative basis without any thought for the likely impact on it of Trans-National Organised Crime (TNOC). Basing its own governance processes on libertarian principles and openness has meant that those processes are completely incapable of responding to even the existence of TNOC, and many otherwise-responsible bodies insist that dealing with such crime is a "matter for the police" and not for them. One clear message that came out of the ICANN 38 meeting in Brussels this summer was that the public at large are angry at the lack of enforcement by ICANN of the existing (weak) regulation: but there is as yet no indication that ICANN are taking this point under advisement. When the US Government recently called ICANN and a number of domain registrars to a meeting to discuss how the threat from fake drug vendors on the Internet might be addressed, ICANN conspicuously declined to attend.

RIPE (the Regional Internet Registry, or number-address co-ordinating body, for Europe and the Middle East) is one of the bodies shouting loudest for the principle that internet crime is not their concern. But the governance of RIPE appears to be under the control of less than 1000 self-appointing individuals who bear zero responsibility to anyone other than themselves for the impact of their actions. That was fine for as long as their actions only impacted on each other, but with recent developments in the forms of subterfuge employed by Trans-National Organised Criminals being specifically enabled by a weakness in RIPE's operating structure - a weakness specifically absent from the other four Regional Internet Registries - Spamhaus has to question whether RIPE's form of internet governance is anywhere near fit for purpose.

That is not to say, of course, that Spamhaus is opposed to freedoms: communication by means of the internet has been a great enabler of freedom fighters, and has helped expose oppression in many parts of the world. What we do say is that if the Internet's own governance structures fail to address the issues created by the TNOCs, then governments will have no option but to step in and that might result in the loss and destruction of what the Internet has achieved to date.

While protection from and prevention of Cybercrime has to begin at home, it cannot achieve much without major changes in the way policing is managed, or without the capability for criminal intelligence gathered in one country to result in immediate action in another. We will wait to see if the UK government has really understood this.