ECJ EUROPEAN Cleaning Journal

This column has reported on the rapid rise of internet fraud and predictions that the cybercriminal would emerge as the next global public enemy number one. With this prophecy now fulfilled in many people’s eyes, Hartley Milner reports on how the world is seeking to bring this faceless felon to justice.

Cybercrime is a booming global industry, built on low risk and high returns. It is difficult to detect, perpetrators are only rarely brought to justice and most incidents go unreported. In many ways, cybercrime is the perfect crime.

Incomplete data makes it a challenge to even guesstimate the cost of cybercrime to the world economy. Estimates vary between $350 billion and $600 billion, but what is generally accepted is that revenues from internet fraud now exceed those of the international illegal drugs trade and many global corporations.

The cost impact, though, should not be measured only in terms of lost revenue but also in tandem with any collateral damage, eg, to a particular target organisation’s daily routines, IT functions, ability to service customers and, crucially, its standing within its industry. Reputation and likely questions about the security of client data are reasons why companies are reluctant to go public about an attack. Increasingly employment looks set to become another victim of the fallout, with as many as 150,000 jobs a year expected to be lost in Europe alone.

Yet businesses and governments still underestimate the cybercriminal and just how destructive these shadowy figures can be, frequently plying their furtive trade from within the target organisation itself or even from a coffee shop just around the corner, using only a laptop.

But companies that dismiss the risk of a cyber attack do so at their peril, according to Lloyd’s insurer AEGIS London. It says that with destructive attacks likely to occur throughout 2015 and beyond, businesses have a duty to manage online fraud risks, to both protect themselves from negligence claims, which have been on the rise in recent years, and to ensure their own survival.

Joe Hancock, cyber security specialist at the firm, said: “These attacks are now increasingly destructive, as we have seen with the recent attack on Sony Entertainment and statistics from the Organisation of American States (OAS). This trend is going to continue, with affected businesses squeezed between a shrinking top-line due to reputational harm and rising costs to get back on their feet. In 2015, we fully expect a business to fail due to the financial consequences of a cyber attack.”

So how are governments fighting back? Last September, the UK National Crime Agency, the FBI, Interpol and Germany’s Federal Police joined forces to form the Joint Cybercrime Action Taskforce (J-CAT), hosted by Europol at The Hague. Its wide-ranging brief includes coordinating investigations into virus attacks that steal banking logins and into high-profile criminals who deal in hacker tools or sell personal data on underground forums.

Notable successes

Cybercrime police from Austria, Canada, Colombia, France, Italy, the Netherlands and Spain were among the first to add their expertise to J-CAT – and the unit was rewarded with its first scalp just a month after its launch. The team coordinated Operation Imperium that closed down a gang suspected of crimes including large-scale ATM-skimming, electronic payment fraud and document forgery, and resulted in 31 arrests and 42 house searches in Spain and Bulgaria.

Then in February this year, the taskforce played a leading role in neutralising a sophisticated botnet that installed various forms of malware on more than 30,000 machines. What set this attack apart was the botnet behaved like an organic virus, reproducing modified versions of itself to avoid anti-virus software and to disable processes that could have shut it down.

In charge of setting up J-CAT was Andy Archibald, deputy director of the National Cyber Crime Unit within the UK’s National Crime Agency. He said: “There are many challenges faced by law enforcement agencies with regards to cyber criminals and cyber attacks. This is why there needs to be a truly holistic and collaborative approach taken when tackling them.

“J-CAT, for the first time, brings together a coalition of countries across Europe and beyond to coordinate the operational response to the common current and emerging cyber threats faced by J-CAT members. This is a unique opportunity for international law enforcement agencies to collectively share our knowledge to defend against cyber-related attacks, and the UK’s National Crime Agency is proud to be a founding member.”

The UK is in the frontline of the fight against internet fraud, but then its position as a major global financial centre makes it a prime target, second last year only to the US. Its ‘tier one’ status ranks its probability of coming under attack on the same level as for a terrorist strike. In the UK in 2014, five out of six large companies were targeted by cybercriminals, a 40 per cent increase over the previous year.

The National Cyber Crime Unit has notched up some notable successes since it was set up in 2013, including earlier this year arresting 56 suspected hackers in a week of raids across the British Isles. In all, 25 separate operations were carried out, with those arrested suspected of being involved in crimes varying from data theft and fraud to writing virus software.

Not all EU countries are quite so committed to the affray, however. To help them raise their game, the European Parliament has adopted a proposal for a network and information security directive. The directive, which is expected to come into force later this year, follows a consultation undertaken by the European Commission in 2013, in which 57 per cent of respondents said they had experienced information security breaches over the previous year.

Together with proposed EU data protection regulation, the directive will impose minimum information security requirements on member states and a myriad of new measures related to the use of personal data. It aims to raise cybersecurity in the region by:

• Improving member states’ national cybersecurity capabilities
• Improving co-operation between member states, and between public and private sectors
• Requiring companies in critical sectors – such as energy, transport, banking and health – as well as key internet services to adopt risk management practices and report major incidents to their authorities.
Once agreed and then implemented by member states, it is claimed that the directive will bring many benefits, such as:
• Citizens and consumers being able to have more trust in the technologies they rely on daily
• Governments and businesses being able to rely on digital networks and infrastructure to provide their essential services at home and across borders
• The EU economy reaping the benefits of having more reliable services and a culture of systematic risk management and incident reporting – creating “more equal and stable conditions for anyone trying to compete in the digital single market”.

The EU is also keen that member states share information about attacks. Under the proposals, each country would have to appoint a computer emergency response team and create an authority to which companies would report breaches. These new bodies would decide whether to make the breaches public and whether to fine companies. According to the EU, only one in four European companies has a regularly reviewed, formal ICT security policy. Even among ICT companies, the figure is only one in two.

But are these responses really sufficient to meet the cybercrime challenge?

“The snowball is rolling, but not fast enough,” said internet security consultant Stan Ogilvy. “We have people doing bits here and bits there, but we still do not have a joined up world strategy to tackle the problem. Cross-border co-operation is key, but for an effective collaborative approach we would need co-operation from the parts of the world where hackers are predominately based, such as Russia, Eastern Europe, South America and China.

“With the political situations that exist in these areas of the world, establishing such an arrangement is going to be a huge challenge in itself. In fact, it is the political isolation that makes these places so appealing to cybercriminals. They feel safe and secure and beyond the reach of our law enforcement agencies. Even if these countries have cyber security enforcement strategies, they are generally relaxed about implementing them, so the hackers are able to carry on their trade with impunity. They are untouchable.”

Ogilvy said a new approach was needed, with cyber policing agencies receiving wider powers. “In its Organised Crime Threat Assessment, Europol itself makes the point that investigations into cybercrime in Europe are being hampered by laws limiting how much data can be held and for how long,” he said. “The majority of intelligence and evidence for cyber investigations come from private industry. With no data retention, there can be no attribution and, therefore, no prosecutions. Tougher laws for investigating and prosecuting cybercrime also need to be harmonised.

“Until we supply policing agencies with all the tools they need, the cybercriminal will always stay remain one step ahead.”