Cybercrime reporting to get government boost

Minister pledges to make it easier for businesses to report attacks, as cybercrime agencies say that companies' fears of damage to reputation are leading to underreporting

The government is working on plans to make it easier for companies to report cybercrime, in an effort to make the UK more resilient to attack.

Security minister Baroness Pauline Neville-Jones told ZDNet UK on Thursday that while cybercriminals are stealing large amounts of money, companies are reluctant to share information on the losses with government agencies because they fear exposing the attacks may damage their reputation.

"It's clear that criminals get away with quite considerable sums, but companies are not talking about it because of reputation," said Neville-Jones. "We want to find a way of dealing with that."

Neville-Jones told a Commonwealth Telecommunications Organisation conference on Thursday that companies needed to be able to report cyberattacks to government to enable a coordinated response between the public and private sectors, and so that government defence and attack capabilities are up to speed.

"Shared situational awareness is absolutely vital to construct cybercapacity and defences," said Neville-Jones.

A senior Whitehall official with links to the government agency dedicated to UK computer security, the Office of Cyber Security, told ZDNet UK that while some channels between government and business were open, there are still gaps in data-sharing.

"It's difficult to get a clear [overall] picture in terms of attacks," said the official. "Information is quite fragmented, as different parts of industry report to different parts of government."

At the moment, businesses that want to report cybercrime have a number of separate government agencies they can to send the information. These include the Office of Cyber Security, the Cyber Security Operations Centre, the Centre for Protection of National Infrastructure (CPNI), the National Fraud Initiative, the Police Central e-Crime Unit (PCeU), the National Fraud Authority, the Serious Organised Crime Agency (Soca), and City of London Police. Last year, the Association of Chief Police Officers (Acpo) said that e-crime victims are uncertain of where they should report incidents.

The Whitehall official said the situation was complicated by businesses not reporting incidents. "A lot of companies don't want to admit they've been turned over, but if companies are not reporting [crime], it's hard to assess how bad the situation is," said the official.

One government agency that encourages information sharing between the public and private sectors is the CPNI. Mark Oram, head of threat and information security at the organisation, told ZDNet UK that it is possible to get companies to exchange information about attacks, but that it was necessary to use incremental steps so they gain trust in one another.

CPNI uses a series of 'information exchanges', or groups of businesses divided by sector, that share information. "Getting everybody in a room sharing information is a success, but it takes quite some time," said Oram.

The next step, taking that information and sharing it within companies, can sometimes be a problem, he added.

"We're not necessarily dealing with the entire company," said Oram. "Some people will take the information, but then not share it more widely. There's always a concern that if they share the information around, it might make the press, and they will be held responsible."

Paul Hoare, head of operations and e-crime senior manager for Soca, told ZDNet UK that while there have been successes with businesses sharing information with the police, the data held by law enforcement agencies is still disparate.

"There are some gaps, with lack of cybercrime reporting platforms in place," said Hoare.

While Soca has industry exchange, with specific managers to liaise with business, and the PCeU and City of London police also talk to business about cybercrime, fraud reporting could still be better, he added.