Why crooks won't be doing time for cybercrime

How the UK is taking the fight to the cybercriminals instead...
Written by Nick Heath, Contributor


Imagine reporting a crime only to be told that locking up crooks was no longer a priority for the police.

Then to be informed that the boys in blue are instead focusing on just making life difficult for the criminals - slashing their car tyres and occasionally breaking their legs for good measure.

You'd be best off, a fictional officer tells you, battening down your windows and fitting CCTV to deter the crooks from coming back.

Sounds bizarre, but in crude terms that is the approach security minister Baroness Pauline Neville-Jones said the UK is taking to combat cybercrime - a problem that costs the country £27bn per year, according to the government.

Neville-Jones said cybercrime is one type of law-breaking where prosecution is not the answer.

"The prosecution figures are dwarfed by the activity itself. It is an area where we need to increase our resources but I do not believe that [the answer to] successfully combating this... is going to lie with law enforcement," she said in a briefing at the Home Office on Thursday.

The government's focus will initially be to work with industry to shore up defences against cybercrime - particularly IP theft and industrial espionage, which government figures say account for £16.8bn of the annual losses.

And it won't all be passive - law enforcement and the security services in this country will hit back, Neville-Jones implied, turning the tools of the cybercriminal back on themselves and presumably using methods such as DDoS attacks to cut off their internet access and malware to scramble their systems.

The UK is taking the fight to the criminals on cybercrime, which the government says costs the country £27bn annually

Photo: Shutterstock

"I think [the key to tackling cybercrime] is going to be through much better defences and disruption - for example, screwing up their network. Much as the intruder can screw up the company network, the reverse can happen," said Neville-Jones.

The decision not to make locking up cybercriminals the main focus of UK computer crime-fighting policy is a reflection of the time and resources it takes to track down and prosecute those responsible.

Unpicking global cybercrime networks requires police to track the attack back to its source across a web of computers or money transfers. Even then, the laws in the host country may make it difficult or impossible to prosecute the culprit.

Cost of cracking down on cybercrime

Graham Cluley, senior technology consultant with security firm Sophos, said: "Cracking down on these gangs is expensive and time-consuming. They are situated around the world, which means police are working with their partners in different time zones, with different languages and different legal systems.

"Also, criminals are not using their own computers to launch these attacks - most of them use other people's computers that are compromised, and investigators can be playing a game of leap-frog around the world trying to track the gangs down."

Cybercriminals are aware how difficult it is for international law enforcement to prosecute them, Neville-Jones said, which makes it such an appealing illegal enterprise.

"The reason it is so attractive is because they are fearless, because they do not believe they are going to get caught," she said.

Other stats bear out the contention that law enforcement is not significantly hampering the growth of cybercrime. Despite the growth of international investment in tackling cybercrime, a report by professional services firm PwC last year found that the annual cost of cybercrime stood at £10bn, more than double its estimated cost in 2008.

Britain's approach to tackling cybercrime is a tacit acknowledgement that - given the existing legal and technical challenges - focusing on prosecuting cybercriminals is not good value for money, and does not act as a sufficient deterrent.

Neville-Jones said the approach is about making cybercrime less appealing, both by making it harder to penetrate corporate systems and by disrupting criminal operations. She drew a parallel with the disruptive model used to tackle terrorism, where she said, "if we relied [solely] on prosecution we would have lots of incidents".

Despite the difficulties in bringing cybercriminals to justice, Sophos' Cluley said enforcement must not be allowed to drop too far down the priority list, to avoid a situation where the UK is "building better bike locks but not prosecuting bike thieves".

The government is working to build those better bike locks - setting up a forum with businesses to form a "strategic and operational" partnership. A meeting was held at 10 Downing Street to discuss the plans with companies including BAE Systems, Barclays, British Airways, GlaxoSmithKline, HSBC, Symantec and Tesco on Monday.

Neville-Jones stressed that the government would work with businesses to ensure they had the right technical staff and the right intrusion-detection, firewall and other security technologies to spot when their systems came under cyber attack.

What's in a number?

Then there is the £27bn government estimate for the annual cost of cybercrime - a figure that is almost twice the £13.9bn cost of drug-related crime and far in excess of the £12bn that physical crime costs UK industry, according to a 2008 survey by the British Chambers of Commerce.

The total figure covers £21bn from losses suffered by businesses, £3.1bn by citizens and £2.2bn by government, the Office of Cyber Security and Information Assurance (Ocsia) said in a report published on Thursday.

The figures from the report, produced by Ocsia and security company Detica, mark the first time the government has made a public estimate of cybercrime costs.

But one of the major problems with the figure, Neville-Jones revealed in a Home Office briefing, is that businesses often do not report cybercrime for fear of flagging up weaknesses in their IT systems or damaging their corporate reputation.

"One of the issues is that the information base is poor and that we need to flesh it out over time. The figures you are getting today are estimates. They might, over time, change as we get better informed," she said.

Detica said the figures were put together based on national statistics, publicly available figures and its own experience of dealing with cybercrime.

Vested interest in raising alarm over cybercrime?

Sophos' Cluley questioned the value of the figures in the report: "I feel very uncomfortable when a security company is being called on to say how large a problem cybercrime is," adding that there needs to be a report into the issue by a body independent of the IT security industry and its vested interest in raising alarm.

Another point is that, when compiling research for the £27bn cost report, Detica made no distinction between who was carrying out attacks. This stance was justified by the firm's CEO, Martin Sutherland, who said the cost and risk of a successful attack remains the same no matter who the perpetrator is.

For instance, when it comes to IP theft, the report does not distinguish between state-sponsored IP theft, people stealing company secrets and people illegally downloading movies they don't own from the internet.

But having insight into who is carrying out the attacks and their intention would surely be useful to law enforcement and security services in guiding how best to defend against these kinds of attacks.

And if the £27bn is correct, it suggests a massive disparity between the £650m the government has pledged to tackling cyber attacks over the next four years and the economic damage cybercrime is already wreaking on the UK economy.

So either the best figures we have to base our policing response to cybercrime are off kilter, or the cost of cybercrime is 40 times greater than the government investment in fighting it. And on top of that, it's so difficult to catch cybercriminals that the government's main focus is not locking them up.

When it comes to fighting cybercrime, the landscape is still littered with "known unknowns" - not least of which are how much it costs the UK, who is responsible for it and what is the best way to stop it?
