Big cyberattacks in Britain tend to come in clusters after a long absence. And so, in honour of the principle that a crisis should never be wasted, the events at Marks & Spencer, the Co-op, and Harrods make it a good time to face up to two big questions about how we tackle the scourge of cybercrime.

The first is how we deal with the fact that cybercrime breaks our traditional model of policing. If you’re the victim of a crime in this country, you have two reasonable expectations of the police. One is that you will be treated seriously and sympathetically. The other is that they will pursue the perpetrators with a decent prospect of bringing them to justice. This model is already under strain — complaints about police failure to pursue burglaries and bike thefts are legion. But these are things the government could address if it wanted to, at least in theory.

This is not the case with cybercrime, and the statistics reveal why. British businesses are estimated in government figures to have suffered 8.6 million cyberattacks in the past year. The Global Anti-Scam Alliance estimated that one in seven adult Britons suffered cyber-enabled fraud last year. In extreme cases, such as that of Colin Chudley, reported in The Sunday Times last week, people can have their savings wiped and their lives ruined.

Colin Chudley, left, lost his £260,000 life savings to a scam

So while it’s easy to assert that the problem is police resourcing — campaigners point out that fraud covers 40 per cent of crime but 2 per cent of police budgets — there is simply no way policing can be scaled up to pursue these as individual cases.

This would be true even if all of the attacks were coming from the UK, but the overwhelming majority aren’t. When University of Oxford researchers published the first significant study of the geography of cybercrime last year, no one was surprised to see Russia in first place, the source of about three quarters of ransomware. In the next tier came China, Belarus, Nigeria and the United States. Most of these are not places where we expect much in the way of law enforcement co-operation. Russia’s constitution prohibits the extradition of its citizens.

To the credit of our police, little serious cybercrime is carried out from British territory. But, for the first time in human history, great harm can be done to the UK without perpetrators setting foot on our soil or that of an ally. Unusually, though, the hackers of Britain’s retail giants appear to be native speakers of English; the cybersecurity rumour mill is linking them to a transatlantic criminal group. But even if this episode ends with that most unusual of outcomes, a serious cybercriminal in a UK jail, it would be wrong to expect that very often.

What can we do about it?

It’s depressing but necessary to concede that cybercrime breaks our policing model, so law enforcement are thinking and acting differently. Last year, the National Crime Agency led a superb multinational operation to “hack back” and take down the digital capabilities of the so-called LockBit group, the biggest criminal gang in Russia. None of the ringleaders were arrested, and they probably never will be. But the criminals’ enterprise took a serious knock. More of this, please.

But we also need to protect the digital homeland better through innovation. In Australia, for example, the bank Westpac and phone network Optus make it easier to spot fraudulent calls. When you get a call from Westpac, your phone says the message is verified by Optus and tells you what the bank wants to discuss. Customers are told to ignore any communication that doesn’t look like this.

We also need to incentivise different sectors to do their bit, from tech and telecoms companies to financial institutions and private citizens. Some of this is about education and awareness. Some of it is about technical improvements, such as greater use of automated blocking. But a lot of it is about liability for who pays when things go wrong. Banks have a point when they grumble that nearly all of the risk and responsibility lies with them, while tech companies can walk away. We could also — finally — ban the payment of cyber-ransom.

The second big problem

Expecting too much of the police isn’t the only mistake we are making. Far too often, we are defending against the wrong sort of crime.

There are broadly three consequences of cybercrime. One is people scammed out of money. Another is the loss of personal data. Then there’s the disruption of important or even essential services. In terms of the duties placed on our companies, public authorities and charities, the most heavily regulated and punished, by some distance, is personal data. But in terms of damage done, this is usually the least important.

Many data breaches contain little usable information. In the Co-op attack it was members’ names, home addresses and emails – a 21st-century version of the old-school telephone directory. Other than being on the lookout for slightly more convincing scams that draw on the knowledge that they’re a Co-op member or M&S account holder, none of the millions of Britons who have been getting breach notifications should worry.

Every organisation should take sensible steps to protect the personal data it holds, of course. And some data, such as healthcare records, are more sensitive, although criminal threats to “publish” stolen data are largely bluff because no one on the open web will publish it.

Our real vulnerability

What should really concern us about recent events is not so much the loss of personal data but the ability of unknown criminals to take M&S, one of the country’s most iconic brands, largely offline. This is a playbook which could be used not just by other criminals but by hostile states — at great scale — in a time of crisis. Recall south London’s hospitals last June, when blood testing services went offline and some 2,000 operations were cancelled. It’s this type of attack, disruptive to the point of dangerous, that is our real vulnerability.

Encouragingly, there are signs that the government understands this. Legislation pledged for this year will shift our national cyberdefence priorities away from the obsession with personal data and towards making the fabric of our national life more resilient. The government should ignore the temptation to try to police our way out of the problem, and the noise about relatively unimportant bits of data, and get its bill to parliament as quickly as possible.

Ciaran Martin teaches at the University of Oxford and was the founding chief executive of the National Cyber Security Centre at GCHQ