Aggressive bytes: Collateral damage of cyber crime

“Military websites under attack from US hackers,” heralded the Chinese Shanghai Daily on March 1, 2013. Yet during the preceding months, the American press had been full of the opposite view, reporting how China’s People’s Liberation Army had hacked into American servers. US cyber-security firm Mandiant claims that during the past six years, the Chinese military has stolen data from 115 companies within the US. The alleged attacks ranged from information technology and telecommunications to aerospace and energy.

“Computers have turned into the new weapon of choice when it comes to industrial espionage,” says Alana Maurushat, academic co-director of the Cyberspace Law and Policy Centre at the University of New South Wales.

Indeed, Australia’s 2012 Cyber Crime and Security Survey shows that more than 20% of the surveyed 255 organisations in the Australian energy, defence, communications, banking and water sectors reported a “cyber incident”. One business reported the theft of 15 years’ worth of critical data. Of the organisations aware of having experienced cyber incidents, 17% suffered from loss of proprietary information, 16% encountered a denial-of-service attack, and 10% financial fraud.

But Maurushat recommends a healthy disrespect for the statistics. “There is no reliable data,” she says. “For example, Australian banks do not have to report the theft of credit card information, so the known numbers are probably too low. The same goes for identity theft, where many victims either do not know or do not report that they have been hacked. [But the] problem is definitely escalating.”

The World Economic Forum estimates that during the coming decade the probability of cyber crime causing a major global breakdown of critical infrastructure costing more than US$250 billion is about 10%. Already an online survey conducted by the European Commission has found that 57% of responding companies had experienced incidents during the previous year with serious impact on their business.

Spurred on by such warnings, Prime Minister Julia Gillard announced in January that Canberra would create a cyber security centre to work with businesses. It will be established this year, bringing together experts from CERT Australia, the Defence Signals Directorate, the Defence Intelligence Organisation, the Australian Security Intelligence Organisation, the Federal Police and the Crime Commission.

A global concern

Neelie Kroes, the European Commission vice-president responsible for the digital agenda, and Cecilia Malmström, commissioner for home affairs, have suggested similar measures for the European Union (EU). Their proposal would require all EU countries to establish an authority to monitor online security. All companies would have to notify authorities of “incidents with a significant impact” on services. Railways, airlines, transport hubs, utilities, hospitals, banks and IT companies would be covered by the new law.

According to The Wall Street Journal, the proposal would have an impact on 40,000 organisations, including foreign companies with European subsidiaries, such as Google, Facebook and Twitter. In the US, a White House cyber-security executive order followed suit with the most comprehensive plan to date for confronting electronic attacks on America’s computers. Among other things, the initiative instructs intelligence agencies to share information on possible threats with companies considered vital to the US economy, in sectors such as transportation and banking.

In Australia’s 2012 Cyber Crime and Security Survey, Attorney-General Mark Dreyfus says “cyber attacks have shifted from being indiscriminate and random to being more co-ordinated and targeted for financial gain”. Attempting to thwart attacks is expensive. The Crime Commission’s most recent figures refer to 2008, when victims estimated the cost of e-protection for their Australian companies was up to A$1.95 billion.

At the European Commission, Kroes estimates the damage from cyber crime for business worldwide at about US$1 trillion annually. Not only commercial enterprises, but also individuals suffer, too. According to cyber security firm Symantec’s latest annual Norton Cybercrime Report, the direct costs for citizens associated with consumer cyber crime during the year leading to September 2012 amounted to US$110 billion globally.

Protective measures

When asked if their organisation had increased expenditure on IT security during the previous 12 months, only 52% of Australian respondents affirmed, indicating that the other half of the participating organisations were just hoping for the best. Comparable statistics from Europe suggest that only 26% of all companies in the EU have proper security mechanisms.

The cost of protection is high, but Kroes believes the only thing more expensive than acting on cyber security is “the cost of not acting”. She refers to the Dutch certificate authority DigiNotar: in September 2011 it became clear that a security breach had caused the issuing of fraudulent certificates. Consequently, organisations would no longer buy DigiNotar’s legitimate certificates and the company went bust.

So, what can be done? Maurushat argues for political and economic initiatives to create central authorities and laws mandating that specific corporations report breaches. “Defence needs shared intelligence,” she says, while pointing out that the IT industry needs to lift its game. Contrary to the constraints of other manufacturers, software companies are not liable for poor product quality.

“Software is sold without guarantees and is often atrociously insecure. Developers work under time and capital restrictions and need to have a product on the market quickly [and] security is often not high on their agenda,” says Maurushat. To have a fighting chance against cyber crime, “first of all, software producers should become liable for product quality”.

Maurushat also favours a public education campaign: “Most people have no idea how to secure their own systems. Currently the situation resembles a car with no doors where the owner has left the keys in the ignition. No wonder such a ride gets stolen.”

A dangerous complacency

Maurushat has little patience with companies that don’t do proper risk analysis. “Any intellectual property needs protecting, otherwise you might wake up one day to see competitors abroad working your customer base with your know-how, data or the development of your product under a different brand name,” she says.

Ken Gamble, executive chairman of cyber-detective firm Internet Fraud Watchdog, deals with such disasters every day. He and his team were employed to shut down a young hacker who was illegally broadcasting NRL games. They also helped a public school in New South Wales when it was attacked by Russian cyber-thugs who had locked the school’s data, demanding a ransom to unlock it.

But most of Gamble’s clients are multinationals, and since they don’t want to see their vulnerability reported in the papers they make Gamble sign non-disclosure agreements. He regards the biggest problem to be the human factor. “Even if corporations make a strong stand, some of their staff may be lax about procedures. It’s human nature: if we have never been victims before, we become complacent,” he says.

Gamble’s advice for business: “If you are big enough, hire your own in-house IT expert for security. If the business is too small for that and you outsource your IT, make sure you have tight controls over security. Do regular vulnerability assessments and penetration tests. Use encryption software and force your employees to use complex passwords.”

Gamble also feels that “Australia has some of the highest numbers of cyber crime incidents in the world”. The country really needs to step up to the challenge, he says, and points to Thailand, where already about 200 police detectives work in cyber crime units with about 800 more to be hired during the coming five years.

“Just for comparison, in all of NSW we have about 12 detectives working in cyber crime and even less in several other states.”