Crime is inevitably a reflection of the time in which it is committed. 'Organised crime' has existed since man first discovered the benefits of living in organised communities and the target for such criminal activity has been where vulnerability in the protection is perceived. In the 19th and 20th Centuries, the physical movement of money or bullion was an essential element in greasing the wheels of economic activity. Money was, in the main, well protected in major banks but more at risk when in transit.
Organised crime recognised this weakness and progressed from robbing stagecoaches a la Wells Fargo to holding up armoured bullion vans. Society, recognising this as a serious threat to commercial and economic well being, responded by the imposition of long custodial sentences. The banks responded by a huge investment in technology and physical security measures. The threat was largely obviated.
However, in the digital age in which we now live, the vast majority of global finance is conducted in the virtual world and the necessity for the physical movement of money is reduced. Cyber-criminals have responded by moving into cyberspace, where the perception is that assets are less well protected and the sentencing of perpetrators, when caught, is relatively light.
Where are we then in the ever-developing battle with organised crime? The whole basis of the digital economy is one of trust. If we lose trust in the safety of conducting business in cyberspace then the way we now conduct business could itself collapse - it certainly will not develop as quickly as it ought to, or enable us to reap the benefits. It is against this background that we must gauge not only how well we are protected but what data requires protection and, to understand that, we need to understand the threats themselves.
Everyone accepts the phrase that 'we live in the information age' - but what does that actually mean? In many ways the most valuable thing that we now possess is information in all its various facets. Whilst we cannot always put a value on information in the way we can on bullion bars, the accidental or deliberate release of information, distrust in its integrity, or its non-availability when required can have a devastating effect on business. Information, then, is perhaps the most prized and most useful asset for any organisation in the 21st century.
What, therefore, are the threats in the information age? Protecting ourselves against the 16-year-old hackers utilising downloaded tools from the internet is now not so much a problem. The computer industry looks at the same hacker sites and moves quickly to block any new tool posted on those sites. The common perception is that these 16-year-olds pose the greatest problem. Yes, they pose the most visible problem and, on a percentage basis, account for the overwhelming majority of malicious activity. But the real threat from organised crime in the digital world comes from the perpetration of fraud and the commission of commercial espionage.
Groups who feel compelled to forward their extreme agendas, whatever they may be, are also an emerging risk in the digital world as we now spot the advent of cyber terrorism. Cyber terrorism is not necessarily targeted against governments but against the components of society, the majority of which are the commercial enterprises. We are also at risk from the use of these tools by a range of activities from investigative journalists through dedicated single interest group activists to, disconcertingly, governments themselves who have been identified using their resources to obtain commercial advantage for their own industries - and yes, this has been going on within the EU.
We have to recognise that we are not well protected against the various threats, and the major problem has been in identifying how major these threats really are. The psyche of the 16-year-old hacker requires that he waves a 'digital flag' to show everyone how clever he has been. Organised crime has the opposite motivation – its perpetrators hide where they have been and what they have done, and it requires sophisticated tools to spot what is happening. Disappointingly, all the major surveys still show that the overwhelming management perception of the problem is that the major threat is from viruses and overt hacking and defacement.
Countering crime is multi-faceted and requires activity by individuals, by organisations and by the collective might of the state. Whilst the UK is not in the vanguard of nations who provide the highest level of protection, the problem at the least is better recognised than is the case with many of the nations who comprise our trading partners. However, when we consider that only four years ago only 4 of the 43 police forces in England and Wales had a computer crime capability, the Crown Prosecution Service had few personnel capable of prosecuting a crime and the judiciary by and large came from the computer illiterate age then we must realise we are only starting on a journey. That we accelerate along the path is essential for our economic prosperity.
In common with the other countries that comprise the 'first world,' the expectation of our citizens for activity provided by government expenditure greatly exceeds the willingness of those citizens to fund such activity through taxes. Our police face difficulty in providing the protection demanded by most citizens with the resources they are provided. The common cry is for safety on our streets, freedom from physical attack and protection of our homes against burglary rather than countering cyber criminality. In many ways cyber criminality is viewed as 'victimless crime;' however, it has the potential to damage our economy far more than any other single human activity.
In the area of policing, the journey has now started with the formation of the National High Tech Crime Unit that not only provides a central resource and global liaison but also has provided expertise in every England and Wales force, with Scotland and Northern Ireland developing similar skills. The resources are still insufficient for the task but we must admire the excellent start that has been made. Perhaps the biggest single barrier to providing sufficient resource is a lack of understanding of the scale of the problem. The financial industry in particular sees the problems of reputational loss far outweighing the benefit of a prosecution. Millions of pounds could be lost as a result of the adverse publicity from a successful digital fraud whereas the perpetrator may only receive a probationary sentence for a non-violent crime. There has been a significant underreporting of such crime; however, unless such crime is reported the state will never allocate sufficient resources to combat the problem. The National High Tech Crime Unit has started an important initiative to have such crime reported confidentially without the requirement for any attendant publicity.
The Crown Prosecution Service is making valiant and effective efforts to equip itself to deal with cyber crime but again suffers from underfunding and, at last, there is formal training for sections of our judiciary. Legal counsel is developing computing expertise but mainly in the civil sector where, of course, the large commercial cases increasingly demand such expertise. Computing is now the medium of business and of course is now also the medium of fraud and of mistake and error.
Investigating cyber criminality is technically complex but the jurisdictional problems provide an even greater challenge. Cyber crime occurs in cyber space and takes not one jot of notice of international boundaries. An attack may be mounted through several countries and this not only makes the evidential trail more difficult to follow but providing continuity of evidence through diverse codes of law is hugely difficult – and hugely expensive. Currently, only the most serious cases can be resourced to provide such evidence.
So, we are at last on the journey to provide collective protection against cyber criminals. However, just as our commerce and industry cannot rely on the state for protection of physical assets (security guards, barriers, gates, CCTV will always be with us), so we cannot expect the state to provide protection for us in the computing world. It will always be the primary responsibility of the Board of Directors to protect the interest of the shareholders by safeguarding the assets of the company, which now also include its information. Primary protection of the company or organisation will always be an internal responsibility.
What then are the new technologies that will comprise this protection in our brave new world? Increasingly, 'identity management' that ties the identity of the person making the keystrokes to the business that is being conducted is critical and digital certificates will play an increasingly vital part in proving such functionality. The use of the predictive power of artificial intelligence to identify malicious cyber activity not previously identified will play a role in countering fraud, in countering virus and denial of service attacks, and in countering cyber terrorism. Increasingly we understand that the majority of malicious or negligent activity is occurring within our perimeter defences. Much of the IT protection currently in the marketplace concentrates on perimeter defence but to counter the real problems we will need to concentrate on providing protection, monitoring activity and access management inside our computing networks. To identify attacks, whether external or internal, requires not segmented security but security protection integrated together and an enterprise-wide overview from a single point. Technology now exists to achieve such functionality.
Finally, there has to be a realisation that we cannot solve all the problems of the world by hardware and software alone. Integrated corporate protection requires physical security, personnel security, procedural security and IT security to be married together in the overall enterprise management of the organisation. There can never be a 100% guarantee of security but we can provide adequate security to ensure that the cost of breaking into a system is greater than the rewards of such activity. The pendulum is moving towards adequate protection but we fool ourselves if we think we have yet arrived.
This article was contributed to OUT-LAW.COM by David Love of Computer Associates. The company is exhibiting at Infosecurity Europe, Europe's largest information security event. Now in its 8th year, the show features over 200 exhibitors at London's Olympia from 29th April - 1st May 2003. See: www.infosec.co.uk