It should be mandatory for banks and businesses to report cyber-attacks against them to the police first, according to a committee of UK Members of Parliament (MPs), who also want to see tougher UK punishment for distributed denial of service (DDoS) ransom attempts and for data theft carried out for fraudulent purposes. More public disclosure is also being called for, in line with the mandatory data breach reporting laws that originated in California, US, and are now seen elsewhere around the world. The same level of openness is now expected from corporate cyber-attack victims.
At the moment, UK banks share data about fraud via the Payments Council and Cifas, which lets the level of fraud be reported and trends be tracked, but there is no obligation to inform the police of attacks, and reputational damage is avoided because the reporting is anonymous.
The House of Commons Home Affairs Select Committee’s cyber-crime report wants to do away with this cosy arrangement because it believes it leads to significant under-reporting of the cyber-crime problem in the UK. The committee went as far as to recommend that the government “publicly distances itself” from a cyber-crime report commissioned by the Cabinet Office and produced by Detica, which estimates the cost of online criminality at ‘only’ £27bn.
The call for police reporting as the first step in cases of cyber-crime is a return to the common pre-2005 practice in the UK. Interestingly, reported fraud figures have fallen significantly since that change.
Market Reaction and News Analysis
The MPs’ proposal has not been welcomed by the Confederation of British Industry (CBI), however, which said that businesses should concentrate on fighting off cyber-attacks first, rather than worrying about police reporting procedures. According to Matthew Fell, CBI sector director: “Mandatory reporting would also risk cyber security becoming a tick-box regulatory requirement and stifle business-to-business (B2B) information-sharing.”
The Home Affairs Select Committee’s dismissal of the relatively small £27bn cyber-crime cost figure produced by Detica was supported by Gary McIlraith, chief executive officer (CEO) at brand protection firm NetNames, who believes the real business cost is more than £80bn annually. “Although it’s certainly good news to see governments and regulators taking steps to combat cyber-criminals, businesses do need to take matters into their own hands,” he stated, emphasising that the battle against international cyber-phishing, domain name infringements, online counterfeiting and DDoS attacks, among much else, should be a priority for any firm that is online, regardless of whether it has to report incidents to the police first.
“One thing remains clear: the internet and its eight billion pages is a vast vacuum with no government or regulator able to truly impose its authority,” concluded McIlraith.
Waking Up To The Reality of E-crime
Pat Carroll, CEO at the information security firm ValidSoft, pointed out that the Home Affairs Select Committee report had made a clear call to action to tackle online fraud in the UK. “In particular, the Committee are calling for banks to wake up to the reality of online crime, and are pushing for them to report all instances of e-fraud to the police.
“Beyond reporting online crime and uncovering and persecuting the criminals hiding in cyberspace, surely it is now time for financial institutions (FIs) to step up and utilise effective security systems that can protect against this type of fraud occurring in the first place.
“The key to this security lies in real-time detection, prevention and immediate resolution of fraudulent activity,” continues Carroll. “Technology is available today to absolutely achieve this, in real-time, totally privacy sensitive, highly secure and yet intuitive from a customer standpoint. In fact, in many cases the customer is not even aware that security is being applied as many of the techniques used are completely invisible. The answer is robust customer authentication and transaction verification, relative to the bank’s perceived risk of the transaction. It must have speed (real-time), strong security, efficiency, good customer service and ease of use, while shutting down the scope for fraudsters to benefit from their crime.”
Lessons could certainly be learnt from the gaming industry in this regard, where real-time, dynamic pattern-spotting behavioural software is commonplace.
Cyber-criminals to be treated the same as real-world ones?
The cross-party Parliamentary Committee also pointed out that the Computer Misuse Act 1990 was not working as it should, with many crimes misrepresented in the records, which adds to the under-reporting problem. For instance, DDoS attacks are charged as extortion if blackmail rather than hacktivist intentions are proved, but the technology aspect may not be properly accounted for. “Phishing attacks could also be recorded as fraud or money laundering,” added the report.
The MPs concluded their wide-ranging investigation into the cyber-crime arena by suggesting that the UK government review its sentencing guidelines to ensure e-criminals receive the same sentences as a bank robber would for physically stealing cash. “We were surprised Anonymous hackers, who cost PayPal over £3.5m, were given sentences of seven and 18 months and do not believe they would have received such sentences had they physically robbed a bank,” reasoned the MPs.
Anonymous, of course, would argue that its action in that particular case was political, intended to support WikiLeaks founder Julian Assange after PayPal withdrew support from his website following Bradley Manning’s revelations. Therein lies the debate among certain communities of techies over what is criminality and what is hacktivism, but there is no doubt that the issue of online crime has rarely been higher in public and political consciousness.