The UK’s National Crime Agency (NCA) has recently published its Cyber Crime Assessment 2016, highlighting the enormous amount of cyber-attacks targeting the UK. Unsurprisingly, the report says, “A cyber attack that poses an existential threat to one or more major UK businesses is a realistic possibility.” Over the past twelve months, over 2.46 million incidents were reported, including 700,000 cases of fraud, all originating from just a few hundred criminal gangs. The volume of attacks endangering UK businesses is staggering – and we’ve certainly not seen statistics like this in Australia. So, does this mean the threat we face here at home is a lot less? If we look at the threat actors, it’s the same selection of Russian, Chinese, European and American cybercriminals who are perpetrating the majority of the world’s cybercrime. These organised criminal gangs are the most successful and well-funded cybercrime operations on the planet, all of which are threatening Australian businesses just as much as they would threaten any other nations. Nevertheless, it’s our government’s response to the threat that I find the most interesting. The NCA says the UK government will spend £1.9bn (approx. $3.5bn AUD) over the next five years to help bolster the nation’s cyber-defences. Prime Minister Turnbull has pledged $33 million AUD in the recent launch of Australia’s Cyber Security Strategy to address the problem here at home. That’s less than 1% of the UK’s budget to fight exactly the same threat. Furthermore, the majority of the Australian budget will be used to swell the ranks within government departments, such as ASD, as well as to move the ACSC into new accommodation, so the investment left to improve our nation’s defences and create a “Cyber Secure Nation” is somewhat unimpressive.
The existential threat referenced by the NCA is also mentioned in the ACSC’s Cyber Security Survey (https://www.acsc.gov.au/publications/ACSC_CERT_Cyber_Security_Survey_2015.pdf) (albeit a year old). The ACSC recognises that, “the cyber threat facing Australia is undeniable and unrelenting.” In the period covered by the ACSC’s survey (2014-2015) CERT Australia was called in to deal with 11,733 cyber security incidents affecting Australian businesses, of which 218 were related to attacks on national critical infrastructure and government systems. Compared to the 2.46 million incidents in the UK this seems like a much smaller problem, but we know that under-reporting is a massive issue everywhere, so these numbers need to be considered as a mere fraction of the real attacks, so the threat is real and persistent.
The NCA says that under-reporting of cyber-related incidents is prohibiting them from understanding the full extent of cybercrime in the UK. This has a knock on effect of hampering law enforcement agencies in being prepared to counter the threat, since there is still not enough information on the operating models the cyber criminals use. Unlike Australia, the UK has had mandatory data breach notification laws in place for many years, so it’s little wonder why under-reporting is even more of an issue here.
We know that here in Australia under-reporting is a massive problem, which is why the ACORN website (https://www.acorn.gov.au) was set up by the AFP as a national policing initiative of all states and territories to allows anyone to securely report instances of cybercrime. With the statistics gathered through ACORN, the government can then decide just how real the problem is, and hopefully invest enough money to start allowing our law enforcement agencies to tackle some of these big, international issues.
Who are the bad guys?
Russia is home to some of the most successful organised cybercrime groups. Some reports suggest their aptitude for cybercrime stems from the cold war, with ex-KGB spies now commercialising their tradecraft for black market profit. The so-called Russian Business Network (RBN) has shown incredible resilience to international law enforcement attempts to take it offline. Journalist, Brian Krebs’s account of the RBN in his book, Spam Nation, (http://krebsonsecurity.com/tag/russian-business-network/) is an eye opening account of just how corrupt Russia is and how it shows just how Russian cybercrime groups continue to profit. If you want to know more about Russian cybercriminals, read Krebs’s book.
A variety of very capable cybercrime organisations also operate out of Africa. Ghana and Nigeria are the two biggest hacking exporters, with Ghana being extremely advanced in terms of its technical capability. Nigeria on the other hand is not as technologically advanced as Ghana, but is certainly rife with cybercriminals looking to target Western countries. The so-called Nigerian 419 scams have been in the press many times before, but the origin of this comes from the Nigerian criminal code, where it reads, “any person who by any false pretence, and with intent to defraud, obtains from any other person anything capable of being stolen, or induces any other person to deliver to any person anything capable of being stolen, is guilty of a felony, and is liable to imprisonment for three years.” For more details on the extent of Nigerian scams, take a look here (http://www.geektime.com/2014/07/21/millions-of-victims-lost-12-7b-last-year-falling-for-nigerian-scams/).
The last aspect of cybercrime worth looking at, from the perspective of the threat actors, is the state-sponsored attacks originating from China. Unlike the previously mentioned Russian and African cybercrime gangs, much of the hacking undertaken from China has a state-based economic intent, with links to both industrial and international espionage. In 2015, for example, it is believed by the Federal Bureau of Investigation that the Chinese government was behind the massive attack on the US Office of Personnel Management. This attack saw the perpetrators make off with over 21.5 million U.S. government workers’ records, including 5.6 million fingerprint records. The Government Standard Form 86 was the basis of what was stolen, which is the form used for government clearance applications. Each record comprised of a complete historical record of the employee’s life: friends, family, run-ins with the law, sexual preferences, history of drug or alcohol abuse, medical conditions, as well as copies of every kind of identification document the employee owned. This is a true treasure trove of information for both cybercriminals, from the perspective of ID theft, as well as from the perspective of international espionage. Clearance details for staff with up to and including access to TOP SECRET information was taken. This problem will affect the U.S. government for the next 30 years, until all those people have retired and can no longer pose a threat to national security.
Fighting Back at Cybercrime
In the 2015 Strategic Defence and Security Review, the UK Government made building cyber defences a Tier 1 priority, doubling the investment from previous years. This included building a National Cyber Security Centre to perform a similar function to that of the ACSC, along with myriad support for businesses, including two new innovation centres to support talent and drive growth. The Australian Cyber Security Strategy also shows that Australia is raising the bar in an attempt to fend off this global scourge, albeit with limited funding. However, is there more that can be done?
The reality is that individuals and corporations need to assume that their systems have already been compromised. Only then will industry and government’s focus be on protecting the national infrastructure we all rely on. There is no easy way to combat cybercrime and it’s as much about educating individuals as it is about putting in technical controls, such as firewalls, IPS’s and content checkers. People are usually the weakest link in the chain, so unless we educate people not to click on the links they receive from the Russian spammers or the Chinese spies, we’ll always be acting on the defensive.
Adopt a security framework and make sure it’s been operationalised rather than just documenting a lot of processes that are ignored until audit time comes around. ISO 27001 is a good place to start, since it’s an international standard and one that’s well respected and widely adopted. But don’t stop there – you need to make sure that your staff are living and breathing security in their everyday activities. It just takes one slip of attention, one double click while running on autopilot after lunch, for your whole organisation to be compromised, so regular, immersive training and awareness programmes are needed, with cyber drills showing staff what can go wrong and just how easy it is for them to be the weak point in the company.