UK battles to defeat cyber crime

Hackers costs the economy £27bn a year, but companies are fighting back. By Mark Leftly
  • @MLeftly

A team of 10 computing experts must tackle half a billion possible cyber attacks made on their employer, a large multinational, every day. They are overrun.

A system developed by Detica, a unit of BAE Systems with a £300m turnover, helps them prioritise the 81 most significant threats that day. There are 17 suspicious-looking emails, inviting staff to an "exclusive event" or to look at a contact list. Another, from one Fraser Anderson, reached five staff members. Two opened the email that was ostensibly describing a conference in Seattle.

Detica's software instantly traces the computers this email has been through, forming what looks like a molecular structure on a huge flat-screen monitor. Hackers, or at least their bug, seem to be lurking in an employee's recycle bin, where they can access the company's network.

"Forever, you've had nations competing for economic advantage," says Martin Sutherland, Detica's managing director. "Cyber is just a new medium. It's the same with organised crime: the days of walking into a bank with a sawn-off shotgun and stocking over your head are done."

Google, BP and Mitsubishi are among the big corporates that have suffered cyber attacks in recent years, as rivals and even state-backed hackers look to gain that "economic advantage". Just last month, 32,000 computers in South Korean banks and TV stations were disabled by attacks that originated from an address in China.

Britain opened an anti-cyber threat centre last Wednesday where business and Government can share information. Coincidentally, that day saw the biggest cyber attack in history, which slowed down the entire internet. The situation was likened to a series of digital "nuclear bombs" being detonated online.

The Cabinet Office has estimated cyber crime costs the UK economy £27bn. Business is the main loser as it bears £21bn of that, though government and charities are also targeted.

Typically, a hacker will send an email to board-level directors, as they have access to commercially sensitive parts of the company's network. As it is not noticeably different from the norm, the director opens the email. The hacker is then buried into the IT system, hiding in nooks and crannies for perhaps as long as four years, discreetly accessing vital information.

The big banks are hit by criminal gangs with a plot that is fiendishly difficult to spot. Hundreds of accounts are created online, and money is transferred between them, building up a credit history that is strong enough to successfully apply for large loans. The credit is withdrawn, never to be repaid – the registered account holders having been fictional creations. Banks receive complaints from only one in 10 of the suspect accounts they close down, that being the small minority to have turned out to be legitimate.

Ross Parsell, the director of cyber security at Thales UK, says that he's seen a "70 per cent increase in interest, conversations" with potential clients about better protecting their systems over the past 18 months.

He adds: "The difference now is that attacks are being reported more. It used to be that a bank wouldn't mention it out of fear that customers would put their money elsewhere."

As institutions become more prepared to talk about cyber attacks, it could well turn out that the cost put on this crime has, as the Cabinet Office concedes, been underestimated.