Maintaining control in an age of cyber crime
IFSEC International returns to London’s ExCeL Centre on 21-23 June for Europe’s largest security exhibition. Here, IFSEC Global explores how criminal gangs are abandoning traditional crimes in favour of cyber crime.
The expression ‘crime doesn’t pay’ isn’t exactly entirely true. It needs a caveat: ‘unless you get away with it’. And let’s face it, lots of people get away with it.
But not as often as they used to, perhaps, when you consider the dramatic advancements in crime-fighting methods and technologies over recent years and decades.
Take CCTV, for instance, with more than 1.85 million surveillance cameras now watching over UK streets and businesses (and we published a debate on the influence of CCTV in falling crime last year).
For a long time, of course, criminals could be confident that any grainy footage captured would likely be inadmissible in court. Not anymore. Not only can the latest surveillance cameras match high-end 4K televisions for image quality and latency, but video analytics platforms have given control-room operators an unprecedented ability to identify, track and zoom in on suspicious persons.
Meanwhile, developments in forensic science mean that even the most careful of criminals have been convicted based on a single hair or skin cell. And it’s easier than ever before for security services to track suspects’ activities through their digital footprint, whether via social media, Google maps or – as was the case with one suspect in the Hatton Garden Raid – use of an Oyster card.
Such factors, along with many others like improvements in home security, go a long way to explain the 60 per cent drop in recorded UK crime since a 1995 post-war peak and similar trends across the Western world for the past 30 years (although the causes are hotly disputed, with changes in crime reporting, changes in demographics and – most bizarrely – the legalisation of abortion in the 1970s also being blamed).
Certain crimes have all but disappeared. The bank heist, a staple of movie scripts, is almost a thing of the past.
The Hatton Garden raid attracted so many headlines in part because it was such a novelty.
And who now hears of ‘joy riders’? But if advances in automotive security have seen car thefts fall from 400,000 a year in 1997 to 86,000 in 2012 then criminals could soon harness technology themselves to wrest control of modern cars – while their owners are driving. Cyber crimes like these were added to the official crime statistics for the first time this year, triggering a doubling of the annual crime rate to more than 11.6 million offences.
Did crime, taken as a whole, ever really fall as much as it seemed? It’s perhaps a bit of a stretch to suggest the rise of cyber crime can solely account for the entire decline post‑1995, when the internet was in its infancy. But it doesn’t seem unreasonable to surmise that many criminals will consider cyber crime both more lucrative and less risky than traditional, physical crimes. Some crime may simply be displaced from the physical to the virtual world.
A view on crime change
We asked a number of experts whether advances in physical security and the huge widespread vulnerabilities in IT networks were persuading criminals to migrate, at least partially, from armed robbery, drug smuggling and the like to data hacking and other forms of cyber crime.
Paul Stokes, chief operating officer at Wynyard Group, said: “Recent research from Cambridge University shows a large number of convicted cyber criminals have records for traditional offences such as theft and burglary. This strongly suggests that traditional criminals are changing their behaviour and moving to the internet for their next targets.
“From grooming children to financial fraud, cyber crime is increasingly perceived by criminal gangs as a lower risk and higher reward type of offending. Financial gains from cyber crime could be immense. And gangs can commit this type of crime to any organisation or individual, all from the comfort of their own homes.
“Take criminal attacks on banks as an example: armed robbers breaking into a branch to raid for cash have become very rare. The reality now is that theft is largely undertaken by sophisticated hackers breaking into banks’ digital channels to siphon off huge amounts of money and steal valuable customer data.
“As criminals move online businesses need to shift their approach to focus more on protecting their digital assets. Understanding changing criminal behaviours and having the capability to detect anomalies within your network are going to be key.”
Understanding the smart criminal
Phil Wood, security and resilience at Buckinghamshire New University, said: “The technology that we rely on also offers gaps that can be exploited and gives organised criminals real opportunities. Felson and Cohen’s Routine Activity Theory in criminology says there are three components that can conjoin in time and space to allow a crime to take place: a suitable target, a likely offender and the absence of a capable guardian.
“IT systems offer all of these components while technological advances in security access control, detection and alarm systems make the act of entering a building and stealing assets much more challenging. The smart criminal (and they are) will expend their efforts on softer targets that cyber gaps offer. And as we continue to use IT and mobile systems, they will increasingly target us for identities and money. It is the easy route to riches and there is no softer target.”
Julia McCarron, operations director, Advent IM, shared her views, commenting that: “It would be difficult to state that there is a definite correlation between any perceived fall in ‘traditional’ or physical crime in favour of cyber crime. However, there are some valuable points to be made.
“The Europol IOCTA findings (Organised Crime study) pointed to the rise of CaaS or Crime as a Service and the high levels of organised crime gangs using cyber crime such as phishing to fund other illegal activities.
The Deepnet has been abused into service for this purpose too, along with crypto‑currencies like Bitcoin. In practical terms, the prison sentence for walking into a bank with a weapon and marching off with the contents of the vault is significantly higher than for defrauding a bank or it’s customers via the internet, so this will naturally have a greater criminal appeal. More Geeky Blinder than Peaky Blinders?”
Newer forms, newer skills
Guy Bunker, senior vice president of Clearswift, stated: “The skills required for cyber crime activity are very different to the more usual criminal activity. However, there are now multiple cyber-crime ‘kits’ available which means that almost anyone can mount a cyber attack. And what’s more, you can mount the attack from your armchair, virtually anywhere in the world – rather than having to physically be there.
“Of course, mounting the attack and then ‘fencing’ the goods are two different things. Understanding the value of the information and who to sell it to, or where to go to sell it, is not easy – which is why we are seeing more ransoms being requested. If you don’t know who to sell it to, then sell it back to the organisation with the demand that if they don’t, it will be posted online.
“Furthermore cyber attacks are not just about money, there are now attacks aimed at damaging a business’s reputation as well. In this case, there isn’t anything to sell per se. Organisations need to be aware if this, even if they don’t think they have anything worth stealing. They also need to be aware of the fairly low level of entry into the cyber attack world, given the ‘commercially’ available packages enabling anyone to mount an attack. Protecting critical information needs to be their top priority.”
This opinion was echoed by John Flatley, head of crime for the Office of National Statistics. He said: “It has been argued that crime has not actually fallen but changed, moving to newer forms of crime not captured by the survey. Clearly some crime has moved online but this should be seen in the context of the long-term fall in traditional crime.
It can be difficult for organisations and individuals to understand what a cyber threat may look like. The reality is that ‘cyber’ is just another opportunity route for plain old criminal activity.”
Finally, Paul Rogers, president and CEO of Wurldtech Security Technologies Inc., and general manager of Industrial Cyber Security for General Electric Company (GE), remarked that: “As production systems become more interconnected, the exposure to network‑based cyber incidents increases, putting production, reputation and, ultimately, profits at risk. In particular, attacks on critical infrastructure such as in oil and gas, utilities, smart grid, transportation, medical facilities and others can lead to serious consequences in the economic, political, personal, public safety and privacy arenas.
“Furthermore, as operational technology (OT) leverages the benefits of the network, the threat of a successful cyber attack greatly increases with the expanded attack surface. System operators and security directors face challenges in responding to the growing number of security threats they face in today’s environment.”
IFSEC will be taking place on 21-23 June 2016 at London ExCeL, UK.