Government must invest in skills and police resources to tackle cybercrime

There aren’t enough skilled investigators to tackle the cybersecurity problem.

It is estimated that the cost of cybercrime to the UK economy is around £27 billion per year, around 2% of national GDP. Some experts suggest this is too small, excluding as it does important vectors of cybercrime such as malware.

Computer security firm Norton estimates that more than 12.5m people in the UK fall victim to cybercriminals every year – 34,246 cases each day – with an average loss of £144 each. Again, this is probably an underestimation when one considers that many people will be victims of hacks or malware without ever knowing, and so they go unreported.

A global study conducted by the UN Office of Drugs and Crime reported that cybercrime, including hacking leading to theft and fraud, occurs at rates of up to 17%, significantly higher than the rates of their conventional equivalents, at less than 5%.

Fighting cybercrime is by no means easy. The wide range of technologies and vectors of attack available to cybercriminals and the cross-border nature of these crimes make investigating them difficult. The fragile nature of digital evidence complicates matters: skilled cybercriminals can erase the tracks and traces they leave behind them. And the intrusive nature of investigating cybercrimes – which typically requires removing computer equipment for analysis – raises privacy issues that make digital forensics an even more complicated task.

Policing cybercrime in the UK

In the context of UK policing, the National Association of Chief Police Officers (formerly ACPO) Core Investigative Doctrine provides a strategic framework and good practice guidelines for forensic investigation of e-crimes. Since 2011, the UK government has adopted a centralised approach as part of its National Cyber Security Programme, with the National Cyber Crime Unit (NCCU), part of the UK National Crime Agency, as the central focus for tackling cybercrime in partnership with government agencies such as GCHQ and the Home Office.

The government has committed £650m to the cybersecurity programme to improve the nation’s cyber-defences and resilience. But considering that around 60% of this is to go to GCHQ for intelligence activities, this leaves only £260m for investigation and law enforcement – a figure that does not compare favourably to the estimated cost (£27 billion) of the crimes the NCCU is to investigate.

According to the commissioner of City of London Police, Adrian Leppard, there are 800 specialist internet crime officers, yet it’s expected that a quarter of them will lose their jobs due to budget cuts in the next two years. Again, considering Norton’s estimation of 34,246 individuals falling victim to cybercrime every day in Britain, the remaining 600 investigators would need to address 57 cases each day of the year – a mission impossible.

Skills needed

So the imbalance between the capabilities of organised e-crime groups and the limited capacities of law enforcement agencies is not something that the UK can resolve in the near future. However, some solutions may narrow the gap and confine criminals’ opportunities.

Most obvious is how few university courses there are at undergraduate and especially at postgraduate level in cybersecurity and e-crime forensics that could train the skilled investigators required. Tackling the threat of organised criminals working in cybercrime over the long term requires knowledgeable experts to profile, track, detect, and ultimately provide the information that can lead to their arrest.

At a recent TechUK event, attendees suggested that the lack of prosecutions under the Computer Misuse Act in the 25 years since it was introduced shows the law is not fit for purpose – and the skills required to bring a prosecution under it are at the moment in short supply.

While the lion’s share of resources goes to GCHQ, the targets of its intelligence are not necessarily the criminal gangs of interest to the police. More resources for police agencies are necessary to bring investigative capacities up to the same level as the gangs they’re investigating.

GCHQ has reported that 80% of cyber-attacks can be prevented through better education and awareness among users. Developing regional hubs to promote cybersecurity training and education among general users would be key.

The fact that the Anonymous self-styled “hacktivists” whose attacks on PayPal cost the firm £3.5m were sentenced only to seven and 18 months might suggest that cybercrimes are sentenced lightly. A better understanding among judges and juries of the serious implications of cybercrimes, and greater punishments and fines for financial crimes, could help make cybercrime less rewarding to criminals.