Cyber crime: what you need to know
By Adam Helliker
As technology evolves, so too do the risks associated with it. In an increasingly digitalised world, with the majority of commerce transacted online, crime has followed suit. The latest figures show that 25% of UK residents have been a victim of cyber crime, but that still means three out of four people have NOT been affected by fraudulent activity on their computer, and if they follow some simple rules of “cyber hygiene” they are much less likely to become victims of cybercrime..
As with most kinds of crime, the point of cyber-fraud is money. The personal details you keep on your devices - and the data other sites may have about you on their websites - present a juicy proposition to cyber criminals. Even if they don’t use those details to commit a fraud immediately, that data can be sold as a valuable commodity to be exploited by others. When an organisation or a business is hacked and the information is lost, some of that information could be yours. If your bank is attacked, the hackers could discover your online banking password. In some of these crimes it’s obvious to see where the money is being stolen from, but other crimes are sneakier. Often criminals will use your personal data that they have acquired to commit identity theft, when they will pretend to be you in order to get money.
This could be as simple as getting your banking password and clearing out your bank account. Or as complex as collecting enough personal information about you that the hacker can then apply for loans or open credit card accounts in your name. Experts say that after data breaches email addresses and passwords are routinely traded on the dark web (the part of the internet that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable). Last year, for example, the credit agency Equifax was fined £500,000 by the data watchdog following a cyber attack where information belonging to 15million customers, including their addresses and passwords, was breached.
The high cost of cyber crime:
So how much money is being lost through cybercrime in the UK? Last year the Office for National Statistics estimated that 4.5 million cybercrimes were committed in England and Wales. Bank and credit card fraud made up 75% of all offences, with consumer fraud (taking out loans and mobile phone contracts, or making purchases in someone else’s name) made up 22% of the total number of crimes. According to the latest Cyber Security Breaches Survey, 27% of UK businesses and charities had experienced an attack in the past 12 months, with an average cost of £3,000 to each organisation. This adds up to billions of pounds, not to mention the personal costs of consumers losing data or becoming victims of fraud. Human fallibility is at the heart of many such security breaches. That survey found that of UK cyber attacks, 80% were related to “phishing” (when an email is sent purporting to be from a reputable company in order to induce individuals to reveal personal information), and almost a third involved hackers impersonating senior management via email. Research by the security company Kroll found that 88% of UK data breaches last year were the result of human error. The scale of attacks may be higher, given that there has been significant under- reporting in the past, although the new General Data Protection Regulation (GDPR) is likely to prompt a better picture of the number of incidents.
How the criminal works:
What a criminal is hoping for when they steal data is a combination of hard facts - addresses, credit card details, or passport information. This valuable data can either be used in an immediate attack on say, your bank account, or traded through online criminal marketplaces to those better equipped to exploit it. After stealing your data, a criminal will attempt to use email and password combinations to login to your online services and websites (Your email is the gateway to all your other accounts, so using the same email and password combination for a number of different websites increases the risk of having multiple accounts compromised. You may not become aware that you are a victim unless you notice money going from your account or are notified by your bank, anti-virus or service provider. It’s not just the obvious financial sites that are attractive to a cyber criminal. Social media accounts, which for many are a valuable way of keeping in touch with family and friends, can be hacked to blackmail a victim by, say, threatening online exposure of private photographs unless a ransom is paid (this happens not just to celebrities but plenty of “ordinary” citizens). Some hackers may break into the accounts of popular sites, such as Instagram and Facebook, just to show off to other users by demonstrating their capabilities. In some cases, social media accounts are a person’s livelihood and can be highly lucrative for those who build up a large number of followers. As such, any threat to hijack or delete can be very damaging to both the reputation and finances of the victim.
How do the thieves get at you?
The most common way for criminals to deliver their malicious software (malware) to a victim is through the sending of “phishing” emails. These emails will often contain either links to malicious websites or malicious documents, both will attempt to download and install malware if clicked or opened. In many instances, these emails are sent indiscriminately to huge numbers of email addresses that the criminals have obtained from various sources and only need a small percentage of recipients to click on the links for it to be financially lucrative for the attackers.
Criminals can make calls pretending they are from your Internet Service Provider, or a software company, claiming that there is a problem with your computer, or you may have seen fake pop-up error messages on your screen. They may then advise you to download a piece of software which, unbeknown to you, gives them control of your device. This allows them to carry out further criminal activity.
An attack may also be made through a programme you may have downloaded on your device (an App), which may contain embedded malicious malware that is downloaded alongside a legitimately requested Application. These instances are usually dealt with quickly when discovered and reported. Using the well-known and reputable App stores decreases this risk of infection.
The motivation of some cyber attacks may be emotional rather than financial. The offences may be carried out by someone closer to home, say an ex-partner who is taking revenge on a former lover, by targeting them with abusive messages, or bullying and controlling behaviour using a victim’s phone or online accounts. These incidents can be a distressing consequence of a breakdown of trust in a relationship, and may count as domestic abuse.
So, in general, cyber criminals seek to exploit human or security vulnerabilities in order to steal passwords, data or money directly. The most common cyber threats include:
Hacking - including of social media and email passwords.
Phishing - bogus emails asking for security information and personal details.
Using malware - software that is specifically designed to disrupt or damage computer systems. This includes ransomware throughwhich criminals hijack files and hold their owner to ransom.
Breaking and entering - for a cause:
Hacktivists are criminals who carry out cyber attacks but their aim is disruption for a cause, rather than cash. They can target organisations whose political beliefs are opposite to their own, or businesses who they may accuse of acting against their wishes. They often announce attacks in advance in the hope of gaining media attention. An attack by activists may involve the theft of sensitive information or the disruption of trading for a business. Some see Hactivism as an acceptable way of encouraging change in society, but others view this type of cyber attack as a malicious and destructive means of protest .
Hostile nations can use technology to spy on other countries and steal state secrets, or to attack its infrastructure (such as the power supply) by waging cyberwarfare, which can cause as much damage as the operations of conventional war. Some states, including China, Russia, Iran and North Korea, regularly use their cyber capabilities to threaten the interests of other nations.. The UK is protected by the National Cyber Security Centre, part of GCHQ, which identifies hostile activity by both individuals and other nations and works to strengthen the nation’s resilience against such adversarial actions.
Some cyber criminals use their skills to attack commercial organisations to steal intellectual property or other sensitive data and thereby gain a business advantage. Cyber attacks can result in substantial financial loss arising from the theft of corporate information. Businesses suffering a cyber breach can also face big bills to repair their systems and devices. These attacks can also damage a business’s reputation and erode the trust of customers, which can lead to loss of trade and, ultimately, profits.
While the world has benefited hugely from modern technology, a reliance on internet-based operations comes with the downside of vulnerability to misuse by those on criminal or nefarious missions. Some companies
whose systems are not fully resilient are vulnerable to disruption. There are examples of elections being corrupted, power supplies cut off, and ransomware has taken businesses offline.
In 2017 The WannaCry ransomware delivered thousands of spam emails to businesses across the world, encrypting the files of victims, rendering their systems inaccessible unless they paid hundreds of dollars. The attack hit the UK’s National Health Service which found its computers were locked out, meaning thousands of patients were
The most sophisticated technology is vulnerable to the shortcomings of those who use it; tech can’t innovate human error out of existence. Employers need to support staff in recognising when they might be vulnerable to malicious intent, but there is inaction and complacency on both sides. A poll by the US software company Centrify found that 77% of UK workers have no basic training in cyber security. The majority - 69% of respondents - said they lacked confidence in their ability token their own or their employer’s digital information safe. A third admitted using the same login credentials across multiple accounts. Human beings are the first and last line of a company’s defence and ensuring that all are as cyber aware as possible is a wise investment. So too is updating software and hardware regularly.
What you can do:
Don’t reuse passwords for multiple accounts, especially email – your email account is the gateway to all your online accounts. If it gets hacked, all your passwords can be reset. So keep it unique.
Turn on two-factor authentication – this free security feature adds an extra layer of protection online and stops cyber criminals getting into your accounts – even if they have your password.
Update regularly – using the latest software, apps and operating system can fix bugs and immediately improve your security.
An employee received a telephone call with an automated voice message explaining that her computer had been compromised. She was instructed to press “1” to download a remote access tool called “Supremo”, which granted access to the computer. She was asked to transfer money into a bank account in order to “track the hackers”. The suspect had falsely shown twice money had been transferred into the victim's accounts. She was then instructed to make bank transfers to the value of £57,000 through online banking. Her bank contacted her asking to confirm the transfers. The following day, she checked her online banking and noticed a further £12,000 had left her current account. She realised that this had occurred while the suspect was claiming to fix her pin code gadget generator. In total, she lost £69,000.
A member of the public found that his phone was starting to behave oddly and he was eventually locked out. He was then contacted on his social media account by criminals telling him that child pornography had been installed on the phone. He was ordered to pay a fee otherwise the images would be shared with his family and friends. An investigation later found that his hackers had gained access to his phone through malware installed on a game which the victim had downloaded through an unrecognised - and unsafe - app.
An office worker received an email from a client, containing an attachment. The email was entitled "Thanksgiving Day....." The employee opened the attachment and unknowingly downloaded malware Emotet and Trickbot onto his company’s computer. The business was locked out of online banking, and the account was only restored after its IT provider, assisted by the bank, had re-installed a new system.
An employee at a school received a suspect email containing an attachment. He downloaded the attachment which installed Trickbot malware onto his laptop. The school’s bank login details were compromised. The criminals attempted to make fraudulent payments for £400,000, but these were stopped by an authorisation procedure. Bank details were changed on his supplier’s database so as to divert funds to the attacker’s bank account. The victim subsequently lost £16,000 which had been transferred into the hacker’s accounts.
The Instagram account of a 26-year-old social media influencer was taken over and held to ransom. Compromising images were displayed on the account and money was demanded otherwise it was threatened that all of her 300,000 followers would be deleted. The victim was unable to log on to her account and suffered huge damage to her reputation and considerable loss of income.
The National Security Council: the first ten years
By Adam Helliker
It is a meaningful, albeit trite aphorism used by many a politician through the ages: that keeping the country safe and secure is the first priority of any government. But it was only ten years ago that a Prime Minister took the significant step of establishing a powerful body which took complete responsibility of coordinating the responses to any dangers that British citizens might face.
In 2010 David Cameron presided over the first meeting of the National Security Council, appointing the highly-regarded Sir Peter Ricketts, then Permanent Undersecretary at the Foreign and Commonwealth Office, as his National Security Adviser, a new role based in the Cabinet Office.
The first item on the NSA’s agenda that afternoon in May was - no surprise - to review the terrorist threat to the British mainland, followed by a discussion about the stability, or rather lack of it, in Afghanistan and Pakistan.
The list of those sitting alongside Cameron at that first gathering may now make it seem an overtly political animus - at the table were the Chancellor, the Foreign Secretary, the Home Secretary and the International Development Secretary - but in his introductory speech the PM made it clear that at its weekly meetings the Council would be able to summon virtually anyone who would be able to contribute to its paramount purpose of defending the country.
That would, of course, include representatives of the Armed Forces and the heads of the main intelligence agencies, MI5, MI6, GCHQ and DI, who could securely share the latest reports with ministers, all of whom would have signed the Official Secrets Act. Not that even that level of security could prevent alleged loose talk - in April 2019, an inquiry was ordered into the leaking to the Daily Telegraph of a decision by the NSC to allow the Chinese giant Huawei to bid for 'non-core' elements of the construction of the prospective 5G mobile communications network. Several cabinet ministers denied they were involved in the leak.
Cameron’s doggedness in establishing the NSC was a laudable reflection of that relative rarity - an example of a politician determined to put into action a policy that he had championed in opposition. Few PMs take office with much experience of national security issues (although the present incumbent of No. 10 had a brief spell as Foreign Secretary) and security coordination is rarely a key theme in general election campaigns.
At the time the creation of the NSC was supported by the Labour Party, with the Shadow Defence Secretary, Vernon Coaker, stating: “we support its foundation…,and it is vital that we see the NSC deliver the long-term strategic direction for which it is established.”
As ever, and particularly at a time when the Government was still largely committed to enforcing austerity, the cost of Cameron’s vow to put national security at the apex of his new administration’s agenda was a concern, particularly for the Chancellor, George Osborne, even though he shared the PM’s hawkish views on finding new ways of protecting the population from harm. (It was Osborne who, six years later, was responsible for finding the £1.9billion needed to launch another of the Government’s commitments to its citizens’ safety, the National Cyber Security Centre).
But right from that first meeting of the NSC, it was clear to those involved that Cameron had shown vision in his insistence that there were alternative ways to interpret what he acknowledged was one of his most important duties - establishing a national security strategy that would ensure three core principles: the protection of people; protection of our global influence, and the promotion of our prosperity. (Former National Security Adviser Sir Kim Darroch singled out Cameron’s personal stake in the NSC process as one of the leading factors in ensuring its success. He said: “I doubt that previous prime ministers have spent anything like the amount of time this one spends on foreign policy and preparing for our meetings.”
Not that previous administrations hadn’t tried: successive premiers had attempted to reorganise the various cogs in the machinery of central government, each searching for the right constellation of resources and personnel available to meet the threats facing the UK. When it was initially raised by Cameron and a group of his policy advisers (Including Baroness Pauline Neville-Jones, a former head of the Joint Intelligence Committee, who produced paper on the subject in for the Conservatives in 2006) the idea of a central body to coordinate all the power a PM can summon to protect national security was met with some cynicism in certain quarters. One official commented that the idea of “instant cross-Whitehall coordination in a crisis was a dream, and would remain one.”
Yet now, a decade later, and with Cameron’s tenure of No.10 a fading memory, the NSC is viewed as the perfect case study of how, within an enviably short time from concept to establishment, prime ministers can effectively coordinate a key area of policy from the centre. In short, the NSC - and its supporting National Security Secretariat (NSSec) has been judged one of the success stories in how a Government can adapt to meet its responsibilities in a constantly evolving climate.
Indeed Cameron has referred to the NSC as “one of my more successful babies.” And one former senior intelligence official has described the creation of the NSC as “like the lights coming on; because it was very difficult under the previous arrangements to necessarily detect what decisions, if any decisions, were being taken on a number of issues and the thinking that led to those decisions was even more opaque.”
The Civil Service has also embraced the NSC as a success story, with one recent report finding that “In terms of regularity of process, frequency of high-level ministerial and official attendance at meetings, and focused secretariat support, it has brought greater clarity to a broad range of national security policy issues.” The report concluded, in glowing terms: “The NSC demonstrates the potential benefits of a ‘strong grip’ at the centre and the ‘halo effect’ of consistent prime ministerial investment of time and effort in committee work."
It is widely acknowledged that the NSC’s success has been due, in no small part, to the quality of its National Security Advisers, beginning with Sir Peter (now Lord) Ricketts and continuing with Sir Kym Darroch, and the present NSA, Sir Mark Sedwell, who is also Cabinet Secretary.
Before Cameron’s bold initiative, his predecessors had grappled with similar problems of security coordination for over a century. Several had experimented with different combinations of senior official appointments to deal with the responsibilities of national security (which, broadly, encompass defence, intelligence, foreign affairs, internal security and civil contingencies).
Long-serving prime ministers like Margaret Thatcher and Tony Blair had begun to favour less formal, smaller circles of national security advice and decision making. For each premier, the Civil Service had to be ready to recalibrate arrangements to provide the necessary support, and to stand its ground in arguing that each step away from formal committee processes could jeopardise clarity and transparency within government.
Today’s Council, aided by its well-resourced secretariat, is a world away from how national security was handled in the early 20th century, when it was merely an item that would be raised at Cabinet meetings. In its early days such gatherings functioned without minutes and meetings could be long, rambling affairs; ministers departed with little idea of what had been decided. Their private secretaries would have to write to each other trying to clarify the details. For example, an appeal to one of Gladstone’s secretaries stated that ‘there must have been some decision...My Chief has told me to ask you what the devil was decided, for he be damned if he knows. Will you ask Mr. G. in more conventional and less pungent terms?’
The first PM to suggest that the areas of areas of foreign and defence policy should be treated separately from domestic matters at Cabinet was Arthur Balfour who formed the Committee of Imperial Defence - the precursor to the NSC. Tweaked by subsequent PMs, notably Asquith and Lloyd George, the CID continued to develop until the outbreak of war in 1939, eventually becoming known as just the Defence Committee. As with the NSC today, other ministers attended these meetings at the prime minister’s behest, as appropriate to the subjects under discussion.
Incidentally, in terms which may still resonate today, the CID’s first head, Sir George Clarke, recognised the challenges to any prime ministerial adviser facing competing departmental centres of power and influence, lamenting that he had to operate by ‘the gentle pulling of strings’ rather than ‘being able to speak with power’, given his status as a “mere’ civil servant.
A significant change was made in 1968, with the creation of the post of a Coordinator to bring a senior security official into the Cabinet Office to assist the Cabinet Secretary with his intelligence-related responsibilities, including reviewing the agencies’ performance and scrutinising their annual bids for budget allocations. Another tweak came after the 11 September 2001 terrorist attacks, when Sir David Omand was appointed to a new role as Security and Intelligence Coordinator to oversee both the intelligence agencies and the Civil Contingencies Secretariat.
But until the formation of the NCS in 2010, the responsibility for national security continued to be spread among several cabinet committees, with specific responsibilities to deal with the changing concept of security, whether it might be coordinating anti-terrorism efforts or dealing with the threat of a nuclear threat (a salient concern during the Cold War). At some times intelligence and policy became too close. The 1983 Falklands Islands Inquiry and the 2004 Review of Intelligence on Weapons of Mass Destruction stressed the need to uphold the independence and objectivity of intelligence assessment.
Today, the responsibilities of the NCS remain the same, in enabling a government to coordinate the information gathered by Intelligence agencies to secure the country against serious organised crime, terrorists and hostile foreign intelligence agencies.
The council continues to meet weekly (often on the day of Cabinet meetings to maximise attendance) when Parliament is in session. At the meetings the usual procedure is for papers to be taken on two subjects, with a short presentation followed by discussion for roughly 30 minutes per issue. Ministers who are not standing members of NSC are invited to attend as necessary to discuss issues affecting their departments.
As to it main purpose, the Council adheres to a code in the form of the National Security Strategy, which states that there are four main security challenges for the UK for the coming decade:
The increasing threat posed by terrorism, extremism and instability
The resurgence of state-based threats; and intensifying wider state competition
The impact of technology, especially cyber threats; and wider technological developments
The erosion of the rules-based international order, making it harder to build consensus and tackle global threats
The strategy also sets out a number of other risks They are: civil emergencies; major natural disasters overseas; energy security; the global economy; and climate change and resource scarcity.
Ultimately, the long-term effectiveness of the NSC may be judged by whether its creation has improved the effectiveness of national security decision making. Is the UK safer – or at least, are its leaders making better-informed and more timely decisions on security – because of the NSC’s? The collective answer judged by the enthusiasm of all those involved in its present-day operations would appear to be a very positive yes.