Risk
7/30/2013
02:39 PM
50%
50%

U.K. Losing Battle Against Cyber Crime

New report by Home Affairs Committee warns that U.K. is insufficiently prepared to protect the country against cyber attacks and other online threats.

According to a new report by the Home Affairs Committee, the U.K. is at grave danger of losing the battle against cyber-crime. The report states that much Internet-related financial crime is not being reported to the police and that law enforcement is generally not trained to fight cybercrime.

MPs say that online criminal activity that defrauds victims of money is often not reported to or investigated by law enforcement and is covered up by British banks, who simply reimburse the victims with no attempt to find or prosecute perpetrators. "You can steal more on the Internet than you can by robbing a bank -- and online criminals in 25 countries have chosen the U.K. as their number-one target," stated the Committee's chair, labor MP Keith Vaz. "Astonishingly, some are operating from EU countries. If we don't have a 21st-century response to this 21st-century crime, we will be letting those involved in these gangs off the hook."

The Committee is also concerned about the British court system's ability to deal with this type of 21st-century criminal activity. It recommends that the government review sentencing guidance to ensure that e-criminals receive the same sentences as they would for stealing the same amount of money or data in the physical world. The report also urges the government to establish a state-of-the-art espionage response center to combat Web-based attacks by foreign powers and terrorists.

"At a time when fraud and e-crime is going up, the capability of the country to address it is going down," MPs said in a statement. "Ministers have acknowledged the increasing threat of e-crime, but it is clear that sufficient funding and resources have not been allocated to the law enforcement responsible for tackling it."

[ Doing business with Whitehall isn't cheap. Read U.K. Costliest Country To Bid On Government Contracts. ]

In addition, the Committee called for British legislators to ramp up efforts to curb or remove online content such as extremist agitation or pornography. "Young people are increasingly radicalized online by the words of radical clerics on YouTube [while] tragic murders have shown the terrible consequences of access to indecent images on the Web," said Vaz. In response, ISPs, search engines and social media sites are encouraged to be more proactive about removing inappropriate content, or risk government legislative action.

The Committee's report came out on the same day the Office of National Statistics released new data showing that, despite a welcome return to growth in British IT, cyber security remains a weak area, with too few IT professionals having the relevant skills.

However, the government also told the BBC that it is taking action to tackle the cyber-threat, investing more than £850 million ($1.3 billion) through a national cyber-security program to develop and maintain cutting-edge capabilities.

Not everyone is convinced, however. Business lobbying group the CBI said that an MP proposal that would make it mandatory for British businesses to report cyber-attacks won't help. "Proposals to force businesses to report a cyber-attack as soon as it happens when they should instead be focusing on fighting the attack privately could be counterproductive and put them at greater risk," warned Matthew Fell, CBI director for competitive markets. "Mandatory reporting would also risk cyber security becoming a tick-box regulatory requirement and stifle business-to-business information sharing."

U.K. cyber security industry commentator Klaus Gheri, VP of product management Europe at Barracuda Networks, added, "The growing threat of Internet crime is not specific to the U.K. It is the same everywhere. Law agencies are ill-equipped to protect against cyber warfare. Social media sites have become a regular hunting ground for cyber-espionage attacks and an easy way for cyber criminals to launch targeted attacks against businesses."

However, Gheri also acknowledged that governments have "the biggest responsibility here," calling on Westminster to pass legislation so all businesses have "a prescribed minimal amount of cyber security."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6123
Published: 2014-12-28
IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow local users to obtain sensitive credential information by reading installation logs.

CVE-2014-6160
Published: 2014-12-28
IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.