Groups face the conundrum of cyber crime
Late last year, UK authorities helped to organise a cyber “war game” for institutions in London’s financial district, directing the banks, insurers, asset managers and big businesses of the city to simulate the impact on their operations of a debilitating cyber assault.
While many of the players in the game – no actual assets were involved – demonstrated that they had defensive plans in place and often quite sophisticated technical knowhow, they also highlighted a major problem.
High quality global journalism requires investment. Please share this article with others using the link below, do not cut & paste the article. See our Ts&Cs and Copyright Policy for more detail. Email [email protected] to buy additional rights. http://www.ft.com/cms/s/0/61176e18-923e-11e3-8018-00144feab7de.html#ixzz2uEnRWgNh
Not a single one of the participants in operation “Waking Shark II”, as the scenario was dubbed, thought, during the course of their attack, to report their problems to the police.
The scenario highlighted one of the biggest problems in the cyber security world: how is online and computer crime policed, and, moreover, how should it be?
“Many of the participants [in the city cyber war game] had little or no understanding of when criminal offences were being committed,” says Adrian Culley, former detective at Scotland Yard’s cyber crime unit and now a technical consultant with Damballa, a cyber security consultancy.
“Given we have had the Computer Misuse Act for 25 years in the UK, it’s surprising, but we obviously have some way to go still,” he adds.
“Ultimately, there is no such thing as cyber crime, just crime. Just like you don’t really hear questions of if someone is computer literate or not these days, I think the notion of cyber crime will fade. In 100 years’ time. It’ll be as if Sherlock Holmes had talked about electric crimes.”
The nub of the problem is that, for many organisations, cyber crime still seems so intangible. For big businesses such as banks, cyber crimes are all too easy to write off as a marginal cost of doing business in the modern world.
A bank suffering from a physical robbery, for example, has a site from which money is stolen and staff there whose responsibility is specific for the security of that site. Doing nothing is not really an option. An attack against a whole organisation though – particularly an organisation as large as a bank – is far harder to feel or care about, if the relative impact is far smaller. Even if the same – or more – money is stolen in absolute terms.