A new crimewave
For the past twenty years or so, crime in the UK has been falling, thanks partly to technological developments that have made certain types of offence harder both to commit and to get away with.
But just as technology has closed down some criminal opportunities, it has opened up others. Our increasing reliance on internet-connected devices has been accompanied by the development of a new set of cyber threats. 12% of European internet users have had their social media or email account hacked and 7% have been the victim of credit card or banking fraud online.
Chart: UK online banking fraud losses
2004-13, £ millions
Much cybercrime can be prevented by individuals taking basic precautions, including using more secure passwords and installing anti-virus software to thwart the ‘malware’ that enables login details to be stolen: the Government’s Be Cyberstreetwise campaign is intended to raise awareness of these preventative measures.
But there is little the individual can do to save their data from direct attacks on businesses, which in turn are often reluctant to admit security breaches for fear of litigation and reputational damage.
The so-called ‘Heartbleed’ bug, discovered in April 2014, exposed vulnerabilities in many major websites, allowing hackers to steal passwords, credit card details, encryption keys and other sensitive data, without leaving any trace.
And staying offline does not guarantee protection; hackers attacking the US retailer, Target, were able to steal the credit and debit card details of 40 million customers thanks to malware installed in the company’s point-of-sale system.
A new battlefront
While the vast majority of cyber crime involves the theft of data and, ultimately, money, similar means can be used by terrorist groups, governments and other actors for political ends.
Cyber-attacks of this nature can range from vandalism of government websites, causing disruption and uncertainty (e.g. the hacking of US Central Command’s Twitter by individuals thought to be affiliated to ISIS), to attacks on critical national infrastructure, such as payment systems or power networks, with the potential to cause chaos.
The capacity for any group or state to wage truly calamitous cyber-attacks on the UK, or any other advanced economy, is as yet unproven.
However, the experience of other countries suggests it is at least a possibility: in what is thought to have been a joint US-Israeli operation, malicious code was used to attack the systems controlling the centrifuges in an Iranian nuclear facility in 2010, causing them to spin out of control and ultimately setting back Iran’s nuclear programme.
More commonly, groups at varying degrees of remove from the state engage in espionage, stealing intellectual property and state secrets. And the internet also presents opportunities for governments to monitor more intrusively the activity of their own citizens.
The previous Government’s National Security Strategy, published in 2010, classed cyber security as a top priority, alongside international terrorism, international military crises and natural disasters.
This led to the first Cyber Security Strategy, published in 2011, setting out how the UK would tackle cyber threats to promote economic growth and protect national security.
As part of the strategy, the Government allocated £650 million over four years to strengthen the UK’s cyber security.
This included the establishment of a National Cyber Crime Unit within the National Crime Agency; a cybersecurity information-sharing partnership between government and the private sector; and a new organisation for national cyber incident management (CERT-UK).
A future filled with fear?
The perils of connectivity seem only to be growing as the ‘internet of things’ brings more devices online.
Already, it has been shown that hackers can assume control of car steering wheels, insulin pumps, baby monitors, toilets and central heating systems, raising the prospect of all sorts of cyber malfeasance.
The Cyber Security Strategy acknowledges that it is not possible to eliminate cyber crime. But just as car thefts have been dramatically cut by preventative technologies such as immobilisers and alarms, cyber crime may be reduced by eliminating some of the opportunities available to prospective cyber criminals.
As well as more advanced security and anti-virus software, further onus could be put on companies to release products and programmes with fewer security flaws in the first place, rather than reacting to vulnerabilities as they emerge with software updates.
Nor can we be guaranteed immunity from more serious attacks. For those companies operating critical infrastructure, especially payments systems, and power and communications networks, the costs of security lapses to society may be far greater than to the individual firm.
Co-operation between firms may help to reduce these costs, while information-sharing arrangements with government, including the security services, to improve understanding of the nature and source of threats, may help scarce resources to be better directed.
Finally, government action may be required to address the shortage of cyber skills at all levels, from awareness of cyber risks among ordinary users, to the expertise necessary to detect and defend companies and governments against sophisticated threats.
3.6 - 3.8 million. Estimated incidents of card and bank fraud in England and Wales in 2013. The figures are not included in survey-based measures of crime, but if they were, they could account for a third of all crimes.