[Updated] 'Lacklustre' NCA cyber-crime report adds nothing new, critics say

The NCA has issued a report in cooperation with industry partners in which it admits it is falling behind the cyber-criminals, but the report has been criticised for containing little information that is new or useful.

National Crime Agency cyber-crime report released today

Criminal cyber-capabilities are rapidly outpacing the capabilities of law enforcement and the private sector to combat them, according to a new report from the NCA.

The National Crime Agency's “Cyber Crime Assessment 2016” sets out to define the immediate threat to UK businesses from cyber-crime and was, for the first time, produced with cooperation from industry partners.

It identifies growing risks including DDoS and ransomware which increased significantly in 2015. Most of these attacks can be traced back to a few hundred international cyber-criminals, they believe.

However, some commentators in the industry dismissed the NCA report as containing little new or useful information, adding it demonstrates that despite pumping money into the problem, the UK government has achieved little.

404: justice not found

Steve Durbin, managing director of the UK-based Information Security Forum, said: “For anyone who has been monitoring the cyber-crime space, the NCA Cyber Crime report doesn't really contain any significant ‘aha' moments.”

“The question really is how can law enforcement be seen to be adding a new dimension to protecting and anticipating advanced attacks, not just working to bring perpetrators to justice?” Durbin said.

The objectives of business and law enforcement in the global cyber-security war are at odds. “Law enforcement is primarily concerned with crime-prevention and bringing perpetrators of crimes to justice. Businesses are concerned with ensuring the integrity of their systems and information in a way which does not lend itself to necessarily supporting law enforcement,” he said.

He said the police need to demonstrate to business the value of reporting cyber-crime. “Until this perspective changes, and there is very real benefit to be derived by businesses, the situation will continue,” Durbin said. “It is incumbent upon law enforcement to demonstrate value to businesses in participating in threat and intelligence sharing – across multiple jurisdictions, since crimes carried out in the UK for instance may often originate outside of UK jurisdiction.”

Graham Mann, managing director at Encode UK, told SCMagazineUK.com that the problem of cyber-criminality is only getting worse. “When you consider the sums involved I think it's time for a new strategy – investing it in CESG isn't working. There are some great minds out there in the commercial world, let's use them,” he said.

Bad guys ahead

As the report said, the actual number of cyber-security incidents is probably much higher than what's been reported – “just the tip of the iceberg”, Mann said.

“I know from battle-testing networks over more than 10 years, advanced cyber-attacks are never spotted and in hours we have complete domain admin control. When you know what you are doing this isn't difficult. This leads me to believe that the problem is much larger than the figures show,” he said.

“Perpetrators of cyber-attacks have always led the way, leaving the good guys to work out how to stop them – little has changed nor will change. Trying to prevent sophisticated attacks has proved ineffectual, we need to focus on early identification and response,” he added.

He is highly critical of the compliance approach to cyber-security, saying that overall it has made us less secure. “I'm sure many organisations don't report or acknowledge attacks, for obvious reasons but in my experience the majority simply don't know that they have been/are being attacked.”

The NCA report supports Mann's assessment about the tick-box approach to security but said that it's difficult to identify the true extent of the problem because many incidents are not reported.

“Under-reporting continues to obscure the full impact of cyber crime in the UK,” the NCA said. “This shortfall in reporting hampers the ability of law enforcement to understand the operating methods of cyber-criminals and most effectively respond to the threat.”

Jamie Saunders, director of the NCA National Cyber Crime Unit (NCCU), said: “This is the first time the NCA has released a joint assessment with industry on cyber-crime, and it is a good example of the collaborative approach between business, law enforcement and government that we need to cultivate and strengthen if we are to succeed.

“I hope that senior members of UK business, and not only those involved in the protection of their IT systems, take note of its contents and think seriously about ways that they can improve their defences and help law enforcement in the fight against cyber-crime,” Saunders added.

The government is due to publish a new National Cyber Security Strategy soon. It also plans to unveil the new National Cyber Security Centre in the autumn.

Industry reaction

Paul Simpson, principal consultant at Verizon RISK, told SCMagazineUK.com that its 2016 Data Breach Investigation Report found many organisations still lack basic defences or have implemented or configured them incorrectly. “This is unbelievable when we are aware of the cyber-criminal activity around us. For example, we saw 63 percent of confirmed data breaches involving weak, default or stolen passwords,” he said.

“Some of the reasons behind this are reliance on old security policies, security being more of an afterthought in a business' strategy rather than a priority or even just down to lack of good employee education. Often businesses forget that their employees are often an easy route for any opportunistic hacker looking to find their way into an organisation via phishing emails, as they commonly make mistakes that leave their doors wide open,” Simpson said.

Luke Brown, vice president and general manager for EMEA, India and LatAm at Digital Guardian, said the IT industry simply doesn't have the staff it needs to fight cyber-crime. “The UK government's plan to open a new National Cyber Security Centre is certainly a step in the right direction, but without more widespread investment to train more cyber-security recruits, this war will continue to rage on,” he said.

Ryan O'Leary, vice president of the threat research centre at WhiteHat Security, believes the government should be investing more money in defence than trying to track down and prosecute the criminals. “Finding and prosecuting attackers can also be a challenge. Many of the attackers operate out of countries that make it near impossible to instigate legal action. Finding the individuals responsible also gains the company nothing,” he said.

However, Stephen Love, security practice lead (EMEA) at Insight, disagrees, saying that law enforcement must take the fight to the cyber-criminals with the help of industry. “While defensive measures like layered security solutions, anti-virus protection and encryption are crucial in protecting a business from attack, too often we are playing catch up... Now it is vital we begin to think proactively and stop the hole from appearing in the first place,” he said.

Love agrees that businesses must be ready to report cyber-crime to the police. “Through sharing information across industries, we will soon find ourselves one step ahead in finding cyber-criminals and stopping them before they can act,” he said.

Peter Cohen, strategic manager of Countercept, told SC that, "The report states that 'Directors of businesses should challenge their business management teams to go beyond compliance with minimum cyber security standards to ensure that rapidly evolving cyber security and resilience challenges are addressed and the threat to the UK is reduced.'"

To this point, Peter replies, "It is true that compliance does not equal security, but it does give organisations a baseline that is generally geared around mitigating low-level threats such as commodity malware or script kiddie activity – as such it can be considered a reasonable starting point (depending on the compliance framework). The real danger with compliance is that while its purpose is understood within security circles, executives often believe that compliance is security – however when it comes to mitigating more capable threat actors, this simply is not the case."