At Prospect's recent event, experts discussed cyber threats to our financial systemby Tanjil Rashid / March 8, 2016 / Leave a comment
Read more: Cyber security—mapping the unknowable risk
This week the former Head of MI5, Jonathan Evans, claimed that cybercrime constituted “the biggest and likeliest threat” to the British economy. Speaking at a Prospect event entitled Cybercrime and cyberattack—the threat to our financial system, to an audience at The City of London’s Guildhall on 1st March, Evans said that it was “now easier to attack banks cybernetically than physically.”
In his keynote speech, Evans warned British companies that cyber-enabled crime is now more lucrative than crime committed in the real world. “It is much more profitable to attack a financial institution through cyberspace than through a traditional bank raid,” he said. He also remarked how the difficulty of landing a successful prosecution in cases of cybercrime is enticing criminals. “If you are a sensible criminal, you will make the internet your attack vector,” he said.
Beyond financially-motivated law-breaking, Evans outlined the diversity of other threats posed by cybercrime. Mark Camillo, Head of Cyber at AIG, argued that to best protect themselves against such threats businesses must ask themselves “What is good cyber hygiene?” He drew attention to the existing cyber security frameworks published by, among others, the government, but suggested such frameworks needed to be “more adaptable.”
Formerly one of Britain’s top spies, Evans spoke of how information technology has increased the threat of espionage, which has shifted from “a very analogue activity” to what is now “a very cyber activity.” Stealing information from governments and companies digitally is now more effective and cheaper than doing so using traditional methods, as well as having, he argued, “the great advantage of deniability,” with cyber espionage proving very difficult to attribute. He noted that financial institutions were no less at risk than companies in the defence contractor world, because states are now using cyber espionage to gain commercial advantages, as well as political or military ones.
Evans contended that cyberterrorism is the threat most likely to grow in the years to come. The UK’s director of international counter terrorism at the time of the terrorist attacks on 11th September 2001, he observed that although Al-Qaeda and Daesh have declared days of cyber jihad, the classic terrorist groups haven’t been using cyber attacks on national infrastructure and financial services at “anything like the level expected.” But, he predicted, “their time will come,” noting how terrorists have demonstrated an interest in targeting banks.
Related to cyberterrorism, Evans pointed out the more frequent—but softer—phenomenon of anti-establishment activity known as “hacktivism.” He argued that although it is regarded as “relatively harmless,” it can in fact be “deeply embarrassing to governments.” Collectives such as Anonymous have hacked US, Canadian and Israeli government agencies and companies, securing propaganda victories for various campaigns (including one for the legalisation of marijuana). This may affect the financial sector, being as it is the target of many political campaigns.
The final sphere of cybercrime that Evans outlined concerned military campaigns. “There are no interstate conflicts of any intensity today that do not have a cyber component,” he declared, adding that this was an area of rapid investment for the UK military. He described how states worldwide are outsourcing and developing their own attacks.
He explained how, in all of these cases, cybercrime is being enabled by the burgeoning “dark web,” a portion of the internet that is unindexed and unregulated, noting “the thriving market for cyber attack capabilities.” Attacks on states and companies can now be purchased or rented from mercenary cyber criminals alongside classified and commercially sensitive stolen material.
Given the relative ease with which cybercrime can be committed, Evans urged every company “to think about its risk exposure.” He advised that a successful anti-cybercrime strategy rested on two elements: knowledge of what is happening on a company’s own networks and knowledge of what is happening in the “hacker community.”
In a wide-ranging discussion afterwards chaired by Prospect editor Bronwen Maddox, senior figures in the field of cybercrime echoed and supplemented the points raised in Evans’s speech.
Mark Boleat, Policy Chairman of the City of London Corporation, emphasised the threats to the financial sector in particular. “We will have another financial crisis,” he predicted, “and it may well be cyberconnected.”
Boleat also noted the inadequacy of crime figures in fully reflecting cybercrime. “Crime figures are going down, while cybercrime is on the up,” he noted. Commander Chris Greany, National Coordinator for Economic Crime with the City of London Police acknowledged the need for statistics to reflect the magnitude of the problem, welcoming the fact that the Crime Survey is to register cyber fraud from this year. According to the Crime Survey’s test data, there were 2.5 million cybercrimes committed in England and Wales last year, none of which were registered in the overall crime figure for 2015 numbering at 6.5 million. He also picked up on the issue of rising cybercrime from a law enforcement perspective. “[Cybercrime] is the only crime where, culturally, citizens are not doing what they should be,” he said, likening businesses’ lack of appropriate precautions to “leaving the front door open.” The majority of cybercrime —up to 70%, in Greany’s view—could be prevented.
There were a number of notable audience contributions. One member of the audience proposed that insurance companies could be harnessed for good, using their terms to force companies to take measures to prevent cybercrime. Another audience member asked who was responsible for cyber security at a time when most infrastructure is privately owned. On this question, none of the panel members could agree, indicating the difficulty of addressing the threat of cybercrime in the 21st century.
This article is drawn from a Prospect discussion held in conjunction with AIG and the City of London Corporation on Tuesday the 1st of March 2016 held at Livery Hall in the City of London’s Guildhall. This event explored the threat and impact of cyberattacks on the financial sector and featured a keynote address from Jonathan Evans, former head of the Security Service. You can read an article highlighting the importance of dealing with cyberthreats at board level by visiting this page. For more information on this event and upcoming Prospect discussions, please email firstname.lastname@example.org.