Insights

05
May 2016

Cyber crime’s (un)virtuous circle

”Why we will lose the war against the cyber threat unless we change”

Following last month’s article on how the UK should be staying one step ahead in the cyber battlefield Geoff Krechting, Technical Architect at L-3 TRL Technology explains why we’re still losing the cyber war.

The cyber criminal is the single biggest ongoing and long term threat to the safe and secure operation of technology, both now and in the future. Businesses and infrastructure are beginning to realise the scale of the problem and act accordingly, but it’s not enough.

 

We are continually focused on current threats: advanced persistent threats (APTs), nation states, the 'Russians' acting in Ukraine, hacktivists, etc. Significant attacks generate media coverage that often results in high-tech cyber scaremongering, when the actual details can be somewhat mundane.

 

There’s a simple reason for this, in the form of virtuous and vicious circles. The cyber criminal exploits a virtuous circle: they invest in a capability; they exploit that capability to make money; they reinvest those profits to improve their capability. Back to the beginning, pass go, collect 200 bitcoins.

 

They risk getting caught, yes, but this does not negate the power of their business model from our (the victim’s) perspective. For the organisations, corporations and individuals at risk of exploitation, a vicious circle applies – one must essentially pay out for insurance just to operate as normal. Whether as a statutory cost (regulation, policing etc), literally as a financial product, or as the cost of implementing and maintaining technical countermeasures – the defenders must spend simply to retain the status quo. These defenders gain little as a result of this investment – they simply minimise their losses or, in the best case scenario, recover some.

 

Of course the cyber security industry can profit from developing and providing defensive measures against the growing sophistication of the threats, but as an industry cannot offer full spectrum protection; the defending businesses simple have to expose themselves to attackers to do business at all in the internet age – one phishing e-mail opened can equal an entire defensive suite bypassed. Guarantees are hard to come by.

 

If you always do what you’ve always done…

 

Continuing in this way will have two outcomes: the cyber criminal becomes the dominant player in the field, improving the sophistication and scope of their capability to the point where they are both profitable and untraceable (see the example below). Secondly, the collateral from their activities is the development of significant black market capabilities available to those looking to make money in service to the cyber-criminal.

 

The skills of both the hacker and the cyber criminal will become more widely available as the black market ramps up – if it hasn’t already – to supply the demand for greater capability, and that capability will become available to other less capable threat groups, due to dissemination and reverse engineering.

 

So how do these criminals continue to evade capture? Simple. They take steps to ensure they can’t easily be traced to the computers they used to perpetrate the attack so law enforcement agencies are hindered by complexity and cross-jurisdiction issues, and equally important measures to ensure they can’t be linked to the revenue generated from the attack. Simply put it costs us more to chase than them to run.

 

Stolen credentials are readily available to the cyber criminal, as is the ability to locate and reroute their data communications anywhere in the world – or simply pay someone else to take the risks involved in putting together or deploying the attack capability itself.

 

Low level attacks fund high level capabilities

 

While the risk of corporate cyber attack is limited to any one business, the threat of attack against a nation’s critical national infrastructure (CNI) threatens the safety and continued operations of entire countries.

 

We’ve all seen movies that portray the destruction of large-scale cyber crime against a nation’s CNI. In truth I think we all understand the Hollywood scenario isn’t real, but let us put the real business level risks from feasible scope and scale of attacks into simple words – disruption, downtime, loss of revenue, loss of reputation, and loss of custom. CNI business spend large sums to procure and operate sufficiently reliable automation and production systems – to not work just as hard to making them secure is to waste a good proportion of that investment in reliability. Real world attacks range from smaller scale disruption caused by data protection breaches to public utilities, through critical loss of production (oil, gas or electricity), right up to threats to the national economy and risks to public health (electricity, water or transport).

 

In the same way businesses seek to grow and become more successful within their field of expertise, the cyber criminal has the same ambitions. While the current risk of a high impact threat may be reasonably low, day-to-day lower-level cyber attacks are funding the development of the potentially high impact capabilities of the future.

 

Over time, the cyber criminal will begin to change the way they monetise their activities, from extortion and theft to stock price manipulation. And while the effects of the cyber attacks that make headlines may not be long lasting, achieving impact on share prices through criminal means will lead to unhappy shareholders.

 

The ability to exploit a significant cyber attack via a country’s stockmarket continues the criminal’s virtuous circle without the additional risk of getting caught due to attempt of direct theft or extortion. Maybe in future stolen customer data will simply be dumped online to create headlines and not take in an attempt to monetise the stolen information itself.

 

As the effects of this (un)virtuous circle increase over time, every aspect of business will become subject to the cyber threat. Currently vulnerable systems must improve to such an extent that cyber attacks themselves become uneconomical to develop.

Government-grade protection for businesses

All organisations need to prioritise the protection of their data to minimise the risks of security breach. Commercial off-the-shelf (COTS) firewall and software solutions still leave sensitive information and critical data vulnerable to sophisticated attacks – as discussed, the attacks are only ever going to get more sophisticated in the current climate - meaning those technologies alone are no longer a viable option to keep the cyber attackers at bay.

 

Businesses must seriously consider investing in the kind of cross-domain cyber protection measures used by governments to reduce their risk to acceptable levels.

 

In the short term, investment in government-grade hardware encryption may make your business less attractive to the cyber criminal than your competitors. In the long term, wide rollout of such measures is the only way to put cyber criminals out of business – pushing them into a technological dead end, and increasing their costs to unsustainable levels.

 

Businesses can no longer look to Microsoft, Apple or Linux vendors to make their systems ‘secure’ –there is simply too much code, and too much change over time in both the software and the processors running it, to ensure secure implementation.  The biggest risk is fast becoming not the platforms but the applications that run on them, including bespoke and highly tailored business applications – and the big platform providers cannot help there

 

Instead, we must allow more of the software that businesses rely on to be cheap and functional, and shift our focus to the interfaces between these functions – focussing on attestation, authentication, audit, data integrity, and encryption. The current basis of the internet – the Internet Protocol Suite and other protocols and systems built upon it, weren’t designed with ubiquitous and global scale security in mind, and so we are always patching the patchwork.

 

In a world where the threat of cyber attack grows daily, it is more vital than ever to ensure communication between these vulnerable applications is rigorously protected.

 

Existing network and application protocols may not make the grade in future, but it is easier to address the visibility and ease of protocol change than to tackle vulnerabilities in the vast codebase with endless patches and updates.

About L-3 TRL

With 30 years of experience at the forefront of technological development, L-3 TRL is an official supplier to Her Majesty’s Government, and part of the Cyber Growth Partnership (CGP). Our cutting-edge, best-of-British technology is accredited and approved by CESG, and we have achieved two Queen’s Awards for innovation.