BBC News - Anti-cyber threat centre launched

Ian Batten igb at batten.eu.org
Wed Mar 27 08:35:09 GMT 2013


	
http://www.bbc.co.uk/news/uk-21945702

I'm really sceptical about this sort of story.  Incredible (in every sense) claims are made as to the cost of cyber-crime, but there doesn't seem to be any evidence for it.  

Suppose it's true that shadowy gangs are extorting money from British companies.  How are the payments made?  Large amounts of cash dropped by trees?  Bogus invoicing for invisible services?  Direct transfer to numbered accounts in opaque offshore banks?  Have you tried getting significant amounts of money out of a company without triggering attention from your bank (obligated under money-laundering regulations to report suspicious activity), your auditors (terrified of being the next Arthur Andersen) and the taxman (for obvious reasons)?  It simply doesn't stand examination that there could be a significant flow of money out of businesses without it being noticed by someone, and that someone would have far more incentive to report it than to keep quiet.

We're reduced to the "but everyone is sworn to secrecy and no-one breaks their oath" stuff of conspiracy theorists to explain how all this money is disappearing out of the UK economy in a completely frictionless manner.  Why, for example, hasn't there been a case of a company being accused of tax fraud (transferring large sums of money offshore) and then turning out to be, or claiming to be, the victim of extortion?  Why has no company had their accounts queried because of large cash payments?  Why aren't the FSA worrying about this?   Cyber-crime gets almost no mention in the FSA Policy Guide on financial crime [1], and the section on it (section 6.8 on page 20) is all about insider risks.

What about the claim of large off-the-books losses?  Well, there's a vague suggestion of that:

> One major London listed company had incurred revenue losses of £800m as a result of cyber attack from a hostile state because of commercial disadvantage in contractual negotiations.

Translation: they bid for a contract with a total contract value of £800m and lost to a foreign company.  Well, there's a million and one reasons why that could happen, starting with your price being too high or your delivery schedule being too slow, and ending with your salesman committing some terrible faux-pas over dinner.  It's impossible to ascribe one explanation, but obviously "it was shadowy hackers that lost us the business" is a very easy excuse for everyone involved.

I don't for a second deny that there is _risk_ associated with cyber-crime.  But the question is, is that risk proportional to the money, time and emotional capital expended on it?  Would the typical company be better off worrying about putting better locks on its warehouse doors and making sure they have a decent policy of random searches of cars leaving the premises?  And once we're into a world of "there are shadowy gangs committing shadowy crimes who have to be paid off in a shadowy way", isn't there a serious risk that financial controllers become party to the IT function in the business siphoning money off and then disappearing ("we need to pay this gang in Faraway-istan, or is it Faraway-ia, £1m in cash or they'll bankrupt us, yes, of course I'm volunteering to deliver the cash")?

ob.ukcrypto: this all smacks of the high days of crypto-wars, in which government presented "evidence" of the arrival of the four horsemen of the apocalypse in order to justify the controls they wanted to impose.

ian

[1] http://www.fsa.gov.uk/pubs/policy/ps11_15.pdf