There were almost 10,000 new cases of fraud reported in the UK every day in 2018, according to Office for National Statistics (ONS) figures. The problem is endemic, and to James Hatch, Chairman of The Intelligence Network – a BAE Systems initiative that has brought in 1,500 partners since its tentative formation last year – the gulf between cybersecurity and fraud teams is part of the problem.
The issue is one Network has chosen to prioritise and Hatch, BAE Systems’ Director of Cybersecurity, thinks developing a common terminology for cyber fraud – that could be used as a cross-reference for cybersecurity, fraud, and law enforcement teams – is among the the ways forward. (One inspiration: the MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques used by the security industry to share insight.)
In an interview in BAE Systems Applied Intelligence’s London offices, he told Computer Business Review: “Fraud teams are typically bent on trying to control economic losses; law enforcement are trying to prosecute; security teams only able to look at the initial breach and not necessarily able to gain further behaviour patterns from a bank’s data.”
“Joining up the intelligence part of the fraud-security jigsaw is easier than joining up the technical side. [And] industry is on the back foot, with the financial services sector understandably often quite reluctant to get involved beyond what their fraud teams are doing, which is asking: ‘Has there been a fraud? Are we paying for that? Is the customer paying?'”
The Intelligence Network: Who’s Involved?
The Intelligence Network names a nine-strong steering committee that includes Microsoft UK’s Chief Security Adviser, Sian John; the CBI’s Head of Digital Policy, Roxanne Morison; Trafigura’s CISO Mark Swift; and cyber security accelerator and seed investment programme CyLon’s co-founder Jonathan Luff.
It is currently bankrolled by BAE Systems, with other supporters dedicating time and resource including the CBI, Microsoft, F-Secure, Secure Chorus, Nominet and more.
So what’s the plan, exactly? In a report published late last week, the network names 22 proposed actions around four key themes. These will be honed into an action plan during ongoing consultation with other members, with the network forming working groups to deliver the outcomes they settle on in the coming months.
It sounds diffuse and at the risk of turning into another industry talking shop, but Hatch thinks it will prove a genuinely effective way to get the private sector collaborating and thinking outside of the box when it comes to tackling cyber fraud; and efforts over the past 12 months by the steering committee have narrowed focus substantially.
The Cyber to Fraud Gap
There are four crucial areas of change that these 1,500 partners have agreed on.
1) The issue of endemic attacks and challenge of baking in security to non-technical roles (putting it on a par with user experience for businesses).
2) The need to stop operating in fraud/law enforcement/cybersecurity silos. As the Intelligence Network sees it, there is scope to develop an industry-wide cyber fraud intelligence model. This would capture and share information from fraud attempts, including failed attempts, and develop closer links between existing fraud, security, and financial crime intelligence-sharing platforms, reducing barriers to collective action.
3) Tackling the cyber-fraud gap by reaching “back down the chain” to investigate tactics and understand the information fraudsters are using. The Network’s report also makes an explicit call for greater transnational private sector collaboration in the face of essentially failed attempts by geographically constrained law enforcement.
“We need to shift from the geographically-based policing of fraud to a state where enforcement is built into the transnational technology platforms and payment systems run by the private sector” the report notes. “The current legal, regulatory, ethical and enforcement framework surrounding cyber fraud simply does not work.”
4) Addressing social engineering is the Network’s fourth theme. This is among the issues the steering committee believes to be a long-game that deserves tackling through increased innovation, so that opportunities to establish false trust are reduced. This might mean not just end-users having to prove who they are, but enterprises having to prove to customers who they are….
As James Hatch puts it: “So much authentification of individuals at the moment is still based on what they know: secret questions, passwords, mother’s maiden name, date of birth… finding out your date of birth and mother’s maiden name is trivially easy.”
Industry Needs to Be Less Self-Serving
As Hatch notes: “Financial institutions have a got a lot of data, but not much in the way of legal power and they don’t have a very strong incentive to deal with the problem. The victims have a lot of incentive but they have hardly any information.”
“If you’re an organisation that’s been subject to a cyber attack and information has been stolen that might be used for cyber fraud, then you’ve got a strong incentive to control that incident, but you haven’t got a strong business case to take measures that would stop that information being re-used for fraud.”
“And if you’re law enforcement, you’re sitting there with all the legal powers in the world, but without the visibility into what’s going on and often without the technical skills to deal with a lot of what’s going on in the investigation. We’re seeing banks taking a bit of cyber data and feeding it into the fraud system. but that’s still tackling a narrow problem. We need, as an industry, to start following the long-term threads: ‘who was carrying out this attack? etc.’ It needs a broader mindset around the investigation.”
With a heavyweight group of participants, the Intelligence Network appears to have real potential. Whether it can turn draft actions for exploration into something that has real impact on on such an entrenched problem will depend on how much engagement from its large community it can secure. As Hatch acknowledges however: “These are pieces of a jigsaw there that need to be put together. This is a not a project for a matter of weeks, or months, but probably years.”