Cough up now

What you are about to read was out of date the moment it was written.

The rate at which virus attacks are hitting our computers has accelerated so rapidly since the beginning of 2004 that they are now an uncontrollable epidemic moving faster than the experts can reckon.

The numbers are staggering. According to digital risk specialists mi2g, the global economic damage caused by MyDoom ‘malware’ (the term is used to describe a range of cybernasties that behave in a variety of malevolent ways) is reckoned to have cost businesses between $74bn and $94bn – so far. It heads the all-time world rankings, followed by Sobig (between $33bn and $41bn of economic damage) and then Netsky, which has done most of its damage of between $28bn and $34bn very recently.

Already 2004 is the worst year by far for virus attacks, but what does this mean for UK plc? First, what is meant by economic damage? Mi2g arrives at its numbers with reference to the cost of “helpdesk support, overtime payments, contingency outsourcing, loss of business, bandwidth clogging, productivity erosion, management time reallocation, cost of recovery and software upgrades. It is too early,” they say, “to calculate intellectual property rights violations or customer and supplier liability costs.” Nor is it the case that most of the costs associated with virus attacks are likely to be felt in the US. MyDoom, which sprung up at the beginning of 2004, has affected more than 215 countries and the economic damage borne by the UK falls only fractionally behind the US.

A key characteristic of a virus is that once inside a computer it self-replicates and causes damage. The most recent malware, however, behaves quite differently. So-called “trojans” or “worms” bring with them independent pieces of software, enslaving the computer for their own purposes or sending out multiple emails to people in the user’s contact list. These distinctions are important because they point to the root of why malware is becoming a grown-up industry rather than a geekish hobby.

Take the case of MyDoom and the Bagle malware families. The purpose of these is to create slave or zombie computers which then act as proxies for spam campaigns. These campaigns will then aim to extract money from the recipient through various scams.

Such spam may also be used for so-called ‘phishing’ scams. These will attract the recipients to spoof or phoney websites purporting to be those of well-known financial institutions and invite them to input confidential data. This data is then used to extract cash from bank accounts. In the 12 months to 20 February this year, six UK banks, including HSBC, Lloyds TSB, Barclays and NatWest, were reported to have been targeted by phishing scams. The exact amount of their losses is not known, but estimates are as high as £30m.

The initial findings of the Department of Trade and Industry’s biennial Information Security Breaches Survey showed that in 2003 “… around half of all businesses in Britain suffered from virus infection or denial of services attacks …” This information has already been eclipsed by events so far this year and one questions the use of a biennial survey in a field that is changing daily, if not by the minute. In a separate survey among a range of more than 200 UK companies of various sizes, the National Hi-Tech Crime Unit found that 83% experienced hi-tech crime in some degree during 2003, most through virus attacks.

The conclusions drawn from these numbers are several-fold, including:

– All UK businesses are potentially vulnerable to malware attacks.

– Malware attacks are increasing at a rapid pace.

– Despite the claims of software vendors, no antivirus software (which most businesses now install) is foolproof against all attacks.

– Statistics show that the global and local UK economic damage caused by malware is huge but that there is no effective, concerted effort by government to prevent it.

Meanwhile, Home Office minister Caroline Flint has said that the government is planning amendments to the Computer Misuse Act. However, despite the magnitude and urgency of this live and increasing business issue, these legislative changes will only be made “as soon as parliamentary time allows”.

One wonders if the government is living on the same planet as business and the cyber criminals. For now, lack of effective deterrents leave businesses open to malware attacks. That is the state of play as we go to press, and that is unlikely to have changed by the time this issue lands on your desk.