Criminals are turning to the internet as a "lower risk" way of carrying out theft or other attacks, according to a panel discussion at Infosecurity Europe 2013.
Although the range of attacks, and their motivation, has increased over the last few years, with state-sponsored cyber espionage efforts and cyber attacks, as well as hacktivism, the majority of attacks against businesses and individuals continue to focus on theft. But the prevalence of cybercrime is such that it is now being viewed as a national problem, both in the UK and the US.
"Cyber is fast emerging as the next threat and could surpass counter terrorism; it has reached the level of a national security threat," said Scott Cruse, London legal attaché of the US' Federal Bureau of Investigation.
This has prompted the agency both to employ more computer scientists, but also to train its agents to deal with cybercrime and cyber attacks. Cybercrime is now becoming a mainstream part of policing, agreed Detective Superintendent Charlie McMurdie, of the Metropolitan Police.
That change in priorities is also being driven by the way that even relatively small cyber attacks can have far reaching consquences. As the journalist and broadcaster Misha Glenny noted, the recent hack on Associated Press Twitter accounts caused dramatic, although brief, falls in share prices on US markets. "We need to look at security in different ways: the threat is very plastic," he said.
But there is also a danger in focusing just on the largest, most devastating attacks, or potential attacks. "A lot of the emphasis is on the high end of cyberwarfare and security, the 'sky will fall on your head' scenario," said Glenny. "You have to look at the issue in its totality."
This was echoed by Arnie Bates, head of information security at Scotia Gas Networks. "It is not always helpful to think about the biggest threats. It is not one threat but multiple threats; that's why you have to think about defence in depth, and layers and layers of security."
"Threat is the likelihood times the impact," said McMurdie. "If you run a business, an attack might cause you to go bust, but what is the likelihood of being victim of a state-sponsored attack, or of your data being stolen? That will inform your threat picture, and the most appropriate response," she said.
But organizations also need to deal with a different set of motivations, which in turn drives the type of attack, and its likely impact.
At the UK Ministry of Defence, head of information security Adrian Price pointed out that attacks are focused on either disrupting public facing parts of the ministry's web presence, for example as a protest against the UK's involvement in theatres such as Afghanistan, or at stealing operational data that could put service personnel at risk. "From my perspective, the greatest threats are state sponsored, terrorists, or hacktivists," he said.
But in other areas, the internet is allowing criminals to shift their attentions from riskier crimes in the physical world, to online activity. The anonymity of the internet may even be encouraging people who might not consider offline offenses to dabble in criminal activity.
"The internet is alienating, you don't feel responsible for what you are doing," said Misha Glenny.
"People usually either carry out cyber attacks for financial motives, or because they can," said McMurdie. "A cybercriminal can be anyone who wants to be, with off the shelf tools," warned Bates, "and they are often still using techniques that have been around for many years.