Tech boffins: Spend gov money on catching cyber crooks, not on AV

The UK government should be spending more on catching cybercriminals instead of splurging taxpayers' money on antivirus software, tech boffins have said. Blighty goes through around £639m a year trying to clean up after attacks or prevent threats – including £108m it spends on antivirus – but the country is only spending £9.6m …

COMMENTS

This topic is closed for new posts.
  1. Buzzword

    The long arm of the law doesn't reach that far

    The UK's cyber-cops can't raid crims in the Ukraine, Nigeria, or China; so defence remains a better option than attack.

    1. pixl97

      Re: The long arm of the law doesn't reach that far

      Yet the local government should spend some time making sure that the attacks aren't local, or from a place that will prosecute the attackers. To not investigate criminals because they could be in another country will teach the local scurvy rats that they can mask the source of their attacks out of state and have little fear of reprisal.

      1. Tom 35

        Re: The long arm of the law doesn't reach that far

        The "scurvy rats" already know that. They target their attack by country to avoid hitting someone who can hit them back, or even outsource to another country like the fake AV call centres in India.

        Or are you going to call in a drone strike?

        Sure there are some locals you can go after but that's just the dumb ones and never going to have a significant effect.

  2. asbokid
    FAIL

    AV = AntiVirus, not Alternative Vote

    And there was me thinking the LibDems were making a media comeback.

  3. John A Blackley

    How about

    Outlawing all Adobe and Microsoft software as a method of reducing cyber attacks?

    1. Christian Berger

      Re: How about

      Seriously if you extend that list a bit to include PHP and C(++) and fire everyone suggesting to switch to ASP and C# we'd be in a much better position. Most of the problems would be solved then.

  4. wowfood

    Perhaps

    they wouldn't need to spend so much buying all these AV / Firewalls if they actually installed them right in the first place.

    I can't help but think they're buying this stuff, and then setting it up in such a way that it isn't effective. I mean I only have a free AV and no firewall, I visit some fairly dodgy sites on occasion, and yet I have 0 viruses and some tracking cookies.

    Meanwhile my stepdad who has a paid for AV, a firewall, doesn't visit dodgy sites (apparently) seems to get a new virus every couple months. It's a bit silly when you think about it.

    1. AdamWill
      FAIL

      Re: Perhaps

      "I mean I only have a free AV and no firewall, I visit some fairly dodgy sites on occasion, and yet I have 0 viruses and some tracking cookies."

      How do you know?

      Because your free AV tells you so.

      Your homework is to spot the flaw in your logic.

    2. Framitz
      Devil

      Re: Perhaps

      Perhaps your computer is OWNED, how would you know?

  5. Anonymous Coward

    FFS, wake up.

    The current reactive, tactical approach is NEVER going to actually address the problems. Especially anti-virus is a good example of a tourniquet after the leg has been ripped off - it would be better to improve the fundamentals that cause the problem.

    Maybe I'm just too old for IT - I can remember when you installed an OS that was in itself stable, and patches were an *exception*. Nowadays you install a code base that doesn't even fit on a single DVD anymore, and over the life of the product you basically install enough patches to replace the OS several times over - try missing a day's worth of Internet connectivity and see just how many alert flags show up. Not that such eternal patching does any good at all - you still need a plaster called "anti-virus" over it all to be sure.

    The good news is, of course, that a tactical-only, process based approach provides *perfect* CYA for the people involved. Directors have approved spend, managers have imposed process and technical people get to play with standard toys, effectively turning qualified security people into administrators with a better salary. That a more strategic approach would lead to less of a need to have CYA in place seems to be an issue that is gladly overlooked - let's not disturb a thriving market, after all. Sure, you need the tactical level, but if you restrict security work to that you will always fight at the bad end of an arms race - one mistake away from disaster.

    I've been involved in turning the tables - not vigilante nonsense, but understanding the motive of assailants and acting on that. Not only is this more interesting (but less technical), it is also FAR more capital efficient. But it needs intelligent people with lateral thinking skills and more than just technical knowledge, and for that there is as yet no valid qualification (translated: the people you need will get filtered out by HR, which is also not a novel observation).

  6. Christian Berger

    Get minimal security standards

    Just like cars need to have seatbelts and buildings need to be structurally safe, we should have minimal standards for computer security. Companies with a bad security track record should for example be banned from getting public orders.

    Or we could try to enforce that certain aspects are proven in the code. For example that array boundaries are checked. This is trivial in many programming languages, but solves a lot of the current security problems.

    Today we let every idiot program security critical software. If we had security standards which are easy to fulfill unless you are an idiot, we'd finally have a "not made by total idiots" stamp for software.

  7. Will Godfrey Silver badge
    Unhappy

    It's all down to evolution you know. As soon as they start to catch the buggers, natural selection will produce a smarter crim. At the same time, the more you cover people's arses and keep them away from the sharp knives, the more you'll breed a better class of idiot.

    1. Christian Berger

      Not really

      At the moment many systems are so badly designed they break by accident. If people would move forward and ditch the worst systems, criminals would have to be a lot smarter than they can possibly be.

      Eventually opening a bank will be simpler than writing a banking trojan.

      You don't need to outrun the wolves, you only need to outrun your peers.

  8. csaenemy
    Linux

    Maybe I'm just lucky

    I've not used an anti virus, or firewall for the past three years and had no problems. Probably helps that I use Linux and don't download anything stupid.

  9. Don Jefe
    Meh

    Slimey Problem

    Patches and security would be nothing more than an inconvenience if commercial operations weren't gradually pushing everyone to do everything online. Requiring people to input sensitive information on their computers is the root of the problem.

    I'm actually OK with that. What I'm not OK with is the fact 'they' promised us using online services would make everything less expensive. The reality is that doing the bulk of my business online has pushed up the cost of everything (to pay for their shiny electronics and IT staff) and has put my very existence, or at least credit rating, at risk. What's the point? Why not just use my computer to create some databases, do some email, examine products, and surf some porn. I'm beginning to doubt the long term validity of online. I certainly doubt the security.

    That's my little rant. Sorry...

  10. Anonymous Coward

    Oh really?

    So that'd be like everyone not buying locks for their doors and giving the money they saved to the police who'd use it to stop all break-ins by arresting every criminal.

    See title.

    1. daveeff
      Unhappy

      Re: Oh really?

      I would not be happy buying new locks every year because the police / locksmiths kept letting the crims find the pass key...

      It's not just the money I object to, my m/c runs like a slug which I'm blaming (on no real evidence) on all the AV checking that goes on. As for the McAfee crap on my work PC, I don't have time to list all the woes it has caused me.

      It would be interesting to do a carbon footprint on the energy expended on AV processes, h/w upgrades required, ...

  11. Boris the Cockroach Silver badge
    Flame

    Perhaps

    suitable punishments for the crims caught here instead of 200 hr community service because he had a difficult childhood.

    Since cyber crime is super national now, how about 5 yrs in a Nigerian prison?.. or just handing him over to the yanks for that special Cuban holiday

    Either sounds better than what I'd do to the little virus writing scumbags though..

    They wouldn't be able to use a keyboard afterwards....... or pick their nose

    Boris

    101 uses of a 3/4" ring spanner ...

    1. Christian Berger

      Re: Perhaps

      Actually, depending on the insecurity of the system, I'd personally opt for 5 years for the programmer. It's a crime that there is still new code being written you can inject SQL code into.

      We need to stop using code written by complete idiots. That's the problem.

  12. unhappy bunny

    Arresting the cybercriminals

    You can only arrest a cyber criminal if he is operating from a country where:

    Cybercrime is illegal, and in some places it isn't

    The local criminal justice organisations are willing to help you

    You have appropriate legal agreements in place

    The criminals haven't corrupted local law enforcement or come to a tacit agreement with law enforcement and the state in return for 'services rendered' to help the state from time to time.

    It's no coincidence that much cybercrime originates from places where the criminals are pretty much immune from arrest and prosecution. Bullet-proof web hosting is one such example.

    Nice idea, but only 6 out of 10 for grasp of the facts.

  13. Christian Berger

    Economics of Information Security????

    WTF????

    I'm sorry, but good code isn't more expensive than bad code, and even if it was, programmers are dirt cheap. Why don't they just simply try to avoid the largest pitfalls? For example if a company avoids using PHP and C(++) a lot of the security problems they would otherwise have simply disappear. At no extra cost.

    Security, at least up to a point, doesn't cost anything. And even beyond that it's so little that the cost of those people travelling to Berlin could have made a serious difference. Security research is not like cancer research. You don't need expensive lab equipment and mass tests, all you need is some scientists, a room and a computer.

  14. Benjamin 4

    Anti phishing toolbar?

    Or just some common sense - is this address actually the website (is it paypal.com or p@ypal.ru etc).
