Our paper Measuring the Cost of Cybercrime sets out to debunk the scaremongering around online crime that governments and defence contractors are using to justify everything from increased surveillance to preparations for cyberwar. It will appear at the Workshop on the Economics of Information Security later this month. There’s also some press coverage.
Last year the Cabinet Office published a report by Detica claiming that cybercrime cost the UK £27bn a year. This was greeted with derision, whereupon the Ministry of Defence’s chief scientific adviser, Mark Welland, asked us whether we could come up with some more defensible numbers.
We assembled a team of experts and collated what’s known. We came up with a number of interesting conclusions. For example, we compared the direct costs of cybercrimes (the amount stolen) with the indirect costs (costs in anticipation, such as countermeasures, and costs in consequence, such as paying compensation). With traditional crimes that are now classed as “cyber” because they’re done online, such as welfare fraud, the indirect costs are much less than the direct ones; while for “pure” cybercrimes that didn’t exist before (such as fake antivirus software) the indirect costs are much greater. As a striking example, the botnet behind a third of the spam in 2010 earned its owner about $2.7m, while the worldwide costs of fighting spam were around $1bn.
Some of the reasons for this are already well-known; traditional crimes tend to be local, while the more modern cybercrimes tend to be global and have strong externalities. As for what should be done, our research suggests we should perhaps spend less on technical countermeasures and more on locking up the bad guys. Rather than giving most of its cybersecurity budget to GCHQ, the government should improve the police’s cybercrime and forensics capabilities, and back this up with stronger consumer protection.
I wonder why the author considers reactionary defence to be the way to manage cybercrime and cyber-espionage. How much do the researchers know, or estimate, about the amount of secret governmental and industry activity beyond the defence? We still do not know enough to capture lots of malware that may be sleeping, or trojan malware that nobody knows about, either. It is a fact that nation-state sponsored cyber-criminals are getting lots of benefit by stealing various valuable information from other countries, taking advantage of others’ sweat without much expense and effort.
Therefore, the academic community and pure researchers should concentrate on more proactive defence or counter-measure methodologies, in which cyber-attackers will be afraid of counter-offence, to deter any kind of attack, since there is no global standard definition of what a cyber-attack, cyber-criminal, etc. are, and since there is no agreement on guessing statistical figures without any way of validating them. There is no international standard definition or law that every government agrees with in the cyber security area yet. Am I wrong?
By calling “reactionary”, you’re missing the point. Because the attacks are global and highly reproducible, reacting well to one incident (or arresting one bad guy/group) can proactively benefit many, many others.
Where to spend money? In a PreDeCo model, Prevention is the best, but considering other parameters (possibility of occurrence, effect, etc.) sometimes Corrective actions are enough.
My opinion is that ‘cyber’ is too large, but considering just the critical infrastructures, the cost of defence may be better counted and positioned. Anyway, I would spend a lot of money on education, because educated users are the most valuable ones when you want to defend sg., and having educated users means you have many volunteers also…
The paper has now appeared at WEIS 2012; it also got coverage in the Mail, PC World, Computer World UK, Computer Weekly and the BBC.
Another piece today in The Economist, which also has a poll on whether the hyperconnected world is a more secure place.
Michael Levi has written a nice summary of the paper.
Eurobarometer has released a special report on cybersecurity based on survey data collected this March. It’s got numbers by member state for a wide variety of indicators of internet use, confidence, and fear of various types of cyber-crime.
Propublica has a good article on the history of the exaggerated claims from McAfee.
The UK government is still relying on the discredited Detica report when making policy, as can be seen from the evidence given by the Home Office and SOCA to the Home Affairs Select Committee inquiry into e-crime. They reveal plans to create a National Cyber Crime Unit (NCCU) when the SOCA is rebranded as the National Crime Agency next year.
Ross, totally agree with your research indicating the 27 billion pound figure is an extrapolation of extrapolated numbers. This may work when considering climate change, or the anticipated number of cicadas every 17 years, but not in a dynamic, constantly changing environment such as losses due to ‘cyber’. More telling is the complete lack of discussion about a) ICANN failing to require true names and addresses for domain name registrants (yes, I know ICANN is a policy making entity and not a regulator), lack of bilateral MLATs (Mutual Legal Assistance Treaties), or use of Letters Rogatory; and ever more striking is the disparity between how extraditions are addressed when requested between ‘friendly’ countries.
One final thought (pretty random) is that banks must stop agreeing to pay for customer losses when the loss is clearly the fault of the customer – the end result is that customers do NOT feel they have any obligation whatsoever to keep their PINs or one time passcodes secure because ‘the bank will make me whole’. WE (collectively – commerce, gov’t policies, etc.) make it too easy for the miscreant to do whatever s/he, they, are bent on doing. Thanks for continuing to do what you do best, Ross – and that is to question the status quo. Ed Gibson (FBI retired)