Governments Should Invest More in Catching Cybercriminals, Researchers Say
Investing in law enforcement action against cybercriminals is more important than buying cybersecurity software, researchers say
Mon, June 18, 2012
Improving the ability of law enforcement agencies to catch cybercriminals should be a priority when governments decide how their cybersecurity budgets get spent, according to University of Cambridge security engineering professor Ross Anderson.
Anderson is one of seven computer researchers from the U.K., Germany, the Netherlands and the U.S. who recently performed an analysis of the costs of cybercrime at the request of the U.K. Ministry of Defence. Their findings were published in a research paper that will be presented on June 26 at the 11th Annual Workshop on the Economics of Information Security in Berlin.
The researchers split the costs of computer crimes into direct losses, indirect losses and costs associated with defending against those crimes in the future.
The defense costs stem from acquiring cybersecurity software like antivirus and firewall programs, offering fraud prevention services to consumers, implementing fraud detection systems and performing law enforcement investigations.
The study found that for more traditional crimes like tax and welfare fraud, which are increasingly performed with the help of computers, the defense costs are much lower than the amounts being stolen, which makes sense from an investment perspective.
However, for Internet-based crimes like hacking, denial of service attacks, online scams, phishing, spam and others, the defense costs are many times higher than the actual losses.
Anderson gave the example of a cybercriminal gang that ran a botnet responsible for a third of the world's spam traffic in 2010. It's estimated that this gang made less than US$3 million from their spam operation and yet, the worldwide cost of stopping spam was estimated at around $1 billion, he said.
There are multiple reasons for this discrepancy, but one of them has to do with the lack of law enforcement action against cybercriminals, the researchers said in their paper. "The straightforward conclusion to draw on the basis of the comparative figures collected in this study is that we should perhaps spend less in anticipation of computer crime (on antivirus, firewalls etc.) but we should certainly spend an awful lot more on catching and punishing the perpetrators."
"A lot of Internet crimes are perpetrated by only a small number of gangs," Anderson said. Current methods of dealing with cybercrime are inefficient, Anderson said, adding, "I think it's because many policemen think it's too hard."
The fact that many of these gangs are located in countries where cybercrime legislation is lacking or not strongly enforced should not necessarily be an impediment for law enforcement action, Anderson said. "There have been some gangs from Russia and the Ukraine who have been arrested after pressure from the British government."