A new report commissioned by the British government has concluded that the direct cost to citizens of online crime is far exceeded by the sums of money being spent on measures to counter it.
Having determined to tighten controls on the Internet, the British government is now turning its attention to cybercrime – criminality occurring online. That task is not without its difficulties, chief among them assessing the true cost of cybercrime. The few studies that have been carried out on the subject have so far produced more questions than answers. The latest, conducted by the IT firm Detica (part of the BAE Systems global security company, a major beneficiary of British government contracts), puts that cost at around €33.5 billion a year; €3.75 billion to individuals, about the same to the State, and €26 billion to businesses.
The British Ministry of Defence commissioned Ross Anderson, security engineering expert and professor at the University of Cambridge, to quantify the actual cost of crimes committed online. He was assisted by seven other academic specialists, and their findings have now been published in a 30-page report.
In a blog post announcing the report, Anderson signalled his intention to “demystify” cybercrime. The experts assert that “traditional” fraud – such as falsifying tax records or gaming welfare payments – increasingly occurs by means of computers. Considerable sums of money are involved, but the cost to ordinary citizens in guarding against this type of fraud remains reasonable.
When it comes to other types of online fraud, however, the inverse is true. With phishing, spam or malware, all dangers specific to the Internet, the direct cost of the crime is relatively low. Much lower, in any case, than the indirect expense incurred by efforts to counter this type of crime. These efforts include securing networks and computers, virus detection software and risk prevention measures. According to the report, the massive investment in these expensive tools, which has occurred in parallel with expanded population surveillance policies, is a matter of regret. The report’s advice: give the police the means to deal directly with the offenders plaguing the online world.
The idea is to put into practice the dream of any self-respecting intelligence agency: a tool for the widespread and permanent monitoring of all telephone and electronic communications of a population.
This initiative is a continuation of policies pursued by the coalition government in Britain for over a year. In 2011, a cybersecurity investment plan was launched, allocating some €810 million until 2015. Most of the money has been earmarked for the Government Communications Headquarters (GCHQ), one of three British intelligence agencies, with the stated objective of “protecting and promoting the UK in a digital world.”
According to researchers, the distribution of funds is deeply misguided. Favouring the GCHQ at the expense of the police offers no significant advantage in the fight against cybercrime.
The number of phishing websites, of distinct attackers and of different types of malware is persistently over-reported, leading some police forces to believe that the problem is too large and diffuse for them to tackle, when in fact a small number of gangs lie behind many incidents and a police response against them could be far more effective than telling the public to fit anti-phishing toolbars or purchase antivirus software.
A more targeted response is the solution put forward by the group of academics. Concluding his blog post, Anderson prioritises taking action at the source and advocates avoiding overvalued prevention tools.
Rather than giving most of its cybersecurity budget to GCHQ, the government should improve the police’s cybercrime and forensics capabilities, and back this up with stronger consumer protection.
Unsurprisingly, this conclusion has not sat well with companies that make a living marketing specialised security software. Typically, statistics on cybercrime are provided by private sector companies, such as Symantec, which sells the Norton antivirus system. As can be seen below in the screenshot from a Norton presentation on cybercrime, the figures seem excessive, if not fictional.
Strengthening Internet security remains a big problem for the British government, as the report underlines.
Ranking all 27 EU countries by online users’ concerns, the UK ranks sixth for virus infections, fourth for spam, and second behind Latvia for the three remaining threats: personal data abuse and privacy violation; financial losses caused by phishing and pharming; and financial losses due to fraudulent payment card use… (The UK ranks) first for payment card fraud, which affected 5% of the UK’s online population.
In the light of these figures, the fight against cybercrime has plenty of miles left to run yet.
Online attacks are becoming an increasingly important aspect of many global conflicts. To slow down Iran’s nuclear progress, the US has launched cyber-attacks on computer systems responsible for managing uranium enrichment programs.
Barack Obama is carrying on the policies of his predecessor George W. Bush, a fact which troubles many in the US and beyond. The executive director of the Bulletin of the Atomic Scientists made clear some of her fears in a recent article. Kennette Benedict fears that cyber weapons are becoming the nuclear weapons of the 21st century.
We have come to know how nuclear weapons can destroy societies and human civilisation. We have not yet begun to understand how cyberwarfare might destroy our way of life. We do know, however, that the United States has much to lose from unrestrained cyberattack capabilities that might be spread around the world. In fact, the United States is so highly dependent on information and communications technology in every sector of society that it may be more vulnerable to attack than other countries. That’s why we need vigorous public discussion about this new class of weaponry.
In their continuing fight against cybercrime, governments might do well to take precautions. To go from victim to culprit, all it can take is one click.