Spend more on cops, less on antivirus, say researchers

Who should bear the cost of cybercrime?

Britain is spending far too much on security software and not enough on law enforcement in the war on cybercrime, Cambridge University security researcher Ross Anderson has told CSO.com.au.

Nine researchers, including Anderson, fellow Cambridge University researcher Richard Clayton and US researcher Tyler Moore, argue in a new paper “Measuring the cost of Cybercrime” that the war against cybercrime would more effectively be waged through law enforcement than increased expenditure on software and deals with the cyber divisions of defence contractors like BAE Systems and Lockheed Martin.

The research paper is a feisty response to a widely criticised report last year on the cost of cybercrime, co-authored by the Cabinet Office (CO) of the UK and BAE Systems’ security division Detica, that urged business to spend more on security to combat threats to intellectual property.

“Our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response—that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail,” the researchers argue in a paper to be presented at a workshop on the economics of cybercrime, in Berlin, later this month.

The basic thrust of the paper is that incorrectly framed costs of cybercrime misguide public policy and private sector investments.

Its release is set against the backdrop of intensifying efforts by governments to develop offensive cyber capabilities like Stuxnet, and a slowdown of defence-based contracts as western nations withdraw from Iraq and Afghanistan.

“The big arms companies see Iraq as over, Afghanistan as winding down, and few more orders for big platforms like aircraft carriers. They hope that cyber will be the next bonanza, so they are cranking up the fear, uncertainty and doubt,” said Anderson, who was this week in the US briefing the White House's cyber security team.

“Governments are told that other governments are developing cyber weapons but they don't know what; it all leads to a febrile atmosphere in which the decisions are being made by people who are basically clueless. That may be great for the vendors but it's bad news for the rest of us.”

While cyber war capabilities are being ramped up, investment in actual cyber ‘crime’ fighting capabilities for law enforcement remains paltry by the researchers’ count.

They show that each year the UK spends over US$1 billion on efforts that ‘anticipate’ a threat, made up of $170 million on antivirus, $50 million on patching, $500 million on users remediating infections, and $500 million for business’ ‘defence costs’ such as system administration.

By contrast the UK spends just $15 million a year on the response mechanism—law enforcement’s capability to fight cybercrime.

“The way forward is to see computer misuse as crime, which almost all of it is. Get the police to take down the big criminal botnets and crack down on the big scams,” Anderson explained.

“Then what's left will be the government stuff, which will be much more in plain sight. That will make unwitting escalation less likely and will also make it more difficult for states to launch attacks that escape attribution,” he added.

Cyber fraud, such as fake antivirus and black market pharmaceuticals, is driven by a few main spam and botnet actors that would earn “a couple of dollars per citizen per year”—a direct cost to citizens in the researchers’ framework.

The average ‘indirect’ and ‘defence’ cost to consumers and business, on the other hand, would amount to “ten times” that, the researchers argue.

The Detica-CO report estimates the cost of cybercrime to the UK was a staggering £27 billion—roughly 1.8 per cent of the nation’s GDP. The report recommended businesses assess their defensive technologies and take “urgent measures to prevent the haemorrhaging of valuable intellectual property”.

According to Anderson, the report and its recommendations were a joke. The “Detica sales brochure”, however, had the good fortune for BAE Systems of being “badged” by the Cabinet Office.

“People rolled on the floor laughing, and this sufficiently disturbed Mark Welland [then chief scientist for the Ministry of Defence] that he asked us to do a proper job. So we did,” said Anderson.

“You can get a lot more from a few million more spent on the FBI or the Metropolitan police than on hundreds of millions spent on firms like Detica,” he added.

The Detica-CO report, for example, estimates the cost of IP theft at just over £9 billion a year and espionage at over £7 billion a year. IP theft in the pharmaceutical industry alone was estimated at over £1.7 billion (US$2.6 billion).

By Anderson and Co’s estimates, the actual ‘direct cost’ to the UK pharmaceutical sector is just US$14 million. This figure was based on an analysis of leaked documents from one of the world's largest pharmaceutical spam operations, SpamIt, which collapsed last year. The researchers estimate the global cost to the industry at US$288 million.

Spreading costs that should be limited to an individual sector may not only unfairly burden society, but also encourage a misallocation of public resources and a failure to leverage enforcement tools that are available to governments, according to Anderson.

“If most spam is being sent by six big gangs who only use three banks, why should the world spend billions on spam filtering?” asked Anderson.

“The WikiLeaks incident showed that the US government can persuade Visa and Mastercard pretty quickly to blacklist any payment flows it really doesn't like, so the police aren't the only enforcement lever available; bank regulators could also play a role.”
