Britain is spending far too much on security software and not enough on law enforcement in the war on cybercrime, Cambridge University security researcher Ross Anderson has told CSO.com.au.
Nine researchers, including Anderson, fellow Cambridge University researcher Richard Clayton and US researcher Tyler Moore, argue in a new paper “Measuring the cost of Cybercrime” that the war against cybercrime would more effectively be waged through law enforcement than increased expenditure on software and deals with the cyber divisions of defence contractors like BAE Systems and Lockheed Martin.
The research paper is a feisty response to a widely criticised report published last year on the cost of cybercrime, co-authored by the UK Cabinet Office (CO) and BAE Systems’ security division Detica, which urged business to spend more on security to combat threats to intellectual property.
“Our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response—that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail,” the researchers argue in a paper to be presented at a workshop on the economics of cybercrime, in Berlin, later this month.
The basic thrust of the paper is that incorrectly framed costs of cybercrime misguide public policy and private sector investments.
Its release is set against the backdrop of intensifying efforts by governments to develop offensive cyber capabilities like Stuxnet, and a slowdown of defence-based contracts as western nations withdraw from Iraq and Afghanistan.
“The big arms companies see Iraq as over, Afghanistan as winding down, and few more orders for big platforms like aircraft carriers. They hope that cyber will be the next bonanza, so they are cranking up the fear, uncertainty and doubt,” said Anderson, who was this week in the US briefing the White House's cyber security team.
“Governments are told that other governments are developing cyber weapons but they don't know what; it all leads to a febrile atmosphere in which the decisions are being made by people who are basically clueless. That may be great for the vendors but it's bad news for the rest of us.”
While cyber war capabilities are being ramped up, investment in actual cyber ‘crime’ fighting capabilities for law enforcement remains paltry by the researchers’ count.
They show that each year the UK spends over US$1 billion on efforts that ‘anticipate’ a threat, made up of $170 million on antivirus, $50 million on patching, $500 million on users remediating infections, and $500 million for business’ ‘defence costs’ such as system administration.
By contrast the UK spends just $15 million a year on the response mechanism—law enforcement’s capability to fight cybercrime.
“The way forward is to see computer misuse as crime, which almost all of it is. Get the police to take down the big criminal botnets and crack down on the big scams,” Anderson explained.
“Then what's left will be the government stuff, which will be much more in plain sight. That will make unwitting escalation less likely and will also make it more difficult for states to launch attacks that escape attribution,” he added.
Cyber fraud, such as fake antivirus and black market pharmaceuticals, is driven by a few main spam and botnet actors that would earn “a couple of dollars per citizen per year”—a direct cost to citizens in the researchers’ framework.
The average ‘indirect’ and ‘defence’ cost to consumers and business, on the other hand, would amount to “ten times” that, the researchers argue.
The Detica-CO report estimates the cost of cybercrime to the UK was a staggering £27 billion—roughly 1.8 per cent of the nation’s GDP. The report recommended businesses assess their defensive technologies and take “urgent measures to prevent the haemorrhaging of valuable intellectual property”.
According to Anderson, the report and its recommendations were a joke. The “Detica sales brochure”, however, had the good fortune for BAE Systems of being “badged” by the Cabinet Office.
“People rolled on the floor laughing, and this sufficiently disturbed Mark Welland [then chief scientist for the Ministry of Defence] that he asked us to do a proper job. So we did,” said Anderson.
“You can get a lot more from a few million more spent on the FBI or the Metropolitan police than on hundreds of millions spent on firms like Detica,” he added.
The Detica-CO report, for example, estimates the cost of IP theft at just over £9 billion a year and espionage at over £7 billion a year. IP theft in the pharmaceutical industry alone was estimated at over £1.7 billion (US$2.6 billion).
By Anderson and Co’s estimates, the actual ‘direct cost’ to the UK pharmaceutical sector is just US$14 million. This figure was based on an analysis of leaked documents from SpamIt, one of the world’s largest pharmaceutical spam operations, which collapsed last year. The researchers estimate the global cost to the industry at US$288 million.
Spreading costs that should be limited to an individual sector may not only unfairly burden society, but also encourage a misallocation of public resources and a failure to leverage enforcement tools that are available to governments, according to Anderson.
“If most spam is being sent by six big gangs who only use three banks, why should the world spend billions on spam filtering?” asked Anderson.
“The WikiLeaks incident showed that the US government can persuade Visa and Mastercard pretty quickly to blacklist any payment flows it really doesn't like, so the police aren't the only enforcement lever available; bank regulators could also play a role.”