Improving the ability of law enforcement agencies to catch cybercriminals should be a priority when governments decide how their cybersecurity budgets get spent, according to University of Cambridge security engineering professor Ross Anderson.
Anderson is one of seven computer researchers from the UK, Germany, the Netherlands and the US who recently performed an analysis of the costs of cybercrime at the request of the UK Ministry of Defence. Their findings were published in a research paper that will be presented on June 26 at the 11th Annual Workshop on the Economics of Information Security in Berlin.
The researchers split the costs of computer crimes into direct losses, indirect losses and costs associated with defending against those crimes in the future.
The defence costs stem from acquiring cybersecurity software like antivirus and firewall programs, offering fraud prevention services to consumers, implementing fraud detection systems and performing law enforcement investigations.
The study found that for more traditional crimes like tax and welfare fraud, which are increasingly performed with the help of computers, the defense costs are much lower than the amounts being stolen, which makes sense from an investment perspective.
However, for internet-based crimes like hacking, denial of service attacks, online scams, phishing, spam and others, the defence costs are many times higher than the actual losses.
Anderson gave the example of a cybercriminal gang that ran a botnet responsible for a third of the world's spam traffic in 2010. It's estimated that this gang made less than $3 million from their spam operation and yet, the worldwide cost of stopping spam was estimated at around $1 billion, he said.
There are multiple reasons for this discrepancy, but one of them has to do with the lack of law enforcement action against cybercriminals, the researchers said in their paper. "The straightforward conclusion to draw on the basis of the comparative figures collected in this study is that we should perhaps spend less in anticipation of computer crime (on antivirus, firewalls etc.) but we should certainly spend an awful lot more on catching and punishing the perpetrators."
"A lot of internet crimes are perpetrated by only a small number of gangs," Anderson said. Current methods of dealing with cybercrime are inefficient, Anderson said, adding, "I think it's because many policemen think it's too hard."
The fact that many of these gangs are located in countries where cybercrime legislation is lacking or not strongly enforced should not necessarily be an impediment for law enforcement action, Anderson said. "There have been some gangs from Russia and the Ukraine who have been arrested after pressure from the British government.
"The problem at the moment is that there seems to be a very low priority for police cooperation," Anderson said. "If the governments of Britain, Germany, France, the US and so on, were to make it a higher priority then the government of Russia would start to crack down on these gangs."
Western governments can also fight cybercrime by pressuring credit card companies like Visa and MasterCard into banning banks that process payments for cybercriminals, from their systems, Anderson said. "For example, almost all payments for fake Viagra go through only three banks."
The US government has already demonstrated its ability to do this in 2010 when it pressured Visa and MasterCard into blocking credit card donations for WikiLeaks, the researcher said. "In the same way the banking system can be pressured into stopping processing payments for criminals."
There are particular types of cybercriminals that law enforcement agencies should aggressively target; for example, the people who write hacking tools and malware, Anderson said. In the future, law enforcement should be the priority when governments allocate more money to cybersecurity, he said.
Last year, the UK government allocated an extra £640 million to cybersecurity, but they gave around £400 million of this money to the UK Government Communications Headquarters (GCHQ), which is a technical surveillance agency, and only about £15 million to the police, Anderson said.
"This is a bad outcome," he said. "The police should have gotten many tens of millions of pounds so they could improve forensics, improve enforcement and improve their technological capabilities in general."