In-depth: Why we're losing the war on cybercrime
Apr 10, 2001
Auerbach Analysis
© 2001 TechRepublic, Inc.
Summary prepared by TechRepublic's John Connell
By the end of 2002, there will be at least one economic
cyberincident that will impact thousands, according to a recent prediction from
Gartner. By 2004, Gartner expects that the economic loss due to cybercrime will
increase by anywhere from 1,000 to 10,000 percent. (TechRepublic is an
independent subsidiary of Gartner.)
The same study contends that funding
for fighting cybercrime will probably be inadequate through 2004. In fact, the
report notes that the annual U.S. budget for funding cybercrime-related
training, investigation, and enforcement is unlikely to exceed 1 percent of the
overall federal law enforcement budget.
Why is cybercrime so easy to
commit and our efforts to stop it so inadequate?
"Cybercrime:
How technology makes it easy and what to do about it," a recent report from
Auerbach
Publications, provides some answers. The entire article appears on
TechRepublic through a special agreement with Auerbach Publications.
Brad
Oates, chief executive officer of LEXIS-NEXIS Risk Solutions Group, a provider of fraud,
identity theft, business due diligence, and risk management solutions, wrote the
report. Oates explains that cybercrime is another type of white-collar crime,
and, as such, presents some of the same legal and financial challenges for law
enforcement.
He also explains how technology enables cybercrime and
identifies the types of cybercrime victims. Finally, he discusses steps that
those victims can take to wage war against cybercrime, including what challenges
and needs must be faced before we can hope to combat this high-cost
crime.
Cybercrime: How technology makes it easy and what to do about it
By Brad Oates
For years, Americans have had contradictory views of economic
crime. To some, it is a minor issue that they believe affects someone else; to
others, it represents a major crisis that increasingly affects almost every
aspect of their daily lives.
Over the past 20 years, there have been
times when white-collar crime has been thrust into the national spotlight
because of a financial crisis, such as the savings and loan scandal or the
insider trading problems in the 1980s. Usually, however, it takes a backseat to
more sensational or violent crimes.
The truth, however, is that economic
crime costs Americans over $500 billion annually. And there has been a
significant increase in these figures over the past 30 years. In 1970, for
example, estimates put the cost at $5 billion annually; it rose to $20 billion
in 1980, and approximately $100 billion in 1990.
And as businesses and
financial transactions become more and more computer and Internet dependent,
economic crime will increase dramatically (in fact, it is already happening),
and its impact will become a serious national crisis. For this reason, economic
crime can no longer be viewed merely as the cost of doing business.
The U.S. economy, including the rapidly expanding area of
e-commerce, is increasingly threatened by cyber economic crime. In fact, most
economic crimes today have a cyber version.
This is, in large part,
because cybercrimes offer criminals more opportunities with larger payoffs and
fewer risks. Web sites can be spoofed and hijacked. Payment systems can be
compromised, and theft of electronic fund transfers or laundering of money occur
at lightning speeds.
Serious electronic crimes and victimization of the
public have caused consumer confidence to waver. In turn, the reluctance of the
American public to fully embrace e-commerce is preventing this new form of
business from reaching its potential.
The growth of the information age
and the globalization of Internet communication and commerce have significantly
affected the manner in which economic crimes are committed, the frequency with
which those crimes are committed, and the difficulty of apprehending the
perpetrators. A recent survey conducted by Gartner of 160 retail companies selling products over the
Internet reveals that the amount of credit card fraud is 12 times higher online
than in the physical retail world.
There is no reason to believe that
this figure is unique to the credit card industry. Another recent study
indicates that the number of search warrants issued by the federal government
for online data has increased 800 percent during the past few
years.
Technology has contributed to that increase in four major
respects—anonymity, security (or insecurity), privacy (or the lack of it), and
globalization.
Additionally, technology has provided the means and the
opportunity for the commission of traditional crimes. Criminals continue to make
false statements in credit applications submitted over the Internet, bank
employees continue to embezzle funds by wire transfer or account takeover, and
swindlers continue to misrepresent products at auction sites over the
Internet.
It is the widespread use of technology and the Internet for
business transactions and communications and the confluence of anonymity,
security, privacy, and globalization that have exposed the public and private
sectors to an alarming new array of cyberattacks. In addition to their inability
to prevent such attacks, both the government and the private sector lack
effective enforcement tools and remedies to bring the perpetrators to
justice.
TechRepublic and Auerbach Publications |
This article first appeared in the January/February 2001
issue of Information Systems Security. It appears here under
agreement with Auerbach Publications. For information on subscribing to
this journal or to see a list of previously published topics, click
here. To find out about other Auerbach publications, click here. |
Anonymity
Anonymity enables the criminal to submit
fraudulent online applications for bank loans, credit card accounts, insurance
coverage, brokerage accounts, and health care coverage or to construct a
counterfeit Web site to establish an inflated value for publicly traded stock in
order to sell the stock at a falsely inflated price ("pump and dump"
schemes).
Anonymity also enables employees to pilfer corporate assets.
For example, bank employees can embezzle money through electronic fund transfers
and employees of credit card issuers can capture account numbers and sell them
to outsiders, electronically transferring the account numbers to the
co-conspirators. Further, anonymity provides enhanced opportunities for two
types of perpetrators—the organized-crime mobster and the teenage
hacker.
Security
Security, or the lack of
it, enables criminal hackers to disrupt e-commerce in several ways.
They
can engage in denial-of-service attacks, such as those that made worldwide
headlines in 2000. They can compromise payment systems in online banking,
penetrate Web sites, and extract credit card account numbers for resale or to
use as ransom for the extortion of cash from the card issuer. Or they can hijack
a Web site for the purpose of stealing the identity of the e-commerce merchant,
directing the proceeds of sales to the hijacker.
Privacy
Privacy protections enable thieves to take
advantage of the benefits of anonymity, while hampering the efforts of law
enforcement and private sector prevention and investigation
efforts.
Globalization
The Internet
enables communication and commerce to occur beyond or without borders,
presenting significant problems in the prevention, investigation, and
enforcement of economic crime.
According to the National White Collar Crime
Center's National Public Survey on White Collar Crime, FBI statistics
indicate that for the period from 1988 to 1997, arrests for violent crimes
decreased, but the arrest rate for crimes having to do with fraud and
embezzlement increased dramatically.
This trend is expected to continue
as technology facilitates the emergence of cybercrime. As a result, it will soon
be difficult to differentiate between traditional economic crimes and
cybercrimes.
It is clear that a higher priority must be given to
providing the necessary resources and passing relevant legislation to counter
the near-epidemic impact of economic crime on American society and the
world.
Unfortunately, the justice system is threatened by its inability
to keep pace with the criminal element's technical abilities. If the private
sector's level of confidence in law enforcement's ability to investigate and
prosecute cyber economic crime is low, it will have a chilling impact on
e-commerce growth.
The victims
Few studies
have been conducted on fraud victimization. Most, such as those conducted by
Harris and Associates and the American Association of Retired Persons, focus on
telemarketing.
The most comprehensive study to date is the National White
Collar Crime Center's National Public Survey on White Collar Crime. The study's
goal was "to present a picture of what the average American thinks about white
collar crime." Its survey of 1,169 households throughout the United States found
that:
- Over one out of three households had been victimized by white-collar crime
in the past year.
- Widely held opinions concerning the profile of typical white-collar crime
victims are divorced from the actual profile of victims.
- There is a disparity between how Americans believe they will react if
victimized and how they do react when they are actually victimized.
- Less than one in 10 victimizations were ever reported to law enforcement
or consumer protection agencies.
- The public has deep concern about increasing the apprehension and
sanctioning of white-collar criminals.
Consumer
Consumer victimization usually results in
three types of losses: privacy, good credit status, and funds or
assets.
Consumers increasingly are concerned that personal information
disclosed to companies with which they do business may be compromised. Such
compromises include unauthorized access by the company's employees, lack of
security to protect the information, providing the information to third parties,
and the maintenance of accurate information.
Any one of these breaches
could result in the consumer's personal information falling into criminal hands,
which could easily result in identity theft. Other consequences range from
damage to an individual's credit rating to the loss of funds or
assets.
Industry
The victimization of
industry falls into four categories: profit losses, damage to reputation, loss
of continuity of business, and loss of intellectual property.
According to
the Association of Certified
Fraud Examiners, "The average organization loses more than $9 a day per
employee to fraud and abuse. The average organization loses about 6 percent of
its total annual revenue to fraud and abuse committed by its own employees.
Fraud and abuse costs U.S. organizations more than $400 billion
annually."
Early on, many corporations were able to take the position
that fraud was a cost of doing business and could make it up by passing the cost
of fraud to the consumer through increased prices. In more competitive markets,
this is not possible. In those cases when the bottom line is hit hard by fraud,
executives are less reluctant to commit funds to fraud management and computer
security.
While big business can sustain a major loss to fraud, many
small businesses have suffered severely and in some cases have gone out of
business as a result of their fraud losses. This often occurs because these
small organizations cannot afford sophisticated hardware and software to prevent
and detect fraud.
Because corporations are afraid that reporting fraud
may damage their reputation, they are reluctant to do so. They fear legal
retaliation if they share or disclose too much, and are afraid that their
consumers and stockholders will lose confidence in them. In addition, regulatory
statutes require the protection of corporate assets from fraud.
However,
there is a paralysis that exists today that can be solved only by legislation
(i.e., safe harbors). The actual amount of corporate victimization is not known
because of the reluctance of corporations to report or admit that fraud has
affected them.
Many e-businesses are concerned about the continuity of
their business. That is, they do not want their services to customers to be
disrupted. Although security remains a significant concern for business,
consumers are paramount in e-commerce. They want to shop quickly with no
hassles. Recent denial-of-service attacks on Web sites such as eBay point to the
vulnerabilities of e-commerce. The lack of security and the intrusion of
criminals (fraudulent element) both impede the growth of e-commerce.
Government
Much like corporations, government suffers
from several forms of victimization, including theft of intellectual property,
theft of assets, and loss of reputation. Several recent high-profile cases where
U.S. secrets have been compromised or potentially compromised have tarnished the
reputation of several government agencies by pointing out loose or nonexistent
security procedures.
In addition, numerous federal government Web sites
have been defaced by hackers. Several reports of intrusions have involved
government computers. In many of these cases, systems have been penetrated but
no classified information was accessed.
Fraud, waste, abuse, and
mismanagement are generally reported together, making it difficult to get a
handle on their size and scope. The Senate Governmental Affairs Committee,
chaired by Senator Fred Thompson (R-TN), however, reported in January that, "In
1998 alone, $35 billion in taxpayer dollars was lost due to government waste,
fraud, abuse, and mismanagement."
Waging the war
On the federal level, numerous regulatory and law-enforcement
agencies are authorized to combat specific economic crimes, including the
Federal Bureau of Investigation (FBI), the U.S. Secret Service (USSS), the U.S.
Postal Inspection Service, the Securities and Exchange Commission (SEC), and
U.S. Customs.
Each of these agencies has jurisdiction over specific
economic crimes and fraud as follows:
- FBI—health care, financial institution, intellectual property,
telemarketing, securities and commodities, bankruptcy, insurance, computer,
and Internet
- USSS—credit card, cellular, and computer
- U.S. Postal Inspection Service—mail and consumer
- SEC—insider and online trading, stock manipulation, and fraudulent
stock offerings
- U.S. Customs—money laundering, cybercrimes, including child
pornography and the importing of dangerous substances
On the
international level, Interpol recently announced its intention to become active
in the investigation of international computer crimes. Interpol announced in
June that it is establishing an international intelligence network to inform the
public and private sectors of impending cyberattacks and potential targets for
malicious hacks. The intelligence information will be relayed to Interpol by
Atomic Tangerine, a venture consulting firm, using technology (Net Radar)
developed by SRI International, the parent company of Atomic
Tangerine.
Local law enforcement capabilities for combating economic
crime vary depending on the size and location of the department and the
allocation of resources. Some larger municipalities and state law-enforcement
agencies have formed economic and computer crime units.
As resources,
training, and awareness of the intensity of the problem increase, it is likely
that more of these units will be formed.
Internet Fraud Council
The Internet Fraud
Council (IFC), a division of the National Coalition for the Prevention of Economic Crime, is
composed of organizations from around the world that are interested in the
prevention, investigation, and prosecution of Internet fraud. The Internet Fraud
Council's mission is to be the centralized, premier source of research,
education, best practices, and tools for the prevention of economic crime
committed using the Internet.
The IFC's ultimate goal is to reduce
Internet fraud victimization. As stated on its Web site:
"Long term
benefits of this program will be substantial. Not only will its efforts reduce
the amount of economic loss by Internet fraud throughout the United States, it
will enable corporations to become knowledgeable so that they may protect,
investigate, or prosecute criminal Internet fraud classes. IFC will also serve
as the catalyst that allows corporations, law enforcement, and regulatory
authorities to network and share permissible fraud data."
Needs and challenges
Reporting of economic crime and
cybercrime is problematic, and the extent of both is grossly underestimated, as
is apparent from the many risks that corporations face in reporting or sharing fraud losses and
activity. A uniform crime reporting system should be developed that includes
specific economic crimes.
The Fraud Identification Codes established by
the National Fraud Center are a start. Until such a means of reporting is
implemented and the stigma of fraud victimization is removed, this problem will
not be solved. Uniform and thorough reporting is necessary in the war on
economic and cybercrime; resources for investigation and prosecution will
naturally follow as the enormity of the problem unfolds.
The lack of
agreed-on definitions regarding economic crime and computer crime has resulted
in a paucity of data and information on the size and scope of the problem.
Academics have not been able to agree on definitions and have, for the most
part, continued to focus on white-collar crime.
Economic crime is defined
as an illegal act (or a constantly evolving set of acts) generally committed by
deception or misrepresentation (fraud) by someone (or a group) that has special
professional or technical skills for the purposes of personal or organizational
financial gain or to gain (or attempt to gain) an unfair advantage over another
individual or entity. To this day, the true amount of economic
crime is buried in the statistics of more conventional crimes. For example,
credit card fraud is typically classified as a larceny instead of access-device
fraud.
Preventing, detecting, investigating, and prosecuting economic
crimes must become a priority in order to lessen their impact on the economy and
the public's confidence. Law enforcement, as it stands now, is in danger of
slipping further behind the highly sophisticated criminals. New resources,
support for existing organizations (e.g., The National Fraud Center, The
National White Collar Crime Center, the IFC, and The Economic Crime
Investigation Institute), and innovative solutions are needed to control this
growing problem in the United States and the world.
These needs can be met and these
challenges overcome only with the cooperation of the private, public,
and international sectors. All stakeholders must be more willing to exchange
information on the effect economic and cybercrime has on them and the methods
they are using to detect and prevent it.
No single sector holds all the
resources, tools, or solutions. In fact, industry has more resources than
government, but it must be motivated and authorized to partner and communicate.
All parties must be willing to work together to effect change in existing laws
and regulations and to promulgate new initiatives. The "victims" need to follow
the lead of the "criminals" and organize themselves, so that the organized "bad
guys" are not operating in a lawless environment, where culpability is at a
minimum.
The United States must take the lead. Current and future
administrations must recognize the full impact of economic and cybercrime, both
domestically and globally, and make a concerted, strategic effort to combat it,
for the benefit of all society.
Brad Oates is the Chief Executive Officer of LEXIS-NEXIS Risk
Solutions Group, a division of LEXIS-NEXIS that provides fraud, identity theft,
business due diligence, and risk management solutions in full service,
automated, interactive, service bureau, or consulting environments to meet the
unique risk needs of businesses and governments worldwide.
Copyright © 1999-2001 TechRepublic, Inc.