In-depth: Why we're losing the war on cybercrime

Apr 10, 2001
Auerbach Analysis
© 2001 TechRepublic, Inc.

Summary prepared by TechRepublic's John Connell

By the end of 2002, there will be at least one economic cyberincident that will impact thousands, according to a recent prediction from Gartner. By 2004, Gartner expects that the economic loss due to cybercrime will increase by anywhere from 1,000 to 10,000 percent. (TechRepublic is an independent subsidiary of Gartner.)

The same study contends that funding for fighting cybercrime will probably be inadequate through 2004. In fact, the report notes that the annual U.S. budget for funding cybercrime-related training, investigation, and enforcement is unlikely to exceed 1 percent of the overall federal law enforcement budget.

Why is cybercrime so easy to commit and our efforts to stop it so inadequate?

"Cybercrime: How technology makes it easy and what to do about it," a recent report from Auerbach Publications, provides some answers. The entire article appears on TechRepublic through a special agreement with Auerbach Publications.

Brad Oates, chief executive officer of LEXIS-NEXIS Risk Solutions Group, a provider of fraud, identity theft, business due diligence, and risk management solutions, wrote the report. Oates explains that cybercrime is another type of white-collar crime, and, as such, presents some of the same legal and financial challenges for law enforcement.

He also explains how technology enables cybercrime and identifies the types of cybercrime victims. Finally, he discusses steps that those victims can take to wage war against cybercrime, including what challenges and needs must be faced before we can hope to combat this high-cost crime.

Cybercrime: How technology makes it easy and what to do about it
By Brad Oates

For years, Americans have had contradictory views of economic crime. To some, it is a minor issue that they believe affects someone else; to others, it represents a major crisis that increasingly affects almost every aspect of their daily lives.

Over the past 20 years, there have been times when white-collar crime has been thrust into the national spotlight because of a financial crisis, such as the savings and loan scandal or the insider trading problems in the 1980s. Usually, however, it takes a backseat to more sensational or violent crimes.

The truth, however, is that economic crime costs Americans over $500 billion annually. And there has been a significant increase in these figures over the past 30 years. In 1970, for example, estimates put the cost at $5 billion annually; it rose to $20 billion in 1980, and approximately $100 billion in 1990.

And as businesses and financial transactions become more and more computer and Internet dependent, economic crime will increase dramatically (in fact, it is already happening), and its impact will become a serious national crisis. For this reason, economic crime can no longer be viewed merely as the cost of doing business.

The U.S. economy, including the rapidly expanding area of e-commerce, is increasingly threatened by cyber economic crime. In fact, most economic crimes today have a cyber version.

This is, in large part, because cybercrimes offer criminals more opportunities with larger payoffs and fewer risks. Web sites can be spoofed and hijacked. Payment systems can be compromised, and theft of electronic fund transfers or laundering of money can occur at lightning speed.

Serious electronic crimes and victimization of the public have caused consumer confidence to waver. In turn, the reluctance of the American public to fully embrace e-commerce is preventing this new form of business from reaching its potential.

The growth of the information age and the globalization of Internet communication and commerce have significantly affected the manner in which economic crimes are committed, the frequency with which those crimes are committed, and the difficulty of apprehending the perpetrators. A recent survey conducted by Gartner of 160 retail companies selling products over the Internet reveals that the amount of credit card fraud is 12 times higher online than in the physical retail world.

There is no reason to believe that this figure is unique to the credit card industry. Another recent study indicates that the number of search warrants issued by the federal government for online data has increased 800 percent during the past few years.

Technology has contributed to that increase in four major respects—anonymity, security (or insecurity), privacy (or the lack of it), and globalization.

Additionally, technology has provided the means and the opportunity for the commission of traditional crimes. Criminals continue to make false statements in credit applications submitted over the Internet, bank employees continue to embezzle funds by wire transfer or account takeover, and swindlers continue to misrepresent products at auction sites over the Internet.

It is the widespread use of technology and the Internet for business transactions and communications and the confluence of anonymity, security, privacy, and globalization that have exposed the public and private sectors to an alarming new array of cyberattacks. In addition to their inability to prevent such attacks, both the government and the private sector lack effective enforcement tools and remedies to bring the perpetrators to justice.

TechRepublic and Auerbach Publications
This article first appeared in the January/February 2001 issue of Information Systems Security. It appears here under agreement with Auerbach Publications. For information on subscribing to this journal or to see a list of previously published topics, click here. To find out about other Auerbach publications, click here.
Anonymity
Anonymity enables the criminal to submit fraudulent online applications for bank loans, credit card accounts, insurance coverage, brokerage accounts, and health care coverage or to construct a counterfeit Web site to establish an inflated value for publicly traded stock in order to sell the stock at a falsely inflated price ("pump and dump" schemes).

Anonymity also enables employees to pilfer corporate assets. For example, bank employees can embezzle money through electronic fund transfers and employees of credit card issuers can capture account numbers and sell them to outsiders, electronically transferring the account numbers to the co-conspirators. Further, anonymity provides enhanced opportunities for two types of perpetrators—the organized-crime mobster and the teenage hacker.

Security
Security, or the lack of it, enables criminal hackers to disrupt e-commerce in several ways.

They can engage in denial-of-service attacks, such as those that made worldwide headlines in 2000. They can compromise payment systems in online banking, penetrate Web sites, and extract credit card account numbers for resale or to use as ransom for the extortion of cash from the card issuer. Or they can hijack a Web site for the purpose of stealing the identity of the e-commerce merchant, directing the proceeds of sales to the hijacker.

Privacy
Privacy protections enable thieves to take advantage of the benefits of anonymity, while hampering the efforts of law enforcement and private sector prevention and investigation efforts.

Globalization
The Internet enables communication and commerce to occur beyond or without borders, presenting significant problems in the prevention, investigation, and enforcement of economic crime.

According to the National White Collar Crime Center's National Public Survey on White Collar Crime, FBI statistics indicate that for the period from 1988 to 1997, arrests for violent crimes decreased, but the arrest rate for crimes having to do with fraud and embezzlement increased dramatically.

This trend is expected to continue as technology facilitates the emergence of cybercrime. As a result, it will soon be difficult to differentiate between traditional economic crimes and cybercrimes.

It is clear that a higher priority must be given to providing the necessary resources and passing relevant legislation to counter the near-epidemic impact of economic crime on American society and the world.

Unfortunately, the justice system is threatened by its inability to keep pace with the criminal element's technical abilities. If the private sector's level of confidence in law enforcement's ability to investigate and prosecute cyber economic crime is low, it will have a chilling impact on e-commerce growth.

The victims
Few studies have been conducted on fraud victimization. Most, such as those conducted by Harris and Associates and the American Association of Retired Persons, focus on telemarketing.

The most comprehensive study to date is the National White Collar Crime Center's National Public Survey on White Collar Crime. The study's goal was "to present a picture of what the average American thinks about white collar crime." Its survey of 1,169 households throughout the United States found that:

Consumer
Consumer victimization usually results in three types of losses: privacy, good credit status, and funds or assets.

Consumers increasingly are concerned that personal information disclosed to companies with which they do business may be compromised. Such compromises include unauthorized access by the company's employees, lack of security to protect the information, providing the information to third parties, and the maintenance of accurate information.

Any one of these breaches could result in the consumer's personal information falling into criminal hands, which could easily result in identity theft. Other consequences range from damage to an individual's credit rating to the loss of funds or assets.

Industry
The victimization of industry falls into four categories: profit losses, damage to reputation, loss of continuity of business and loss of intellectual property.

According to the Association of Certified Fraud Examiners, "The average organization loses more than $9 a day per employee to fraud and abuse. The average organization loses about 6 percent of its total annual revenue to fraud and abuse committed by its own employees. Fraud and abuse costs U.S. organizations more than $400 billion annually."

Early on, many corporations were able to take the position that fraud was a cost of doing business and could make it up by passing the cost of fraud to the consumer through increased prices. In more competitive markets, this is not possible. In those cases when the bottom line is hit hard by fraud, executives are less reluctant to commit funds to fraud management and computer security.

While big business can sustain a major loss to fraud, many small businesses have suffered severely and in some cases have gone out of business as a result of their fraud losses. This often occurs because these small organizations cannot afford sophisticated hardware and software to prevent and detect fraud.

Because corporations are afraid that reporting fraud may damage their reputation, they are reluctant to do so. They fear legal retaliation if they share or disclose too much, and are afraid that their consumers and stockholders will lose confidence in them. In addition, regulatory statutes require the protection of corporate assets from fraud.

However, there is a paralysis that exists today that can be solved only by legislation (i.e., safe harbors). The actual amount of corporate victimization is not known because of the reluctance of corporations to report or admit that fraud has affected them.

Many e-businesses are concerned about the continuity of their business. That is, they do not want their services to customers to be disrupted. Although security remains a significant concern for business, consumers are paramount in e-commerce. They want to shop quickly with no hassles. Recent denial-of-service attacks on Web sites such as eBay point to the vulnerabilities of e-commerce. The lack of security and the intrusion of criminals (fraudulent element) both impede the growth of e-commerce.

Government
Much like corporations, government suffers from several forms of victimization, including theft of intellectual property, theft of assets, and loss of reputation. Several recent high-profile cases where U.S. secrets have been compromised or potentially compromised have tarnished the reputation of several government agencies by pointing out loose or nonexistent security procedures.

In addition, numerous federal government Web sites have been defaced by hackers. Several reports of intrusions have involved government computers. In many of these cases, systems have been penetrated but no classified information was accessed.

Fraud, waste, abuse, and mismanagement are generally reported together, making it difficult to get a handle on their size and scope. The Senate Governmental Affairs Committee, chaired by Senator Fred Thompson (R-TN), however, reported in January that, "In 1998 alone, $35 billion in taxpayer dollars was lost due to government waste, fraud, abuse, and mismanagement."

Waging the war
On the federal level, numerous regulatory and law-enforcement agencies are authorized to combat specific economic crimes, including the Federal Bureau of Investigation (FBI), the U.S. Secret Service (USSS), the U.S. Postal Inspection Service, the Securities and Exchange Commission (SEC), and U.S. Customs.

Each of these agencies has jurisdiction over specific economic crimes and fraud as follows:

On the international level, Interpol recently announced its intention to become active in the investigation of international computer crimes. Interpol announced in June that it is establishing an international intelligence network to inform the public and private sectors of impending cyberattacks and potential targets for malicious hacks. The intelligence information will be relayed to Interpol by Atomic Tangerine, a venture consulting firm, using technology (Net Radar) developed by SRI International, the parent company of Atomic Tangerine.

Local law enforcement capabilities for combating economic crime vary depending on the size and location of the department and the allocation of resources. Some larger municipalities and state law-enforcement agencies have formed economic and computer crime units.

As resources, training, and awareness of the intensity of the problem increase, it is likely that more of these units will be formed.

Internet Fraud Council
The Internet Fraud Council (IFC), a division of the National Coalition for the Prevention of Economic Crime, is composed of organizations from around the world that are interested in the prevention, investigation, and prosecution of Internet fraud. The Internet Fraud Council's mission is to be the centralized, premier source of research, education, best practices, and tools for the prevention of economic crime committed using the Internet.

The IFC's ultimate goal is to reduce Internet fraud victimization. As stated on its Web site:

"Long term benefits of this program will be substantial. Not only will its efforts reduce the amount of economic loss by Internet fraud throughout the United States, it will enable corporations to become knowledgeable so that they may protect, investigate, or prosecute criminal Internet fraud classes. IFC will also serve as the catalyst that allows corporations, law enforcement, and regulatory authorities to network and share permissible fraud data."

Needs and challenges
Reporting of economic and cybercrime is problematic and grossly underestimated, as is apparent from the many risks associated with corporations in reporting or sharing fraud losses and activity. A uniform crime reporting system should be developed that includes specific economic crimes.

The Fraud Identification Codes established by the National Fraud Center are a start. Until such a means of reporting is implemented and the stigma of fraud victimization is removed, this problem will not be solved. Uniform and thorough reporting is necessary in the war on economic and cybercrime; resources for investigation and prosecution will naturally follow as the enormity of the problem unfolds.

The lack of agreed-on definitions regarding economic crime and computer crime has resulted in a paucity of data and information on the size and scope of the problem. Academics have not been able to agree on definitions and have, for the most part, continued to focus on white-collar crime.

Economic crime is defined as an illegal act (or a constantly evolving set of acts) generally committed by deception or misrepresentation (fraud) by someone (or a group) that has special professional or technical skills for the purposes of personal or organizational financial gain or to gain (or attempt to gain) an unfair advantage over another individual or entity. To this day, the true nature of the amount of economic crime is buried in the statistics of more conventional crimes. For example, credit card fraud is typically classified as a larceny instead of access-device fraud.

Preventing, detecting, investigating, and prosecuting economic crimes must become a priority in order to lessen their impact on the economy and the public's confidence. Law enforcement, as it stands now, is in danger of slipping further behind the highly sophisticated criminals. New resources, support for existing organizations (e.g., The National Fraud Center, The National White Collar Crime Center, the IFC, and The Economic Crime Investigation Institute), and innovative solutions are needed to control this growing problem in the United States and the world.

These needs and challenges can be met only with the cooperation of the private, public, and international sectors. All stakeholders must be more willing to exchange information on the effect economic and cybercrime has on them and the methods they are using to detect and prevent it.

No single sector holds all the resources, tools, or solutions. In fact, industry has more resources than government, but it must be motivated and authorized to partner and communicate. All parties must be willing to work together to effect change in existing laws and regulations and to promulgate new initiatives. The "victims" need to follow the lead of the "criminals" and organize themselves, so that the organized "bad guys" are not operating in a lawless environment, where culpability is at a minimum.

The United States must take the lead. Current and future administrations must recognize the full impact of economic and cybercrime, both domestically and globally, and make a concerted, strategic effort to combat it, for the benefit of all society.

Brad Oates is the Chief Executive Officer of LEXIS-NEXIS Risk Solutions Group, a division of LEXIS-NEXIS that provides fraud, identity theft, business due diligence, and risk management solutions in full service, automated, interactive, service bureau, or consulting environments to meet the unique risk needs of businesses and governments worldwide.
