
6/7/2019
01:45 PM

Massive Changes to Tech and Platforms, But Cybercrime? Not So Much

The still-relevant recommendation is to invest more in law enforcement, concludes an economic study of cybercrime.

In 2012, a group of cybersecurity researchers and social scientists studied the impact of cybercrime and its cost to society, concluding that the money spent anticipating an attack is less effective than money spent responding to an attack.

This week, many of the same researchers released an updated paper at the Workshop on the Economics of Information Security (WEIS) conference, in Cambridge, Mass., that looks at direct and indirect damages due to cybercrime, as well as the cost to defend against the crimes. Their conclusion? While people and technology are more interconnected and different platforms have become dominant, the overall impact of cybercrime remains relatively the same.

"One of the lessons of the paper is that, although there's been huge changes — new platforms, some crime types replacing others, etc. — the overall picture is little changed," says Richard Clayton, a co-author of the paper, director of the Cambridge Cybercrime Centre, and a security researcher at the Computer Laboratory at the University of Cambridge. "That's because fixes are not technical but have to do with incentives, economics, criminal justice, sociology, [and] criminology." 

The latest research attempting to quantify the costs of cybercrime comes as estimates for the market for cybersecurity products and services continue to grow. Largely unsupported estimates of cumulative annual growth vary from 9% to 18%, and estimates vary from $119 billion in 2019 to more than $300 billion in 2024.

Similarly, the cost of cybercrime has been the subject of much speculation. One firm estimates costs of about $1 trillion annually in 2019, while another estimates a supersized $6 trillion in yearly damages by 2021.

The paper presented at WEIS aims to inject some sanity into all of these estimates, representing the most complete look at the state of cybercrime without relying on data collected by companies that are trying to sell security products, says security expert Bruce Schneier, a lecturer at Harvard University's Kennedy School of Government.

"It is the best data that we have that isn't being driven by some corporate agenda," he says. "To me, that is the key for why this is important. They don't have a dog in the fight. They are just trying to figure it out."

For the most part, the paper underscores the unreliability of current data. Among the best data is payment fraud, which has doubled in total volume since 2012 but has decreased as a percentage of the total amount of payments. 

The paper finds that only a dozen or so crimes — such as online credit-card fraud, cryptocrime, ad fraud, and telecom fraud — actually result in more than $1 billion in damages. However, new ways of doing business using connected devices have resulted in new pathways for fraud; the world has changed since the original paper, the authors stressed.

"New apps, such as ride hailing, and new technologies, such as cryptocurrencies, create new targets, while old targets, such as medical records, have migrated to cloud services," they wrote. "So larger quantities of personal information are kept online and are open to a variety of attacks."

This leaves the authors with little advice for the average user or small or midsize enterprise (SME), Clayton says.

"It might make sense to replace your Windows machines with Chromebooks because that allows you to eliminate some attack types," he says. "But, generally, the step change in response is needed by law enforcement, not SMEs."

The actual economic problem is that paying for defenses for every person is extremely inefficient. The cost of securing their systems outpaces the damages caused by cybercriminals. Instead, nations should focus on empowering law enforcement to pursue and punish cybercriminals, the authors argued.

"The core problem is that many cybercriminals operate with near-complete impunity," the paper states. "We will not get a real handle on cybercrime until we put an end to impunity."

Yet that remains difficult, Schneier says.

"That is easy to say and hard to do anything about because it is so international," he says. "A lot of the impunity comes from the difficulty of reaching into some country in, say, sub-Saharan Africa and exacting penalties."

In addition, attempts by the United States to hold actors from larger countries accountable have typically failed. In 2018, as part of the Mueller investigation, the US government issued arrest warrants for 12 Russian nationals who allegedly took part in that country's interference in the US elections. To reduce the cost of cybercrime, such actions need to become more common and effective, the paper stated.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
REISEN1955,
User Rank: Ninja
6/10/2019 | 3:36:26 PM
Hard to believe
An article that makes a blanket statement like "replace machines with chromebooks." As if a business can simply convert and port all apps over to a cloud-based standard. Pardon me but I have done client consulting and in a perfect world, gee, Linux would be the ideal OS but porting my clients there was impossible for a wide variety of reasons. Simply making a statement like that is brain dead dumb. So I judge the remainder of the article in that vein. (I generally give up on authors whenever they get basic facts wrong too.) Unbelievable.