In a paper produced in response to a Ministry of Defence request, the authors present what they believe is the first systematic study into the costs of cybercrime. The paper separates cybercrime into four categories in order to distinguish crimes that are moving onto the internet (such as fraud) from crimes that owe their existence to the internet. It finds that the cost to the citizen for the former is relatively high, whereas the cost of defense is relatively low. For the latter, this is reversed: the cost to the citizen is relatively low, whereas the cost of defense is relatively high.
“As a striking example,” says the report, “the botnet behind a third of the spam sent in 2010 earned its owners around US$2.7m, while worldwide expenditures on spam prevention probably exceeded a billion dollars. We are extremely inefficient at fighting cybercrime.” The report implies that one of the reasons is the source of threat statistics. Governments, it says, want to know how much money to spend on cyberdefense, and this creates a demand for statistical surveys. “However,” it notes, “many of the existing surveys are carried out by organisations (such as antivirus software vendors or police agencies) with a particular view of the world and often a specific agenda.”
This has led to a reactive rather than proactive stance on security. “The straightforward conclusion to draw on the basis of the comparative figures collected in this study is that we should perhaps spend less in anticipation of computer crime (on anti-virus, firewalls etc.) but we should certainly spend an awful lot more on catching and punishing the perpetrators.”
Professor Anderson takes this view further in comments reported today by the BBC. “In fact,” he told the BBC, “a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase anti-virus software.” But the implications of the report go further. He also “told the BBC that less government money should be spent on monitoring phone and internet communications.” The solution is “to drain the swamp by arresting people.”
These implications have yet to be accepted by government. A UK Cabinet Office spokesman welcomed the report, but told the BBC, “Our approach strikes the right balance between defending our interests and pursuing cybercriminals.” This is exactly what the report says it doesn’t do.