Cybercrimes seem to grab headlines almost every day. In August alone, we witnessed stories about 1.2 billion usernames and passwords being grabbed by a Russian gang, 4.5 million personal identity records stolen from a major American hospital system by some folks in China, plus data breaches at UPS and Supervalu. Sony suffered a serious denial of service attack, and DHS warned that more than 1,000 businesses in America are likely infected with point-of-sale malware.
Unfortunately, just as tsunamis follow earthquakes, these high profile criminal hacking incidents can produce waves of criticism directed at companies for failing to do a better job of protecting information systems and the data entrusted to them. Amid the criticism and recrimination we often lose sight of the root cause of the problem: The perpetrators, the law breakers who trespass into systems, steal data, sell stolen data, and commit fraud and intellectual property theft with purloined information.
Sure, many companies and consumers could do a better job of protecting the information systems they use, from changing the default password on point-of-sale devices, to using stronger passwords on our accounts than 123456 (which recently replaced “password” as the most widely used password, according to an analysis of millions of compromised records). In recent years a lot of useful advice on how to improve our digital security has been made freely available. The federal government publishes a wide range of guides to best practices, including the comprehensive Framework for Improving Critical Infrastructure Cybersecurity from NIST (the National Institute of Standards and Technology).
So why don’t more organizations do a better job at security? There are many reasons, cost being the most obvious. But failing to fit your front door with an expensive pick-proof lock does not make you responsible for a burglary or home invasion. There seems to be broad consensus that responsibility for those crimes rests with any criminal who chooses to violate your space.
America has well-established measures in place for responding to such physical crimes, from tracking down the perpetrators to arresting, prosecuting, and punishing them. And America’s efforts to deter traditional physical crime appear to be effective when you look at the number of bank robberies each year and the average amount of loot they yield. Both numbers are gradually declining: from 7,644 incidents yielding an average of $10,000 in 2003 to 5,086 incidents yielding $7,539 in 2011 (based on FBI reporting).
When it comes to computer fraud, the graph is a steep upward incline: from $125 million in 2003 to $781 million in 2013 (based on Internet Crime Complaint Center reporting, in conjunction with the FBI). So where is the effort to deter cybercrime? And where is it located on the list of national priorities? Clearly there are some law enforcement resources devoted to catching and prosecuting cybercriminals. We have seen a number of high profile arrests already this year (and I expect to see more). I have seen some impressive computer forensics conducted by law enforcement at the local, national, and international levels.
What I don’t see are sufficient resources deployed to fight cybercrime at anything like the scale on which such crime is being conducted. In no way is this a criticism of the folks in the field who are knocking on doors and dissecting hard drives. I just don’t think there are enough of them.
An academic study in 2012 put the total U.S. law enforcement spend on the fight against cybercrime at $200 million per year. The FBI’s budget request for fiscal year 2015 was $8.3 billion. Compare that with the $21 billion budget for the NSA/NRO and $14.7 billion for the CIA. Now look at the staffing funded in the 2015 FBI budget: 34,970 permanent positions including 13,050 special agents. Compare that with the FBI’s 2014 request for $8.4 billion to cover 34,787 permanent positions including 13,082 special agents.
I’m a security professional and not a budget analyst, but to me those numbers don’t seem consistent with a firm national resolve to tackle cybercrime. So, speaking as a security professional, I suggest that the next time a major IT security breach hits the headlines, we take a break from blaming the victim and start lobbying our government to take more decisive action against cybercrime and the people who perpetrate it.
Stephen Cobb is a security researcher at ESET’s North American headquarters in San Diego.