Understanding the costs of cybercrime

There was a workshop on the Economics of Information Security held at Cambridge in England last June. Studying the economics of information security is, to me, absurdly trivial. It is like studying the economics of operating a trading desk, an interesting pursuit for the accountants at Schwab and eTrade but completely irrelevant to what is going on in the real economy. Looking at cost trade-offs between help-desk support and investments in antispyware may be a valuable study for someone who is responsible for the help desk or for the vendor selling antispyware software, but it contributes nothing to an understanding of the origins of spyware in the first place. Nor would it produce insight into how to combat the scourge.

Cybercrime is now the primary threat to not only our computing infrastructure but our business processes and in some cases our businesses. Understanding the economics of cybercrime will be fundamental to making investments in security technologies as well as drafting new legislation and engaging international law enforcement efforts.

I was recently asked to join a workshop on modern malware hosted by the Santa Fe Institute and co-chaired by Matt Williamson, principal research scientist from Sana Security, and Esther Dyson. It was a two-day session with no fixed agenda or goal other than bringing together malware researchers, policy makers and security practitioners to try to understand where the battle is heading. I can sum up the overall sense that was shared by the participants at the end of the second day: This is a war. The enemy is organized, well financed and smart. Reactive measures such as research and signature generation are falling behind. Most important, when this workshop convenes again, at least half the time and effort should be devoted to understanding the economics of cybercrime.

Think about spam for a second. No one reading this column would ever purposely click on an ad contained in spam, much less purchase anything. Yet we continue to get more spam messages. It is easy to conclude that enough people are clicking on and purchasing from spam to make it a viable business model. The minuscule percentage of spam recipients who act as dupes makes fighting spam through user awareness training or grass-roots efforts fruitless. Spam is here to stay.

Now look at spam's evil cousin, phishing attacks. Enough people are being taken in by fake messages, tricky URL obfuscation and elaborately crafted Web sites that phishing works. The only way to stop phishing is to make it unsuccessful. Unlike spam, though, phishing attacks can be stopped, at least on a bank-by-bank basis. The day you stop seeing phishing e-mails from Bank of America is the day you will know that they have deployed effective countermeasures to protect user accounts. As long as you see BoA phishing attacks, you know that BoA is fueling cybercrime by continuing to address the problem by compensating account holders for losses caused by fraud instead of instituting stronger security measures.

Studying the economics of cybercrime will lead to less mystification and head scratching as each new threat appears on the scene. I hope it leads to effective countermeasures against cybercriminals. We have to retaliate against their bank accounts, not against their software.