Organized cyber crime rings are wreaking havoc because they’re vastly more organized and better funded than Canadian law enforcement, say security experts. “The criminals are having a field day – we need to increase our efforts exponentially to tackle this effectively,” says Ian Wilms, president of the Canadian Association of Police Boards (CAPB).
This imbalance is creating huge incentives for organized crime to get involved in e-fraud, hacking, phishing and other scams. These international rings can buy the best technology with stolen credit cards, but law enforcement doesn’t have the budget or manpower to keep up with changing technology even at the federal level, let alone at the cash-strapped municipal level, says Wilms.
A related and disturbing trend is organized cyber crime’s tendency to approach young people looking to make a quick, easy buck via chat rooms in colleges and universities, he says. “Organized crime is big business, and just like big business, they recruit the best and brightest. There are clear indications that smart young people are being attracted to this area.”
To illustrate the issues, Wilms points out 17 suspects aged 17 to 26 were apprehended in a recent raid in Montreal and nearby towns by the Surete de Quebec , the province’s police force. Using Trojans, worms and other malware, the hacking syndicate broke into poorly-protected computers to commandeer them. About 100,000 of these “zombie” computers were directed by the ring to steal identities and distribute spam and denial-of-service attacks. About $44 million was stolen from victims in Poland, Brazil, Mexico and other countries.
In this reversal of victim and victimizer roles, Wilms points out the case also explodes some myths. “These were Canadian kids attacking other countries. For years, the claim has been we’re the types of people who are typically attacked by other countries in cybercrime incidents – but now we’re the kind of people attacking others.”
Some major shifts in cyber crime are occurring, agrees Bruce Cowper, security lead at Microsoft Canada. “We’re seeing a massive increase in social engineering attacks,” he says.
Human beings are now becoming cyber criminals’ primary targets. “We’ve reached a crossroad, as there’s lots of security technology to protect computers. The latest Web browsers all have anti-phishing features, e-mail has spam filters, and desktops have anti-virus software. So it’s become easier to exploit users rather than the technology.”
Cowper cites some statistics that underscore this trend. In 2006, 95 per cent of the total malware sent via spam e-mail was comprised of Trojans, worms and other traditional software exploits. But in 2007, this dropped to 47 per cent.
“What happened was a shift from criminals trying to get users to install software on their machines to getting them to go to an external Website masquerading as a legitimate bank or government site and inputting their personal information,” he explains. “Cyber criminals are essentially getting users to do the work for them.
Canadian law enforcement agencies are currently ill-equipped to stem this rising tide, says Wilms. An estimated 245 out of about 62,000 officers Canada-wide are focused on cyber crime, and many of these are primarily involved in combating child pornography.
“But today, almost every crime has a technology component to it,” he says. “In a homicide involving drug dealers, for example, officers may seize a cell phone or computer so they can find out what happened with computer forensics. The guys in tech crime units are being bombarded on almost every aspect of policing and it’s overwhelming qualified officers.”
To beef up anti-cyber crime resources and intelligence, Wilms is leading a venture to start up a non-profit collaboration centre to organize and centralize counter-attacks by law enforcement. Based at the University of Calgary, the organization was initially called Cyberpol but was renamed the Global Centre for Security and Cyberspace (GCSC) in January to reflect its international nature.
The GCSC’s mandate is to bring together law enforcement experts from countries such as Britain, US, and Australia, private sector companies, government and academics to unify the silos of information and expertise scattered in various regions. “Many academics, for example, do good work in encryption and other security technologies, but the thesis gets put on a shelf and no one hears the information,” says Wilms.
“We want to bring all that community into a central repository. The intent is to have the budget to train and send officers across Canada on assignments to work with the RCMP and FBI. And we want one central place to report cyber crime so we can start building statistics and analyse trends.”
Under-reporting of cyber crime is a major issue, he says. Major companies are leery of bad press so they avoid reporting cyber crime, and even if they want to, there’s also confusion about which organization to report it to when it occurs.
The GCSC is in talks with the Canadian Bankers Association and other major banks, since these are primary targets for cyber crime, to develop an anonymous reporting process companies can trust, he says. “We want to find a format that allows them to provide sanitized data that won’t show individual accounts.”
Accurate figures about the size and impact of cyber crime are critical in organizing and funding effective counter-measures, he says. “This is growing at a massive rate, but since it’s under-reported, government can’t get a grasp of the price tag. I’ve heard numbers like cyber crime has a trillion dollar impact on the global economy. But no one can say for sure, they just have a feeling, and that’s why we need a centre to analyze the information.”
The political will to combat cyber crime exists, but politicians need to be armed with information to make the case to their constituents, he says. “The way budgets are assigned, politicians make decisions based on statistics and reports. The first penny that has to drop is accurate information.”
In its first start-up phase, the GCSC received $53 million from Public Safety Canada and the province of Alberta to develop a business plan and set up the centre. In addition, the GCSC is in talks with private sector sponsors such as IBM, Telus Corp. and Siemens.
“The government is doing its due diligence now for future funding, and it looks favourable,” says Wilms. “But if we want to get serious about cyber crime, it will take a billion dollar injection into law enforcement and justice agencies to get budgets at a proper level. Most of the money today is spent on crime in the physical world, and funding for cyber crime is not equivalent.”
Government lags cyber crime fight, says report
RCMP urges cyber crime reporting