Cybercrime has become a threat to the nation’s economic and security interests, according to a report released Monday by a Congressional research and investigation agency.
Cybercrime in its various forms — computer crime, identity theft and phishing — costs the U.S. economy some US$117.5 billion a year, reported the Government Accountability Office (GAO).
“These projected losses are based on direct and indirect costs that may include actual money stolen, estimated cost of intellectual property stolen, and recovery cost of repairing or replacing damaged networks and equipment,” says the report, released through the offices of Reps. Bennie G. Thompson (D-Miss.), chairman of the committee on Homeland Security, and James R. Langevin (D-R.I.), chairman of the subcommittee on Emerging Threats, Cybersecurity, Science and Technology.
As staggering as the losses pegged to cybercrime are, they may even be worse than estimated, according to the lead author of the report, GAO Director of IT Management Issues David A. Powner.
“Whatever is reported by organizations, most of that will likely be underreported because of disincentives to report losses,” he told TechNewsWorld.
Reporting remains a major challenge to fighting cybercrime, Powner noted.
“There are many companies that won’t report for many reasons, one of which is they don’t want negative information out that will affect their stock price and other corporate positions,” he told TechNewsWorld.
What’s more, he added, a lot of cybercrime goes undetected.
“So you’ve got a twofold issue,” he said. “Some crime is undetected by organizations and some businesses are making trade-offs between whether they want to report and disclose or not report and disclose crimes.”
When bad things happen to a company, they like to control the situation, which many feel they can’t do if they have government investigators crawling all over their premises, maintained Jeff Bedser, president and COO of the Internet Crimes Group, a cybercrime consulting and investigations firm in Princeton, N.J.
Oftentimes, businesses just want to clean up a problem internally and move on with their business, he explained.
“If they bring in government, the investigative period tends to be longer and a perceived lack of communication from the FBI and such back to the company makes them hesitate at giving up control,” he told TechNewsWorld.
Moreover, he continued, there’s a feeling in companies that they have better personnel than governments to handle incidents of cybercrime.
“There’s more expertise in the private sector, where it’s easier for a corporation to have an instant response team of professionals that deal with these issues,” Bedser said. “They can go in, figure out what happened, clean it up, fix it and keep the business running quicker and more effectively than calling in criminal investigators to look into the problem.”
The GAO report acknowledges that certain personnel policies at federal law enforcement agencies may be hurting the fight against cybercrime.
“[S]taff rotation policies at key law enforcement agencies may hinder the agencies’ abilities to retain analytical and technical capabilities supporting law enforcement,” the report observes.
“In order to address the challenge of ensuring adequate law enforcement analytical and technical capabilities,” it continues, “we are recommending that the Attorney General and the Secretary of Homeland Security reassess and modify, as appropriate, current rotation policies to retain key expertise necessary to investigate and prosecute cybercrime.”
From the business’s point of view, once a security issue has been resolved internally, reporting it to a government agency becomes problematic, Bedser contended.
Companies, he said, think like this: “If we’ve already dealt with the problem, cleaned it up and our business is running, if we report it to the government, we’ll have to take those systems offline and have another investigation going on that will interfere with business.”
That’s the way things have typically been done for the last decade, he declared, “and I don’t see that attitude changing drastically.”
Some companies, he added, are also willing to treat cybercrime losses as a simple cost of doing business rather than some catastrophic event that requires outside intervention.
Some banks, for example, can experience phishing losses as high as $1 million a month, he noted. “That’s just a rounding error for the type of money that they’re dealing with,” he said.
Eroding Consumer Confidence
Cybercrime has reached the point where it is undermining consumer confidence in electronic commerce, contended Ron O’Brien, a senior security analyst with Sophos in Burlington, Mass.
“Consumer confidence in the Internet as a vehicle for buying products online, paying bills online, even communicating with other people is at risk here,” he told TechNewsWorld.
“When it comes to cyber, we have two worlds to secure — the public and the private sector. In order to provide leadership to the private sector, the Department of Homeland Security must demonstrate control of its networks. Unfortunately, previous GAO engagements and our own investigations into the Department have shown that ‘information security’ has become an oxymoron,” said Thompson.
“I encourage all businesses — small and large — to take a very close look at their cybersecurity practices,” added Langevin. “Though 100 percent security may be unattainable, there are many policies and procedures that businesses can implement to better safeguard their data.”