The anonymity of the Internet and the potential for higher rewards for criminals have fueled an alarming increase in cybercrime activity in recent years. Indeed, analysts agree that Internet-savvy lawbreakers may have more to gain and less to lose than their physical world counterparts.
“If you’re talking about physical assets, you can only steal so much, due to physical limitations,” SecurityFocus CEO Arthur Wong told the E-Commerce Times. “When you’re talking about just numbers, the quantum of damages [online] can be so much higher.”
The Web has proven to be a land of opportunity for criminals, spawning such infractions as intellectual property theft, denial-of-service attacks, unauthorized network access, fraud and child pornography. The recent round of arrests in the “DrinkOrDie” copyright infringement ring is just the latest example.
Many believe that ill-equipped law enforcement officials will remain one step behind online lawbreakers unless they mount a more comprehensive counterattack.
Cost of Crime
While overall crime in the United States has declined over the past decade, cybercrime and its resultant damages are on the rise.
The Federal Bureau of Investigation’s annual Crime Index decreased 0.2 percent in 2000. More specifically, serious crime was 14 percent lower than in 1996 and 22 percent lower than in 1991.
In contrast, Internet-based crime is spreading, apparently unabated. According to the 2001 Computer Crime and Security Survey, conducted jointly by the Computer Security Institute (CSI) and the FBI, 85 percent of corporations and government agencies detected computer security breaches within the last twelve months.
The report found that total financial losses in 2001 from these penetrations were estimated to be US$378 million, an increase of more than $100 million over losses reported in 2000.
As a case in point, the United States district courts incurred expenses of at least $40,000 to discover and repair the damage caused by a hacker who infiltrated their servers in 2000.
Rampant vulnerabilities in corporate networks are to blame for such intrusions, said analysts.
“Few organizations have the financial resources or skilled people to implement security systems effectively,” Yankee Group analyst Matt Kovar told the E-Commerce Times.
Further, as more and more business requirements mandate the interconnection of multiple networks, organizations have less control of overall security, paving the way for intruders, Kovar added.
“Your overall security is only as good as the weakest link,” Kovar said.
After capitalizing on security loopholes, cybercriminals rely on the anonymity of the Internet to go undetected — and often unpunished.
As is frequently the case with denial-of-service offenses — where hackers cripple systems with a series of phony data requests — online perpetrators can easily mask their identities.
Such was the situation with the now infamous distributed denial-of-service attack that occurred in February 2000, simultaneously hitting pillar companies like EBay (Nasdaq: EBAY), E*Trade (NYSE: ET), Amazon (Nasdaq: AMZN) and Yahoo! (Nasdaq: YHOO).
“Jurisdictional and geographic boundaries do not apply online,” said Wong. He added that cybercriminals can anonymously break into networks from anywhere in the world, which makes it much more difficult to apprehend criminals on the Internet than in the physical world.
With minimal barriers to entry and an inexperienced law enforcement community, many lawbreakers view the Internet as the “low-hanging fruit” among criminal venues, according to Wong.
“It is a cat and mouse game,” said Wong. “Every time law enforcement devises a way to catch cybercriminals, [the criminals] come up with ways to get around that.”
“Organizations that want to survive in the coming years need to develop a comprehensive approach to information security, embracing both the human and technical dimensions,” CSI director Patrice Rapalus said. “They also need to properly fund, train, staff and empower those tasked with enterprise-wide information security.”
A collaborative campaign backed by government, law enforcement and private industry will build the strongest barrier against Internet crime, suggested Wong.
In that vein, the U.S. government launched InfraGard in 1996. With cooperation from the FBI, private businesses, academic institutions and law enforcement agencies, the InfraGard program champions the sharing and analysis of security information in order to protect the national infrastructure.
“In the proper hands, the Internet is a great tool to share information among agencies to coordinate efforts to prevent cybercrime,” Wong said.
> “The anonymity of the Internet and the
> potential for higher rewards for criminals”
The misconception in this case is obvious. Even though there’s a natural limitation to the extent and speed in which someone can learn his attacker’s identity, there is no anonymity on the net. The anonymity myth has been coined by less than professional investigators and self-proclaimed security experts to excuse their own inability to track and prosecute attacks.
In the “real world,” most crimes seem to be unsolvable and “perfect” in a layman’s eyes at first, but amazingly enough, the professionalism and expertise of forensic analysts, police work and crime scene study gets them bad boys in jail in most cases.
The same is true for criminal conduct on the net. Sure, for the untrained, the self-proclaimed and the CISSP, crimes may seem unsolvable, due to lack of expertise and mutual respect in the network and security community, but for the professionals, the trained, the experienced, much crime does not look that unsolvable at all.
As every criminalist learns, every crime leaves its traces, and every motivation has its surrounding symptoms. It is not that hard to establish and maintain relationships that allow an in-depth investigation. The lone wolf and the inflated ego, however, will always fail.