Schneier on Security
A blog covering security and security technology.
« Counterfeiting Ring in Colombia |
| Open-Source Intelligence »
November 30, 2005
This sentence jumped out at me in an otherwise pedestrian article on criminal fraud:
"Fraud is fundamentally fuelling the growth of organised crime in the UK, earning more from fraud than they do from drugs," Chris Hill, head of fraud at the Norwich Union, told BBC News.
I'll bet that most of that involves the Internet to some degree.
And then there's this:
Global cybercrime turned over more money than drug trafficking last year, according to a US Treasury advisor. Valerie McNiven, an advisor to the US government on cybercrime, claimed that corporate espionage, child pornography, stock manipulation, phishing fraud and copyright offences cause more financial harm than the trade in illegal narcotics such as heroin and cocaine.
This doesn't bode well for computer security in general.
Posted on November 30, 2005 at 6:05 AM
• 21 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"This doesn't bode well for computer security in general."
... especially given those who would have computer security follow the same insane path that so called "anti-terror" has taken ...
How exactly do narcotics cause financial harm and to who? The person that buys it? I doubt it would really be measurable. Then again how do you really measure the financial harm of corporate espionage, child porn (don't ask me), stock manipulation, phishing fraud and copyright offences?
Add up all the blown out of proportion reported losses from them all? Why not throw in all the estimated unreported ones as well.
I would not think of it as a problem,
as she counts copyright offences into it.
Alone the miscalculations always involved in copyright statistics are pushing these values through the roof.
Regarding the BBC article,
now how would the "head of _fraud_" for an insurance company have expert knowledge on narcotics trafficking? Would you trust what a narcotics agent told you about online fraud?
Another part of the article jumped out at me:
"Another problem, Norwich Union said, is that there are simply no figures collected to show just how big a problem fraud is for the UK.
So it has tried to build its own numbers..."
Frankly I don't trust their numbers, since it would definitely be in their best interest to convince the Government to crack down on the fraud that hurts _their_ bottom line. Impressive figures help do that.
"(Insurer Norwich Union ) called on the government to set up a National Commission to devise a strategy for tackling the problem."
I wouldn't put too much faith in their numbers given their obvious agenda.
I agree with mcr on the doubtfulness of the profits from copyright infringement -- all too often these numbers are based on estimates such as "projectiosn say we should have sold this many copied/CD's/DVD's/etc but we only sold this many so infringement must be the explanation" with loss predictions to match. Similarly for child pornography -- the material is (as it should be) contraband and is therefore almost impossible to study to develop real incidence rates and derived income estimates. So we're left with law enforcement estimates based on their data which we can't see. So the only numbers I would even try to evaluate are the ones on espionage, fraud, etc.
"How exactly do narcotics cause financial harm and to who?"
In the UK a lot of drug addicts support their habit by crime, burglary, shop lifting etc. This eventually causes financial harm to society
"this is the equivalent of £340 per adult" or "1.4% of the UK's entire economic output"
If it *really* was this much, we'd all have experience with this in the UK. But we don't.
It is also more than 10x the government's figures which are dodgy already! See my earlier post:
"claimed that corporate espionage, child pornography, stock manipulation, phishing fraud and *copyright offences*"
Yeah, sure. All those mp3s and such would've been actually bought in a store if they weren't downloaded. Cut that figure out and I'd guess you'd arrive at a much more reality-based figure.
Several other security related sites have labeled the latter information release from the US Treasury consultant to be pure bunk.
I have to agree with them. It seems they are lumping in things like copyright infringment (think P2P) into "cyber crime".
When Jane Doe mom is lumped in with drug dealers, something is wrong, very wrong with the analysis.
It may very well be that criminals have found a new niche, but I'm curious just how a computer is used in the commision of these crimes. Was a computer simply used by the criminal, or did the criminal use the computer to commit the crime? Seems like they call a lot of stuff nowadays Cybercrime, when it's just simply a snazzy new word for visibility and funding.....
Whenever you see an **Alarming Revelation** in the news that isn't backed up with verifiable facts, just figure somebody is trying to sell something on hype.
Top 10 CyberCrime:
1. Blackberry rips off NTP's patents
2. Ebay rips off patents
3. Sony rips off customer hardware/software with rootkit
4-10 Everyone chip in on some more!
Quickly! We must declare a War on Cybercrime and form national agencies to fight it! We must all give up a few "insignificant" freedoms to be more safe!
Oh, by the way, everyone keep using Microsoft products.
Yeah I gather that, but how do you measure that? Everyone who steals something who's on drugs adds to that figure? If they only count petty crime/thieft of drug users and put them up against five huge categories the sentence isn't even worth printing.
What happens if some executive is on cocaine decides to steal copyrighted material from a rival company using a phishing attack on one of their employees with the ultimate goal of exploting the stock market, while looking at child porn?
Mark one up for drug use, five for cybercrime?
Hey, but it's great news for the anti-drug squad? At the end of the year, they'll be able to say "Due to our vigilance and dedication, drug-related crime has fallen as a percentage of all crimes committed."
"...corporate espionage, child pornography, stock manipulation, phishing fraud and copyright offences" is a very odd bunch of crimes to be lumping together. I'm sure they're all believed to be facilitated in some way by computers and computer networks, but that doesn't buy you much in the way of a coherent approach. Should we think about all the crimes facilitated by cars or by lightbulb as a single entity to be attacked by one agency?
Indeed, many of the measures you might want to take to prevent or catch some of these categories of crime will in fact make others easier to commit as we have seen from the Sony rootkit debacle, or from the neverending wars about private access to effective crypto. And, of course, as Bruce has pointed out until he's blue in the face, although these crimes have technological components, it's the institutional incentives that have to change to make any serious dent.
> This doesn't bode well for computer security in general.
Maybe it does, in a sense. It's obvious that there still is not enough public outcry/pressure to force the marketplace to correct itself. If things continue to get worse, it's axiomatic that at some point there will be a snowball effect and a real public backlash will occur.
Of course, the backlash will probably be disproportionate, and you'll see years of see-sawing before the right balance between security and usability is established, but that's to be expected.
That's becuase there are no many people who use the Internet. Not nearly as many people are on drugs.
"In the UK a lot of drug addicts support their habit by crime, burglary, shop lifting etc. This eventually causes financial harm to society"
does it? Think of all the jobs it creates.
I'm searching through www.treasury.gov and I can't seem to find their report. Has anyone else found it?
It is par for the course that the media (CNN) just gives us the hyped up blurb without a pointer to their source. This is the web damn it! Give us the URL of the treasury report!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.