Cybercrime as a Tragedy of the Commons

Two very interesting points in this essay on cybercrime. The first is that cybercrime isn't as big a problem as conventional wisdom makes it out to be.

We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. Spamming, stealing passwords or pillaging bank accounts might appear a perfect business. Cybercriminals can be thousands of miles from the scene of the crime, they can download everything they need online, and there’s little training or capital outlay required. Almost anyone can do it.

Well, not really. Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing. Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward. Just as unregulated fish stocks are driven to exhaustion, there is never enough "easy money" to go around.

The second is that exaggerating the effects of cybercrime is a direct result of how the estimates are generated.

For one thing, in numeric surveys, errors are almost always upward: since the amounts of estimated losses must be positive, there’s no limit on the upside, but zero is a hard limit on the downside. As a consequence, respondent errors -- or outright lies -- cannot be canceled out. Even worse, errors get amplified when researchers scale between the survey group and the overall population.

Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million. Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can't be canceled.

[...]

A cybercrime where profits are slim and competition is ruthless also offers simple explanations of facts that are otherwise puzzling. Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.
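The extrapolation argument in the quoted passage (one $25,000 response counting 40,000 times) applies to any estimate that scales a sample mean up to a population. The Python below is an added example, not code from the essay or from this post: it runs the essay's numbers (5,000 respondents, 200 million people) over a constructed survey sample and shows two things the quote only states in words, namely what share of the final estimate a single respondent can own, and how capping each response at a plausible ceiling (my illustration, not a method the essay proposes) bounds that effect. Everything except the 5,000 and 200 million figures is constructed.

```python
"""Sensitivity of an extrapolated loss estimate to one exaggerated response.

Added example; the survey sample is constructed, not real data."""
from __future__ import annotations

import random

SAMPLE_SIZE = 5_000          # respondents, from the essay
POPULATION = 200_000_000     # people extrapolated to, from the essay
SCALE = POPULATION / SAMPLE_SIZE   # every reported dollar counts 40,000 times


def constructed_sample(seed: int = 7) -> list[float]:
    """Constructed survey: 98% report no loss, 2% report a modest loss ($50-$2,000)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(SAMPLE_SIZE):
        if rng.random() < 0.02:
            losses.append(round(rng.uniform(50, 2_000), 2))
        else:
            losses.append(0.0)
    return losses


def naive_estimate(sample: list[float]) -> float:
    """Straight extrapolation: total reported losses times the scale factor."""
    return sum(sample) * SCALE


def capped_estimate(sample: list[float], ceiling: float) -> float:
    """Winsorised extrapolation: no single response may count for more than `ceiling`.

    This bounds how far one respondent can move the total; choosing the ceiling
    is a judgement call and is an assumption of this example, not the essay's."""
    return sum(min(x, ceiling) for x in sample) * SCALE


def largest_share(sample: list[float]) -> float:
    """Fraction of all reported loss that comes from the single largest response."""
    total = sum(sample)
    return max(sample) / total if total else 0.0


def with_exaggeration(sample: list[float], claim: float) -> list[float]:
    """Copy of the sample in which one zero-loss respondent instead claims `claim`."""
    bumped = list(sample)
    bumped[bumped.index(0.0)] = claim
    return bumped


if __name__ == "__main__":
    honest = constructed_sample()
    skewed = with_exaggeration(honest, 25_000)   # the essay's single false $25k claim
    print(f"honest sample:              ${naive_estimate(honest):,.0f}")
    print(f"with one $25,000 claim:     ${naive_estimate(skewed):,.0f}")
    print(f"share owned by that claim:  {largest_share(skewed):.1%}")
    print(f"capped at $5,000 per reply: ${capped_estimate(skewed, 5_000):,.0f}")
```

The difference between the two naive estimates is exactly $25,000 x 40,000 = $1 billion, regardless of what the other 4,999 respondents said, which is the essay's point; with a $5,000 cap the same false claim can add at most $200 million. The cap does not make the estimate correct (it also clips honest large losses, the objection several commenters raise), it only limits how much any one answer can distort the total.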

Posted on May 2, 2012 at 7:10 AM • 27 Comments

Comments

Andrew Rose • May 2, 2012 7:30 AM

> And since no one can claim negative losses, the error can't be canceled.

...is of course nonsense. It can be cancelled by the person who suffered a $25,000 loss but chose not to report it.

AlanS • May 2, 2012 8:14 AM

Cormac Herley often starts with an interesting counter-point to what's supposedly conventional wisdom, in this case the dubiousness of most of the cybercrime numbers that are floated around (see also his discussion of passwords), and then takes it somewhere that's equally dubious.

His argument would be more convincing if he wasn't also guilty of the exaggeration. He talks about "Cybercrime where profits are slim and competition is ruthless" and claims "cybercrime billionaires are hard to locate". There are quite a few people making hundreds of thousands or millions. Anything less than a billion is slim profits? We should all be so lucky to work at Microsoft.

Shane • May 2, 2012 8:18 AM

I have a problem with using the criminal's profits to estimate the cost to society, which the article only briefly mentions. Most of the costs of crime in general do not translate directly to profit for the criminal. For example, when someone breaks into a car, destroying a $400 pane of glass, causing $200 of damage to the console, in order to get to a $200 radio, only to sell it on the black market for $50 - the cost to the victim is $800, but the profit by the criminal is only $50. Indeed, the low profitability of breaking into cars to steal electronics isn't relevant at all to the question of "is there a wave of car break-ins occurring," and is a distraction from the real question of what the cost to society is.

Guy Fawkes • May 2, 2012 8:20 AM

You equate cyber crime to fishing?? Really?? Clearly you have a skewed view into the crime and the criminal justice environment. Every time I come across something that you have written it always downplays the severity or implications of the topic. But this one takes the cake. I don't understand your thought process, but certainly would like to as you posit yourself as a "security guru". Instead of equating cyber crime to fishing you should put it more in line with the crime of burglary. They both require the perps to go up to a containment vessel; in this case a computer or a building. The perps then check to see if it is "secure". They then commence to force entry. Once inside they take whatever property they want and leave. Burglary has been going on since man had a structure to hold his possessions and will continue to do so. The same can be said now for cyber crimes. This is nothing more than a new "structure" to hold possessions.

I think you really need to re-assess your thought process on this.

ExtremeWays • May 2, 2012 8:28 AM

@Guy Fawkes
You seem to have a reading comprehension issue. Schneier didn't write the article in question. He was just quoting from it.

Nick Simmonds • May 2, 2012 8:43 AM

Well, the cybercriminals could report negative losses. Of course, they wouldn't, but still.

Clive Robinson • May 2, 2012 8:44 AM

> Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.

This cuts both ways, if I was a crime millionaire let alone a billionaire, my main concern would be keeping it quiet. Not just from LEOs but everybody, firstly because some people will figure it's easier to put a gun against your head and take from you, but also because as noted the only way to stop your favorite "fishing spot" being ruined is to keep it secret.

But also consider if you are a victim, do you want to advertise you are a soft target unless you have to? Especially if your income is based on other people's confidence in you?

It also needs to be noted that as far as LEOs are concerned the higher the value of the crime the more likely the chances are it will be investigated and also the longer the sentences handed down, which again means the next investigation is more likely to be investigated.

Thus you get the kitchen sink mentality, where every cost is counted including the cost of the coffee consumed during counting at least twice, just to ensure the crime "value" gets to the "bar".

As has been pointed out on a number of occasions many of the costs include those of "making good" where the original poor security that would have to have been fixed any way gets included.

That is the cost of a paper shopping bag to put the day's takings in and leave it under the manager's desk is cheap compared to a proper night safe. However the cost of obtaining, installing an appropriate safe and redecorating of the office are now included in the cost of the crime as they have become necessary...

And this "cost inflation" gets added to each time the tale gets told to "allow for inflation" just as the fish that was caught in the fishing hollow gets larger and the struggle to land it commensurately more heroic with each telling.

The simple fact is very few people have any idea that is even remotely close to the truth, and it's rarely in their interest to say what the truth is.

Even with compulsory reporting of crime (which is never going to happen) people will "fudge the figures" depending on their drivers...

Ben • May 2, 2012 8:46 AM

@Guy Fawkes

> You equate cyber crime to fishing?? Really?? Clearly you have a skewed view into the crime and the criminal justice environment.

Surely you're not equating equation and contextually bound comparison of pertinent features? Fishing was mentioned precisely once in that article - and as an analogy at that. Did you even read it?

Dave Sill • May 2, 2012 9:24 AM

One can't report negative losses, but one can *not* report losses and one can under-report them, either intentionally or inadvertently. So there's a possibility for some correction of over-reporting, though it's anyone's guess how close the reported figures are to reality.

derp • May 2, 2012 9:54 AM

Guy Fawkes,

Do you realize that this is not Mr. Schneier's opinion? Did you not read the beginning that said "two very interesting points in THIS ESSAY...". Bruce is not arguing that this is correct, but merely trying to spur discussions about these points of view (aka: the reason why he "always downplays the severity or implications of the topic").

If you go read the article, it is not saying that cyber crime is not a problem, but merely stating that the data that quantifies loss due to cybercrime can be easily skewed, and probably is, because of how the figures are obtained.

Your point that cybercrime cannot be equated to fishing is pretty moot, because you only refute the analogy based on one type of cyber threat - targeted attacks - which is relatively uncommon compared to bots and phishing campaigns (wait a sec... that attack even sounds like "fishing"... perhaps there is a reason for that...). The article does not equate *all* cybercrime to fishing, just spam and password stealing. If you really think about it, cybercrime can be analogous to commercial fishing, with the exception of APTs and other targeted attacks - which are better equated to tracking/hunting than your analogy to burglary. For instance, the majority of cybercriminals' {fishermen's} goal is to pwn {catch} as many people {fish} as possible with the highest ROI possible. Botnet operators do this by buying crimeware kits {boats} like Zeus or Spyeye (both of which are freely available now) and after a few clicks, add some distribution points for the binaries {nets}, then they start reeling in the victims ... seriously, that's about all there is to it apart from money laundering. The more people get pwned by cybercriminals, the more people get paranoid and take further measures to protect themselves, making the "fish" population smaller, yet the "fisherman" population keeps growing because of how cheap/easy it is to start up.

I think you really need to re-assess your thought process on this, Guy.

Karl • May 2, 2012 11:13 AM

My takeaway is that we need to regulate the cybercrime industry in the same way that we regulate fishing: licenses.

If all cybercriminals were required to purchase licenses, and to throw back any hauls of less than a certain size, there would be more cybercrime for everyone.

kashmarek • May 2, 2012 12:05 PM

A cyber question: in the arena of cybercrime, there are facilitators that provide capabilities to "monetize" the network to their advantage (at the disadvantage of the targeted victims). Is the FaceBook organ donor list such a facilitation?

Clearly, the FaceBook organ donor list is a marketing ploy to collect data from not only the potential organ donors but from those seemingly in need of organs (for direct use to be implanted or wanting to "monetize" the methodology for financial gain). The key here is that the FaceBook based information has NO protection and is thus made open for all sorts of purpose (honorable and otherwise).

It is my observation that the medical communities have all sorts of lists for this purpose and that putting such data on FaceBook is only for the purpose of making money off the providers and those in need (though such operations are likely to be nefarious in nature). Thus, are we looking at a huge potential cybercrime event being spawned (not unlike the existing distribution of intellectual property that may or may not be against the law)? Or better yet, would such data on FaceBook be considered as protected by HIPAA and make FaceBook subject to HIPAA regulations?

AlanS • May 2, 2012 12:13 PM

A key assumption made in the article is that "common-access resources make for bad business opportunities....new entrants continue to arrive, driving the average return ever downward."

Maybe this is true for some types of cybercrime. There are resources that are widely and freely available that make it possible for anyone to hack into systems and steal credit cards etc. But that's not how a lot of cybercrime works. Spam, fake-antivirus, distribution of Trojans for the purposes of raiding bank accounts, etc. actually depend on large botnets backed by quite elaborate organizations and partnerships. It's organized crime. New entrants actually create more profit for Partnerkas as they buy services and generate income. There are more business opportunities than can be effectively exploited. And the business is very lucrative. All this is well documented by Brian Krebs at https://krebsonsecurity.com/.

AlanS • May 2, 2012 12:17 PM

@Karl "My takeaway is that we need to regulate the cybercrime industry in the same way that we regulate fishing: licenses."

That's actually the way it works in some countries. To get your 'license' you only steal from people in other countries and you pay fees to appropriate officials.

Paul Masson • May 2, 2012 1:51 PM

Cybercrime is only a minor problem when it happens to someone else. When it happens to you, then it becomes a tragedy. Attempting to mitigate the perception does not help promote the best defense, which is education of the user.

Miramon • May 2, 2012 3:42 PM

> And since no one can claim negative
> losses, the error can't be canceled.

Oh?

If Alfred over-reports by $50,000, and Betty under-reports by $50,000, obviously the error has been canceled.

On the one hand there is more scope for over-reporting due to the lack of an upper limit. On the other hand, victims of cons tend not to report their losses out of embarrassment at being conned. Moreover, since it doesn't profit a survey respondent to over-report, why assume they are doing so?

Either way, the second block of quoted text in the OP is rather dumb.

Nick P • May 2, 2012 10:30 PM

I like the article a bit. (Quick tangent: anyone responding to Guy Fawkes trolling was foolish, as troll's goal is to waste people's time by causing such responses & anger. He's named after a terrorist, for goodness sake ;)

So, as for the article, I do have issue comparing cybercrime to fishing. I think this is similar to Bruce's talk about fighting "tactics" of terrorist vs what's good at fighting terrorists. Credit cards, various accounts, etc. are just tactics or specific ways of getting money. Bruce's excerpts of this report show that it essentially says that people who all use the same tactic usually don't make exceptional amounts of money. Isn't this usually true?

In reality, cybercrime has a ton of tactics available. The article didn't examine ACH fraud or ATM skimmers, for example. I second Brian Krebs' site b/c he's covered ACH fraud & card skimmers in detail. Even with certain costs (eg money mule capture), individual crooks can make hundreds of thousands a year off of this. Many millions if they're running a network of others who only get a bit of the cut. Then there's espionage.

So, many types of cybercrime are quite profitable. Always. The reason is that the particular type produces quite a bit of money & it's easy to convert to cash. In espionage, it's the value of the information & haggling skills of the spy. Additionally, as Storm & Conficker showed us, innovation + partnership with profitable non-legit businesses made the group tens of millions of dollars in one of the businesses the authors tell us suck (spam). Same principle applies to other "tactics" or sub-industries.

In short, the authors are right for certain types of dumb/average crooks. The same principles probably apply to average honest workers, too. The truth that they ignore is that certain specialties & innovation in common spaces can make a cybercrook millions. Other than this major dispute, the rest seemed like good thinking after skimming it (no pun intended). Particularly, that extrapolation of possibly unreliable data leads to overestimating things. That's not just cybercrime, though. ;)

anonymous coward • May 3, 2012 1:39 AM

> Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million.

Iff these 5000 were randomly picked, statistics 101 will teach you the prediction is not extrapolation with all negative connotations at all. It is actually pretty good.

Not only in security is true randomness all-important.

caf • May 3, 2012 2:05 AM

> Just as unregulated fish stocks are driven to exhaustion, there is never enough "easy money" to go around.

This might be bad news for the fishermen, but it's also terrible news for the fish.

claudio • May 3, 2012 3:53 AM

> common-access resources make for bad business opportunities....new entrants continue to arrive, driving the average return ever downward.

I think he is oversimplifying the problem. Saturating the market requires time, and while numbers are not correct, there is still a lot of space for growth, and we wouldn't really like to reach the costs of saturation. And there are other limits, the market is not a perfect market, and not everyone is willing to enter it. If he were starting from the fact that losses are low and criminals are not making money, then he could be correct. But he just says that estimates are too high (everybody knows that) without giving better numbers, and then tries to fit the reality to his reasoning.

And as somebody already mentioned, it's the social cost that matters.

Andrew • May 3, 2012 8:52 AM

Well, at least this makes me feel better about thinking how hard it is to learn this stuff...

J taylor • May 3, 2012 11:14 AM

I am a cyber criminal myself, admittedly. I have stolen from persons and companies alike. Hardware, software, identity, bank information... all of it. I've been in I.T. since the days of the Commodore 64 and know the industry and hacking inside out. The author is right. There's no giant rainbow of money out there that you can generate millions of dollars. In those cases, it's usually someone who works at a firm and chooses to embezzle a large sum. These are not cyber criminals though. Of all of you that commented, how many of you actually have pulled it off or tried? I still look for every angle to profit from. There are too few there.

Dark Legend • May 4, 2012 12:16 AM

From the point of view of the fisherman/cybercriminal, relentless competition drives the "fisherman's" returns towards zero, and severely caps the upside.

But if the pond keeps getting restocked, fishermen will still keep coming, as a few free fish are better than none. And from the perspective of the fish/userbase and from the perspective of those who must cover the cost of replacing the stolen "fish", the TOTAL cost does NOT approach zero, instead the TOTAL cost from the perspective of the targets, the total cost approaches infinity, not zero, as a limit.

As long as cybercrime pays well enough for cybercriminals to persist, even if there are no billionaires, then more and more fish will get poached as time goes on.

And anyway, the correct statement is that there are no KNOWN billionaire cybercriminals. But not all cybercriminals are driven to brag about their 'sploits -- some, the likely rich ones, are more likely driven by the ethos of keeping the best fishing holes quiet.

If you doubt there could be cybercriminal billionaires even after this analysis, look around for an excellent film on the Russians of the thieves' code, Vor V Zakony, made by a Vor gone legitimate, like Michael Corleone tried to do in the Godfather.

Those guys didn't get all their money from the Russian oil industry...and they don't brag about how they thrived as their competition died, except to note that they have survived and thrived. They do not talk about what kind of fishing they have done, or how successful they have been in individual "fishing for dollars" expeditions.

If the over/under on cybercriminal billionaires worldwide was two dozen, and we could really know the truth, I'd take the over.

And cybercriminal millionaires? Enough, I'd wager to encourage others to try to follow the route to their good "fishing" spots...

And for years, at least until many of them got themselves "legitimized", the Vor would have no families or fixed places of abode that could be used against them, and little or no fear of prison, as they ruled on the inside as well as the outside.

Sorry, but competition will never be enough to discourage ever increasing numbers of cybercriminals or wannabes from chasing an ever larger pool of $ to hook into.

Please, no more pseudo-economic analyses that confuse the micro-economic with the macro-economic. All the author's argument proves is that cybercrime is a long-tail phenomenon, and it does not prove that there are NO big scores, nor does it prove that aggregate damage will wither away. After all, whales were a limited resource, so they went extinct for all practical purposes.

But cybercrime targets are everywhere, and no amount of cybercrime (at least that has been known to man yet) can clean out the targets of the "game".

Once again, "Author! PLEASE...!"

/s/ One who knows how, but chooses to refrain because he has things more valuable to him that he will not risk...

PS Install and use good personal computing security tools. There are excellent ones available for free if you look around a bit and do your research.

PPS I have infinitely more respect for the Vor, who are only following human nature, often very successfully, than I do for people who write supposed analyses that tell fish not to worry, that the ever increasing army of poachers aren't much of a threat, because their individual catches will go down over time. And that is what we were just told, in a few more words. The author hit his target, unfortunately, his target was a "straw man"...he never even caught a glimpse of the true nature of the threat.

And yes, the author is rightly respected for what he does know and can do, but he was looking through a prism, and missed the red lights flashing in this case...

Nick P • May 4, 2012 4:37 PM

@ j Taylor

I say you're full of s*** or were one of the less skilled cybercriminals. For one, we don't need to be cybercrooks to know these things: plenty of articles and arrests to tell us. Go read some Krebs posts about ACH fraud, ATM skimmers, or buying bank accounts, then come back with evidence the margins are like fishing.

Cybercrime is like crime in general: some activities require volume, some pay a premium, and some are luxury (usually temporary). The authors are extrapolating traits of the first category over the entire industry. That's not only bad science: it's obviously ignorant to anyone following the amounts crooks are able to steal (and are stealing).

Geordie Stewart • May 8, 2012 7:12 AM

Florencio and Cormac are spot on when they say that the cybercrime market has diminishing returns just like any other market. Consider that often the first thing a hacker will do once they’ve taken over a system is to make it harder for anyone else to take it over. In effect, they raise the amount of effort for others to attain the same benefit. For those that are interested in more examples they should check out Florencio and Cormac’s other paper “Where do all the attacks go?” which is available as a free download where they ask why are there not more compromises if there are so many insecure systems?

There seems some hostility here about criticising the claims made for the cost of computer crimes. Florencio and Cormac rightly point out that a small number of large claims can have a huge impact on totals when extrapolated to the entire population. Consider that when claiming expenses you normally have to produce evidence - for claiming computer crime losses there is no such rigor and too many incentives to exaggerate. The US authorities are still claiming that Gary McKinnon caused $700,000 of damage. I haven’t seen any explanation of how that figure was reached but I have no doubt it's already banked somewhere on a ledger of US Govt cybercrime losses. Also, what’s the vested interest of the companies / organising the cybercrime surveys? All the players involved (including us infosec pros) have a vested interest in bigging up the issue. Some of the industry cybercrime loss claims made are ludicrous and Florencio and Cormac are right to question them.

I remember the London Infosec conference a few years ago when a vendor presented their annual breaches survey. One of the senior partners was presenting a graph showing how the average cost of a breach was approaching 100k and he was concluding that things were getting worse. I pointed out that his chart was just a graph of inflation (awkward silence).

Roger • May 10, 2012 8:11 AM

Cormac's (false) argument that an over-estimate of $25k can't be cancelled out makes some sort of sense if he thinks that $25k is an insanely high number that would almost never be seen in reality.

For example, consider if we were talking about, say, car theft. Then having just one victim claim that his stolen car was worth $20 million would blow the average right out. Even if every other victim gave an accurate report, it would require many thousands of reports to dilute the effects of such an exaggerated claim.

So perhaps that is what he meant. However, $25k is not a particularly high amount. It may (or may not) be very high for the criminals' profits, but for the victims' clean-up costs it's actually pretty reasonable, maybe even on the low side. Take a team of 5 IT professionals at $50/hr, working 1 week flat-out (including overtime for the weekend) to replace / rebuild / patch servers, web apps and compromised desktops; add in a management report and an audit (legally mandatory), and there's your $25k down the drain before you even start looking at direct business losses, lost custom, etc.

Of course the exact details will vary wildly, but as soon as you are talking wages and salary in any organisation much bigger than a corner store, $25k doesn't go very far.

DewiMorgan • January 4, 2013 1:03 PM

I suspect that the most common false claim is "the maximum the insurance people would pay out for this type of attack".

...for some value of false. The cost of "making good", as pointed out earlier, can be used to inflate as necessary to get the max payout.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.