Computer Crime Research Center

A crime wave festers in cyberspace

By Bob Tedeschi/NYT (The New York Times)

Cybercrime, long a painful side effect of the innovations of Internet technology, is reaching new dimensions, security specialists say. Spurred by a tightening economy, the increasing riches flowing through cyberspace and the relative ease of such crimes, technically skilled thieves and rank-and-file employees are stealing millions if not billions of dollars a year from businesses around the world, according to consultants who track cybercrime.

Thieves are not just diverting cash from company bank accounts, these experts say. They are pilfering valuable information such as business development strategies, new product specifications or contract bidding plans and selling the data to competitors.

"Criminal activity on the Internet is growing - not steadily but exponentially, both in frequency and complexity," said Larry Ponemon, chairman of the Ponemon Institute, an information management group and consultancy. "Criminals are getting smarter and figuring out ways to beat the system."

The number of successful, and verifiable, worldwide hacker incidents this month is likely to surpass 20,000 - above the previous monthly record of 16,000 in October, as counted by mi2g, a London-based computer security firm. Others have also offered dire estimates, although the dollar amounts are difficult to verify or compare because the definitions of loss vary so broadly. Part of the challenge in quantifying the problem is that businesses are often reluctant to report and publicly discuss electronic theft for fear of attracting other cyberattacks or, at the least, undermining the confidence of their customers, suppliers and investors or inviting the ridicule of their competitors. In one survey of 500 computer security practitioners conducted last year by the FBI and the Computer Security Institute, a trade group, 80 percent of those surveyed acknowledged financial losses resulting from computer breaches. The computer professionals took part in the survey on the condition they and their organizations would not be identified. Among the 223 respondents who quantified the damage, the average loss was $2 million. Those who had suffered losses of proprietary company information said each incident had cost an average of $6.5 million, while financial fraud averaged $4.6 million an incident.

One of the best-known cases of corporate computer crime involved two accountants at Cisco Systems, who after pleading guilty were each sentenced in late 2001 to 34 months in prison for breaking into parts of the company's computer system they were not authorized to enter and issuing themselves nearly $8 million in company stock.

But it is nearly impossible to identify the companies that have incurred the biggest losses, because of corporate reluctance to discuss what anonymous surveys have found to be a growing problem.

Computer security specialists who help protect these companies said the attacks were hitting major banks, telecommunications companies and other Fortune 500 companies - and included a great variety of attacks. "If people found out how astoundingly large this problem is, they'd be shocked," said James Hurley, an analyst with Aberdeen Group, a technology consulting firm. Hurley said one client, which he declined to identify, suffered a $500 million case of electronic theft last year. Other consultants also recently recounted numerous examples of electronic thefts, but, like Hurley, they omitted company names because of confidentiality clauses in their contracts. Some examples, all provided by consultants who had seen the damage, include these: Last summer, someone hacked into the treasury system of a U.S. financial services company and transferred more than $1 million to what investigators presume to have been personal accounts. The company suspects it was an employee because of the inside knowledge required to gain access to the system. The investigation is continuing, but the employee's identity is still unknown.

In November 2001, a New York brokerage house noticed an intruder in its network from overseas but did not know the nature of the intrusion. When a security firm tracked him, they saw that he was removing trading information on euros and using that data to compete with the firm while trading in markets in the Far East. The estimated damage was in the millions of dollars. Last spring, hackers broke into a U.S.-$ based bank's database and gained access to accounts of wealthy customers. Millions of dollars was transferred overseas. The bank managed to undo most of the transfers, but total losses, including a security clean-up, were more than $1 million.

The weak economy is partly behind the rise in cybercrime, said Richard Power, global manager of security intelligence for Deloitte Touche Tohmatsu, a business management consultancy. "In times of economic hardship, crime always increases," he said. "The more that money flows into cyberspace, the more criminal activity there'll be."

Corporations, meanwhile, are struggling to keep pace. With budgets and personnel stretched thin, companies that added many new technologies to their computer systems during the dot-com build-up now find themselves lacking the resources to secure those systems against break-ins.

Part of the problem is that cybercrime is much harder to detect than crime in the physical world. "The vast, vast majority of virtual crimes right now never get caught or prosecuted, where you have some chance in the real world," said Dan Farmer, chief technology officer of Elemental Security, a computer security firm in Silicon Valley. "It is extraordinarily hard to prove anything using digital evidence."

Electronic crime is difficult to detect because it is so often an inside job. Security experts say the fastest-growing type of cybercrime involves theft of intellectual property - the pilfering of a company's plans for major projects, for instance, or marketing schedules and budgets stolen by an employee and sold to a competitor.

John Pescatore, an analyst with Gartner Inc., a technology consulting firm, estimated that in 70 percent of computer systems intrusions that resulted in a loss, an employee was the culprit.

In other industries, losses have become so widespread that accounting specialists are starting to call for fuller disclosure of cybercrimes by corporate victims, saying that customers and shareholders should know more about the losses and risks. Ponemon, the consultant, said companies often concealed the losses in their balance sheets. "It'll be recorded in different accounts that wouldn't have the same level of scrutiny as a loss," he said.

Such cover-ups do not allow for "a clean picture about how expensive it is to have to deal with fraudulent or criminal activities," Ponemon said. "This is becoming a very material part of the business model, so it deserves its own disclosure. That way, people can make better business decisions - whether to demand better controls or better technology or different precautions."

A securities lawyer cautioned against holding companies to a higher standard for disclosing cybersecurity breaches in all cases, lest they attract copycat attacks. "Sometimes it's more socially responsible not to disclose, because it could multiply a company's losses by 20," he said.

But Jay Ehrenreich, senior manager of the cybercrime prevention and response group at PricewaterhouseCoopers, said requiring broader disclosure of cybercrimes "makes a lot of sense and is something shareholders should demand."

Still, he does not expect corporations to easily give in to such demands.

"A lot of times companies don't want to know what was taken," Ehrenreich said. "They just want us to find what the problem was and close the door, because there's a cost to finding out what was actually taken."


Home | What's New | Articles | Links
Library | Staff | Contact Us

Copyright Computer Crime Research Center 2001, 2002 All Rights Reserved.
Contact the CCRC Office at +38 061 220 12 83