Microsoft can only do so much to fight cyber threats

Thwarting cyber criminals also requires cops to work together

That headline was not written to make me sound like an apologist for Microsoft. A lot of the security breaches happen because people with bad intentions exploited weaknesses in ubiquitous Windows operating systems in computers worldwide. Try as they might, Microsoft and other software companies still need to diligently patch security leaks in the virtual world. But there is also a need for security in the physical world, although a recent report shows not all the cops on the beat are doing their jobs.

The New York Times reported Monday that U.S. authorities arrested a Russian resident in France earlier this month who has been indicted in the U.S. on charges of identity theft and fraud for allegedly managing Web sites that sold stolen credit card numbers to those who would use the numbers to run up fraudulent bills. The article points out that the suspect, Vladislav Horohorin, who went by the Internet moniker BadB, worked with impunity in Moscow due to lax efforts by Russian law enforcement.

Online fraud is not a high priority in Russia even when specific hackers there have been identified by outside groups, the Times reported, because most of the time, fraud victims aren’t in Russia, but are in Europe or the United States. A nonprofit group aimed at fighting spam and other online fraud, the Spamhous Project, told the newspaper that seven out of 10 spammers in the world operate out of Estonia, Russia and Ukraine, all once part of the Soviet Union.

The article again makes the point that has been made before on this blog that fighting cybercrime requires global law enforcement cooperation. But the article adds that while the U.S. sees fighting cybercrime as a law enforcement issue, the Russians have pushed for an international treaty focused on restricting use of “online weapons” by military or espionage agencies. The U.S. has entered treaty talks with Russia, but there seems to be a fundamental disagreement on what is the right approach.

The idea of a treaty among nations to require enforcement of laws against cybercrime first came up on this blog back in March at RSA Conference 2010 when cybersecurity consultants said they felt the risk of a cyberattack is high but that preparedness is low. The “Pearl Harbor” warning made at that panel discussion continues to spark comments on this blog from skeptics who question the analogy and think the threat may be overstated by consultants who sell security. They were Richard Clarke, an adviser to three presidents and Michael Chertoff, secretary of homeland security under President George W. Bush. By the way, it was Chertoff who said it might take the cyber equivalent of the attack on Pearl Harbor in 1941 to serve as a wake-up call to step up security.

Commentors called out the hyperbole of this writer as well as the cybersecurity consultants for the Pearl Harbor analogy and for using terms like “catastrophic” to describe the cyberthreat. Fair enough. But whether it’s the nuisance of spam, the financial loss of credit card fraud, or the far more serious taking down of an electrical grid, cybercrime needs to be addressed both by technology companies and nations.

• Microsoft
• cybersecurity
• Microsoft
• Richard Clarke
• Russia
• Windows