The Government Accounting Office took an assessment of the cybercrime battle and didn’t very much like what it saw. In a report issued today, the GAO said despite huge efforts by public and private entities to address cybercrime, those efforts are falling way too short. The agency pointed out five areas it said were key challenges the government – federal, state and local – corporations and individuals face in slowing cybercrime.Those challenges include:
· Information: reporting cybercrime—companies and government agencies do not always detect or report cybercrimes;
· Experience: ensuring adequate law enforcement analytical and technical capabilities—law enforcement organizations often have difficulty obtaining and retaining investigators, prosecutors, and examiners with the specialized skills needed to address cybercrime; this is due in part to the staff rotation policies in place at certain law enforcement organizations;
· Jurisdiction: working in a borderless environment with laws of multiple jurisdictions—because cybercrime crosses national and state borders, law enforcement organizations have to deal with multiple jurisdictions with their own laws and legal procedures, a situation that complicates investigations;
· Lax security: implementing and raising awareness about strong information security practices—our experience in evaluating the information security of federal agencies demonstrates the difficulty that organizations face in maintaining strong information security programs; despite efforts by public and private entities to raise awareness about the importance of information security, many organizations and individuals remain insecure.
· Bad policies: Public and private entities, cybercrime partnerships, and task forces have initiated efforts to address these challenges, including leveraging resources and technologies to fight cybercrime. However, more can be done to help ensure agencies have adequate law enforcement capabilities. Specifically, staff rotation policies at key law enforcement agencies may hinder the agencies’ abilities to retain analytical and technical capabilities supporting law enforcement.
The GAO’s “Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats,” says the direct economic impact from cybercrime is estimated to be in the billions of dollars annually. The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, according to a 2005 Federal Bureau of Investigation (FBI) survey.
In addition, there is continued concern about the threat that our adversaries, including nation-states and terrorists, pose to our national security. For example, intelligence officials have stated that nation-states and terrorists could conduct a coordinated cyber attack to seriously disrupt electric power distribution, air traffic control, and financial sectors.
Also, according to FBI testimony, terrorist organizations have used cybercrime to raise money to fund their activities. Despite the estimated loss of money and information and known threats from adversaries, the precise impact of cybercrime is unknown because it is not always detected and reported. The report also notes that the different types of cybercrime act ivies are on the rise.
For example:
· Spam: Has increased over 65% since January 2002.Approximately 88% of all e-mail processed at service centers is classified as “junk.” From September 2006 to March 2007, Postini collected over 60 billion pieces of spam totaling 537.7 terabytes of data. Between July and December 2006, spam constituted 59% of all e-mail monitored. Through 2005, hackers most frequently targeted the telecommunications and health care sectors, where almost 80% of all e-mail traffic was spam.
· Botnets: Between July and December 2006, an average of 63,912 active, bot-infected computers per day were observed, an 11% increase from the previous reporting period.
· Phishing: Between July and December 2006, 166,248 unique phishing messages detected, a 6% increase over the first 6 months of 2006. An average of 904 unique phishing messages per day was reported for the second half of 2006. During the same period, over 1.5 billion phishing messages were blocked. During 2006, U.S.-based businesses were the most targeted organizations of phishing e-mails, accounting for 71% of all phishing e-mail. In addition, more than 55% of the world’s phishing attacks fabricate company Web sites that are hosted in the United States.
· Malware: Between January and June 2006, approximately 2 million of the 4 million computers cleaned by the malicious software removal tool had at least one backdoor Trojan horse. 43,000 new variants of malware were found in the same period.
· Trojan horses: In 2005, close to 40% of the financial services and banking industry sector suffered the most Trojan horse attacks.
The report wasn't all bleak. The GAO says that federal and state law enforcement organizations are taking steps to help them work in the borderless environment within which cybercriminals operate. For example, federal, state, and local law enforcement organizations participate in cybercrime task forces that combine a region’s law enforcement capabilities to investigate and prosecute cybercrime in the most advantageous way. To address transnational jurisdiction, investigation, and prosecution issues, DOJ and the State Department have established agreements with more than 40 nations through the G-8 High Tech Crime Working Group to address cybercrime cooperatively.
The GAO concludes: “We recommend that the Attorney General direct the FBI Director and the Secretary of Homeland Security direct the Director of the Secret Service to assess the impact of the current rotation approach on their respective law enforcement analytical and technical capabilities to investigate and prosecute cybercrime and to modify their approaches.”