Cybercrime, they just don't mention it
January 30 2003
Criminals are not only stealing money on the Internet, but ideas, business
plans and bidding strategies, writes Bob Tedeschi in New York.
Cybercrime, long a painful side effect of the innovations of Internet
technology, is reaching new dimensions, security experts say.
Spurred by a tightening economy, the increasing riches flowing through
cyberspace and the relative ease of such crimes, technically skilled
thieves and rank-and-file employees are stealing millions if not billions
of dollars a year from businesses in the United States and abroad,
according to consultants who track cybercrime.
Thieves are not just diverting cash from company bank accounts, these
experts say. They are pilfering valuable information like business
development strategies, new product specifications or contract bidding
plans and selling the data to competitors.
"Criminal activity on the Internet is growing - not steadily, but
exponentially, both in frequency and complexity," said Larry Ponemon,
chairman of the Ponemon Institute, an information management group and
consultancy. "Criminals are getting smarter and figuring out ways to beat
the system."
The number of successful, and verifiable, worldwide hacker incidents for
the month of January is likely to surpass 20,000 - above the previous
record of 16,000 in October, as counted by mi2g, a computer security firm
based in London.
Others have also offered dire estimates, although the dollar amounts are
difficult to verify or compare because the definitions of loss vary so
broadly. Part of the challenge in quantifying the problem is that
businesses are often reluctant to report and publicly discuss electronic
theft for fear of attracting other cyberattacks or at the least undermining
the confidence of their customers, suppliers and investors - or inviting
the ridicule of their competitors.
In one survey of 500 computer security practitioners conducted last year by
the FBI and the Computer Security Institute, a trade group, 80 per cent of
those surveyed acknowledged financial losses to computer breaches. The
computer professionals took part in the survey on the condition they and
their organisations would not be identified. Of the 223 respondents who
quantified the damage, the average loss was $US2 million ($A3.38 million).
Those who had sustained losses of proprietary company information said each
incident cost an average of $US6.5 million, while financial fraud averaged
$US4.6 million an incident.
One of the best known cases of corporate computer crime involved two
accountants at Cisco Systems, who after pleading guilty were each sentenced
in late 2001 to 34 months in prison for breaking into parts of the
company's computer system they were not authorised to enter and issuing
themselves nearly $US8 million in company stock.
But it is nearly impossible to identify the companies that have lost most,
because of corporate reluctance to discuss what anonymous surveys have
found to be a growing problem.
Computer security experts who help protect these companies said the attacks
were hitting major banks, telecommunications companies and other Fortune
500 companies - and took a great variety of forms.
"If people found out how astoundingly large this problem is, they'd be
shocked," said James Hurley, an analyst with the Aberdeen Group, a
technology consulting firm. Hurley said one client, which he declined to
identify, endured an electronic theft worth $US500 million last year.
Other security consultants recently recounted numerous examples of
electronic thefts, but, like Hurley, they omitted company names because of
confidentiality clauses in their contracts. Some examples, all provided by
consultants who had seen the damage, include these:
• Last summer, someone hacked into the treasury system of an East Coast
financial services company, and transferred more than $US1 million to what
investigators presume to have been personal accounts.
• In November 2001, a New York brokerage house noticed an intruder in its
network from overseas, but did not know the nature of the intrusion. When a
security firm tracked him, they saw that he was removing trading
information on euros and was using that data to compete with the firm while
trading in other markets. Estimated damage was millions of dollars.
• Last year, hackers broke into a publicly held bank based in the US and
gained access to the bank accounts of wealthy customers. Millions of
dollars were transferred overseas. The bank managed to back out of most of
the transfers, but total losses, including a security clean-up, were more
than $US1 million.
The weak economy is partly behind the rise in cybercrime, said Richard
Power, global manager of security intelligence for Deloitte Touche
Tohmatsu. "In times of economic hardship, crime always increases," he said.
"The more that money flows into cyberspace, the more criminal activity
there will be."
Corporations, meanwhile, are struggling to keep pace. With budgets and
personnel stretched thin, companies that added many new technologies to
their computer systems during the dot-com build-up now find themselves
lacking the resources to secure those systems against break-ins.
Part of the problem is that cybercrime is much harder to detect than crime
in the physical world.
"The vast, vast majority of virtual crimes right now never get caught or
prosecuted, where you have some chance in the real world," said Dan Farmer,
chief technology officer of Elemental Security, a computer security firm in
Silicon Valley. "It is extraordinarily hard to prove anything using digital
evidence."
Law enforcement authorities acknowledge the difficulty of catching
electronic thieves. "The crime is much easier because you have anonymity,"
said Tim Caddigan, deputy special agent in charge of the Secret Service's
financial crimes division. And often, he said, "It's much more profitable
for criminals to use the computer" than to steal through more traditional
means.
Adding to the difficulty of catching wired thieves is the fact that the
authorities are outnumbered and, in many cases, outsmarted by criminals
with better computing skills - although the FBI and the Secret Service are
increasing their ranks of investigators with sophisticated computer skills.
The number of investigators in the FBI's cyber division will roughly double
in the coming months, to 700, for example, while Caddigan of the Secret
Service said 200 of the Service's 3000 agents had completed training and
more would follow.
Electronic crime is also difficult to detect because it is so often an
inside job. Security experts say the fastest-growing type of cybercrime
involves the theft of intellectual property - the pilfering of a company's
plans for major projects, for instance, or marketing schedules and budgets
stolen by an employee and sold to a competitor.
John Pescatore, an analyst with Gartner, a technology consulting firm,
estimated that in 70 per cent of computer systems intrusions that resulted
in a loss, an employee was the culprit. In many cases, he said, those
employees knew the company was headed for difficult times and possible
layoffs, and sold information to competitors "either to make sure they got
a good job at another place, or just to give themselves a golden parachute".
In other industries, losses have become so widespread that accounting
experts are starting to call for fuller disclosure of cybercrimes by
corporate victims, saying that customers and shareholders should know more
about the losses and risks.
http://theage.com.au/articles/2003/01/29/1043804407631.html