Wednesday, July 15, 2020

Time to flatten the [cybercrime] curve

Recently, a journalist asked for input on this question: Do you think companies are doing enough to protect consumer data?

In my response, I pointed to the chart you see on the right, the graph that I call the IC3 Hockey Stick of Cybercrime. What the graph shows is internet crime losses reported to the Internet Crime Complaint Center (IC3) operated by the FBI. The X-axis covers a 17-year span, but the last five years are where things start to look truly troubling.

(Note: while IC3 is the source of the numbers in the graph, IC3 has not—to my knowledge—published them in a graph; in other words, I built the graph from their numbers.)

Back in January of 2020, even before the "Covid Effect" kicked in—a huge surge in computer-enabled crime that began to emerge in late February—I predicted that the 2020 numbers from IC3 would blow past the $4 billion mark. Then, in early March we started seeing articles on "How cybercriminals are taking advantage of covid-19: scams, fraud, and misinformation." By mid-April, FBI Deputy Assistant Director Tonya Ugoretz was saying the number of crimes reported to IC3 had "quadrupled compared to months before the pandemic."

While the methodology behind the IC3 numbers shown in this chart is likely to disappoint statisticians—an issue I covered in depth in this law journal article—the trend you see here is consistent with all the other measures of cybercrime that I have studied. And while the tall thin version of the chart exaggerates the effect, it still doesn't look particularly reassuring when you produce a squarer version like this one.

The sad reality is—as I said to the journalist—companies are falling short in their efforts to protect data and systems relative to the level of threats they face, from criminals and other threat actors.

That caveat is important: relative to the level of threats they face, from criminals and other threat actors. You can only give companies so much grief for falling victim to crimes before you're just victim blaming. And victim blaming can lead to punitive measures against organizations that failed to prevent themselves from being victimized.

(I'm sure some organizations that have fallen victim to cybercrime feel as though they've been penalized by the authorities for suffering a burglary while living in a neighborhood where police presence is practically non-existent.) 

Yes, some companies have been victimized because their security practices were not to the highest standard, but that standard is very expensive to maintain at current threat levels. Some companies—like defense contractors—may be able to get their information security costs covered by the prices they charge. Others have to pass them on to consumers. 

Either way, one thing is clear: the more cybercrime there is, the higher the cost to society at large. The counter-argument that profits from cybercrime bolster the economies of those places in which cyber-criminals spend their money doesn't impress me. I suggest that the benefits of those ill-gotten gains are not outweighed by the social costs of creating crime-based economies.

So let me put it this way: given that our efforts to defend against such cyber-criminal activity have so far proven to be incredibly expensive relative to the limited success achieved, discouraging people from engaging in cybercrime should be our number one priority in terms of government policy and social strategy. So how might that work?

Curve flattening

As the number of COVID-19 cases started to rise in the first quarter of 2020, the governments of many countries urged all sectors of society to work together to "flatten the curve" of Coronavirus infections and this has become a key element in the global response to the pandemic. 

This type of public call to action—the "we're all in this together" strategy—has long been a theme of "cybersecurity awareness" efforts, recurrent campaigns to enlist the public's help in reversing the rise in cybercrime, essentially flattening the cybercrime curve.

The best known of these cybersecurity awareness programs has become an annual event, taking place in October as Cybersecurity Awareness Month in the US and Cybersecurity Month Europe in the EU, with many countries outside those areas also participating. 

While much of the Cybersecurity Awareness Month activity is voluntary or sponsored by companies, government agencies in the US and the EU have provided leadership in establishing these programs. That leadership is a good sign, and there's no doubt in my mind that security awareness programs do reduce the number and impact of security breaches, thefts, extortion schemes, fraud, and so on.

But I am equally certain that the governments of the world are doing far too little to make cybercrime a risky and unattractive proposition. So, maybe the next large-scale public cybersecurity awareness program needs to be:

"Awareness of how governments have seriously failed their citizens when it comes to combating and deterring cybercrime, and how we can force them to do better."

Needs a catchier title—but I will work on that.