Cybercrime Now Worth $105 Billion, Bypasses Drug Trade

Stony Stevenson writes "Citing recent highly publicized corporate data breaches that have beset major companies like Ameritrade, Citigroup, and Bank of America, McAfee CEO David DeWalt, said that cyber-crime has become a US$105 billion business that now surpasses the value of the illegal drug trade worldwide. Despite the increase in government compliance requirements and the proliferation of security tools, companies continue to underestimate the threat from phishing, data loss, and other cyber vulnerabilities, DeWalt said. 'Worldwide data losses now represent US$40 billion in losses to affected companies and individuals each year, DeWalt says. But law enforcement's ability to find, prosecute, and punish criminals in cyberspace has not kept up: "If you rob a 7-11 you'll get a much harsher punishment than if you stole millions online," DeWal remarked. "The cross-border sophistication in tracking and arresting cyber-criminals is just not there."'"

McAfee?

[parcel (145162)]

McAfee CEO David DeWalt, said that cyber-crime has become a US$105 billion business that now surpasses the value of the illegal drug trade worldwide.

erm, conflict of interest?

Bypasses drug trade?

[by Anonymous Coward]

Bypass: A means of circumvention.
Surpass: To be or go beyond, as in degree or quality; exceed.

Re:

[ichigo 2.0 (900288)]

Maybe that means the drug trade is worth more, but cybercrime bypassed it! Those dastardly hackers!

Sounds scary

[BadAnalogyGuy (945258)]

Considering the international nature of the Internet and the ability to hack from just about anywhere, including extradition-free countries, it seems like anyone could become a cybercriminal and make billions of dollars.

Does O'Reilly or Manning have a book on how to become a cybercriminal? Besides the Camel, I mean.

It is scary. AV coordination is suspicious though

[Erris (531066)]

The BBC has a nice write up [slashdot.org] on how open and inviting the world of cybercrime is. Tools are passed around and improved and auctioned along with the results, according to William Beer, of Symantec. The scene is booming, with almost double the number of new threats in the first six months of 2007 as in the last of 2006.

Arbor Networks is reporting the same boom from the ISP perspective [slashdot.org], and thinks the infrastructure of the internet itself is in danger.

Darkreading [slashdot.org] details some of the sophistication of the attacks, from an IT perspective as reported by MessageLabs.

Hmmm. Symantec, MessageLabs, McAffe, all at once reporting the same thing. Not to downplay the threat, but is a new version of Windows out?

Re:

[dedazo (737510)]

Not to downplay the threat, but is a new version of Windows out?

Yes, thankfully. It's been out for 8 months, it has twice [hitslink.com] the market share of Linux and OS X combined, and it's much more secure than the one it's replacing.

BTW, I think it's funny that you'd give so much weight to companies that you've referred to in the past as "snake oil vendors".

Given the fact that the vast majority of computers on botnets are there because of user action instead of exploited vulnerabilities, I fail to see what a new

Now expect

[Jeremiah Cornelius (137)]

The covert Government support of CyberCrime by "intelligence" agencies, and the monopoly of profits from this - just like the drug trade.

Too bad the CIA can't destroy the black urban population of America with phishing spam, like they did to the brothers ad sisters with drugs in the 70's and 80's.

Maybe this isn't true

[Centurix (249778)]

Maybe drug dealers are getting smarter.

Re:Maybe this isn't true

[MillionthMonkey (240664)]

No, this just means we're finally achieving victory in our War on Drugs!

Uhhh, wtf?

[QuantumG (50515)]

"If you rob a 7-11 you'll get a much harsher punishment than if you stole millions online," DeWal remarked. "The cross-border sophistication in tracking and arresting cyber-criminals is just not there."

Yeah, it's the difference between a violent crime and shifting some numbers from one table in a database to another.

What an idiot.

Re:

[clarkkent09 (1104833)]

Is it really that clear-cut that violent crimes should be punished more harshly than non-violent "white collar" crimes? An employee of a 7-11 who gets held up suffers some stress (unless he gets shot, but that's rare) and the company loses a few hundred dollars. I would say that people responsible for the Enron fraud for example caused much greater suffering to more people (who lost their life savings, pensions etc) than a crackhead who robs a 7-11.

Re:

[QuantumG (50515)]

The purpose of prisons is to separate those who are a danger to society from society.

As much as I believe those responsible for the Enron disaster are a danger to society, they can be neutralized simply by prohibiting them from being directors of companies ever again.

Re:

[clarkkent09 (1104833)]

The purpose of prisons is to separate those who are a danger to society from society.

There is a bit more to it than that. In all countries there is a retributive element in the justice system, i.e. making the punishment proportional to the severity of the crime. If your statement were true, anyone who commits a crime and can show that they are not able to commit that crime again should just be let go.

Re:

[QuantumG (50515)]

Yeah, the whole "we'll be complete assholes to you so that other people think twice before doing what you did" thing. It's barbaric.

Re:Uhhh, wtf?

[ZorbaTHut (126196)]

Sadly, some incentive to others to not follow in the person's footsteps is often helpful. Many people aren't fundamentally good - they're fundamentally selfish, and any legal system that doesn't take this into account is doomed to failure.

If I had some way to push a button and take one dollar from every American in the country, with a 5% chance of getting caught and no penalty besides losing the money I'd gained, I'd honestly probably push it. If the penalty was instead 80 years in prison, I wouldn't. Penalties are important.

Re:

[StikyPad (445176)]

Robbery isn't necessarily violent, although he probably should have used home burglary as a better example. It does seem ridiculous that "white collar" crimes are less penalized since any one case typically affects many more people than any one burglary.

Re:

[QuantumG (50515)]

Robbery isn't necessarily violent

Huh? Then it's not robbery.

although he probably should have used home burglary as a better example

You're suggesting that burglary is the same thing as robbery?

Ok...

It does seem ridiculous that "white collar" crimes are less penalized since any one case typically affects many more people than any one burglary.

Larceny, whether committed via burglary or fraud or hacking carries the same penalty, determined by the value of the goods stolen. Burglary may carry other penalties, like trespass, or entering a domicile while the occupants are home, or damaging the property.. but that's just co-incidental.

Re:

[anagama (611277)]

Shooting someone violates old deep seated morality. Moving data does not. Check out the portion on the inner chimp [wnyc.org].

Re:

[Joebert (946227)]

Yeah, it's the difference between a violent crime and shifting some numbers from one table in a database to another.

What if shifting numbers results in a riot or suicide ?

Say if, someone "shifts some numbers" on the stock market, an investor loses everything he has because of this shift & hangs himself, could that be considered violent crime ?

What if someone alters a news release on a company website to artificially decrease the value of that companies stock & it causes a riot ?


Cybercri

Re:

[QuantumG (50515)]

So you're saying that atheists are required to value money more than life.

yah.

   

Re:

[ZorbaTHut (126196)]

If the lost money causes two people to starve to death, or 100 people to die one year earlier than otherwise due to slightly inferior medical care, then you could easily argue that the lost millions is indeed a great cost than a single murder.

If you want a real challenge, try to figure out exactly how much emotional pain and depression is equivalent to one murder.

This number

[symbolic (11752)]

...sounds like it was pulled out of someone's ass. I don't deny that there's a problem, but what concerns me is that this "number" could very well become another excuse for the government to pursue "solutions" that are even more invasive than our current crop of 9/11-related idiocy.

Re:This number

[Dunbal (464142)]

but what concerns me is that this "number" could very well become another excuse for the government to pursue "solutions" that are even more invasive than our current crop of 9/11-related idiocy.

      Everyone knows those cyber-terrorists are building weapons of mass destruction. You are either with us or against us, you liberal cyber-terrorist facilitator...

      You know, the scary thing is it's almost not even funny anymore.

Re:

[dgun (1056422)]

but what concerns me is that this "number" could very well become another excuse for the government to pursue "solutions"

Oh, the "war on cybercrime" is just a campaign slogan away from reality. Are you ready for random searches of your hard drive? With my luck, a random search of my hard drive would reveal trace amounts of cocaine.

How to make a number up

[EmbeddedJanitor (597831)]

Exactly how does cybercrime cost almost $20 for every man, woman and child on the planet? There must be some creative accounting going on here.

If the RIAA are involved in creating the stats, then they're probably using their $750 per track damages. If MS does the same thing for pirated versions of Office (probably $10000 per copy) etc, then just the piracy part of cybercrime would add up pretty quickly.

Bottom line: This sounds like a number that has been created to support some proposed course of action.

Re:How to make a number up

[AJWM (19027)]

There must be some creative accounting going on here.

They're including sales of Windows Vista. If releasing that thing to the market isn't a crime, I don't know what is.

(Ba dump bump.)

Re:This number

[rwyoder (759998)]

...sounds like it was pulled out of someone's ass.

Absolutely! When a thief robs a liquor store of $1000, he actually has the money, and the store has really lost the money. Now let me relay something I learned from a lecture I attended by a wekll-know former hacker a few years ago; He had used social engineering to obtain a copy of some cell-phone infrastructure s/w from a large, well-known high-tech company. He later learned that when the cops questioned the mgt of the company, they wanted a dollar amount of the damages. When the mgt hesitated about how to determine the damages, the cops asked: "So what did it cost to develop it?" And that was the number they used! The hacker had done nothing but use social engineering to persuade an employee to FedEx him a copy of the s/w which he kept, but did nothing with it. He never even broke into a single computer, nor ever distributed the s/w, nor did any kind of damage. But in their zeal to pump this up into a big case, the cops used the completely bogus multi-million dollar cost of the project and charged him with that dollar amount of (non-existent) damage.

Shift emphasis

[Harmonious Botch (921977)]

Legalize drugs for consenting adults, and put the crime-fighting resourses to use stopping cybercrime.

Re:

[User 956 (568564)]

Legalize drugs for consenting adults, and put the crime-fighting resourses to use stopping cybercrime.

Yeah, but you know their solution is to just trump up a third never-ending war. In addition to the "war on drugs" and the "war on terror", we'll have the "war on netcrime" which will result in nothing less than an increase in the rate of usurpation of powers by the Federal government.

Re:Shift emphasis

[QuantumG (50515)]

Don't forget the war on copying.

We could probably make this easier by just call them all "the war on freedom".

Re:

[QuantumG (50515)]

Did you just refer to sex as a vice?

Only on Slashdot..

Punishments...

[sydneyfong (410107)]

"If you rob a 7-11 you'll get a much harsher punishment than if you stole millions online,"

Like... distributing a mp3 on a P2P network?

This must mean...

[NeoSkink (737843)]

We're winning the drug war! That's the only way to explain such low numbers!

Maybe we'd better start a war on cyber crime too, seeing how the drug war has been so successful!

Drugs vs Cybercrime

[RancidPickle (160946)]

If you think about it, this makes perfect sense. Why risk getting 'capped' picking up ten bricks of heroin, risk getting snagged at some border transporting the bricks, and getting it home, just to get shot by your partner, when you could sit at some Starbucks, sipping a Venti White Chocolate Mocha and rake in tens of thousands of dollars.

Pushing ones and zeros are safer than pushing dope. No wonder organized crime has delved into the digital world.

The Courts

[photomonkey (987563)]

I agree that cybercrime is a huge problem (although I don't buy that it's more of a problem than illegal drug trade). At the very least, it is a crime on a lesser level because no one is placed in danger of physical harm through it's effects.

Cybercrime, as well as other crimes, should be punished according to the level of damage caused.

With that in mind, the current US court systems cannot seem to wrap their heads around the tactics and ideas put forth in the discovery period of civil copyright cases. There is a common misunderstanding or complete lack of understanding on the part of most of society in the ways of computers and networking.

At this point, I doubt very seriously that most of the accused and prosecutors have the knowledge or ability to fairly fight a cybercrime court case.

In physical, there is always some level of evidence present to tie a suspect to the crime. In the land of computers, it's much more difficult to do so. Where a physical bank robber can wear a mask or clothing to conceal identifying aspects of his physical person. But there remains at the scene hairs, fibers, eyewitness accounts, surveillance tapes and other evidence that helps to narrow down the criminal.

With cybercrime, the 'break-in' can happen from thousands of miles away without the perpetrator ever setting foot, or having ever previously set foot on the premises. There is no physical description, no chemical or biological evidence left behind. The attack could come from a public terminal at a library, or even someone's open (or hijacked) wireless access point. Through the use of zombie computers, the attack could come from my mother's computer.

How can we expect to catch, let alone prosecute cybercriminals without special law enforcement and prosecution/defense attorneys and judges capable of fairly trying people like my mother or the guy who used her computer to break into the Bank of America system?

Re:

[Dunbal (464142)]

With cybercrime, the 'break-in' can happen from thousands of miles away without the perpetrator ever setting foot, or having ever previously set foot on the premises. There is no physical description, no chemical or biological evidence left behind.

      The money has to go SOMEWHERE, otherwise there's no point. Follow the money.

Re:

[photomonkey (987563)]

What about in a case where no money is stolen, but rather credit card numbers and SSNs?

Likely the person who makes use of that information is not the same person who stole it. Even if that's the case, how many different places can you go to swipe someone's name, SSN and even DOB? Until recent years, universities used SSNs as student ID numbers.

If money goes from account A to account B, sure follow the money. When bits and bytes with no direct monetary value goes missing from one place, who's to say th

Re:

[sentientbrendan (316150)]

>don't buy that it's more of a problem than illegal drug trade). At the very least, it is
>a crime on a lesser level because no one is placed in danger of physical harm through it's effects.

That is faulty reasoning. You are thinking that dealing drugs is worse than theft because the "damage done" is worse (at least with harder drugs like cocaine and heroin). However, you aren't considering *responsibility*.

If a free person does something to harm themselves, it is no crime. It is just foolish and being

Fabricated Numbers

[Rothfuss (47480)]

I don't want to belittle the impact of cyber-crime, but this $105 Billion number is just fabricated to make the problem look large. On the other hand, the numbers for drug trade are basically an estimated amount of drug sales.

Drug numbers are *real* numbers. They still may not be accurate, but at least they represent the summation of finite transactions - like the global automobile trade, or the global whale oil trade. It is a sales number.

Cyber crime is a 'damages' number. Like the woman that spilled hot coffee on her leg and sued McDonalds for several million dollars in 'damages'... and at least she had a specific amount of damages ruled in her favor. The trumped up cyber-crime numbers... along with the RIAA numbers... are just manufactured because it is handy to provide very large numbers if you are on the side of the people producing the numbers.

What I would like to see is how many $$s were actually phished last year? How much did the Nigerians actually rake in by claiming to be my/your/her/his brother in law or trusted barrister?

Re:

[TubeSteak (669689)]

I don't want to belittle the impact of cyber-crime, but this $105 Billion number is just fabricated to make the problem look large.

I'm leaning in that direction also... Especially because of something in TFA.

"[McAfee CEO] DeWalt said that cyber-crime has become a US$105 billion business ... Worldwide data losses now represent US$40 billion in losses to affected companies and individuals each year"

So are they really saying that cybercrime is a $65 billion business with $40 billion in collateral damages?

If that's how they're playing the numbers, then you can easily jack up the cost to society of drugs, just add in hospital bills, lost w

Here's Another Reason: Cybercrime Pays

[patio11 (857072)]

You know what your hourly wage works out as any dealer not on top of the local pyramid? Check out Freakonomics, its an interesting case study. Using one gang's meticulously kept accounting records, they estimated the average dealer makes a bit more than minimum wage. Oh, and for that he has a 25% chance of death or imprisonment over an N month interval. (I can't remember what N was but, yikes, for 25% it wouldn't matter if it were 120!)

Compare this to cybercrime. I have been, at points in the past, a spam researcher. At the time, I lurked in spammer forums to get an idea of what the enemy is thinking. Ignoring the "I make a million a month and own a fleet of cars and a harem" boasting, and just focusing on the deals that were offered and consumated there, it is clear that cybercrime makes Serious Money especially by the standards of the locales where some criminals hang out. A single script to clean a spam mailing list, which is what, two or three hours of work, costs about a month worth of a legit Russian programmer's wages.

Or take a look at the opportunities for low-level criminals in the US, like "cashers". A casher is the guy at the end of the identity theft chain who gets the only risky job: turning the swiped data into money. (Phisher turns credentials over to casher, casher gets money, pays phisher.) He has a non-zero chance of his photo ending up on camera. For this, he gets perhaps 35% of the take from the scam. 35% of the banking account of say a lower-middle class family is easily thousands of dollars. No drugs in your pocket, no guns in your face, and no dedicated squad of police officers busting into your apartment at 1:00 in the morning if you get sold out by a buddy.

Why would you sell drugs if you weren't using, given these risk-vs-reward scenarios?

Bypasses?

[DrJimbo (594231)]

Cybercrime passes, or even surpasses drug trade but I don't know why you think cybercrime "goes around" drug trade.

Forgive me for being an English Nazi but jeez Louise, have they now outsourced Slashdot editing to people who don't speak English?

Snark

[ewhac (5844)]

"Dear Customer,

"Thank you for your correspondence dated 17 May 2001, 22 January 2002, 8 July 2004, 14 March 2006, and 19 September 2007, requesting that the Federal Bureau of Investigation enforce existing wire fraud statutes with at least the same vigor with which we enforce non-violent drug posession statutes. Upon review, we regret to inform you that your requests to date were not of the form required by this authority.

"Please re-submit your request according to the traditionally established procedure. The most recent edition of this procedure may be obtained from the office of Senator Ted Stevens (R-AK). Your request may be filed at any Republican party field office. Please enclose with your request a cashier's check made payable to the Republican National Committee in the sum of no less than fifteen million (15,000,000) US dollars or equivalent sum in easily-convertible currency excepting Euros. Please do not enclose cash.

"We pride ourselves on providing our customers the best and most convenient law enforcement service possible, and look forward to receiving your request."

Surpasses US market, not global

[fafalone (633739)]

The value of the global illegal drug trade is upwards of $300-500 billion by most estimates (and at least 150-200 by almost all others); of which the US market makes up about $60-100bn. Why is fact checking virtually non-existent with anything related to drug prohibition? And the other tactic, deceptive use of statistics, such as implying the $90bn maximum value of the trade is the entire value based and neglecting to mention that's only the wholesale market, is equally acceptable in even the most reputable publications. Why? Oh yeah, because virtually every actual fact contradicts the political consensus that prohibition is the best way to deal with the harms drugs create.

How do you divide 105 B$ ?

[hernick (63550)]

Divide 105 B$ between these kinds of cyber-crime:

x B$ stolen from e-mail users who have to work through deluges of spam
x B$ stolen from drug companies by thieves who sell illegal generics online
x B$ stolen from software vendors by digital-high-seas pirates
x B$ stolen from the RIAA and the MPAA by the common man who won't pay retail price
x B$ stolen from bookstores by project Gutenberg
x B$ stolen from encyclopedia makers by Wikipedia users
x B$ stolen from McAfee and other security vendors by Linux and OS X users
x B$ stolen from buggy-whip makers by car drivers

McAfee is here to help: your computer will be safe from all these cyber-crime enablers.

Not True

[klblastone (972628)]

Cybercrime alarmists have been saying this for two years, but it's simply not true. The United Nations drug statistics indicate that the global market for illicit substances is approximately $322 billion. More information here: http://arstechnica.com/news.ars/post/20051129-5648.html [arstechnica.com]

ugh

[pestilence669 (823950)]

Problems:

A) Pulling numbers out of ass.
It's crime. Criminals don't pay taxes. Where did this revenue estimate come from? Surely not from the IRS or the criminals' accounting department.

B) Playing the victim card.
The "victims" of "cybercrime" are almost always entirely at fault due to gross negligence. We shouldn't cry for people (or businesses) that cause themselves harm... especially if the "crime" involves losing a laptop filled with private data.

C) Trying to present something old as new.
It's not theft, i

Drug Dealers

[dontspitconfetti (1153473)]

The drug dealers just need to move their whole business online, then they'll be on top again!

Imagine IRC channels dedicated to the drug trade! /me is ready to meet in the alley behind the liquor store

Short memory?

[suv4x4 (956391)]

Just go back two articles and we see that the industry lied blatantly about the $40 billion losses of piracy in Canada, and that such numbers are hard or impossible to obtain. And in other news "cyber-crime has become a US$105 billion business"...

Do we ever learn?

Re:Penalties are not that much lower

[Jeremiah Cornelius (137)]

Oh yeah.

That Conrad Black will be facing a real "three strikes" kind of deal!