Tech boffins: Spend gov money on catching cyber crooks, not on AV

Cure is the best form of prevention, say Cambridge brains

The UK government should be spending more on catching cybercriminals instead of splurging taxpayers' money on antivirus software, tech boffins have said.

Blighty goes through around £639m a year trying to clean up after attacks or prevent threats – including £108m it spends on antivirus – but the country is only spending £9.6m on techy law enforcement, a University of Cambridge study found.

"Some police forces believe the problem is too large to tackle," Ross Anderson, professor of security engineering at the University of Cambridge’s Computer Laboratory, said in a canned statement.

"In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase antivirus software."

The Cabinet Office said it welcomed "this latest contribution to the debate on cybercrime".

"The government believes the threat is serious and needs to be tackled and that is why we have rated cyber as a Tier 1 threat. Raising awareness and building capacity to resist threats continues to be our focus," a spokesperson told The Reg in an emailed statement.

"That includes investing in law enforcement capability to detect and apprehend cyber criminals. But we also think it is important to make sure people have the information they need to take steps to protect themselves."

The study, which was started after a request from the Ministry of Defence, also said that the amount of money the UK was losing as a result of cybercrime was being exaggerated.

"For instance, a report (PDF) released in February 2011 by the BAE subsidiary Detica in partnership with the Cabinet Office’s Office of Cybersecurity and Information Assurance suggested that the overall cost to the UK economy from cyber-crime is £27 billion annually," the research said.

"That report was greeted with widespread scepticism and [was] seen as an attempt to talk up the threat; it estimated Britain's cybercrime losses as £3bn by citizens, £3bn by the government and a whopping £21bn by companies. These corporate losses were claimed to come from IP theft (business secrets, not copied music and films) and espionage, but were widely disbelieved both by experts and in the press."

Using figures ranging from 2007 to 2012, some of which the authors themselves label "extremely rough estimates" extrapolated from data or assumptions for a reference area, the study put the total cost of cybercrime, direct and indirect, at around £11.7bn.

UK.gov – Cybercrime is expensive

The Cabinet Office spokesman said that Detica was best placed to explain its own methodology, but still disagreed somewhat with the study's conclusions.

"The Cyber Security Strategy was clear that a truly robust estimate would probably never be established, but that the costs are high and rising," he said.

"That said, we think there are grounds for believing that the true cost is higher than the £11bn quoted by Cambridge University.

"For example, the authors say that they can't find any hard evidence of the cost of IP theft and have therefore concluded this doesn't impose any costs beyond the defensive measures they refer to elsewhere in the paper. However, there are suspected cases of IP theft in the public domain and the costs are not nil.”

Aside from differing opinions on the cost of cybercrime, the research team also reckoned that some existing meatspace crime was moving online and being tallied up as part of the cyber cost.

The study pointed out that fraud in the welfare and tax systems, which now often takes place online, is probably costing Brits a few hundred pounds a year on average while card and bank fraud cost a few tens of pounds a year per citizen.

However, what the authors call 'true cybercrime', scams that depend entirely on the internet, costs only a few tens of pence per citizen per year, while antivirus software can cost hundreds of times that.

In other words, what people spend defending themselves against true cybercrime ends up exceeding what they actually lose to it.

"Take credit card fraud," said Richard Clayton, expert in the econometrics of cybercrime in Cambridge’s Computer Lab. "Direct loss is clearly the monetary loss suffered by the victim.

"However, the victim might then lose trust in online banking and make fewer electronic transactions, pushing up the indirect costs for the bank because it now needs to maintain cheque clearing facilities, and this cost is passed on to society.

"Meanwhile, defence costs are incurred through recuperation efforts and the increased security services purchased by the victim. The cost to society is the sum of all of these," he explained.

The research team concluded that there should be less spent on antivirus and firewalls and other preventative measures and "an awful lot more" on catching and punishing the perpetrators.

The study (PDF, 346KB) is due to be presented at the 11th annual Workshop on the Economics of Information Security (WEIS), which takes place in Berlin on 25 and 26 June. ®
