Cyber-Crime Loss at Firms Doubles to $10 Billion
Financial losses attributed to computer crime in the United States probably doubled to $10 billion in the last year, in part because of the surging popularity of the Internet, according to the Computer Security Institute.
Malicious hacking, online corporate espionage and other computer crimes launched over the Internet are taking a rising financial toll at 643 major corporations and public agencies, according to a survey released today by Computer Security Institute, a San Francisco-based research group.
Those surveyed estimated their computer crime losses at $266 million in 1999--more than double a year earlier.
Based on that survey, Richard Power, CSI’s editorial director, estimates the total losses attributable to computer crime in the U.S. is upward of $10 billion annually--largely from financial fraud and theft of proprietary information.
Experts note that as the Internet boom continues, along with e-mail, Web surfing and e-commerce, so does computer crime.
And a recent spate of cyber-crimes--notably a wave of hacking episodes that temporarily blocked access to Yahoo, EBay and other leading Web sites in February--has boosted public awareness of the problem.
The average person now realizes that “this particular computer crime had an influence on my life,” said Jeff Schiller, network administrator for the Massachusetts Institute of Technology and a leading security expert.
In the CSI survey, 59% of respondents identified computer attacks initiated from the Internet, compared with 38% who detected crimes initiated from internal company computers.
Although most of those surveyed reported only a handful of Internet attacks per business last year, experts say these attacks happen all the time. That’s because computer hackers have developed automated software programs that probe possible targets--computers connected to a public network--for vulnerabilities.
Meanwhile, the proliferation of high-speed, always-on cable-modem or phone-line Internet connections have vastly increased the number of available computer targets. Such connections make any PC without a properly configured “firewall” security system accessible to hackers whenever the computer is turned on.
“Even home users [with always-on connections] have multiple attacks per day,” said Bruce Schneier, chief technical officer at Counterpane Internet Security in San Jose. “Corporate networks get them pretty much constantly.”
Despite intensive reporting of the recent Yahoo and EBay attacks, many businesses and public agencies are complacent about such cyber-crimes, said John Pescatore, an analyst with GartnerGroup in Stamford, Conn. Executives tend to lose sight of the need for vigilance against more serious cyber-crimes, such as theft of corporate data or consumer credit card numbers, he said.
And the open nature of the Internet suggests that security problems could increase over time, some experts say. One reason is that many Internet servers--the powerful computers that operate Web sites--must be placed outside security firewalls to be accessible to retail customers.
The rapid churn of new Net technology also opens channels for cyber-crime. “People change their Web services constantly,” such as adding new servers or interactive features, Pescatore said. “It is impossible for any corporate security group to keep up with these changes.”
He estimates that as many as 75% of Web servers are vulnerable to hacking attacks.
The Federal Bureau of Investigation assisted in the development of the Computer Security Institute survey questionnaire. The FBI faces widespread distrust in the high-tech industry, which doubts the agency’s competence. These executives also fear that an investigation of a successful hacking attack could scare away potential customers.
Perhaps because of those reasons, only one in four surveyed reported computer crimes to law enforcement in 1999, down from 32% in 1998. The low reporting rate “is a concern,” said George Grotz, an FBI spokesman.
The FBI has previously acknowledged that it lacks sufficient expert staff to handle its surging computer crime caseload.
Grotz said of February’s Web site attacks: “No credible suspects have been developed at this point.”
