Losses From Computer Crime Show Major Increase, FBI Survey Finds

Financial losses from computer crime seem to be growing dramatically--perhaps into the tens of billions of dollars annually for companies worldwide, according to an author of an annual survey released today.

Computer crime is increasing, but views diverge about which problems--from high-profile vandalism such as last year’s “Love Bug” e-mail virus, to profit-seeking hackers, to insider theft of corporate secrets--cause the most damage. The reason for confusion is that few businesses willingly report attacks to the police or reveal them to the public, so comparative data remain sparse.

More than 500 corporations and government agencies were surveyed by the San Francisco-based Computer Security Institute in conjunction with the FBI in their sixth annual computer-crime study. Although only a fraction of the businesses contacted responded to the survey, it is widely cited as a benchmark of trends because no more reliable data have been collected.

The survey’s most notable finding might be the shift away from computer attacks launched from within a company as the chief cause of computer intrusions. Some 70% reported frequent attacks launched via the Internet, compared with only 31% reporting attacks originating from inside company computer networks.

For years, conventional wisdom in the security industry has held that 80% of computer-system attacks are perpetrated by insiders, said Richard Power, editorial director of the Computer Security Institute. “The threat from the inside is decreasing because people are getting better at security and are more vigilant with internal [computer] networks,” he said.

That conclusion was greeted with skepticism by Tom Talleur, director of forensic technology for the financial-services firm KPMG, and former cyber-security chief for NASA. “Inside offenders are the big problem, but getting the numbers to prove it is always difficult,” he said.

Companies rarely reveal publicly any problems with computer security because they fear legal liability if customer data are exposed or a backlash from investors. And most companies contact law enforcement only after a security lapse has attracted public notice. So experts bemoan a dearth of solid information on the true scope of security problems.

Bruce Schneier, a noted cryptographer and founder of Counterpane Internet Security, scoffs at the validity of the CSI/FBI survey. “The Internet is perceived as a lawless society--if you publicly blame hackers and go after them, there will be retribution,” he said. “In a world where the Mafia rules, you don’t bad-mouth the Mafia.”

Perhaps that is why 86% of organizations approached refused to participate in the survey. One problem is the FBI suffers from a reputation for failing to protect information on computer-crime episodes, so its involvement might have contributed to that poor response rate.

The one clear fact, Schneier said, is that computer attacks are common and increasing.

Computer hackers who work inside companies might be getting more sophisticated at operating under network-detection radar, he said. Meanwhile, the perception of outside computer threats has grown due to recent high-profile episodes, such as “denial-of-service” attacks that shut down Yahoo and other major Web sites by flooding them with electronic requests last year.

Respondents to this year’s survey reported a substantial rise in denial-of-service attacks, software viruses and theft of proprietary data.

“A lot of the intruders are . . . looking to leave their signature on a digital park bench,” Power said, referring to low-skilled vandals who use hacking tools downloaded from the Internet. “But many others . . . are professionals [engaging in] information-age espionage.”

Talleur said that when he worked at NASA, he encountered cyber criminals on the outside who organized attacks on the space agency. Some of the hackers were prosecuted, he said. And last week, the FBI reported that an “organized hacker group” from Russia and Ukraine had successfully downloaded 1 million credit card numbers from more than 40 organizations during the last few months.

In the limited CSI/FBI survey, 34 organizations reported $151 million in losses associated with computer crime--with the largest single episode pegged at $50 million.

Experts agree that total computer-crime costs--including lost revenue and work time, spending on security and stolen intellectual property--might total billions of dollars. Power estimates the total in the tens of billions. But damage estimates reflect considerable guesswork.