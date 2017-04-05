With the focus we see on cybersecurity and cybercrime we might expect that the number of incidents and losses would be decreasing. We might also expect that we would see more people entering the profession at all levels.

Based on industry predictions, the exact opposite is expected. A recent report predicts that damages from cybercrime will hit $6 trillion by 2021 and that unfilled cyber positions will exceed 1.5 million by 2019. Spending on cyber tech between 2017 and 2021 will exceed $1 trillion. The cyber world will become more vulnerable as the Internet of Things is predicted to reach 200 million devices by 2020.

Finally, the human attack surface, an increasingly important element in attacks, will reach 4 billion people by 2020. While we will be challenged by more cyber users, and more smart objects will be in the environment, we will still feel the shortage of qualified cyber defenders, and attackers will still have the advantage.

More troubling than the direction cybercrime is headed is that we have not been able to solve legacy information security problems. Spam is a good example. Despite efforts spam continues. While it might have slipped from public attention it is still a major annoyance for users and a significant cost for business.

The real challenge is that spam shows no signs of disappearing any time soon. According to Kaspersky Lab, spam accounted for 58.31% of all email sent in 2016, an increase of about 3 percentage points over 2015. Given that roughly 269 billion emails are sent every day, 58 percent represents a huge number of wasteful and potentially malicious messages. Even if only 1 percent of spam messages get past filters and reach our inboxes, users must decide whether to open or discard as many as 1.6 billion messages a day.

Our defense against spam is primarily limited to detection and isolation programs. Big data and analytics promise even more granular and accurate detection capabilities in next generation tools. The problem is that detection and isolation have little impact on spammers: a filtered message costs the sender nothing, so the volume does not fall. We cannot solve the spam problem by building better detection engines alone, and we cannot continue to expect companies and users to carry the cost of criminal activity. We need to increase the business and personal cost to spammers and treat detection mechanisms as the second line of defense.

Hashcash, the proof-of-work scheme that Bitcoin later adopted for block mining, was originally proposed by Adam Back in 1997 as an anti-spam mechanism. Every sender would attach a stamp to each message: a string that the sender must find by brute force so that its hash begins with a required number of zero bits. Minting a stamp costs a measurable amount of CPU time, which is negligible for a person sending a few dozen messages a day but adds up for a bulk mailer sending millions, while the recipient verifies the stamp with a single hash computation and rejects mail that carries none. More recently there has been a proposal that mass email marketers pay a fee in bitcoin as a way of increasing the cost of email marketing. Increasing the cost of doing business is a legitimate way to reduce spam.
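To make the cost asymmetry concrete, here is an added example (not code from the original article or from the hashcash project) of minting and verifying a hashcash-style stamp in Python. It follows the hashcash v1 string layout `ver:bits:date:resource:ext:rand:counter` with SHA-1, where `resource` is the recipient address; the decimal counter, the 28-day validity window and the in-memory double-spend set are simplifications assumed for the example. The sender's loop runs about 2^bits hashes on average; the receiver runs exactly one.

```python
"""Hashcash-style proof-of-work stamps for e-mail (added example).

Sender: find a counter so that SHA-1(stamp) starts with `bits` zero bits.
Receiver: one SHA-1 plus cheap field checks, and a seen-set so a stamp
cannot be reused.  Counter encoding (decimal) and the seen-set are
assumptions of this example, not the reference implementation's choices.
"""
import base64
import hashlib
import os
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest (hashcash's 'collision size')."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def mint_stamp(resource: str, bits: int = 20, date: Optional[datetime] = None,
               rand: Optional[str] = None) -> Tuple[str, int]:
    """Sender side: brute-force a counter until the stamp hashes to `bits` zeros.
    Returns (stamp, attempts) so the caller can see the work spent."""
    date = date or datetime.now(timezone.utc)
    rand = rand or base64.b64encode(os.urandom(8)).decode()
    prefix = f"1:{bits}:{date.strftime('%y%m%d')}:{resource}::{rand}:"
    counter = 0
    while True:
        stamp = f"{prefix}{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1
        counter += 1


def verify_stamp(stamp: str, expected_resource: str, min_bits: int = 20,
                 max_age_days: int = 28, seen: Optional[Set[str]] = None,
                 now: Optional[datetime] = None) -> bool:
    """Receiver side.  Rejects malformed, under-worked, misaddressed, stale,
    future-dated or replayed stamps; costs a single SHA-1 on the happy path."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False
    _ver, bits_s, date_s, resource, _ext, _rand, _counter = fields
    try:
        claimed_bits = int(bits_s)
        minted = datetime.strptime(date_s, "%y%m%d").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    if claimed_bits < min_bits or resource != expected_resource:
        return False
    now = now or datetime.now(timezone.utc)
    if minted > now + timedelta(days=2) or now - minted > timedelta(days=max_age_days):
        return False
    if seen is not None and stamp in seen:
        return False          # replay: the same stamp was already spent
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed_bits:
        return False          # the work claimed in the header was not done
    if seen is not None:
        seen.add(stamp)
    return True


def demo(bits: int = 12) -> dict:
    """Run the sender/receiver scenario and return the outcome of each check.
    A low bit count keeps the demo fast; real deployments used 20 or more."""
    recipient = "alice@example.com"          # constructed sample address
    seen: Set[str] = set()
    stamp, attempts = mint_stamp(recipient, bits=bits)
    old_stamp, _ = mint_stamp(recipient, bits=bits,
                              date=datetime.now(timezone.utc) - timedelta(days=60))
    return {
        "attempts": attempts,
        "fresh_ok": verify_stamp(stamp, recipient, min_bits=bits, seen=seen),
        "replay_rejected": not verify_stamp(stamp, recipient, min_bits=bits, seen=seen),
        "wrong_recipient_rejected": not verify_stamp(stamp, "bob@example.com", min_bits=bits),
        "too_little_work_rejected": not verify_stamp(stamp, recipient, min_bits=bits + 4),
        "stale_rejected": not verify_stamp(old_stamp, recipient, min_bits=bits),
        "garbage_rejected": not verify_stamp("not a stamp", recipient, min_bits=bits),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `seen` set is what stops a spammer from minting one stamp and reusing it across a million messages; in a real deployment it needs to persist at least as long as the validity window, which is why the date field is part of the stamp.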

A more impactful way of reducing spam may be to increase the personal cost of illegal mail marketing by imposing criminal penalties on those making the money. In late 2003 the U.S. Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act).

The Act prohibits false or misleading header information and deceptive subject lines. It requires that messages include an opt-out option, be identified as advertisements, and include a valid physical postal address, and that sexually explicit content carry a warning. Outside of the U.S., Australia (2003), Canada (2014), and Singapore (2007) have enacted specific legislation targeting spam.

Others rely on data protection, privacy, electronic communications and consumer protection laws to target spam. Most do nothing. Legislation has mainly failed to have a material impact on spamming. Without universal laws, cooperation among governments, and criminal prosecution with significant jail sentences, there is no personal cost for spamming.

Creating more security tech and hiring more security practitioners are necessary, but will never by themselves change the economics of cybercrime. To change the economics, we need to increase the personal cost to cyber criminals through coordinated action by governments. When we have addressed legacy security issues like spam, we may be better prepared to take on evolving security challenges.

