Sarah D. Scalet
Senior Editor

Pulling Threads: The 2005 E-Crime Watch Survey

Jul 01, 2005 | 6 mins
Data and Information Security | ROI and Metrics

The "E-Crime Watch Survey," now in its second year, points out the need for more companies to measure and report the impact of computer-related crimes

You can’t fight what you can’t see, and you can’t assess prevention efforts unless you measure what’s going on. So it is with the fight against electronic crime.

The second annual “E-Crime Watch Survey,” completed by the U.S. Secret Service, the CERT Coordination Center at Carnegie Mellon University and CSO, quizzed 819 security executives and law enforcement officers to get a sense of the often shadowy realities of electronic crime in the United States. What the survey reveals is that in this nascent field—where electronic crime is defined by survey researchers as “any criminal violation in which a computer or electronic media is used”—there’s still plenty of room left for improvement.

Improvement in setting up formal systems for tracking incidents, which barely half of respondents said their organizations had in place. Improvement in reporting incidents to authorities, when a full 65 percent of those who had been victimized had not reported any electronic crimes in the past year. And improvement in identifying losses to businesses, when 62 percent of victims could not even wager a guess at what a crime had cost their companies.

As you’ll see, neither the survey nor its respondents’ knowledge was perfect. But because the electronic crimes landscape is a wily one, these results beat the alternative—pure, wild speculation. We know you’re hungry for these numbers, so here are the survey’s most instructive findings, presented to you in five discernible threads.

Thread 1: Spyware hits the mainstream

Yes, yes, we know that a lot of what gets called “spyware” isn’t illegal—although the most insidious kind of spyware (keyloggers) can be used to pilfer sensitive information and then commit crimes. What’s interesting is that a category that didn’t even make it onto last year’s “pick list” is now a top problem. Spyware has gone mainstream.

As for the phishing numbers, make of them what you will. It’s likely some of the 57 percent interpreted the question as phishing scams sent to their employees—not ones targeting their brand. Most scams documented by the Anti-Phishing Working Group target the same couple dozen household-name companies, and the survey cast a much wider net than that. Nevertheless, phishing as a precursor to fraud and identity theft has rapidly become one of the most frustrating and time-consuming issues for law enforcement. “These sites come and go so fast, it’s very hard to investigate,” says Larry Johnson, special agent in charge of the Secret Service’s Criminal Investigative Division.

Meanwhile, 32 percent of survey respondents reported experiencing no electronic crimes. But do they really know for sure? This brings us to the next point….

Thread 2: Too few companies track e-crime attempts

The fact that barely half of respondents are sure that their organizations have processes for tracking attempted cybercrime is concerning enough. (No wonder one-third of them don’t think they’ve experienced any crimes.) But the real picture is probably worse. This survey was sent to a select group: members of 15 of the Secret Service’s regional Electronic Crimes Task Forces, the Justice Department’s Electronic Commerce Working Group and CSO subscribers, who must qualify as security executives to receive the print magazine. “You’re reaching a more educated audience on these issues” than the general business public, says Paul Kurtz, executive director of the Cyber Security Industry Alliance and formerly of the White House’s Homeland Security Council.

“One of the things that really strikes me is the degree to which corporations have a procedure in place to report these kinds of issues,” he says—by which he means the degree to which corporations don’t have procedures in place. Lacking that, no survey will ever reveal The Answers.

Thread 3: The work of estimating e-crime losses is in its infancy

What this tells us is that 62 percent of respondents are honest. There’s no clear way for them even to know what part of a “loss” to include in an estimate. Physical damage? Sure. Downtime on an e-commerce site? Maybe. Damage to the brand? How? Respondents were on their own to decide. (The mean loss reported, by the way, was just over $500,000.) But even a stricter question might not have yielded a better answer. “It’s not something of eminent accuracy,” says professor Robert McCrie, noting that that’s not the point. “This gives us a sense of what’s happening,” says McCrie, a coordinator for the Security Management Program at the John Jay College of Criminal Justice in New York City.

The Secret Service urges businesses to document as much as they can.

Thread 4: Companies cite many reasons not to report e-crime incidents

This is the bugbear for law enforcement. A full 65 percent of respondents who had experienced electronic crimes or intrusions said that they didn’t involve law enforcement for any of those intrusions. The reasons why are complex. But the fact that fewer companies cite concerns about negative publicity and competitors gives us hope that perhaps the process is becoming less fear-driven and more rational.

“Local police departments don’t understand this stuff, and the people who do are the federal agencies,” says Joe Williams, CSO of San Francisco-based retailer Sharper Image. “The problem is that [electronic crime] has become such a large problem in this country that the threshold [for reporting] is quite high.” Williams says that in the 1980s, companies knew to follow an unofficial 10-10 rule: With a $10,000 loss or 10 credit cards stolen, a U.S. attorney was likely to take the case. “Now, it has to be a much, much bigger case” to be worth their while.

Still, the Secret Service hopes companies will report more crimes—even ones that seem small at first. Johnson points out that a month after announcing a breach, Reed Elsevier subsidiary LexisNexis increased tenfold its estimates of those affected. Companies often don’t “know the full scope of the problem right off the bat,” he says.

Thread 5: Fraud and ID theft top cops’ cybercrime-fighting list

Clearly, the problem of cybercrime within corporate America is substantial enough. But it’s worth noting that these crimes are only a fraction of what law enforcement considers electronic crimes. Electronic crime decidedly does not equal hacking. In fact, many of the crimes that law enforcement wrestles with (for instance, child exploitation in the form of online pornography and illegal narcotics trafficking involving the Web) are just new-fangled ways of committing very old crimes. Remember, even phishing is just a superpowered method of social engineering. “Unfortunately, the criminals are finding new ways of committing the same crimes,” says Dawn Cappelli, a senior member of the technical staff for CERT who was involved with the survey.

We can’t help but wonder what kind of scope creep we’ll encounter as more criminals use electronic devices to break the law. Companies already say that nearly all their investigations involve computers, even if it’s only e-mail sent and websites visited. How long before using Mapquest to get directions to the bank makes robbing it an electronic crime? As the years progress, our definition of electronic crime is either going to have to get bigger, or a whole lot smaller.