Fearless New Year’s prediction: Computer crime gets worse

McAfee has just released its annual McAfee Virtual Criminology Report: Cybercrime Versus Cyberlaw. Regular readers of my column won’t be surprised to learn the three main points of the report:

• Cybercrime is not enough of a priority for most countries to allow any real headway to be made
• Cross-border law issues continue to be a primary impediment to fighting the nature of global cybercrime
• Law enforcement at every level and in every country is ill-equipped to fight cybercrime

There’s nothing in there we didn’t already know. Although the report is high-level and states the obvious, it is an interesting read with lots of case studies and a few global recommendations. Many other reports state that cybercrime is at an all-time high and tens of millions (and perhaps hundreds of millions) of dollars are stolen across the Internet each year. Regardless of the real figures, Internet crime is going up, and more people are losing money than ever before. No one disputes this reality.

This has occurred while our traditional defenses, operating systems, and applications have become “more secure.” Every vendor is working hard at minimizing bugs, creating more security warnings, and pumping out more end-user education than the year before. We have sophisticated anti-spam tools, yet spam continues to be 70 percent of our total planetary e-mail. Today, 95 to 99 percent of all attacks take place because the end-user intentionally installs malware (à la the Fake Antivirus warning programs). It is fairly easy for any company to be exploited using targeted attacks against gullible employees.

Cybercrime goes virtually unchallenged (percentage-wise) and is making many cybercriminals multimillionaires. Cybercriminal organizations operate in huge office towers in city centers and function as “legitimate” businesses. They have employee payrolls, pay taxes, have holiday parties, and support their country’s economies. In many cases, they enjoy the protection of their country’s most senior leaders.

And that’s the frustrating part. Even though software has become more secure and anti-malware systems are more sophisticated than ever, end-users are being exploited in higher rates than ever before, and they are losing real money in the process.

And as we focus to make more secure OSes and applications, and continue to educate our end-users on the new, growing threats, we must realize that we are losing the battle. Everything we’ve done so far to date hasn’t worked and, as far as I can see, won’t work anytime soon. More secure OSes, more accurate anti-virus scanners, faster patching — all of that is not working, and won’t work.

It’s this weird little idiosyncrasy that many of us in the industry don’t want to acknowledge. It’s like being asked to design a more secure car, and putting every safety device into it that engineers and consumers can reasonably afford, then calling it a success even while more drivers die than ever before. What we have delivered to customers is not fixing the problem.

The computer security industry has utterly failed consumers, and we ought to be ashamed. Or maybe like a lot of complex issues, we get what we ask for, so even consumers are to blame.

I’m absolutely confident that the near- and midterm future of computer security looks worse than it does today. It’s certainly worse than it was 20 years ago. It’s worse than it was 10 and 5 years ago. It’s worse than it was 2 years ago. Cybercrime is becoming more and more profitable, so it’s human nature to expect even more criminals and bigger enterprises to develop. We catch only the stupid and lazy ones. Most cybercriminals are never caught or serve a day in jail. The bigger they are, the less likely they are to be caught.

And as long as we allow the current form of the Internet to continue, we will never make cybercrime better. To fix it, we need pervasive authentication and accountability. That will take a complete rebuild of all hardware and software connected to the Internet. I’ve discussed those ideas and offered solutions in this space before in many columns.

So my prediction for 2009 — and I’m not taking much of a reputation risk here — is that cybercrime continues to grow and becomes an even bigger problem next year. I also predict that everyone continues to try to improve the traditional defenses and that they don’t work any better than they do today.

Happy New Year!