Cyber Risk and Cyber Security

Revealing the Real Cost of Cybercrime

Cybercrime has emerged as a topic of concern for individuals, companies and States. But it remains difficult to define clearly what cybercrime is and to identify its stakeholders, be they victims or criminals. Hence the importance of working hand in hand with academics in the hard task of gathering data on the topic. Ross Anderson, one of the leading researchers on the matter, warns the public about the various, but underestimated, costs of cybercrime and sets out his views on how to tackle it.

5 September 2018
Ross Anderson

Cybercrime is a broad concept. How would you define it?

First of all, cybercrime can be opposed to traditional crimes. But a distinction also needs to be made between traditional crimes that have gone cyber because they are now conducted online, for instance tax and welfare fraud; transitional crimes whose modus operandi changed since they are conducted online, such as credit card fraud; and new crimes that emerged with the Internet. On top of that, there is also what we call platform crimes, that proliferate with the use of botnets and are here to facilitate other crimes, or to extract money from the victims.
Since very little is known about cybercrime, we decided, at Cambridge University, to create a centre, the Cambridge Cybercrime Centre, that would collect data and make it public so that it could be used for research. Here are the cybercrimes that we consider: online banking fraud, “stranded traveler” fraud, fake virus, advanced fee fraud, IP-infringing pharmaceuticals, IP-infringing music and software, bank card fraud and forgery, PABX fraud, cyber-espionage and extortion, tax and welfare fraud.
As you can see, we encompass traditional and transitional crime as well as pure cybercrime.

What is the profile of cybercriminals and their victims?

We have a criminologist amongst our team, who has been studying the profile of those criminals. It appears that computer gaming is mainly driving people into this type of crime. Through gaming, those people learn how to cheat, how to conduct attacks. The other pathway is usually through traditional ATM crimes, that evolve with technology.
The majority of cybercrimes are petty crimes, but committed on a big scale. One person can be responsible for a lot of crimes. What happens in Cambridge, Oxford and London now is a good example of that. On Craigslist, 80 % of the flats that you find in Oxford and Cambridge are a rental scam. It is also often the case in London. We investigated this and it appears that only one person, based in Germany, is responsible for all of those scams. We estimate the cost of fake operators of accommodations to be around 3 to 4 M£ per year, in London only.
In the UK, households are now twice as likely to be victims of fraud as of traditional burglary and theft of or from their vehicle.

Is cybercrime well taken into account by the authorities?

In the UK, at least, it has been seriously underestimated in the past few years. Indeed, in 2005, the government decided that cyberfrauds shouldn’t be reported to the police, but only to the banks. The reason for that is obvious: it made crime figures drastically fall. This lasted for 10 years, meanwhile the number of police forces was reduced by Theresa May. Criminologists have been warning the authorities about this distortion of reality. In 2012, the UK Ministry of Defence requested us to investigate the real cost of cybercrime. And in 2015, the Office of National Statistics started to include fraud in victim surveys.
This is an example of what happened in the UK, but, worldwide, we observe that police forces are not tackling cybercrime enough. The reason for that is that the amount stolen per crime committed is usually low. Moreover, it would imply a necessary cooperation between police forces across the globe, and that only happens for issues such as terrorism or drug trafficking.

You say that the amounts per crime are low, but do you have an estimation of the global cost of cybercrime?

The cost is commonly underestimated because not all of its aspects are accounted for. Our aim was to take into account all the levels of costs. We break them up as criminal revenue (gross crime receipts), direct losses (losses, damages, suffering), defence costs, indirect losses (anticipation, opportunity cost…), and the cost of crime infrastructure (botnets).
Here are a few figures of the global cost of cybercrimes. For online bank fraud, in 2007, the cost was 320 M$ for phishing, 370 M$ for malware and 1 000 M$ for bank defenses. Fake antivirus represented 97 M$ in 2010. That same year, online card fraud went up to 4 200 M$. As for indirect costs, one example is the indirect cost of payment fraud, which is a loss of confidence. On the consumer side, it represented 10 000 M$ in 2010, and as much as 20 000 M$ on the merchant side.

Beyond the numbers, what are the consequences and risks induced by cybercrime?

We participated in a survey for the BBC on the consequences of cybercrimes on the victims. It revealed that the psychological harm is serious, because what they went through is ignored. They are being blamed by the banks for the fraud, as if they could have prevented it. And the police are not taking care of the crime and usually simply advise them to turn to the banks. So, there is a social cost of cybercrime. However, it varies across countries. In the UK, regulation is weak and banks and authorities dump the risk on consumers. On the other hand, US and French consumers are better protected and compensated when they are victims of a fraud.
The loss of confidence from consumers has effects on the global economy. According to Eurostat figures, 14 % of UK consumers avoided online purchases due to security concerns. They probably partially bought offline instead, so the cost for the economy is around 10 % of this.
We are also worried about the possibility of seeing violence emerging in cybercrime. With cryptocurrencies, we might see, more often in the future, individuals being physically threatened, in order to make cryptocurrency transfers. The amounts involved could be huge.
Moreover, if cybercrime mainly focuses on individuals for now, we expect that companies will be more and more targeted as well in the future, especially by ransomware.

Is cybercrime in cryptocurrencies, especially bitcoin, important now?

We added bitcoin to our surveys in 2012, since it is widely used to support both online and traditional crimes. Bitcoin is used for money laundering but is also being stolen for its value, as we’ve seen with the hacking of different exchange platforms in recent years.
There are different consequences to this. First of all, there is a need for more regulation. Rules of know-your-customer should be applied for all bitcoin exchanges, be they in currencies like dollars or euros or against other cryptocurrencies. It is also interesting to observe that, this year, the EU plans to regulate wallet hosting providers.
The second major issue is the ability to trace stolen bitcoins. Indeed, over 6% of bitcoins have been reported stolen. There are actually two ways to hide stolen bitcoins amongst other legal bitcoins, named “poison” and “haircut”. At the Cambridge Cybercrime Centre, we have worked on a technological solution in order to be able to trace them down, no matter in what form they were incorporated amongst legal bitcoins. We would appreciate seeing our solution widely used now, since we consider it to be more efficient, both in the legal sense and in the computer science sense too, than the algorithms now being used. In conclusion, bitcoin tracing is not as hard as it seems.

What are the means at our disposal to fight cybercrime?

Like burglary, cybercrime can be hard to investigate, but in many cases, it is really easy to go back to its origins. The real issue is about the resources allocated to cybercrime. We consider that traditional frauds gone cyber cost each citizen a hundred of euros a year. Transitional frauds, like bank and payment frauds, cost each of them a few tens of euros a year, same for new cybercrime and fake antivirus. Since the amounts are so small, police forces do not allocate resources to those cases. So far, the only nation that has done so is the United States. For cybercrime, the federal budget (FBI, secret services, NCFTA) is 100 M$, and there is an additional 100 M$ at the state and local level. Other countries relied on the US for too long. For instance, the UK spent 15M$ up until 2010. But as a result of America’s recent protectionism, its agencies shouldn’t concentrate so much on cybercrime if the threats are not directly concerning their country. This situation is a real shame, because the best response to cybercrime is to fight it with police forces and put criminals in prisons, just like we do with traditional crime.

Should we expect companies to intervene as well?

There is a problem of conflict of interest for many companies of the sector. First of all, cybercrime is a marketing argument for many companies selling defence systems. Moreover, companies selling software play an unclear role as well. If your computer is infected, they will likely advise you to buy a new one instead of fixing it. So, in a way, the current situation suits them.
Technological solutions should be investigated as well, but the GAFA only focus on solutions strictly centered on their own issues, and not profitable on a larger scale, although they spend around 100 M$ each in that field.

What would you recommend then?

I encourage a larger implication of governments and police forces. I think, as well, that research and investigation are crucial, especially since everything changes so fast, because of advancing technology. At the Cambridge Cybercrime Centre, we work on the legal and ethical framework of the data that we collect, so that it can be used by other academics. And, of course, we are strongly willing to see them seize the matter.


  • Ross Anderson
    • Professor of Security Engineering, co-founder of the Cambridge Cybercrime Centre
      University of Cambridge
This article is taken from Revue Banque n°HOF2018

