Welcome to lesson 35.
In this lesson, we ask ourselves,
why not go after the cyber criminals.
As we learned in lesson nine,
the 1984 counterfeit access device and Computer Fraud Abuse
Act makes it illegal to access computer without permission from the owner.
A 1986 amendment, made it further crime to distribute malicious code,
traffic passwords or conduct denial of service attacks.
As we mentioned previously,
anyone who commits a crime in this country is subject
to United States law whether they live in this country or not.
Sadly, cyber crime is a growth industry.
It is a growth industry because it is a low-risk, high-reward venture.
A 2014 report by the Center for Strategic and International Studies estimates that
somewhere between 375 and 575 billion dollars is lost at cyber crime globally each year.
Of course this is only an estimate because most cyber crime goes unreported.
Few companies come forward with information on losses.
When Google announced it was hacked in 2010,
another 34 Fortune 500 companies who were also hacked refused to step forward.
Only one other company reported it had been hacked along with Google,
but supplied no details of its losses.
Similarly, when a major US bank lost several million dollars to a hacker,
it publicly denied any losses even as
law enforcement and intelligence officials confirmed it privately.
The reluctance of companies to admit loss is encouraged by competing need to
protect the reputation and stem further damages by loss of public confidence.
This incentive towards remaining silent,
unwittingly assists criminals with evading
justice and encourages them onto more exploits.
The two most common exploitation techniques are
social engineering where users are tricked into granting access and
vulnerability exploitation where programming or implementation failure may
be leveraged to gain access or both surprisingly cheap.
Moreover, few of the biggest cyber criminals have been
caught or in many cases even identified.
This combination of low cost and low risk makes cybercrime almost irresistible.
The most important loss from cybercrime is the theft of
intellectual property and confidential business information.
Intellectual property is a major source of
competitive advantage for companies and for countries.
The loss of intellectual property means fewer jobs,
fewer high paying jobs,
less innovation and slower technological improvement.
The U.S. Department of Commerce estimates that
two hundred to two hundred and fifty billion dollars a year worth
of intellectual property is lost each year to cybercrime.
The European Organization for Economic Development,
estimates higher losses at about six hundred and thirty eight billion dollars annually.
Financial crime is the second largest source of direct loss to cybercrime.
In Mexico, Banks lose up to ninety three million dollars annually.
In Japan, It is estimated that banks lose about a hundred and ten million annually.
The two thou- two thousand and thirteen hack against the U.S. retailer
target cost banks more than two hundred million dollars.
And retailers in Britain reported lo- losses
more than eight hundred and fif- reported losing
more than eight hundred and fifty million in two thousand and thirteen.
These crimes are carried out by professional gangs,
some with significant organizational abilities.
Among the techniques employed by hackers,
after gaining access to a bank account they will
transfer the funds to a third party called a mule.
He will launder or shuffle the money in some fashion to eliminate traces of
its origin before forwarding it to an overseas bank where the hacker owns an account.
The theft of forty five million dollars from two banks in the Middle East involved
the recruitment and use of five hundred mules around the world.
In this case by using cloned debit cards to
withdraw money from ATMs keeping a portion for themselves,
and sending the rest back to the hackers.
It is estimated that there are twenty to thirty cybercrime groups in
Eastern Europe with advanced capability to overcome almost any cyber defense.
Financial crime in cyberspace occurs at industrial scale.
Finally it is very difficult to trace a cybercrime back to a cyber criminal.
Cyb- cyber criminals employ
many techniques to hide their tracks and leave false indicators.
Accordingly, criminal attribution is highly problematic.
The same is true for state sponso- sponsored cyber espionage.
Without incontrovertible proof, It is difficult to retaliate.
And a wily cyber agent is sure to make any evidence questionable.
Let us review the main points from this lesson.
One somebody who commits a cyber crime in this country is subject to
United States criminal law whether they live in this country or not.
Two, Cybercrime is a growth industry because it is a low risk, high reward endeavor.
Three one aspect of aspect of risk mitigation is that companies are
reluctant to report cybercrime for fear of
further losses due to the impact to their reputation.
Four, moreover the two most common exploitation techniques,
social engineering and vulnerability exploitation are very cheap.
Five, the theft of intellectual property and confidential business information,
is the most important loss from cybercrime because it
affects jobs, competition and innovation.
Six financial theft is the second largest form of cybercrime conducted on
an almost industrial scale by gangs with
advanced capabilities to overcome almost any cyber defense,
and seven tracing a cybercrime back to a cyber criminal is very difficult.
Making swift attribution and retaliation almost impossible.
Join me next time as we take a look at
the difficulties entailed in cyber surveillance. Thank you.
Richard WhiteAssistant Research Professor
