It's perhaps an overhyped claim that cyber-crime is more lucrative than illicit drugs, as supposedly became the case last year according to an adviser to the U.S. Department of the Treasury. Even so, the mere comparison should be a wake-up call for anyone involved in offering, adopting, deploying, managing or using IT.
Watching failed attempts at drug law enforcement has given us plenty of opportunities to learn what doesn't work. Drug traffic has thrived on the same contributing factors that almost surely make cyber-crime a faster-growing business.
Bad drug laws and corrupt international enforcement invite contempt for legitimate concerns of public safety and health; ill-considered content protection laws (and content owners funding campaign coffers) combine with clumsy rights management fiascos to make it socially acceptable, even fashionable, to ignore or evade legitimate cyber-security measures.
Another parallel is in the ease with which criminals turn innocents into accomplices, whether moving atoms or bits. Drugs are covertly shipped in the guise of ordinary goods, snuck under the cover of reputable shippers.
Fraud on the Net likewise flies the false colors of trusted institutions. Phishers and malware writers even exploit the anxiety that their own activities create, tricking users into hasty acts by wrapping a malicious attack in an urgent request to “revalidate an account” or “install an anti-virus update.”
A serious escalation arises in the proliferation of keylogging software—whose penetration may have grown by 2,000 percent in the past five years, according to one estimate late last month. The pervasiveness and transparency of Internet connections, and users' growing familiarity with software updates as hands-off background tasks, facilitate the clandestine collection of detailed records of users' acts.
Keyloggers turn conventional IT security technology into a Maginot line of defenses that face the wrong way. Regardless of the length of one's encryption keys or the rigor of one's rights management tools, they all become ineffective if the wrong people gain access to our work at its source.
There's still a lingering tendency to distinguish things in cyberspace from the same things in more familiar environments. Microsoft's Bill Gates may have only mythically said that “adding on the Internet does not turn a bad idea into a good idea,” but the point is well-made even if he didn't make it: Putting “cyber” in front of “crime” doesn't turn fraud, deception and offenses against children into anything less vile than they would be in any other setting.
It's up to IT vendors to ensure that their own data hygiene is impeccable so that no legitimate product ever acts as a vector of attack. It's up to IT managers to redefine the terms of debate, making IT security the good guys instead of the killjoys. And it's up to IT users to recognize that the crackers aren't just whiz kids playing geek games. These are real criminals committing real crimes, and users need to learn and practice appropriate steps in their own defense.