Cybercriminals Gain the Upper Hand, Report Indicates


McAfee recently released its annual Virtual Criminology Report for 2008, which focuses on the state of cybercrime. Three key findings came out of the study:


Cybercrime is not yet a big enough problem to be a priority for governments.


Cross-border law enforcement remains a problem in fighting cybercrime.


Law enforcement as a whole is ill-equipped to detect, catch and prosecute cybercriminals.


The McAfee report details the extent to which cybercriminals are winning the war on cybercrime. 2008 has seen the highest growth in viruses, bots and trojans to date. Viruses and bots have doubled to roughly 10,000, while trojans have almost tripled to 120,000 variants, up from 40,000 variants last year.


There have been numerous well-known attacks this past year, including attacks by China on Belgium and India, the Burmese government's attack on two political Web sites, cyber attacks by Russia on Georgia, and the Chinese attack on Tibet through e-mail.


Yet despite these attacks, few governments have been willing to spend the resources to catch the cybercriminals. The result is that the criminals continue to gain the upper hand. U.S. companies and government facilities frequently are the target of these attacks, but because they do not have jurisdiction in the countries of origin, they can do little except file a complaint.


Even if foreign governments wanted to fight cybercrime, many find themselves unable to because of the lack of money, manpower, knowledge or technology. To date, their successes include only prosecuting the mules -- no kingpins.


There is a glimmer of hope. In 2001, The Committee of Ministers of the Council of Europe drafted a treaty, "The Convention on Cybercrime." Its objective is to "pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation." As of 2006, 43 nations have signed the treaty. It went into effect in the U.S. on January 1, 2007.


The report concludes that more training has to be available for investigators, prosecutors and judges; consumers need to be continually educated; financial institutions have be given strong legal and commercial incentives to implement better security measures; and limited liability for software vendors who don't implement good security is necessary.