How cyber-cops are taking the fight to online fraudsters

Open padlock on computer board Image copyright Thinkstock
Image caption Cyber-attacks are on the increase but businesses often don't report data breaches

When it comes to fighting cybercrime, law enforcement agencies are facing an uphill struggle.

Lack of resources, conflicting international jurisdictions, and the borderless nature of the internet, all make catching coder criminals particularly difficult.

Just look at attempts to stop Gameover Zeus, a malware program thought to have infected more than a million computers worldwide.

The virus moves between victims' computers through fake links or attachments in emails, capturing banking or other private information. It has cost victims more than $100m (£65m).

Last June, the UK's National Crime Agency (NCA), the FBI and Europol successfully disrupted the malware by seizing "command and control" servers in several countries.

But there was a caveat - the public were told they had just two weeks to rid themselves of the program and safeguard their operating systems.

Image copyright FBI
Image caption Evgeniy Bogachev is still wanted by US authorities

Any longer and the hackers would have found a way round the defences.

And Russian Evgeniy Mikhailovich Bogachev, thought to be the mastermind behind Gameover Zeus, is still on the run despite US calls for his arrest.

Threat to business

With the capacity of law enforcement so stretched, businesses are rightly feeling worried.

According to a global Ponemon Institute study published in October, the annualised cost of cybercrime per company stands at $7.6m, a 10.4% increase over the previous year.

But individual company losses can run into millions.

Anecdotal evidence suggests that the number of successful prosecutions of cybercriminals is dwarfed by the increasing number of attacks.

"In proportional terms [the number of successful prosecutions] may actually be going down," says David Cook, cybercrime and data security solicitor at Slater & Gordon.

While total losses through cybercrime are difficult to assess, due in part to large-scale under-reporting by businesses worried about damage to their reputations, security company McAfee last year estimated the figure was $445bn, up from $300bn in 2013.

Image copyright Thinkstock
Image caption Cybercriminals can operate from anywhere in the world

Some say it's more, others less, but even if a business doesn't suffer a direct loss, the indirect damage can still be great.

US retailer Target saw earnings drop by nearly half following the theft of payment card and personal data belonging to 70 million customers. The chief executive and chief information officer both later resigned.

Thin on the ground

The biggest problem for law enforcement agencies is lack of resources.

"It's not from lack of desire or want, but they kind of have their hands tied behind their backs," says Stephen Nicholls, senior manager of security advisory services at Deloitte.

Tracking down criminals who may be based anywhere in the world is labour intensive, requiring forensic skills and complex investigations.

"You might have a very large number of fraudsters involved in a crime, from the guy who's spreading malware or sending phishing emails, to the guy receiving or withdrawing the fraudulent funds and passing them on," Mr Nicholls says.

Image copyright Christopher Furlong
Image caption The UK's surveillance centre GCHQ has been co-operating with the National Crime Agency

"Also, by the time you've chased them down you're very rarely going to get any money back. It's a low return for the effort."

A report by Her Majesty's Inspectorate of Constabulary last April found that just three out of 43 police forces in England and Wales had a comprehensive plan to deal with a large-scale cyber-attack.

Fighting back

In 2011, the UK government earmarked £860m over five years for a National Cyber Security Programme, setting up a dedicated National Cyber Crime Unit as part of the NCA.

While more money helps, collaboration is perhaps more important, cyber-cops believe.

"Collaboration between law enforcement agencies, the banking and finance sectors, and industry is better than it ever has been before," an NCA spokeswoman told the BBC.

"The willingness from all parties to engage and work together is making a real difference in tackling cybercrime."

The NCA is tapping into the expertise of UK spy agency GCHQ and international police organisations like Interpol, and such collaboration has led to some successful campaigns, it says.

For example, last year its National Cyber Crime Unit worked with GCHQ, the FBI, Europol and others to thwart the Shylock malware program, used by criminals to steal from bank accounts.

Sticking plaster?

But David Cook at Slater & Gordon questions whether the cash is enough, as much of it has gone on tackling more sophisticated national security threats.

He also believes countries need to foster better co-operation with Russia and China - the suspected sources of many cyber-attacks.

Image copyright Getty Images
Image caption In January, UK Prime Minister David Cameron and US President Barack Obama announced greater co-operation on cybersecurity issues

But an added complication is that countries treat cybercrime in different ways.

"In the US, legislation governing cybercrime is fairly similar to that of the UK and the rest of Europe," says Mr Cook.

"But when you go further afield to parts of Russia and China, you don't have parallel offences to the UK, particularly with relation to the theft of intellectual property, which is a big problem for businesses at the moment."

Another issue is persuading foreign-based communication service providers, such as email providers or social media networks, to disclose evidence stored on their servers.

While laws in Europe and the US permit access to such information with a warrant, it can be tough elsewhere. This greatly hinders investigations, much to the cyber-cops' frustration.

Sharing economy

Businesses also need to work more closely with the law enforcers trying to protect them.

"Many firms don't report data breaches when they happen because they fear it will harm their reputations or affect their share prices," says Jessica Barker, a cybersecurity consultant.

"But if law enforcement agencies don't know what the latest threats are then they can't respond fully, because they don't know what the bigger picture looks like, let alone what they can do to fight it."

The US has made it mandatory for businesses to report all major data breaches, but Europe is playing catch-up.

Image copyright Thinkstock
Image caption Cybercriminals can unlock business security systems all too easily

New EU laws due to be enacted in the next few years will require organisations to report a data breach within 72 hours where feasible, or face a penalty of 5% of annual global turnover.

"Google and Facebook are really pushing back on it, but it's the kind of enforcement we need," says Mr Cook.

In the meantime, organisations such as the Cybersecurity Information Sharing Partnership in the UK, and the NIST Cybersecurity Framework in the US, are encouraging businesses to report data breaches voluntarily and share best practice.

All these initiatives should help reduce cybercrime, believes Deloitte's Stephen Nicholls, but we shouldn't expect total victory.

"Cybercrime is part of the cost of doing business and it's about managing that effectively, not necessarily trying to eliminate it completely."

More on this story

Related Internet links

The BBC is not responsible for the content of external Internet sites