Virtual Underworld

High-profile corporate IT security breaches, accompanying the ever increasing number of infected (zombie) PCs around the world, have many wondering if we’re losing the battle against cyber crime.

"Cyber crime is moving at such a high speed that law enforcement cannot catch up with it," said  Valerie McNiven, an adviser to the U.S. Treasury Department, a year ago.

Things have not changed much since then. This year has been named "the year of the botnets" – huge networks of infected computers controlled by cyber criminals – while data theft and losses are on the rise as well.

"As the world has flattened, we’ve seen a significant amount of emerging threats from increasingly sophisticated groups attacking organisations around the world," said McAfee CEO David Dewalt at the InformationWeek 500 conference in Tuscon, Arizona, on Sept. 19.

The cyber crime business, he added, has surpassed the illegal drug trade business in terms of revenue, worth 105 billion dollars.

But to some in IT security, this is old news. Cyber crime had already surpassed drug trade in 2005 in economic terms and is growing at a staggering rate. In the early 2000s, it used to be a more or less isolated sphere of petty criminals cashing in on the shortcomings of security standards – and lack of user awareness – but today has become a cash cow for anyone wishing to jump on the bandwagon.

Law enforcement is not the only mechanism lagging behind. IT security companies, which would ideally be on the frontline, have based their practice on fixing known security holes while "hackers" are busy coming up with new ones.

This gives criminals the advantage of dictating the tempo, and unless there is a major change in methods of dealing with security breaches, cyber crime will become an even more inviting endeavor.

A recent study on PC safety showed that more than 35% of PCs in developed countries, including those with anti-virus software installed, were infected with malicious programs. Which not only points out the ineffectiveness of IT security companies, such as McAfee and Symantec, but also underscores the imminent need to reconsider the current methodology for fighting cyber crime.

An important contributing factor, which must not be ignored, is the computer illiteracy of ordinary users. It would be safe to say that the success of widespread Internet scams – the so-called phishing methods of identity and personal data theft, including credit card and bank account information – would not be as successful without naive users entering all sorts of personal information onto false sites posing as   legitimate ones or downloading dubious applications from the Net.

Moreover, computer illiteracy among the majority of consumers – who, in turn, have to pay considerable fees for largely ineffective security applications – has led to little or no public debate demanding companies dealing with such issues to deliver what they’re expected to.

Solutions, however, are neither simple nor foolproof. Some experts have pointed out lax anti-virus certification criteria, and the lack of "intelligent" detection of so-called malware by security products. They also lack the integrated hardware and software components that might detect and neutralise suspicious behavior.

Though IT  security companies and law enforcement have attemtped to tackle the threat, the focus remains on the wrong front. Today the call is out for a substantial change in IT security standards across the market to offer sustainable security measures.

It will take time and a lot of resources to successfully implement stealth criteria in both hardware and software.

The way things stand now, however, the battle against cyber crime is not going to yield its desired results and will remain a relatively weak nuisance in the eyes of Internet criminals.