One hack of a crime wave, or so they say

Bookmark and Share Media, Telecommunications and IT Unit | Chris Berg
The Sunday Age 26th June, 2011

Keep calm and carry on: cyber crime is not the threat it's made out to be. There is no better fodder for naked fearmongering than crime conducted online. You've about heard them all: Nigerian scams, 410 scams, and phishing scams. Banking fraud, credit card fraud, hackers, viruses and keystroke loggers. And there's spam, zombies, malware, spoofing, scareware, worms, etc.

And there are the biggies: cyber crime, cyber terrorism, and full-blown cyber war. Typically these threats are all merged into each other, blurred by fearmongers to create a picture of a risky Wild West online. They feed into a fear that technology has somehow got out of control, a fear that our lives have become more dangerous as we've been sucked online.

On Tuesday, ABC's 7.30 cited the usual mix, warning of everything from petty identity theft to the ''cyber crime underworld''. The show claimed proceeds of cyber crime were now more than proceeds from illicit drugs. The next day, the federal government announced it would sign the Council of Europe convention on cyber crime - a treaty for international co-operation.

The size of any illegal industry is hard to estimate. But the claim that cyber crime is now a bigger concern than the drug trade relies entirely on an off-the-cuff remark made by a consultant to the US Treasury Department in 2005: ''Last year was the first year that proceeds from cyber crime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $US105 billion.''

Last week's 7.30 interviewed a US defence contractor saying cyber crime was now $US3 trillion. At that price, cyber crime is the fifth-biggest economy in the world, slightly below Germany. It doesn't ring true. Cyber crime would be the biggest crime wave in human history - hackers stealing an entire German economy every single year. Of course, we mostly hear these gargantuan numbers from consultants (drumming up business from law enforcement) and internet security companies (trying to sell software).

A new paper by researchers from Microsoft - Sex, Lies, and Cyber crime Surveys - explains why estimates of cyber crime have become so absurdly large. The authors, Dinei Florencio and Cormac Herley, point out that the bulk of what we know comes from tiny surveys. The authors found at least 75 per cent of losses were extrapolated from just one or two unverified, cases.

In other words, one bloke falls for the old ''I'm a prince from Nigeria'' scam, and it is reported that cyber crime is a $3 trillion industry. This is not to deny that criminals use the internet.

But crime is crime, whether it's online or not. Many cyber crimes are just digital variations of old cons. The Nigerian scam was originally conducted by post.

And much cyber crime is just vandalism, hard to police, but not hard to protect against. Lock your gate, use complicated and varied passwords, make backups. Don't trust foreign princes or popups. Accept the updates for your anti-virus software. Make sure internet companies you deal with are responsible.

These are all pretty simple, and they will protect you from 90 per cent of the danger. Education is more necessary here than legislation. The majority of online transactions are safe. And certainly no reason to give government a blank cheque for any new law it wants.

Some of the proposals to deal with the cyber crime ''epidemic'' have serious civil liberties issues. The treaty the federal government intends to sign may mean Australian internet service providers have to store records of every website we visit, and every person we email, just in case the police need it later.

We like to complain about privacy and Facebook, but that will be nothing compared with the massive amount of data compulsorily stored by our internet provider. Apart from the privacy implications, that requirement itself could increase online risk. There's little more attractive to criminals than large banks of data stored in one place.

All the hype about cyber crime is nothing compared with the noises made by defence contractors and American military commanders who have been stoking fears of ''cyber war'' and ''cyber terrorism''. But even the most famous instances of cyber war - like the StuxNet virus, which damaged Iran's nuclear program in 2010 - are more hype than reality. StuxNet was trotted into an Iranian enrichment facility on a USB stick. It was plain, old espionage. So, next time you read of the dangers online, consider: the seriousness of the threat is inversely proportional to the number of uses of the word ''cyber''. There are risks online. But they are manageable.