Cybercrime to grow because of government indifference

Cybercrime will expand as long as governments refuse to address it by bringing in tougher sentences and giving police the funding and licence to operate across borders, says a leading internet security expert.

Eugene Kaspersky, co-founder and CEO of Kaspersky Laboratories, an internet security house, said cybercrime was now a profit-driven, multi-billion pound industry. It mirrored the legitimate economy with division of labour, job specialisation, a global market and an efficient supply chain, he said.

Speaking at a cybercrime forum yesterday, Kaspersky said, "Fighting cybercrime needs three things - for users to protect themselves and their organisations, for governments to take it seriously, and for everyone to become educated about the threats and how to stop them."

Police co-operation to fight cybercrime was improving, but governments needed to press Latin American leaders in particular to get their police to take cybercrime seriously, he said.

Kaspersky said his company already had 1.2 million "signature" exploits in its database, and was adding several thousand a week. This did not include variations of each signature. He expected lots more, and more sophisticated, exploits as more things went onto the net.

This was partly because none of the popular operating systems was secure. He said, "Users refuse to give up the openness and flexibility. Several secure operating systems, such as BREW and Symbian 9, have come to market, but no software developers are writing for them."

This was unlikely to change in the next 10 years, he said, even though Windows' domination of the desktop and server market was likely to fade as Linux, operating systems such as Symbian for mobile devices, and autonomous but connected devices became more widespread.

As the "internet of things" developed, malware writers would design exploits for these devices, he said. Many would be proofs of concept, just to show what was possible, but some would have serious results.

He said the traditional example of the internet-enabled refrigerator lent itself to two types of exploit. One was to hijack it and to extort money from the owner by threatening to switch it off, ruining the food inside. Retailers especially needed to deal with that risk, he said.

The other was to fake replenishment orders from the fridge to the supplier. This would have the goods sent to an address controlled by the criminals and the bill sent to the fridge's owner.

Kaspersky said a more critical aspect was the potential to attack critical national infrastructure via the network. He appealed for engineers to apply common sense when they designed networked systems. He said where health and safety were concerned, the devices should not communicate over public internet connections, especially if they were unattended.

He referred to Boeing's new Dreamliner, where engineers had used a flawed firewall on a single network to split passengers' and aircrews' internet access. "You and I would have designed physically separate networks to ensure that someone in the plane or on the ground could not take control of the navigation system," he said.
