Rising tide of cyber-crime shows why we need Web regulation

February 4, 2009

Michael Barrett

Michael Barrett is the Chief Information Security Officer at PayPal. He is on the advisory board of StopBadware.org, an anti-malware “neighborhood watch” led by Harvard University’s Berkman Center for Internet & Society.

In less than five years, Internet crime has changed from an anomaly of teenage vandals into a multi-billion dollar industry. Just one form of cyber crime, “phishing,” where criminals masquerade as trustworthy entities in e-mails and instant messages to steal private data, reportedly amassed $3.2 billion last year.  Another form, spyware, where software surreptitiously monitors a victim’s online activity, prompted 850,000 U.S. households to replace their computers and inflicted damages totaling $1.7 billion, reported the Consumer Reports National Research Center State of the Net Survey.

At the same time, Internet usage has skyrocketed worldwide with 20 percent of the world’s population, or about one billion people, online today. It’s not hard to understand why the Internet’s popularity has continued to grow in the face of its threats. Could you get through your workday without e-mail or search? Could your kids make it to dinner without checking Facebook or sending a text? If you’re like most people I know, the answer is likely, “no way.”

We are socially and economically dependent on the Internet – a fact that makes us vulnerable in tough financial times. So, it may surprise you to know that no single entity is responsible for regulating the Internet or keeping its users safe.

Historically, Internet safety has relied on the goodwill of a few small actors such as non-profits like StopBadware.org, an anti-malware neighborhood watch led by Harvard’s Berkman Center for Internet & Society. Within the federal government, the Federal Trade Commission monitors Internet fraud and the Department of Homeland Security oversees a national cyberspace response system. The private sector, offering a host of cyber-security products and tools, and consumers also play a powerful role in keeping us all safe online. Companies such as my own employer, PayPal, invest substantially in the security of our own applications and infrastructure; we have state-of-the-art fraud management systems; we work with law enforcement to catch, prosecute, and convict criminals whenever possible. But the cyber-crime industry persists.

Although this deregulated approach to Internet safety has largely served us well over the past 15 years, some question whether it’s enough to tackle today’s burgeoning Internet crime industry. Indeed, what’s distressing is there is no reason to believe that Internet crime is under any effective control. This is not due to inertia or lack of interest. All of the trend lines reported by private industry and government continue to show growth “up and to the right.”

President Obama has said that he’ll make cyber security a top priority in his administration and appoint a National Cyber Advisor who will report directly to him.  In a speech at Purdue University last July, Obama said: “We’ll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information – from the networks that power the federal government, to the networks that you use in your personal lives.”

Obama’s desire to administer a national cyber-security policy will surely open one or two Pandora’s boxes in the worlds of Washington and business, where many would prefer for the Internet to remain untouched by government. In the longer term, I predict we will start to see Internet governance follow the same legislative paths as automobiles and airplanes.

The Ford Model T’s introduction in 1908 revolutionized the way Americans viewed cars, and innovations in the speed of manufacturing put an unprecedented number of vehicles on the road, followed by an unprecedented number of safety concerns. Out of a need to prevent accidents, the federal and state governments initiated road regulation with speed limits, traffic lights and signage.

Aviation followed a similar history. The Wright Flyer of 1903 set off a wave of government regulations of airspace and the aviation industry, with the National Advisory Committee for Aeronautics in 1915, the Airmail Act in 1925, and the Air Commerce Act in 1926. Less than 25 years after the Wright brothers’ first flight, the U.S. government had put in place an extensive regulatory infrastructure. Why? To prevent accidents.

The forcing function that accidents represented for road and air transportation has not existed for the Internet – until perhaps now. As cyber-crime continues to rise, I believe that citizens will increasingly request that their elected representatives do something to “make the Internet safe.” It was citizens’ complaints in the early 20th century that forced initial regulation of roads and aviation – they didn’t like carnage on the roads, and bodies and aluminum raining from the sky. The same pressures are starting to rise again for the Internet.

Internet safety should be a shared responsibility among government, private industry and consumers. But almost none of these regulatory elements are in place today. The rise of cyber-crime, with billions in damages to our economy and consumers, should motivate us to make some changes in the same way accidents catapulted new standards for road and airways. We need to develop a model framework for Internet governance, and we need to do it soon.

2 comments

I believe that we are at a crossroads with cyber crime. Something does need to change, but regulation is a very dangerous thing. The two main negatives I see coming from it would be the abuse of power and the falsehood of security. I like to explain it like this: let’s say you have people living in a private community with armed guards at the gate. The guards could get corrupted by the power they hold, much like what happened in China with the Mongols. Or they could get overrun by people with bigger guns or people that are just more skilled than they are. Yes, it will deter petty criminals, but simple tricks can deter petty criminals too. I believe in the “comic book theory”: no matter how many times people fail at killing Superman, they keep trying, and eventually they succeed. If you have the ultimate security that is “un-hack-able,” you will get thousands of “hackers” trying to hack it just to prove that they can. The trick is to find the happy balance of security and “that’s too much work to get into.” Meaning you want a network that will keep the rookies out but hard enough in the right ways that hackers will not be interested in getting in, because they know they can get in but… it’s too much work to prove it. Such as making the PayPal login for a user only work in the state that user is registered for. Maybe just make it a security option. Well, then you have made it so all rookies couldn’t figure it out, and high-grade hackers would say, “Eh, I’ll just get into this easier one,” or “Eh, that’s too much work.” Because they would have to use a proxy that was in that state, which, yes, isn’t impossible to do, but still that’s quite a bit of work to set up. You could go a step further and say, OK, only accept IP addresses from this city, or further, only ones from this ISP. Just make things hard enough to prey on the laziness of hackers, which I think is their worst enemy.
Whereas, let’s say you had government agencies watching all traffic, and they would block parts of the internet as well as protocols used. Yep, that would fix it, right?!? Bad guys would get caught, and they couldn’t do much hacking if they could only talk over ports 80 and 81, right?!? Well, now, does that mean that other people in the government couldn’t? Nope, they still would want full access. Meaning there would be accounts that had full access, meaning that people would just have to guess a username and password, or maybe some more complex information, but once an admin account was hacked, that would be the end of the government’s control; they would have to bend to the will of a 14-year-old Chinese girl. We all would be at the mercy of such a thing. Therefore I think we should not give up the battle just yet; we just need to start thinking like hackers should we ever want to come close to being able to deal with them.
But that’s just my two cents.

Posted by Michael

I am a successful online entrepreneur (publisher and digital films) who has used PayPal for four years now. Merchants never see client card information; it is masked by layers of encryption. We never see any type of proprietary information except email address and shipping address, at the client’s discretion. While I do agree that there is cyber crime, this type of online rip-off is a drop in the ocean compared to the wholesale looting of the Treasury that has occurred on Wall Street during the last eight years.

Now those dudes are into some serious criminality. Trillions stolen. People’s houses stolen, communities targeted and destroyed; whole States left in financial ruin. The biggest heist in history.

We need regulation. But no one needs it as much as the financial services industry does.