Sunday, October 03, 2010

Sir Paul Speaks the Truth: Cyber Law Enforcement is a Good Investment

In this morning's BBC News, Metropolitan Police chief Sir Paul Stephenson is the focus of their story, Met police chief warns on internet crime. We would do well in the United States to listen to the points he is making.

Sir Paul told the BBC "If British crime gangs take up e-crime as enthusiastically as we fear, we must match the skills at their disposal." He says that for too long the attitude of the public, and presumably the funding agencies, has been "Leave cyber-crime to the banks and retailers to sort out." Sir Paul calls this a "fundamentally misguided argument."

In England and Wales there are 385 law enforcement officers dedicated exclusively to cybercrime, but 85% of those are dealing with human trafficking and child pornography issues, leaving only 60 officers to fight bank fraud. Last year the Metropolitan Police had an e-crime unit budget of only £2.75 million pounds. Yet Sir Paul says "It has been estimated that for every £1 spent on the virtual task force, it has prevented £21 in theft."

We have a very similar situation in the United States. Sir Paul says that losses in online fraud and theft reached £52 billion globally in 2007 ($82 billion USD). (Note, this is a far more reasonable number than the $1 Trillion recently fed to the Senate Commerce Science and Transportation commmitee by the AT&T CSO Edward Amoroso (6 page PDF). For more on the mythical $1 Trillion figure, please see John Leyden's Cybercrime Mythbusters story at The Reg.)

I'm totally ok with the $82 Billion figure, because I can get there with real data from scientifically based studies. For instance, the FTC's Identity Theft Survey in 2006 found that we had more than 8.3 million victims (3.3%) in the United States. Javelin Strategy's 2010 Identity Theft Survey put the number at 11.1 million US citizens, losing an average of $4,841 per person for $54 Billion in US losses. (For comparison, Javelin found 8.4 million US victims in 2006 while FTC found 8.3 million. I believe that shows their methodology is sound, and that we can accept their current numbers as well.) The losses per person average seems high when compared with actual losses reported in the FTC's annual Consumer Sentinel Report (101 page PDF) where losses were $2,721 per person for 630,604 actual reported losses, but I'm willing to accept the difference for now. Either way, lets agree that US losses for 11 million victims would be in the range of $30 to $50 Billion.

Think about those numbers another way. In 2006 we had 8.3 (or 8.4) million victims of identity theft, mostly via cyber crime means. In 2009 we had 11.1 million victims of identity theft. So the crime has increased by nearly 33% in three years. One would think this would mean we have dramatic increases in our budget to FIGHT cyber crime as well. But that is sadly not true.

Despite both the broadly held public perspection and the facts that cyber crime is increasing through the roof, the FBI's budget is only increasing by 4%. The budget states that the number of FBI Agents being requested in the FY 2011 budget is 14,169, an increase of 347 agents from the FY2010 budget. An increase of 408 Intelligence Analysts (across FBI, DEA, and ATF) is also requested raising the number of Intelligence Analysts across those three agencies to 4,558.

Similarly, despite overwhelming evidence that our court systems are overworked and underfunded, especially in their ability to prosecute cyber crime, we are only seeing a 5.5% budget increase request for FY11 for the US Attorney's offices.

What is being done to fix this? Clearly we need a dramatic increase in the number of agents and tools available to fight cyber crime. But a review of the FBI's FY 2011 budget request to congress shows that they are planning to add "Computer Intrusion" responsibilities to 163 personnel, resulting in an increase of 81 "Full-Time Equivalent" additional people to fight Computer Intrusion. (See: FY11 FBI Budget Summary (Excel spreadsheet).

These numbers are further broken down in the "Program Increases by Decision Unit" tab of the spreadsheet Exhibits: Salaries & Expenses which shows that within those 163 personnel, only 63 are agents, of which 32 are tasked to Counter Terrorism Counter Intelligence and 31 are tasked to Criminal Enterprises and Federal Crimes.

Despite the fact that the FBI is the primary law enforcement body for responding to many of the crimes passed by the Congress, the FBI does not consider crime fighting their primary responsibility. When we review their entire FY11 budget, we see that they have their mission broken down into two broad goals, and their budget divided between those goals:

GOALDescription2011 Request (000s)
1Prevent Terrorism/Promote the Nation's Security$4,871,077
1.1Prevent, disrupt, and defeat terrorist operations before they occur$3,721,749
1.2Strengthen partnerships to prevent, deter, and respond to terrorist incidents$417,973
1.3Prosecure those who have committed, or intend to commit, terrorist acts in the United States$0
1.4Combat Espionage against the United States$731,355
2Prevent Crime, Enforce Federal Laws...$3,212,398
2.1Strengthen partnerships for safe communities and enhance the Nation's capacity to prevent, solve, and control crime$681,488
2.2Reduce the threat, incidence, and prevalence of violent crime$1,202,812
2.3Prevent, suppress, and intervene in crimes against children$26,035
2.4Reduce the threat, trafficking, use, and related violence of illegal drugs$91,733
2.5Combat public and corporate corruption, fraud, economic crime, and cybercrime$1,140,531
2.6Uphold the civil and Constitutional rights of all Americans$69,799
2.7Vigorously enforce and represent the interests of the United States in all matters over which the Department has jurisdition$0
2.8Protect the integrity and ensure the effective operation of the Nation’s bankruptcy system$0

This makes it difficult to tell how much money is actually being spent on Cyber crime, since it has now been lumped in with Public Corruption, Fraud, and Economic Crime, but it would be nice to think that a large part of that line item was cyber.

Does that line up with the FBI's stated priorities? At a risk of mixing church and state, a pastor I know is fond of saying "Show me a man's checkbook and I'll show you his priorities."

According to the FBI's National Security Priorities page, their top priorities, in order, are:

1. Counterterrorism (51.2% of budget)
2. Counterintelligence (9% of budget)
3. Cyber Crime (14.1% of budget - true number masked by combining #3,4,7)
4. Public Corruption (combined with #3,4,7)
5. Civil Rights (1% of budget)
6. Organized Crime
7. White Collar Crime
8. Major Thefts / Violent Crime (14.8%)

Its easy to see from the budget above that Counter Terrorism has swallowed the FBI. Yes, its their #1 priority, and that shows. But is Cyber really their #3, when, combining Cyber, Organized and White Collar Crimes together still gives them only 14.1% of the budget, while Major Thefts/Violent Crime gets 14.8%?

The argument could be made that not all Computer crime falls into the category of Computer Intrusion, but we seem similar tiny increases elsewhere. The FBI is requesting only $15 Million to improve its "Combat International Organized Crime" effort, which will only add 18 positions, including 3 agents and 7 attorneys. (See: Combatting International Organized Crime.

The President's FY 11 Budget request directs that the Law Enforcement Components of the entire US Department of Justice be increased from $12.6 Billion to $13.2 Billion. An additional cyber-related increase is not for crime fighting per se, but to increase the security of the DOJ's own computer systems and upgrade their technology.

Here is a graph from the President's budget for the Department of Justice outlining new hires:

click for larger version. Extracted from DOJ Budget Presentation.

$300.6 million to strengthen national security and fight terrorism

$234.6 million to restore confidence in our markets - with a $100 million for economic fraud enforcement and $100 million for infrastructure improvements

$121.9 million to reduce the threat, incidence, and prevalence of violent crime and drug trafficking

Did you notice it too? The absence of the big increase in funding and personnel to fight cyber crime?

The FBI FY11 budget asks for 13,057 personnel in the category "Criminal Investigative Series (1811), which is an increase in 276 Special Agents.

The FBI FY11 budget asks for 3,165 personnel in the category "Intelligence Series" (0132), which is an increase in 187 Intelligence Analysts.

In keeping with Sir Paul's comments about Cyber Crime in the UK, I'd like to suggest that someone should study the above numbers, study our cyber crime laws in America and the size of the problem, and then make a determination about whether we should adding 1,000 new Cybercrime agents instead of a mere handful.

In the meantime, States need to serious study this problem as well. The message in this budget is clear. THE FBI IS TOO BUSY FIGHTING TERRORISM TO HELP YOU WITH YOU MINOR CYBER CRIMES. I am an ENORMOUS fan of the FBI, and believe that the investment to fight terrorism is necessary and beneficial. I also believe the FBI has incredible cybercrime agents, as evidenced by this week's Zeus Arrests. But its clear they don't have the manpower to scale to the size of the problem.

The FBI's Internet Crime & Complaint Center 2009 Annual Report received 336,655 complaints of victimization due to Cyber Crime and online fraud.

My question is who is supposed to be helping Ma & Pa with the identity theft that they have experienced? Who is supposed to help with the undelivered eBay goods? or the phisher who just drained your bank account? 336,655 times last year someone called the FBI and asked for help. You've seen the budget.

Something has to change.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.