CHICAGO -- Organized crime is pouring massive amounts of resources into phishing, online extortion and other malicious activities by exploiting a U.S. weakness -- the lack of federal research and law enforcement investment in cybercrime, warned one of the nation's most influential infosecurity leaders Wednesday.
"We are beginning to face well-financed, well-organized groups of professional criminals, and as far as I can tell, there's been little federal funding invested in this at all," Eugene Spafford told delegates during a keynote address to open this fall's Information Security Decisions conference in Chicago.
Spafford, the executive director of the Center for Education and Research in Information Assurance and Security (CERIAS), said less than $50 million in federal funding currently is being invested in basic cybersecurity research. At the same time, law enforcement resources normally devoted to capturing cybercriminals have been diverted to antiterrorism efforts.
This downsizing is occurring at a time when enterprises are facing increasing social, technological and regulatory pressures and consumers are demanding greater protections around personal data to prevent information leakages and online thefts.
"It's no coincidence that there's such an increase in phishing scams, protection schemes and bot nets," he says. "Organized criminals go where the money is and the amount of valuable data online is increasing all the time."
Attacks will come in the form of extortion, protection rackets and threats to business availability via denial-of-service attacks. More enterprises will find themselves the victims of confidential data leaks that put them in violation of recently adopted laws like HIPAA and the Gramm-Leach-Bliley Act.
And foreign governments will apply pressure on enterprises, he said. In an interview following his speech, Spafford said nations around the world are subsidizing hacker training programs in an effort to obtain confidential information that can benefit their businesses and citizens. Some examples include China, India, Brazil, North Korea, South Korea and Cuba. Their reasons range from industrial espionage to software piracy, Spafford says. "The cost of software for countries [looking to increase Internet use by their citizens] is so high many can't afford legal copies. They must develop it on their own or turn to piracy, which makes sense for economic reasons."
While the threats worldwide grow, so does the vulnerability of the nation's networks, in part because technologies are converging at a rapid rate. For example, the multiple functions of cell phones, PDAs and camera phones could allow many different types of information to all pass through a central server. If it crashed because of a flaw in an interconnected system, those services would be temporarily unavailable. Such a scenario also presents privacy issues, depending on the security of the server and who has access.
The growing popularity of Voice over IP (VoIP) is another area of convergence to which security professionals must pay special attention, particularly in the realm of privacy.
"Users will be aware of the security impacts on those and other converged services and much more concerned, resulting in more regulations and in liability," Spafford says. "HIPAA and GLBA are only the beginning."
Spafford said that online storage is increasing at a rate of about 80% per year and trends in digitizing information -- the only archival method being used in some cases -- have him concerned. He cites the degradation of CDs and DVDs created 10 years ago as a problem for enterprises that rely on such media.
B2B partnerships also should cause their share of worries. When forming such alliances, Spafford advised enterprises to mitigate risks to business by demanding -- and providing -- more transparency in security. For example, a verifiable third-party audit can tell you the security history of a partner company and what protection measures it now has in place. If security remains a concern, the partnering company can fund an insurance policy to cover any potential losses.
"We don't accept 'Our security is good, trust us' anymore," Spafford says.