Financial Aspects of Network Security: Malware and Spam
ITU Seminar on the Economics of Cybersecurity, Brisbane, Australia, 15 July 2008
Johannes M. Bauer*, with Michel van Eeten** and Tithi Chattopadhyay*
* Michigan State University, USA; ** Delft University of Technology, Netherlands
International Telecommunication Union

Slide 2. Objectives of report
- Malware and spam have multifaceted and far-reaching, direct and indirect, financial effects:
  - Costs for individuals, organizations, nations
  - Revenues for legal but also illegal players
  - Direct costs could be as high as 0.2-0.4% of GDP
  - Worst-case scenario, including indirect effects, could be as high as 0.5-1% of global GDP
- Available information is incomplete and potentially biased by stakeholder interests
- The report aims at documenting the state of knowledge of these financial aspects

Slide 3. Overview
- Malware and spam developments
- A framework for analyzing financial flows related to malware/spam
- Synopsis of empirical findings
- A preliminary welfare assessment
- Appendix: the malware/spam underground economy

Slide 4. Malware and spam developments (section title)

Slide 5. Background
- Convergence of malware and spam
- Malware and spam are increasingly organized for financial gain
- Division of labor and specialization has increased the sophistication and virulence of threats
- Inefficient security decisions of some players within the ICT value net ("externalities")
- Many spillovers between market players, nations, and regions -> global problem

Slide 6. Visibility vs. malicious intent
[Chart: visibility of attacks vs. malicious intent, plotted over time. Source: www.govcert.nl]

Slide 7. Division of labor
[Diagram of the malware/spam value chain: malware writer, malware seller, malware distributor, identity collector, botnet owner, spammers, reseller, drop site developers, drop service, guarantee service, template eShops and credit card abuser, linked by flows such as "sells malware", "sells identities", "sells credit cards with identities", "buys drop site", "buys goods", "ships goods", "forward goods" and "uses services". Source: based on MessageLabs, 2007]

Slide 8. Malware attack trends
- Overall increases:
  - Trojans, rootkits slowing toward end of 2007
  - Worms, viruses, adware and other accelerating
- As of 3/2008 (Panda):
  - 30% of computers on the internet infected
  - About 50% active
- Postini reports 10% of websites as infected
[Chart: monthly growth 2007 by category (TrojWare, VirWare, MalWare, AdWare, RiskWare), scale 0-250,000. Source: based on Kaspersky Labs, 2008]

Slide 9. Spam trends
- Different metrics:
  - "Abusive" messages (MAAWG)
  - New and old spam (MessageLabs)
  - Symantec
  - IP addresses (Spamhaus Project)
- Fairly consistent numbers (85-90% of total messages)
[Chart: abusive vs. unaltered messages per quarter, Q3-06 to Q2-07. Source: MAAWG 2007]

Slide 10. Geography of spam
[Chart: % of Internet spam vs. % of Internet mail by region (Africa, Asia, Australia/Oceania, Europe, North America, South America), 2006 and 2007. Source: Symantec, 2007, 2008]

Slide 11. Financial aspects of malware and spam (section title)

Slide 12. Cost of spam and malware
[Diagram: cost-flow model. The malware economy (benefits of cybercrime, costs of cybercrime) drives cost of prevention & adaptation; damages, fraud, crime; cost of law enforcement; and indirect cost to society, which sum to the total direct and indirect cost.]

Slide 13. Selected financial flows
[Diagram: numbered financial flows (1-14) among hardware/software vendors, security service providers, ISPs, business users, individual users, fraudsters/criminals, government and society at large, classified as legal or potentially illegal.]

Slide 14. Direct and indirect cost
- Direct costs include:
  - Cost of prevention and adaptation: cost of preventative measures (e.g., security software and hardware, personnel training) and cost of infrastructure adaptation (network capacity, routers, filters, ...)
  - Losses from fraudulent and criminal activity
- Indirect costs such as:
  - Cost of service outages
  - Cost of law enforcement
  - Opportunity cost to society (lack of trust)

Slide 15. Legal and illegal revenues
- Legal business activities:
  - Security software and services
  - Infrastructure equipment and bandwidth
  - Legal, spam-induced sales revenues
- Illegal business activities:
  - Writing of malicious code
  - Renting of botnets
  - Profits from pump-and-dump stock schemes
  - Fraudulent commissions on spam-induced sales
  - Money laundering (illegally acquired goods)

Slide 16. Main empirical findings (section title)

Slide 17. Cost of preventative measures
- Percentage of IT budget spent on security (2007 CSI Report):
  - 35% of respondents: <3% of IT budget
  - 26% of respondents: 3-5% of IT budget
  - 27% of respondents: >5% of IT budget
- TU Delft/Quello Center study indicates similar orders of magnitude
- 2006 global revenue of security providers estimated at $7.5 bn
- No reliable global figures on overall IT budgets and the increase caused by malware and spam

Slide 18. Damages, fraud, crime (1)
- Worldwide direct damage due to malware in 2006: $13.2 bn (Computer Economics)
  - Decline from $17.5 bn in 2004
  - Effects of anti-malware efforts and shift from direct to indirect costs
- U.S. Federal Bureau of Investigation estimated cost of computer crime to the U.S. economy in 2005 at $67.2 bn (upper ceiling, not all malware-related)

Slide 19. Damages, fraud, crime (2)
- Global cost of spam in 2007: $100 bn, of which US$ 35 bn in the U.S. (Ferris Research)
- Cost of spam management to U.S. businesses in 2007: $71 bn (Nucleus Research)
- Direct costs to U.S. consumers in 2007: $7.1 bn (Consumer Reports)
- Range of estimates on online consumer fraud:
  - $240-340 million for U.S.
  - £33.6 for financial fraud in UK
- Cost of click fraud in 2007: $1 bn (Click Forensics)

Slide 20. Direct losses to business
- Surveys of Computer Security Institute (CSI) members since 1996
- In 2007, 494 respondents, of which 194 provided damage estimates
- Leading categories:
  - Financial fraud
  - Damage by viruses, worms, spyware
  - System intrusion
- Incomplete picture
[Chart: average cost per reporting firm (in 000 $), 1999-2007, scale 0-3,500. Source: CSI, 2007]

Slide 21. Law enforcement & social costs
- Costs of law enforcement (positive but unknown):
  - Diffusion of costs among agencies (regulatory, civil law, criminal law)
  - Self-regulation, co-regulation (e.g., CSIRTs)
- Costs to society at large (positive but unknown)
- Incremental costs due to cybercrime are not known

Slide 22. A preliminary welfare assessment (section title)

Slide 23. Determining welfare effects
- Complicated by the legal and illegal revenues associated with cybercrime
- Total costs due to malware and spam:
  - Direct costs (damages, prevention, ...)
  - Indirect costs (law enforcement, trust, ...)
- Illegal underground transactions (~ $105 bn) are costs to society
- Parts of legal revenues are "economic bads", with no net contribution to GDP

Slide 24. Assessing global effects
- Aggregation, projection to global level:
  - Projection from country to global level?
  - Avoidance of double-counting
- A preliminary global estimate:
  - Global direct costs as high as 0.2-0.4% of global GDP (in 2007 ~ $66 trillion)
  - In a worst-case scenario costs could be as high as 0.5-1% of global GDP
- Effects on industrialized, emerging, and developing countries vary greatly

Slide 25. Appendix: The malware/spam underground economy (section title)

Slide 26. Malware/spam
- Players in the underground economy include:
  - Malware writers and distributors (trojans, spyware, keyloggers, adware, riskware, ...)
  - Spammers, botnet owners, drops
  - Various middlemen
- Emergence of institutional arrangements to enhance "trust" (e.g., SLAs, warranties)
- Steady stream of new attacks (e.g., drive-by pharming, targeted spam, MP3 spam, ...)

Slide 27. Interdependent value net
[Diagram: software vendors, hardware vendors and security providers supply applications/services (App/Si, App/Sj, App/Sk), ISPs (ISPi, ISPj, ISPk) and users (Usersi, Usersj, Usersk), under a governance layer and exposed to fraudulent and criminal activity.]

Slide 28. Efficient & inefficient decisions
- Instances where incentives of players are well aligned to optimize costs to society:
  - ISPs correct security problems caused by end users as well as some generated by other ISPs
  - Financial service providers correct security problems of end users and software vendors
  - Negative reputation effects of poor security discipline software vendors, ISPs, and other stakeholders
- Instances where incentives are poorly aligned:
  - Individual users (lack of information, skills, ...)
  - Domain name governance/administration system

Slide 29. More Information
- ITU-D ICT Applications and Cybersecurity Division: www.itu.int/itu-d/cyb/
- ITU-D Cybersecurity Activities: www.itu.int/itu-d/cyb/cybersecurity/
- Study Group Q.22/1: Report On Best Practices For A National Approach To Cybersecurity: A Management Framework For Organizing National Cybersecurity Efforts: www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-draft-cybersecurityframework.pdf
- National Cybersecurity/CIIP Self-Assessment Toolkit: www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html
- ITU-D Cybersecurity Work Programme to Assist Developing Countries: www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-cybersecurity-workprogramme-developing-countries.pdf
- Regional Cybersecurity Forums: www.itu.int/ITU-D/cyb/events/
- Botnet Mitigation Toolkit: http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html

Slide 30. International Telecommunication Union: Helping the World Communicate