'Cybercrime exceeds drug trade' myth exploded

AT&T feeds Congress trillion-dollar FUD


A leading security researcher has unpicked the origins of the myth that revenues from cybercrime exceeds those from the global drug trade, regurgitated by a senior security officer at AT&T before Congress last week.

Ed Amoroso, Senior Vice President and Chief Security Officer of AT&T, told a Congressional Committee on 20 March that cybercrime was a $1trn a year business. It'd be nice to think that Amoroso had been misquoted or made a slip of the tongue but written testimony from Amoroso repeats the amazing claim, made before a hearing of the Senate Commerce, Science, and Transportation Committee.

The end of paragraph 5 of the written submission states:

Last year the FBI announced that revenues from cyber-crime, for the first time ever, exceeded drug trafficking as the most lucrative illegal global business, estimated at reaping more than $1 trillion annually in illicit profits.

As Richard Stiennon points out the quoted figure would make cybercrime bigger than the entire IT industry. The top 10 Fortune 50 firms turned over $2trn last year.

Put another way, revenues from cybercrime exceed those of AT&T itself ($119bn in 2008) by a factor of around eight.

Estimates of the drug trade peg annual revenues at about $400bn. There's no figure on this from the FBI much less a comparative figure comparing cybercrime and drug trade revenues, despite what Amoroso said.

Stiennon, chief research analyst at IT-Harvest, guesses that cybercrime profits might be worth about $1bn a year, which seems much more plausible.

You'd have to be on something truly mindblowing to think that cybercrime revenues exceed the GDP of Saudi Arabia ($555bn in 2007), with all its oil income.

How could anyone ever think such a thing? Stiennon comes up trumps in tracking down the origin of this meme.

The idea that cybercrime revenue trumps that of the drug trade were first mentioned by Valerie McNiven, a consultant to the US Treasury Department in November 2005. The figure cited at the time was the still-implausible $105bn, Stiennon reports.

The same figure, mentioned by a lawyer to a Reuters stringer and henceforth enshrined in clippings harvest by the PR departments of security firms, reappeared again in a September 2007 speech by the chief exec of McAfee, David DeWalt.

Eighteen months later the meme has grown so that the figure cited is $1trn but, as Stiennon points out, the form of language is virtually identical. Earlier this week security firm Finjan published a press release ("Finjan confirms cybercrime revenues exceeding drug trafficking") supporting the myth, most recently relayed by Amoroso before Congress.

We asked Finjan whether it wanted to rethink what it said. Not a bit of it, the security firm responded.

"In our Q1 2009 report on cybercrime, for example, we revealed that one single rogueware network are raking in $10,800 a day, or $39.42 million a year," it said. "If you extrapolate those figures across the many thousands of cybercrime operations that exist on the internet at any given time, the results easily reach a trillion dollars."

You can observe the ongoing capers of this implausible FUD-laden cybercrime revenues meme in Stiennon's posting on the ThreatChaos blog here. ®

Bootnote

We're aware that even leaving aside Finjan's head-spinning statistical assumptions its figures still don't stack up. When we called it to ask if it wanted to reconsider its earlier statement, contained in a press release but not published on its website, in light of Stiennon's criticism it answered that it was sticking by its guns.


Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022