International Telecommunication Union

Financial Aspects of Network Security: Malware and Spam

ITU Seminar on the Economics of Cybersecurity
Brisbane, Australia
15 July 2008

Johannes M. Bauer*
With Michel van Eeten**, Tithi Chattopadhyay*

* Michigan State University, USA, ** Delft University of Technology, Netherlands


Objectives of report

• Malware and spam have multifaceted and far-reaching, direct and indirect, financial effects
  • Costs for individuals, organizations, nations
  • Revenues for legal but also illegal players
  • Direct costs could be as high as 0.2-0.4% of GDP
  • Worst case scenario, including indirect effects, could be as high as 0.5-1% of global GDP
• Available information is incomplete and potentially biased by stakeholder interests
• The report aims at documenting the state of knowledge of these financial aspects

Overview

• Malware and spam developments
• A framework for analyzing financial flows related to malware/spam
• Synopsis of empirical findings
• A preliminary welfare assessment
• Appendix: the malware/spam underground economy


Malware and spam developments

Background

• Convergence of malware and spam
• Malware and spam are increasingly organized for financial gain
• Division of labor and specialization has increased sophistication and virulence of threats
• Inefficient security decisions of some players within the ICT value net (“externalities”)
• Many spillovers between market players, nations, and regions: global problem

Visibility vs. malicious intent

[Figure: visibility vs. malicious intent, plotted over time. Source: www.govcert.nl]

Division of labor

[Figure: division of labor in the malware/spam underground economy. Players shown: Malware Writer, Guarantee Service, Spammers, Credit Card Abuser, Malware Distributor, Reseller, Identity Collector, eShops, Drop Site Developers, Drop (three), Drop Service, Botnet Owner, Seller. Relations shown: Uses Services, Sells Malware, Sells credit cards with identities, Sells Identities, Buys Goods, Forward Goods, Ships Goods, Buys Drop Site Template. Source: Based on MessageLabs, 2007]

Malware attack trends

• Overall increases
• Monthly growth
  • trojans, rootkits slowing toward end of 2007
  • worms, viruses, AdWare and other accelerating
• As of 3/2008 (Panda)
  • 30% of computers on internet infected
  • about 50% active
• Postini reports 10% of websites as infected

[Figure: bar chart comparing 2006 and 2007 for the categories TrojWare, VirWare, MalWare, AdWare, RiskWare; vertical axis from 0 to 250000. Source: Based on Kaspersky Labs, 2008]

Spam trends

• Different metrics
  • “Abusive” messages (MAAWG)
  • MessageLabs new and old spam
  • Symantec
• Fairly consistent numbers (85-90% of total messages)
• Spamhaus Project (IP addresses)

[Figure: bar chart with the series Abusive and Unaltered for Q3-06, Q4-06, Q1-07, Q2-07; vertical axis from 0 to 1600; data labels shown: 1210, 1221, 1178, 1230 and 268, 267, 204, 189. Source: MAAWG 2007]

Geography of spam

[Figure: two bar charts, one for 2007 (vertical axis from 0 to 50) and one for 2006 (vertical axis from 0 to 60), each showing % Internet mail and % Internet spam for africa, asia, australia/oceania, europe, north america, south america. Source: Symantec, 2007, 2008]


Financial aspects of malware and spam

Cost of spam and malware

[Figure: diagram relating the boxes Benefits of cybercrime, Costs of cybercrime, Malware economy, Indirect cost to society, Cost of law enforcement, Damages, fraud, crime, Cost of prevention & adaptation, and Total, direct and indirect cost; the connecting arrows carry + and - signs.]

Selected financial flows

[Figure: numbered financial flows between the players Hardware, Software; Security service providers; Fraudsters, Criminals; ISPs; Individual users; Business users; Government; Society at large. Legend: Legal, Potentially illegal.]

Direct and indirect cost

• Direct costs include
  • Cost of prevention and adaptation
    • cost of preventative measures (e.g., security software and hardware, personnel training)
    • cost of infrastructure adaptation (network capacity, routers, filters, …)
  • losses from fraudulent and criminal activity
• Indirect costs such as
  • cost of service outages
  • cost of law enforcement
  • opportunity cost to society (lack of trust)

Legal and illegal revenues

• Legal business activities
  • Security software and services
  • Infrastructure equipment and bandwidth
  • Legal, spam-induced sales revenues
• Illegal business activities
  • Writing of malicious code
  • Renting of botnets
  • Profits from pump and dump stock schemes
  • Fraudulent commissions on spam-induced sales
  • Money laundering (illegally acquired goods)


Main empirical findings

Cost of preventative measures

• Percentage of IT budget spent on security (2007 CSI Report)
  • 35% of respondents: <3% of IT budget
  • 26% of respondents: 3-5% of IT budget
  • 27% of respondents: >5% of IT budget
• TU Delft/Quello Center study indicates similar orders of magnitude
• 2006 global revenue of security providers estimated at $7.5 bn
• No reliable global figures on overall IT budgets and the increase caused by malware and spam

Damages, fraud, crime (1)

• Worldwide direct damage due to malware in 2006: $13.2 bn (Computer Economics)
  • Decline from $17.5 bn in 2004
  • Effects of anti-malware efforts and shift from direct to indirect costs
• U.S. Federal Bureau of Investigation estimated cost of computer crime to U.S. economy in 2005 at $67.2 bn (upper ceiling, not all malware-related)

Damages, fraud, crime (2)

• Global cost of spam in 2007: $100 bn, of which US$ 35 bn U.S. (Ferris Research)
• Cost of spam management to U.S. businesses in 2007: $71 bn (Nucleus Research)
• Direct costs to U.S. consumers in 2007: $7.1 bn (Consumer Reports)
• Range of estimates on online consumer fraud
  • $240-340 million for U.S.
  • £33.6 for financial fraud in UK
• Cost of click fraud in 2007: $1 bn (Click Forensics)

Direct losses to business

• Surveys of Computer Security Institute (CSI) members since 1996
• In 2007, 494 respondents of which 194 provided damage estimates
• Leading categories:
  • financial fraud
  • damage by viruses, worms, spyware
  • system intrusion
• Incomplete picture

[Figure: average cost per reporting firm (in 000 $) by year, 1999 to 2007; vertical axis from 0 to 3500. Source: CSI, 2007]

Law enforcement & social costs

• Costs of law enforcement (positive but unknown)
  • Diffusion of costs among agencies (regulatory, civil law, criminal law)
  • Self-regulation, co-regulation (e.g., CSIRTs)
• Costs to society at large (positive but unknown)
  • Incremental costs due to cybercrime are not known


A preliminary welfare assessment

Determining welfare effects

• Complicated by the legal and illegal revenues associated with cybercrime
• Total costs due to malware and spam
  • Direct costs (damages, prevention, …)
  • Indirect costs (law enforcement, trust, …)
• Illegal underground transactions (~ $105 bn) are costs to society
• Parts of legal revenues are “economic bads”, no net contribution to GDP

Assessing global effects

• Aggregation, projection to global level
  • Projection from country to global level?
  • Avoidance of double-counting
• A preliminary global estimate
  • Global direct costs as high as 0.2-0.4% of global GDP (in 2007 ~ $66 trillion)
  • In worst case scenario costs could be as high as 0.5-1% of global GDP
• Effects on industrialized, emerging, and developing countries vary greatly

Appendix: The malware/spam underground economy

Malware/spam

• Players in the underground economy include
  • Malware writers and distributors (trojans, spyware, keyloggers, adware, riskware, …)
  • Spammers, botnet owners, drops
  • Various middlemen
• Emergence of institutional arrangements to enhance “trust” (e.g., SLAs, warranties)
• Steady stream of new attacks (e.g., drive-by pharming, targeted spam, MP3 spam, …)

Interdependent value net

[Figure: interdependent value net linking ISPi, ISPj, ISPk; Usersi, Usersj, Usersk; App/Si, App/Sj, App/Sk; Hardware vendors; Software vendors; Security providers; Governance; with fraudulent and criminal activity shown on both sides of the net.]

Efficient & inefficient decisions

• Instances where incentives of players are well aligned to optimize costs to society
  • ISPs correct security problems caused by end users as well as some generated by other ISPs
  • Financial service providers correct security problems of end users and software vendors
  • Negative reputation effects of poor security disciplines software vendors, ISPs, and other stakeholders
• Instances where incentives are poorly aligned
  • Individual users (lack of information, skills, …)
  • Domain name governance/administration system

More Information

• ITU-D ICT Applications and Cybersecurity Division
  www.itu.int/itu-d/cyb/
• ITU-D Cybersecurity Activities
  www.itu.int/itu-d/cyb/cybersecurity/
• Study Group Q.22/1: Report On Best Practices For A National Approach To Cybersecurity: A Management Framework For Organizing National Cybersecurity Efforts
  www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-draft-cybersecurity-framework.pdf
• National Cybersecurity/CIIP Self-Assessment Toolkit
  www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html
• ITU-D Cybersecurity Work Programme to Assist Developing Countries:
  www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-cybersecurity-work-programme-developing-countries.pdf
• Regional Cybersecurity Forums
  www.itu.int/ITU-D/cyb/events/
• Botnet Mitigation Toolkit
  http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html

International Telecommunication Union

Helping the World Communicate