Monday 15 December 2008

Spyware News: Report: recession could trigger blackhat, crimeware surge

With the world's financial markets in turmoil, it's been reported that this could trigger a blackhat surge.

Read on....

As if the news coming out of Wall Street these days wasn't gloomy enough, various security solution providers and analyst firms are projecting that layoffs and cutbacks in the tech industry will lead to a spike in white collar crime. In its fourth quarter 2008 trend report (PDF), the security company Finjan is predicting a "sharp rise [in cybercrime] in 2009 due to the current economic downturn, which makes financial gain from stealing data and selling it online even more attractive."

That sounds dire, especially considering the bleak forecasts we've heard from the semiconductor industry, but dire is scarcely a synonym for accurate. Finjan links to a November 19 Forbes article within its PDF, citing it as evidence of "an early trend of unemployed IT personnel finding new and easy income by purchasing and using crimeware toolkits." The article in question, however, doesn't really provide a solid foundation for Finjan's statement. While the piece does take note of various trends, occurrences, and vibrations in the malware market, the author notes that the data "remains largely anecdotal."

The senior manager of forensic services for PricewaterhouseCoopers, Nick Ysart, believes there's historical evidence to support Finjan's claim, telling ZDNet: "There are certain types of fraud where an understanding of technology would make it easier to circumvent controls, and IT staff have the knowledge to do that... There was a range of very well-documented frauds that took place during the recession in the early 1990s," Ysart continued. "It does not take a great deal of insight to realize we will see an increase at a time like this."

The recession of 1990-1991 may not be as reliable a predictor of future white-collar criminal activity as Ysart implies. In 1990, computer security was still almost entirely understood as a physical challenge. The overwhelming majority of computers in both businesses and homes were not networked, Windows 3.0 was a brand-new product, and we transferred data from system to system either via floppy disks (1.25" or 1.44" flavors) or possibly through a serial/parallel cable (if you hated yourself).

The IT job market, the fundamentals of computer security, the threats to said security, and the degree to which the actions of individual users can be tracked have all evolved over the past 17 years to the point where the two situations bear only a cursory resemblance to each other. The nature and degree of the two recessions are quite likely to be different (2008's is looking worse at this point), and an entirely new market for malware has evolved that didn't previously exist.

At first glance, a number of those factors sound like reasons to conclude that Finjan and Ysart are right, but related research suggests that both have oversimplified an extremely complex and nuanced series of relationships. Economists and social scientists have been conducting studies into the relationship between poverty, unemployment, recession, and crime for decades, and the results resist being broken into a handful of sound bites.

While there is a general positive correlation between unemployment and crime, the correlation between the two can vary considerably depending on geographic area, the type of crime being measured, the age of the individuals in question, per-capita alcohol consumption, the perceived effectiveness of law enforcement, the nature of the jobs that are lost, and the nature of the available alternative employment opportunities. State intervention in the form of additional unemployment or social benefits, including job retraining, can also meaningfully impact the relationship between these variables.

There are a number of factors that could work against Finjan's predicted black hat wave. IT workers in high positions, particularly positions they earned through education and/or substantial time on the job, risk compromising their ability to ever use those skills again at some point in the future when the economy recovers. Employees with greater access to personal or secure data that a competitor or botnet master would find valuable may be more likely to turn rogue if fired, but that same group of people risks more if they do so.

The economic value of the data itself must also be considered. A sudden glut of data on the black market should ultimately drive price downwards, particularly if the trend is sustained over a period of time. We've already seen evidence this year that the malware industry is driven by many of the same market trends that affect other, legitimate businesses; there's no reason to suspect it would react differently to a mid-term increase in the supply of available personal information.

Businesses will have no choice but to continue to invest in security products and personnel—no company can risk the loss of face or potential data that would come with a major security breach—but there's no reason, at this point, to assume 2009 will be the topic of the 2010 blockbuster Fox special: "When Good IT Goes Bad." Will it happen? Sure. Will it happen in such numbers as to qualify as an "emerging trend?" I'm dubious.
