As the Chief Security Officer at telco giant AT&T, Edward Amoroso knows a thing or two about cybercrime. Which is why he has been giving testimony before the United States Senate Committee on Commerce, Science, and Transportation, specifically assessing how vulnerable the US is on the cybersecurity front and proposing the government-level action that needs to be taken in order to make things better.
Amoroso's recommendations on the solutions front were practical enough: dealing with botnets needs a smarter government procurement response, international cooperation must improve and the current arms-length relationship with service providers must be reconsidered.
This last recommendation, which suggests that the government should take a more active role in policing at the network provider level, is obviously controversial. In his testimony, Amoroso argues that service providers cannot stop botnets alone and says that those agencies which run their own cybersecurity operations "should be ready to justify such decisions."
But for me, the most controversial bit of the testimony was that which compared cybercrime to drug dealing. Amoroso suggests that cybercrime revenues have now outstripped drug crime on an annual basis, being worth around $1 trillion to the bad guys.
I thought that this stank just a little of hyperbole and sensationalism, but not everyone in the know agrees. Take Ben Itzhak, Chief Technology Officer at business Internet security specialists Finjan, who tells me that his latest research suggests "whilst the economic downturn is reducing the income of drug traffickers, cybercriminals are becoming ever more innovative in the ways they extract money from companies and individuals."
Itzhak continues: "In our Q1 2009 report on cybercrime, for example, we revealed that one single rogueware network is raking in $10,800 a day, or $39.42 million a year. If you extrapolate those figures across the many thousands of cybercrime operations that exist on the Internet at any given time, the results easily reach a trillion dollars."
Against this backdrop, Itzhak argues that Amoroso got it right: "we can confirm AT&T CSO Amoroso's testimony that cyber-security threats have increased significantly over the past five years, and have reached the point where they pose a significant threat to all organisations."