Is chasing cybercrooks worth it?

By John D. Sutter, CNN
Some experts say chasing cybercriminals may not be the most effective way to make the Internet safe.
  • Some experts say it is futile to chase down online "bad guys"
  • Cybercrime masterminds are difficult to catch; big arrests are rare, sources say
  • This comes despite three arrests this week in connection with a "botnet"
  • Others say chasing and catching cybercriminals is a deterrent to others

(CNN) -- This week's arrests of three men in connection with one of the world's largest computer-virus networks may seem like great news -- perhaps even a sign authorities are starting to win the war against cyberthieves.

But the real situation is more complicated.

Internet crime is up, but arrests of "mastermind" hackers are rare. And the whole get-the-bad-guys effort, while it makes for good drama, is a futile way to secure the Internet, some computer security experts say.

"The virus writers and the Trojan [horse] writers, they're still out there," said Tom Karygiannis, a computer scientist and senior researcher at the National Institute of Standards and Technology. "So I don't think they've deterred anyone by prosecuting these people."

A Trojan horse is a seemingly innocuous piece of software that, once installed, gives malicious users access to a computer system.

It would be smarter, Karygiannis said, to develop new anti-virus technologies and to teach people how to protect themselves from Internet crime.

On Wednesday, Spanish authorities announced the arrests of three men in connection with a "botnet" network of nearly 13 million infected computers, which is believed to be one of the largest in the world. The infected network, called Mariposa, or "butterfly" in Spanish, was used to steal financial or personal information from people in at least 190 countries.

Botnets are networks of compromised, or "robot," computers controlled by a master for the purpose of stealing data or perpetrating other online crimes.

Some see the arrests as a sign that technologists and law enforcement officials are getting better at tracking large virus networks back to the people who author and propagate them.

Mustaque Ahamad, director of the Georgia Tech Information Security Center, which helped track down the arrested men, said preventing viruses from infecting computers was the old model for fighting this type of Internet crime. Today, going after the "bad guys" is the better long-term option, he said.

Laura Sweeney, a spokesman for the U.S. Department of Justice, said there has been a recent string of high-profile cybercrime arrests in the United States. Last August, for example, Albert Gonzalez was arrested and accused of running an Internet scheme in which 130 million credit card and debit card numbers were stolen.

The United States could always do more to fight cybercrime, but these arrests are a deterrent, she said. "We prosecute cases. That's what we do. We're not going to stop doing that because [cybercrime is] a big problem," she said.

It's impossible to say how many cybercrime prosecutions and arrests the United States has made in recent years, Sweeney said, because the federal government does not track cybercrime as a specific statistical category.

A number of cybersecurity experts, however, characterized the recent arrests as relative anomalies. They criticized efforts to prosecute cybercriminals as a waste of time and said the people who are arrested are rarely the right people: They're often the middlemen instead of the kingpins, experts said.

Starting a botnet like Mariposa "takes no more skill than it takes to run Microsoft Office," said Vincent Weafer, vice president for security response at Symantec, a company that makes anti-virus software.

All a person has to do is download the program from the Internet. Such programs are still available for easy purchase, he said.

The people who actually write these programs -- the keys to cybercrime -- are almost impossible to catch and prosecute, said Marty Lindner, principal engineer with Carnegie Mellon University's Computer Emergency Response Team.

The reason it's difficult to find these masterminds has to do both with technology and the law.

Lindner said it's unclear if the authors of malicious code are doing anything illegal.

"The U.S. doesn't have jurisdiction on the [entire] planet Earth, so even if you can identify the author [of the malicious program], that doesn't give us the legal authority to get him, one, and two, it's not clear he's committing a crime," he said. "It's not illegal to write bad software. It's illegal to use it."

Plus, botnets travel from computer to computer without the help of humans, making it very difficult to use Internet addresses to track the code back to its source, said Weafer, of Symantec.

"Viruses and botnets by their nature are anonymous," he said.

Meanwhile, cybercrime continues to increase.

Symantec says it identified 2.9 million individual viruses in the last 15 months, which the security company says is more than the total it found over the last 18 years. Complaints about cyberattacks are up, too. The federal government received 275,284 such complaints in 2008, a 33 percent increase from the previous year, according to a report from the Internet Crime Complaint Center.

"Systems are constantly under attack," said Karygiannis, of NIST.

There also are a number of notable mass-computer infections for which no mastermind was ever pinpointed, including the Conficker outbreak last year, in which 5 to 10 million computers were compromised.

In lieu of using the justice system to deter cybercrime, researchers are trying to develop new technologies and increase education efforts.

At Symantec, they're working on a new method of virus protection that looks for harmful files based on their reputation and behavior on the Internet.

This differs from current models, in which anti-virus software looks for a "signature" that says whether the file is safe for download.

"If I see a guy walking down the street and he's got a facemask on, and he's walking up to a bank, I'm probably going to determine he's a bank robber without him doing anything else," said Weafer. "And that's exactly what happens with behavioral protection."

At Georgia Tech, researchers are looking into remote monitoring for computers to ensure that users have updated their anti-virus software and can protect against attack, Ahamad said.

People who want to prevent cyberattacks are best served by working on all fronts -- searching for new tech, helping people protect themselves and chasing down hackers, said Weafer.

But, he said, consumers can do more than they are today to protect themselves.

"The weak link in all this is still the user education," he said.