£1.01 billion kept out of cybercrooks’ hands, claim UK e-cops

The UK’s Police Central e-crime Unit (PCeU) has released its final “Financial Harm Reduction and Performance Report” – a breakdown of the cybercrime cases the unit has investigated, and how much money has been kept out of the hands of cybercrooks by their investigations.

The headline figures boast of an epic total of £1.01 billion (approx €1.2 billion, or $1.6 billion) over the last two-and-a-half years.

The PCeU is run by the London Metropolitan Police but, through several regional “hubs”, covers the whole of the UK for much of its cybercrime policing needs, alongside the “Cyber Unit” of the Serious Organised Crime Agency (SOCA).

It was set up in 2008, and in 2011 was given a target of reducing the financial harm done by cybercrime by £500 million within the next four years, a target it now reckons to have beaten resoundingly in just over half of that time.

The report is something of a farewell for the PCeU, whose work will be taken over by the new National Cyber Crime Unit of the National Crime Agency, coming online next month.

The advent of the new force in cyber policing has already been pumped by the publication of details of an arrest several months ago related to the “biggest ever” DDoS attack, and the report goes into more detail on a range of similar successes.

During the two-and-a-half year period the report covers, for example, 255 “persons” have been arrested, 126 suspects have been charged, with 89 convictions and 30 more people awaiting trial.

61 crooks have been jailed, for an average of 3 years apiece, disrupting the activities of 26 different “Organised Crime Networks” (aka “gangs”).

The financial damage mitigated by these investigations is estimated at £58 for every £1 spent on the PCeU, again well above the expected targets.

These monetary values are pretty tricky to figure out, though.

It is hard enough to pin down how much money has been netted by cybercrimes that have actually happened, with the associated costs of cleaning up and shoring up defences adding an extra layer of vagueness, and that’s without considering things like the financial impact of reputational damage.

Putting a value on crimes that might possibly have been committed were it not for the swift action of the boys in blue takes the art of prediction several steps further, risking a detour into straight-out guesswork.

To be fair to the cops, they have made quite some effort to work out their stats on a scientific basis, using a “Threat Reduction Matrix” developed in conjunction with academia and beancounting giant PwC, apparently making the PCeU a “beacon of excellence” in estimating the costs of crime.

The workings of the Matrix are not detailed thoroughly, but they go beyond the obvious things such as how much cash was in a compromised bank account.

Other softer factors are taken into account, using rough estimates of their value: for example, the cost of applying software upgrades to prevent an attack is put at £0.01 (1p) per company employee.

Other vague fudges seem to be included to cover things like the emotional damage done to victims of cybercrime, the cost of time lost investigating, cleaning up from and preventing future risk from cybercrime (including “crowding-out” costs which cover things you could have been doing during this time which might have earned you money), and even “Social intangible costs” – the damage done to society as a whole by the fear of cybercrime.

Even the actual money that might be stolen can only be vaguely estimated. In most cases, figures are worked out based on probablities and past experience.

For example, in the case of a bank info phishing campaign, they might look at how many email addresses the gang had got hold of in a given period, the percentage of those addresses likely to match up with the banks being phished, how many of those users are likely to fall for the phish and how much on average those people might have in their accounts.

From that they would work out how much would be made if the gang carried on working at the same pace and with the same success rate for a further year, and use that as the figure for how much they stopped them from stealing.

It’s also worth noting that the figures are intended to only cover UK residents and businesses, and as the report points out, it can be hard, if not impossible, to work out from a list of email adddresses which ones belong to residents of which country.

As we’re now basing estimates on probabilities calculated using estimates which are in turn based on estimated probabilities, it’s pretty clear that the £1.01 billion figure should be adjusted to fit your personal taste in saltiness.

Even if they’ve overestimated the figure hugely, though, it still looks as though the PCeU has done a decent job.

It would be interesting to see how this would look compared to the overall financial impact of cybercrime – have they prevented half of all the potential damage, or only 1%? – but that would mean even more wild guesswork.

Putting the potential iffiness of the numbers aside, the PCeU has assembled some fascinating case studies of a wide range of cybercrimes that have been planned, committed, investigated over the last few years.

In short, the full report is well worth a look.