Cybercrime Is a Franchise Model That Scales
Presto Vivace notes a report from the RSA conference on the cybercrime economy, and it's not an optimistic one. Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research. "As the panelists explained, a single spam message might be tied to as many as 10 separate organizations and perhaps five suppliers. Every task in the criminal economy has become a separate specialty. Some people sell e-mail lists, others sell lists of compromised IP addresses, there are sellers of credit card numbers, and those who sell access to bot nets. Then there are those who handle product fulfillment for spammers, and those who specialize in laundering money."
Not all botnets are the fault of insecure operating systems. People who exclaim "Oh, look, somebody I don't know emailed me a file called CutePuppies.exe! I think I'll click on it!" pretty well destroy any sort of security scheme. Vista tried to solve that by preventing users from running programs (under the guise of User Account Control) but that just led to rebellion because people don't want to have to explicitly grant access to every program that wants to read to disk or connect to the Internet. When I install the new Firefox I don't want to have to authorize each and every operation it performs (write to disk, read from disk, connect to Internet, etc).
We need the FBI Baltimore office taken out of the business of distributing child porn and put on this problem. After ten years of work, they've arrested over 6,000 people.
How many computer criminals have they arrested? The Department of Justice doesn't seem to provide useful statistics, but it looks like the number per year is in the 10-100 range.
This is backwards, given the relative size of the problems.
Part of the problem is that the FBI has a measurement bias against white-collar crime. See the FBI Crime Statistics page. Violent crimes are counted if they are reported; white collar crimes are only counted if there's an arrest.