A Conversation With Ross Anderson

Edge talks to Ross Anderson, professor of security engineering at Cambridge University, and one of the founders of the field of information security economics:

Meanwhile, in society at large, what we have seen over the past fifteen years is that crime has gone online. This has been particularly controversial in the UK. Back in 2005, the then Labour government struck a deal with the banks and the police to the effect that fraud would be reported to the banks first and to the police afterwards. They did this quite cynically in order to massage down the fraud figures. The banks went along with it because they ended up getting control of the fraud investigations that were done, and the police were happy to have less work for their desk officers to do.

For a decade, chief constables and government ministers were claiming that “Crime is falling, we’re doing a great job.” Some dissident criminologists started to say, “Hang on a minute. Crime isn’t actually falling, it’s just going online like everything else.” A year and a half ago, the government started publishing honest statistics for the first time in a decade. They found, to their disquiet, that online and electronic crime is now several times the rate of the traditional variety. In fact, this year in Britain we expect about one million households will suffer a traditional property crime like burglary or car theft, and somewhere between three and four million—probably nearer four million—will suffer some kind of fraud, or scam, or abuse, almost all of which are now online or electronic.

From the point of view of the police force, we got policy wrong. The typical police force, our Cambridgeshire constabulary for example, has one guy spending most of his time on cybercrime. That’s it. When we find that there’s an accommodation scam in Cambridge targeting new students, for example, it’s difficult to get anything done because the scammers are overseas, and those cases have to be referred to police units in London who have other things to do. Nothing joins up and, as a result, we end up with no enforcement on cybercrime, except for a few headline crimes that really annoy ministers.

We’ve got a big broken area of policy that’s tied to technology and also to old management structures that just don’t work. In a circumstance like this, there are two options for someone like me, a mathematician who became a computer scientist and an engineer. You can either retreat into a technical ghetto and say, “We will concentrate on developing better tools for X, Y, and Z,” or you can engage with the broader policy debate and start saying, “Let’s collect the evidence and show what’s being done wrong so we can figure out ways of fixing it.”