When it comes to fighting cybercrime, law enforcement agencies are facing an uphill struggle.
Lack of resources, conflicting international jurisdictions and the borderless nature of the internet all make catching coder criminals particularly difficult.
Just look at attempts to stop Gameover Zeus, a malware program thought to have infected more than a million computers worldwide.
The virus moves between victims’ computers through fake links or attachments in emails, capturing banking or other private information. It has cost victims more than $100m (£65m).
Last June, the UK’s National Crime Agency (NCA), the FBI and Europol successfully disrupted the malware by seizing “command and control” servers in several countries.
But there was a caveat – the public were told they had just two weeks to rid themselves of the program and safeguard their operating systems.
Any longer and the hackers would have found a way round the defences.
And Russian Evgeniy Mikhailovich Bogachev, thought to be the mastermind behind Gameover Zeus, is still on the run despite US calls for his arrest.
Threat to business
With the capacity of law enforcement so stretched, businesses are rightly feeling worried.
According to a global Ponemon Institute study published in October, the annualised cost of cybercrime per company stands at $7.6m, a 10.4% increase over the previous year.
But individual company losses can run into millions.
Anecdotal evidence suggests that the number of successful prosecutions of cybercriminals is dwarfed by the increasing number of attacks.
“In proportional terms [the number of successful prosecutions] may actually be going down,” says David Cook, cybercrime and data security solicitor at Slater & Gordon.
While total losses through cybercrime are difficult to assess, due in part to large-scale under-reporting by businesses worried about damage to their reputations, security company McAfee last year estimated the figure was $445bn, up from $300bn in 2013.
Some say it’s more, others less, but even if a business doesn’t suffer a direct loss, the indirect damage can still be great.
US retailer Target saw earnings drop by nearly half following the theft of payment card and personal data belonging to 70 million customers. The chief executive and chief information officer both later resigned.
Thin on the ground
The biggest problem for law enforcement agencies is lack of resources.
“It’s not from lack of desire or want, but they kind of have their hands tied behind their backs,” says Stephen Nicholls, senior manager of security advisory services at Deloitte.
Tracking down criminals who may be based anywhere in the world is labour intensive, requiring forensic skills and complex investigations.
“You might have a very large number of fraudsters involved in a crime, from the guy who’s spreading malware or sending phishing emails, to the guy receiving or withdrawing the fraudulent funds and passing them on,” Mr Nicholls says.
“Also, by the time you’ve chased them down you’re very rarely going to get any money back. It’s a low return for the effort.”
A report by Her Majesty’s Inspectorate of Constabulary last April found that just three out of 43 police forces in England and Wales had a comprehensive plan to deal with a large-scale cyber-attack.
In 2011, the UK government earmarked £860m over five years for a National Cyber Security Programme, setting up a dedicated National Cyber Crime Unit as part of the NCA.
While more money helps, collaboration is perhaps more important, cyber-cops believe.
“Collaboration between law enforcement agencies, the banking and finance sectors, and industry is better than it ever has been before,” an NCA spokeswoman told the BBC.
“The willingness from all parties to engage and work together is making a real difference in tackling cybercrime.”
The NCA is tapping into the expertise of UK spy agency GCHQ and international police organisations like Interpol, and such collaboration has led to some successful campaigns, it says.
For example, last year its National Cyber Crime Unit worked with GCHQ, the FBI, Europol and others to thwart the Shylock malware program, used by criminals to steal from bank accounts.
But David Cook at Slater & Gordon questions whether the cash is enough, as much of it has gone on tackling more sophisticated national security threats.
He also believes countries need to foster better co-operation with Russia and China – the suspected sources of many cyber-attacks.
But an added complication is that countries treat cybercrime in different ways.
“In the US, legislation governing cybercrime is fairly similar to that of the UK and the rest of Europe,” says Mr Cook.
“But when you go further afield to parts of Russia and China, you don’t have parallel offences to the UK, particularly with relation to the theft of intellectual property, which is a big problem for businesses at the moment.”
Another issue is persuading foreign-based communication service providers, such as email providers or social media networks, to disclose evidence stored on their servers.
While laws in Europe and the US permit access to such information with a warrant, it can be tough elsewhere. This greatly hinders investigations, much to the cyber-cops’ frustration.
Businesses also need to work more closely with the law enforcers trying to protect them.
“Many firms don’t report data breaches when they happen because they fear it will harm their reputations or affect their share prices,” says Jessica Barker, a cybersecurity consultant.
“But if law enforcement agencies don’t know what the latest threats are then they can’t respond fully, because they don’t know what the bigger picture looks like, let alone what they can do to fight it.”
The US has made it mandatory for businesses to report all major data breaches, but Europe is playing catch-up.
New EU laws due to be enacted in the next few years will require organisations to report a data breach within 72 hours where feasible, or face a penalty of 5% of annual global turnover.
“Google and Facebook are really pushing back on it, but it’s the kind of enforcement we need,” says Mr Cook.
In the meantime, initiatives such as the Cybersecurity Information Sharing Partnership in the UK and the NIST Cybersecurity Framework in the US are encouraging businesses to report data breaches voluntarily and share best practice.
All these initiatives should help reduce cybercrime, believes Deloitte’s Stephen Nicholls, but we shouldn’t expect total victory.
“Cybercrime is part of the cost of doing business and it’s about managing that effectively, not necessarily trying to eliminate it completely.”