Cybercrime is big money for hackers

STORY HIGHLIGHTS

• Hackers take electronic info from eBay employees to steal customers' data
• James Lewis: Cybercrime is a growth industry and breaches won't stop
• He says cybercrime is risk free, hard to stop, and big money for hackers
• Lewis: The least that companies can do is to put in more safeguards

Editor's note: James Lewis is director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies. The opinions expressed in this commentary are solely those of the author.

(CNN) -- In the early days of the Internet boom, some thought we would enter an era where there would be one integrated world economy with no borders, where we would share similar democratic values, and where governments would be less important and civil society could pick up many governmental tasks.

But that turned out not to be the case. Many countries don't share our values. There are conflicts, and the Internet has become a good place for these conflicts to play out.

One outcome is espionage, whether it is the National Security Agency listening to foreign leaders or China's People's Liberation Army stealing trade secrets. Another outcome is cybercrime.

It seems every month there is a story about a giant retailer being hacked and the personal data of hundreds of thousands of people being stolen by faceless cybercriminals. The last big story was Target. This week it's eBay, where hackers stole electronic credentials from eBay employees and used the credentials to access and steal customers' data.

According to one estimate, more than 800 million records were stolen in 2013. Fortunately, that doesn't actually mean all 800 million people suffered financial loss. Only a small fraction of people who have their data taken become victims of fraud or theft, because it is hard for criminals to "monetize" data -- to turn your personal information into cash. But the cleanup costs for the victimized company can be gigantic. After Target's hack, its CEO was fired for not doing enough.

Cybercrime is a growth industry and online security breaches are not going to stop any time soon.

The Internet was designed to ensure easy, reliable connectivity and in this it has been an immense success. When the Internet was commercialized in the 1990s, the U.S. government thought it was better to immediately start using an imperfect technology and get the economic benefits rather than wait for a completely safe Internet.

That was the right decision. The Internet has drastically changed all facets of our lives, including the way we communicate and do business. It has brought us immense economic benefits.

But the downside is that the Internet is not a secure place. Cybersecurity would not be as big a problem as it is today if the pioneers had paid more attention to security issues.

For example, encryption (software that scrambles your data into unintelligible patterns) was decontrolled in 1999. But many encryption products turned out to be hard to use, slowing computers and adding cumbersome steps to simple transactions. Encryption is still not widely used. Many companies don't encrypt the data of their customers and rely on passwords, which are very easy to hack for many transactions.

Cybercrime is an issue that needs more attention. According to one European intelligence service, there are 20 to 30 criminal gangs in the former Soviet Union that have hacking skills as good as most nations. There are many other groups with lesser skills. These criminals are nimble and inventive, and there are thriving cybercrime black markets where you can buy the latest hacking tools. This means there are highly skilled criminals who live in safe havens but can use the Internet to commit crimes that can earn millions of dollars, for which they will never be arrested or tried. Why would they stop? While there is good cooperation among Western countries against cybercrime, Russia has little interest in stopping these groups.

Eventually, the Internet will become less risky. There are basic things that companies can do to make sure their networks are more secure -- at least from all but the high-end criminals and big intelligence agencies.

Many companies are now taking cybersecurity seriously in a way different from even a year or two ago. The United States can work with other governments to improve law enforcement cooperation and to close down criminal networks.

The question is whether there will be enough progress before hackers get better at using what they steal. Right now, cybercriminals can steal millions of records but only be able to "monetize" a few thousand of them. If cybercriminals get better at monetizing the personal data they steal, there will be a spike in losses. And if countries like China continues to hack U.S. businesses to steal trade secrets and make competing products, American companies will lose sales and jobs.

The eBay hack reminds us that cybercrime is risk free, hard to stop, and big money for hackers. Even the best defenses may have holes in them. The least we can do is to try to put in the safeguards.