Most studies place China, Brazil, and Russia among the leading sources of conventional and web-based malware. Depending on the type of malware involved, there is a good chance that one of these three countries is among the leading suppliers. Malware from these countries reflect local Internet usage patterns. In Brazil, 75% of regular Internet users access online banking services so Brazilian malware tends to target financial transactions. In China, instant messaging services and online gaming account for several hundred million active users, and close to a billion dollars per year in virtual goods and currencies. Thus malware targeting onling gaming and IM credentials are common in China. Organized crime syndicates in Russia have steered resources towards the theft of credit/bank account numbers, botnets and phishing.
Why is fellow BRIC nation India not a malware center? While cyber laws and their enforcement are important, cyber law enforcement is weak in lots of countries not known for producing malware. The most common response I got from people I queried is that crimeware centers need a steady supply of skilled workers, and the criminal know-how to identify opportunities and evade prosecution. Here are three ingredients that may be crucial to nurturing a malware industry:
1. High-standard of basic education, large supply of technical workers
2. Strong presence of traditional organized crime
3. Widespread poverty and lack of employment opportunities for recent (technical) college graduates
Compared to Brazil and Russia, where organized crime syndicates are involved in the malware industry, the many amateurish Chinese hacker groups maintain public web sites and give interviews to the press. In contrast, the strong presence of organized crime in Brazil and Russia may explain the profit-making focus and relatively low-profile of digital miscreants in those countries. Over the past few years the sphere of influence of Russian criminal groups has slowly widened to include some hacker groups in the rest of the FSU.
Contrary to the common perception that jobs are easy to secure in China, many technical graduates in China face a challenging labor market. A 2005 survey by McKinsey indicated that multinationals were reluctant to hire graduates of second-tier universities in China. Similarly, a 2006 Chinese government study (National Development and Reform Commission) estimated that 60% of that year’s university graduates would be unable to find employment in their preferred fields. The government attributes the reduced quality of many technical education programs to the rapid growth in enrollment.
Unlike its BRIC peers, India has a technology sector that can’t seem to get enough workers. Along with the usual focus on law enforcement, strengthening the IT job market in the other BRIC nations would go a long way towards weakening the crimeware industry in those places. You give people good jobs and they are less likely to work for local criminal syndicates. A good reason to not reflexively oppose IT offshoring.