It's beginning to feel like a 1950s B-movie: The Zombies are everywhere.

Resident Scholar Kevin A. Hassett

Defending ourselves against them is costing us billions, and despite our greatest efforts, we're losing the battle. A zombie probably tried to contact you today. There may well be one in the office next to you. And conspiracy-minded citizens are asking: Why isn't the government doing anything?

No, I am not talking about living-dead humans, which are killed off all the time in horror flicks. I mean “zombie drones”--innocent, unprotected computers that are commandeered by clever hackers and then used for illicit purposes. Since hackers can flit from zombie to zombie, all the while covering their tracks, the battle against illegal traffic on the Internet is turning decidedly against the good guys.

According to a recent report by University of Florida Professor Andrea Matwyshyn, about 15 billion spam e-mails are sent every day--and about 80 percent of those are sent by “spam-spewing zombies.”

It's one thing to get a spam e-mail that advises you about the latest hot stock. The latest scams are far more pernicious. One of the most troubling practices is “phishing,” where e-mails that appear to be from legitimate sources trick recipients into revealing financial information to criminals. The criminals then use what they learn to adopt the victim's identity and make fraudulent transfers and purchases.

Out of Control

The problem is spinning out of control. The FBI says total reported losses to such crime surged by 168 percent in 2005 over 2004.

The phishing stats are especially troubling. The number of unique reported phishing e-mails rose to an all-time high in May, to 20,109 compared with 14,987 in the same month in 2005, according to the Anti-Phishing Working Group, an association that spans several industries. The unique phishing Web sites that were discovered also increased to a record 11,976 versus 3,326 in the same month the previous year. And the number of brands and legitimate entities spoofed by phishers was 137.

The financial services industry was by far the biggest target, suffering 92 percent of the attacks, and the U.S., China and South Korea were the largest phishing hosts. The U.S. had 34 percent, China had 15 percent, and Korea 8 percent.

Crimeware Wave

The Anti-Phishing Group also reported a rise in “keylogging” crimeware, which infects an end-user and monitors his or her interactions with financial services and e-commerce Web sites, to acquire sensitive information. In May, 215 password-stealing code applications were reported. There was also an increase in crimeware that redirects users to fraudulent locations, often by modifying DNS server settings so the user can access the sites without following an e-mail or other lure.

This pattern of locating illicit activity across many jurisdictions is common. Matwyshyn describes a U.S. Federal Trade Commission case in which a criminal employed 514 e-mail addresses in 35 countries on six continents. The majority of spam now originates outside the U.S.

What can we do?

Safety on the Internet poses a special challenge to policy makers. Even if security experts can track down the criminals, the odds are they have located their activity in a jurisdiction that is essentially untouched by U.S. laws. That takes away a key tool in crime prevention: deterrence.

Wild West

If we want to crack down on a certain activity, we can pass harsh sentences for those who are caught engaging in it. For Internet fraud, the probability of harsh penalties being enforced may be so low that they become irrelevant.

We should try to improve international law enforcement in this area, but we shouldn't be optimistic that we will accomplish much. The Internet is so fluid that one would have to encompass the whole Earth to make law enforcement a part of the solution.

So users and policy makers need to recognize that the Internet is like a Wild West community without a sheriff. Back then, almost everyone carried a gun to protect themselves. Many on the Internet are not so wise.

Today, savvy people take personal responsibility for their own Internet safety, but unsophisticated users create a problem for everyone else. They leave their computers unprotected, allowing hackers to turn them into zombies, and succumbing enough to phishing that it becomes profitable for hackers to bombard everyone else. Even if you are smart enough to avoid having your identity stolen, all the bandwidth gobbled up by fraud slows down your Internet experience, and imposes real costs on you.

Market Solution

Markets can solve most issues, and they have done a good job of adjusting here. Many Internet-security firms offer excellent software, and Microsoft Corp., Apple Computer Inc. and other technology companies invest heavily in security.

Yet it's unlikely their efforts will be enough. Even if the best security software protects users, there will always be those who choose not to use it. To put it in economist-speak, technological neophytes impose a high cost on everyone else by creating an environment that makes Internet crime highly possible and highly profitable. Call it the technophobe externality.

So the best approach would be for policy makers to do something about such people.

The best choice would be to require that new computers contain security software, and for working and up-to-date approved security programs to be present before Internet service providers allow a user access. Want to get on line? First you will have to document that your platform is secure.

While this might seem like an extreme intrusion, it is analogous to requiring that a vehicle pass inspection before being allowed on the road.

Given the startling statistics, if we don't try something like that soon, we may soon lose the Internet.

Kevin A. Hassett is a resident scholar and director of economic policy studies at AEI.