The Human Cybercriminal

by Jonathan Lusthaus

A person checking his email opens an attachment, installing a virus that disables his computer. A major news site goes down after a distributed denial-of-service attack. An international bank’s systems are compromised, spewing out fraudulent transfers worth millions of dollars.

These and other similar stories have become familiar in our networked age. And yet as common as they now are, there is still much that is unknown, not least of which is: Who is behind such incidents?

In the past, the image that sprang to mind was of the lonely hacker sitting at his computer, tapping away feverishly in a dark room—a pimply, nerdy, maladjusted teenager in his mother’s basement. That teenager has since been joined by new stereotypes: an unemployed IT graduate from a far-off land; an idealistic political agitator toying with his opponents; a techie with links to a criminal syndicate; an intelligence operative of a foreign government.

The truth is we have very little real knowledge of cybercriminals. These electronic ghosts often remain an anonymous and mysterious threat: They could be almost anyone, anywhere.

As the threat of cybercrime has risen, an enormous amount of time, effort, and resources has been invested in developing solutions. But what emerged as a new technical threat has, up to this point, been fought largely by technical means. Defenders work tirelessly to plug holes that could allow hackers into a system, while others work to disable malicious code or develop tools to filter out unwanted traffic and communications. But few stop to think in any detail about the people behind the technical threats: where they live, how old they are, how many and how organized they are, what their motivations are.

Although new computer crime laws have been developed over the years, our primary practical response has been focused on the technology side. It looks at the specific technical threats, such as hacking, viruses, and spam, and works to address them through technical means. In the face of such challenges, we have developed security systems to counteract cybercriminal tools directly. In response, the cybercriminals developed better tools and the technology arms race has cycled on to this day.

A good example that most people are familiar with is anti-virus software. The purpose of such software is to identify malware that has infected your computer. The companies behind such software work hard to stay up to date with the latest viruses and other forms of malware. But as new viruses are continually developed, it becomes an endless task consuming enormous time and resources.

This technological response to cybercrime is fairly common at all levels of society, from the individual up through business and government. It’s effectively a fortress model of protection. The idea is to make defenses so strong that nothing can get through. Little attention is paid to who the attackers are or why they are attacking—just the how is important. It’s akin to building a whole suburb of castle-like houses to deal with a gang of thieves operating in the area, rather than trying to identify the thieves and deter or arrest them.

There is obviously great value in developing the best technological tools to thwart cybercriminals. Technological responses continue to be a very effective way of putting costs on cybercriminal behavior and should be an integral part of ongoing security efforts. But we need to augment and enhance this approach with some more human-centered elements.

So what exactly does such a strategy look like? At the core of this approach is a greater focus on attribution—the “who” behind various attacks. This could be attribution in specific cases, unmasking the perpetrators involved. But more generalized attribution would also be valuable. This would mean acquiring a better understanding of the types of people who are cybercriminals, the methods by which they operate, and their motivations and agendas.

Without some knowledge of the humans behind the attacks and their agenda, framing sensible responses is virtually impossible. Trying to comprehend attackers’ motives from the technical logs of the victim’s system alone is not good enough: You don’t know if you are dealing with a teenager down the street, sophisticated professional criminals, or an agent of a foreign government. Deeper investigations can consume significant resources, both for the victim and law enforcement, but there is no other way to diagnose an event and impose an appropriate and effective sanction, or improve risk strategies, let alone identify the proper avenues for dealing with the case in the first place.

In the fight against cybercrime, technology alone can take us only so far without the help of other perspectives. It’s time for a more human-centered approach in the way we think about, and attempt to counteract, the threat of cybercrime. Such an approach would acknowledge that cybercriminals, like traditional criminals, are human beings rather than merely anonymous sources of cyberattacks. We need to increase our understanding of their behavior, so that we can develop better means of discouraging and disrupting it.

Read more about a more human focussed approach to cybercrime in “Electronic Ghosts“.