Industry of Anonymity

Inside the world of profit-driven cybercrime

“We Can’t Arrest Our Way Out”

Given the transnational nature of cybercrime, improving international cyberpolicing efforts is one major element for reducing the threat of cybercrime. But as one law enforcement agent told me, it’s not that simple: we “can’t arrest our way out” of this situation. Just as broader crime policy involves a range of nonpolicing solutions, cybercrime policy should be no different.

First, as with traditional forms of crime, the policy community should be having discussions about appropriate sentencing and potential avenues for rehabilitation. While some “conventional” criminals are making their way into cybercrime, those who are hackers or otherwise technically skilled present an interesting case. In the past, critics have complained that sentencing for cybercriminals was too lenient in comparison to “real” crimes like bank robbery. But as sentencing has become increasingly severe in certain jurisdictions, we should be careful not to move to the other extreme. (Different countries are at different stages of this process, with some still having very short cybercrime sentences.) Meanwhile, in terms of rehabilitation, some cybercriminals do possess a versatile skill set that can be very valuable for society, and could lead to their own gainful employment doing something they enjoy. But specialists need to investigate further how such reform could work effectively without greater risks of recidivism and without incentivizing cybercrime as an entry point into the IT industry.

Second, education about cybercrime is very important. As national and global societies, we are still learning what the threat is and how best to protect ourselves. The first point all users have to accept is that the Internet is not necessarily a safe place. There are unseen people out there who want to “get us” in a variety of different ways and for different reasons. That should inform the way individuals and organizations conduct themselves. There are no hard and fast rules, but just as people might be guarded when they walk around a rough-looking area at night, users should be looking around themselves online. They should be thinking about where they visit, what they click on, what pops up, what is sent to them, and so on. Users should make sure to lock their doors—in technology terms, by having basic protections like anti-virus software, security updates, firewalls, and strong and diverse passwords—and always approach online activity with a degree of caution.

Users should also be wary of the digital footprint they leave online—what personal information they choose to disclose, and whether they really trust various companies and organizations to protect it. Cybercrime is more than technical vulnerabilities; it’s just as much about leveraging available information against victims through “social engineering” (deceiving someone into revealing private information or performing certain actions). Victims might like to think they are the target of an elite cybercriminal using the latest exploits, but many supposed “hacks” might just be the result of poor password security or someone guessing your mother’s maiden name. The more breadcrumbs users leave around for cybercriminals, the easier their job.

But education is equally important on the perpetrator side. Some face a slippery slope of involvement, starting with borderline criminal activity like software cracking and moving on to more serious activities later. It’s not hard to see why credit card fraud might seem like a game when you started your hacking career creating “cheats” for online games. It is vitally important that younger people are taught about the reality of their actions in the virtual world. It is something that many cybercriminals often realize too late: Their victims are real, as are the consequences of illegal behavior.

One hacker and former cybercriminal I’ve met with, who made a substantial amount of money from identity theft in the 2000s but was later jailed, sees things in a similar way. Now establishing a career in the IT sector, he hopes to one day run a workshop that goes into schools and identifies those who have the “hacking mindset”—the sharpness and intellectual adventurousness that defines hackers (both black and white hat). This hacker’s view was that these youths need to be acknowledged for their unusual talents and taught about the potential positive applications for their abilities. But just as importantly, they need to be warned about the dangerous paths not to go down and the consequences of such actions for their lives and others. Otherwise, they may find their own way forward, just as he did.

Finally, we have to acknowledge the significant economic factors behind a lot of cybercrime and think about how to counteract them. Cybercrime is no longer a “middle class” crime of well-educated and privileged adolescents. As Internet access and usage have become more widespread, there are now cybercriminals from all backgrounds and demographics (though, anecdotally speaking, a preponderance of males). While economic drivers might not explain the involvement of those from privileged backgrounds (aside from greed), for others the venture is certainly an alternative source of income or career path.

Internationally, cybercrime is a de facto method for less economically developed nations to “outsource” some of their crime to wealthier countries. Not that they are actively promoting this process, but countries with limited economic opportunities produce a lot of crime and sometimes a considerable amount of cybercrime (Nigeria being a good example). In Eastern Europe, there is a glut of technical talent being produced, but not always the best job market to support it; cybercrime can become a promising option for those open to criminality. It is a basic supply-and-demand problem.

Of course, there are complex issues of personality, individual backgrounds, and values here too. Economics will never explain everything. At one end of the spectrum, you will always find those who will not turn to crime under difficult circumstances and have clearly determined boundaries, regardless of their financial position. At the other end of the spectrum, there are those who will engage in illegal behavior despite being in a relatively strong economic position.

For those in the middle who are simply seeking financial security, greater investment in IT industries in various countries around the world may help solve part of the problem. One interesting example in this area comes from the leading security journalist and blogger Brian Krebs, who recently spoke with a major cybercriminal in Russia. This man was perturbed by his struggles to employ high-quality coders for his criminal operation. The problem was that the Russian IT sector had recently grown and many of the skilled coders the criminal wanted to employ had taken jobs in legitimate industry. In the end, this cybercriminal even had to seek licit employment himself.

Read more about cybercrime policy in “Electronic Ghosts”.

The Human Cybercriminal

A person checking his email opens an attachment, installing a virus that disables his computer. A major news site goes down after a distributed denial-of-service attack. An international bank’s systems are compromised, spewing out fraudulent transfers worth millions of dollars.

These and other similar stories have become familiar in our networked age. And yet as common as they now are, there is still much that is unknown, not least of which is: Who is behind such incidents?

In the past, the image that sprang to mind was of the lonely hacker sitting at his computer, tapping away feverishly in a dark room—a pimply, nerdy, maladjusted teenager in his mother’s basement. That teenager has since been joined by new stereotypes: an unemployed IT graduate from a far-off land; an idealistic political agitator toying with his opponents; a techie with links to a criminal syndicate; an intelligence operative of a foreign government.

The truth is we have very little real knowledge of cybercriminals. These electronic ghosts often remain an anonymous and mysterious threat: They could be almost anyone, anywhere.

As the threat of cybercrime has risen, an enormous amount of time, effort, and resources has been invested in developing solutions. But what emerged as a new technical threat has, up to this point, been fought largely by technical means. Defenders work tirelessly to plug holes that could allow hackers into a system, while others work to disable malicious code or develop tools to filter out unwanted traffic and communications. But few stop to think in any detail about the people behind the technical threats: where they live, how old they are, how many and how organized they are, what their motivations are.

Although new computer crime laws have been developed over the years, our primary practical response has been focused on the technology side. It looks at the specific technical threats, such as hacking, viruses, and spam, and works to address them through technical means. In the face of such challenges, we have developed security systems to counteract cybercriminal tools directly. In response, the cybercriminals developed better tools and the technology arms race has cycled on to this day.

A good example that most people are familiar with is anti-virus software. The purpose of such software is to identify malware that has infected your computer. The companies behind such software work hard to stay up to date with the latest viruses and other forms of malware. But as new viruses are continually developed, it becomes an endless task consuming enormous time and resources.

This technological response to cybercrime is fairly common at all levels of society, from the individual up through business and government. It’s effectively a fortress model of protection. The idea is to make defenses so strong that nothing can get through. Little attention is paid to who the attackers are or why they are attacking—just the how is important. It’s akin to building a whole suburb of castle-like houses to deal with a gang of thieves operating in the area, rather than trying to identify the thieves and deter or arrest them.

There is obviously great value in developing the best technological tools to thwart cybercriminals. Technological responses continue to be a very effective way of putting costs on cybercriminal behavior and should be an integral part of ongoing security efforts. But we need to augment and enhance this approach with some more human-centered elements.

So what exactly does such a strategy look like? At the core of this approach is a greater focus on attribution—the “who” behind various attacks. This could be attribution in specific cases, unmasking the perpetrators involved. But more generalized attribution would also be valuable. This would mean acquiring a better understanding of the types of people who are cybercriminals, the methods by which they operate, and their motivations and agendas.

Without some knowledge of the humans behind the attacks and their agenda, framing sensible responses is virtually impossible. Trying to comprehend attackers’ motives from the technical logs of the victim’s system alone is not good enough: You don’t know if you are dealing with a teenager down the street, sophisticated professional criminals, or an agent of a foreign government. Deeper investigations can consume significant resources, both for the victim and law enforcement, but there is no other way to diagnose an event and impose an appropriate and effective sanction, or improve risk strategies, let alone identify the proper avenues for dealing with the case in the first place.

In the fight against cybercrime, technology alone can take us only so far without the help of other perspectives. It’s time for a more human-centered approach in the way we think about, and attempt to counteract, the threat of cybercrime. Such an approach would acknowledge that cybercriminals, like traditional criminals, are human beings rather than merely anonymous sources of cyberattacks. We need to increase our understanding of their behavior, so that we can develop better means of discouraging and disrupting it.

Read more about a more human-focused approach to cybercrime in “Electronic Ghosts”.