In this column, and in subsequent columns, I am going to develop a set of themes about cyber-stuff. We've all heard a great deal of kerfluffle about cyberterror or cyberwar, but - what, really, is it? It turns out that the terms are being bandied about very loosely and are often used interchangeably in ways that are advantageous to the speaker and confusing to the listener.
This series of columns are written based on a set of talks I gave as the keynote for IDC's CEMA Security Roadshow in 2008, with additional material and commentary. I welcome your constructive feedback at [email protected]
Criminal enterprises have been a persistent threat throughout human history. We could almost dispatch the topic of cybercrime with this observation: it will never go away. But, as always, there's more to it than that. Cybercrime has some interesting properties that make it a more significant problem than "normal" crime:
- Low infrastructure cost
Firstly, cybercrime invents a whole new form of criminal enterprise. Typically, if a criminal wants to steal $1,000,000 he needs to steal it all from a small number of places. But with cybercrime, you have the potential of automating attacks, so that the criminal might steal $1 from one million people. That changes the dynamics of crime because human institutions have adopted fairly effective controls on large amounts of valuable items - but historically that has been at the expense of worrying less about "petty" crimes. An individual losing $1 will probably shrug it off as unworthy of attention, whereas nobody is going to write off $1,000,000. Because of the loss-levels involved in cybercrime, the burden of paying attention to the crime transfers to society as a whole - no single individual is hurt enough to care, yet it represents a massive drain on an economy. There are a few things that fall out from this: insurance models don't make sense if you're worrying about such small losses, and classical models of having the wronged individual ("plaintiff") carrying a complaint about the criminal no longer make sense. It doesn't make sense to mount a million-member class action suit against a spyware seller.
This all sounds very theoretical, so far, but there are significant issues that societies need to recognize. Namely, that the current mechanisms of justice simply are not tuned to handle cybercrime effectively. We see proof of this in the way that enforcement attempts are currently aimed at highly active criminals. Law enforcement decides "Let's bust this one guy and maybe it'll 'send a message' to the rest." Here's a hint: when law enforcement is only capable of trying to send a message then the situation is out of hand and they are signalling defeat.
It will only get worse
The low infrastructure cost of becoming a cybercriminal makes it extremely attractive. A friend of mine was involved in a case a 6 years ago in which they discovered a group of cybercriminals who had a fairly substantial IT set-up, all stolen goods purchased on Ebay with compromised PayPal accounts. Nowadays, it's not even necessary to have an infrastructure at all; the criminal can take advantage of online service providers, paid with stolen credit cards. An example of this transition is a nigerian bank scam spammer that was caught in London - he was operating entirely from a local cybercafe, commissioning spams through bot-herders, and harvesting his Email through Yahoo! and Hotmail. The criminal owned, literally, no IT infrastructure beyond a USB memory stick on which he kept track of his "customers."
Compare the cost of being a cybercriminal, and combine with it the near-zero likelihood of getting caught, and it's an incredibly attractive enterprise. This is why it will get worse - possibly dramatically - over the next decade. If you're a stick-up artist and you rob a convenience store, you need a gun and a car and you're running the very real risk of catching a bullet. The typical convenience store robbery nets between $1000 and $2000 for the criminal - compare that to the far larger potential profits of cybercrime and the lack of physical risk and I predict that the current state of affairs is just the tip of the iceberg we're going to have to deal with in the next 20 years.
I know that what I am about to say is not "politically correct" but: the current generation of young people, who do not recognize pirating music or videos online as a form of theft, are going to incubate the next generation of cybercriminals - and they will be truly horrible to deal with.
Cybercrime is trans-national; it respects no boundaries. In fact, the smarter criminals take advantage of this already by recognizing that the cost of international prosecution gives them a safe "ground cover" under which they can operate with impunity.
I predict that the trans-national nature of cybercrime is going to have a number of possible outcomes. The most likely short-term outcome is that trans-national money transfer systems will come under pressure. It will become increasingly difficult to use payment tools across national boundaries. In some cases, this is already happening - I attempted to pay for some Ebay winnings with PayPal from my laptop in a cybercafe in Poland and was surprised (and then pleased, once I thought about it) when PayPal blocked the transaction. Online banks and payment systems are going to increase in complexity in order to deal with this, I predict. In fact, it can't happen soon enough! I would dearly love to be able to go to my credit card company's website and tick off the countries I will be travelling to in the next month and "unlock" them for that month - in return for nobody else being able to use my card outside of this country. Similarly, I predict we will see things like being able to indicate that your card should only be used to pay for goods that are shipped to your billing address, etc. Right now, our defensive techniques are lagging dramatically behind the offensive techniques that the criminals are inventing! We need creativity and innovation on the defensive side - not another 3 digit PIN-code added to our credit card number.
Another longer-term outcome of the trans-national nature of cybercrime is that sometime in the next decade or two, we can expect a unified international response to the problem. It seems unlikely, now, but remember that I'm predicting cybercrime will get a whole lot worse, first. Eventually we will have a standard set of trans-national practices for dealing with online criminals. There will be no extradition, there will be a seamless process whereby trans-national crimes are prosecuted evenly based on where the crime was committed from instead of who the crime was committed against. There are a lot of tricky issues to sort out, but if the costs of cybercrime continue to skyrocket, there will be a coordinated response eventually.
The final point I'd like to make on cybercrime is that the current set of problems show us nothing about how bad it can possibly get. The current crop of cybercriminals are the equivalent of pickpockets and smash-and-grab artists. They are moving up the scale of sophistication, but they are, still, not very sophisticated. At a certain point, you move up-scale from the Reservoir Dogs and to professional gangs that are willing to invest the time and energy to infiltrate targets and take advantage of "insider" positions. We've recently seen the kind of damage that a trusted insider can do with the huge losses incurred at France's Societe Generale - nobody is asking themselves whether an insider could appear to make some incompetent trades while actually lining the pockets of a group of co-conspirators. And, if they were, how could we tell? The potential for insider-based high dollar cybercrimes is vast and the perpetrator does not need to be in a conspicuous position of trust to carry them out. A system administrator, or an operator at an outsourcer, has potential insider information on every aspect of a business. It simply takes a little creativity to figure out how to "monetize" the information. The next obvious step from that is to attempt to hire into a position with the specific intent of monetizing a specific data item. Make the right move and sell the correct copy of the right backup tape, and you could retire comfortably by age 25. What scares me is the suspicion that this could already be happening - most of the systems I've seen are woefully under-capable at backtracking and understanding such a crime, let alone detecting it.
If you're part of an organzation that does business online, cybercrime is going to be part of your personal future, for the forseeable future. How's that for a cheery prediction? Worse, still, your opposition is completely non-ideological and cannot be dissuaded or negotiated with.
Next up, we will take a look at Cyberterror. Cybercrime is the "boring stuff" and now we've gotten it out of the way.
Let's talk soon,