What goes on in the dark world of cybercrime.

19.02.20 07:21 PM By Jordan

When Bill Gates said that he would turn Microsoft into a multibillion-dollar company, the tech world laughed at him. Similarly, when Steve Jobs said that Apple would eventually become one of the most influential tech companies in the world, he was laughed at.

Technology has changed the world. Therefore, any predictions around future growth will be educated guesses, at best. However, it is important to keep track of these trends.

Cybercrime is making a major impact worldwide and this will only grow in the future. I recently read some troubling articles about the growth of cybercrime and what needs to be done to address the challenge.

Significant growth.

The growth of cybercrime is extensive. The first article I read pointed out that the global value of cybercrime in 2019 was $3.5 billion.

The FBI said that it received 467 361 complaints from individuals and businesses during the year and has had nearly five million since its inception in 2000.

Phishing and extortion remain the most popular ways of scamming people.

The article points out that techniques are becoming more sophisticated, making it harder for people to tell real from fake.

This is especially true of web and email addresses that are fooling people because they look increasingly legitimate.

Last year IC3 had 13 633 complaints from victims of so-called tech-support fraud, which involves a scammer phoning an individual and claiming there is a problem with their computer that needs immediate fixing.

Keep reporting it.

The article points out that losses amounted to more than $54m and complaints came from victims in 48 countries. The vast majority were over 60 years of age.

Ransomware - where hackers lock down computers and demand a payment to unlock them - netted more than $8.9m over the year, according to the group.

It urged members of the public to continue reporting crimes.

"Information reported to the IC3 plays a vital role in the FBI's ability to understand our cyber-adversaries and their motives, which, in turn, helps us to impose risks and consequences on those who break our laws and threaten our national security," FBI's Cyber Division Assistant Director Matt Gorham told the BBC.

"It is through these efforts we hope to build a safer and more secure cyber-landscape."

Organized attacks.

It has been extensively reported on this blog that cyber criminals are becoming more organized and purposeful when it comes to going about their business. The second article I read illustrates how organized Chinese cyber criminals are becoming.

Hackers are adopting organized crime tactics to make billions from victims all over the globe.

The article pointed out that over just the last three years, Chinese cyber criminals have gone from relatively solitary players to adopting the same tactics favored by organized crime syndicates in Russia and other nations with lax cybercrime laws and enforcement.

These findings come from research conducted by Anne An, a senior security researcher in McAfee's Advanced Programs Group, a lesser-known division of McAfee that conducts deep-dive, bespoke cybersecurity research and intelligence gathering to help companies counter threats before they become full-scale attacks.

"I think the biggest take away from this research is that Chinese non-state actors; they're no longer low-skill hackers trying to make extra money," An said. "They have transformed from small local networks targeting mostly Chinese businesses and citizens to large well-organized criminal groups hacking international organizations."

The article added that just like their more-advanced counterparts in Russia, the motivation is simple: Money. The average income in China is around $8,000 per year, An said. Hackers can make $1,400 per day.

“China’s cybercrime enterprise is large, lucrative and expanding quickly,” An said in a blog post announcing her findings. “According to 2018 Internet Development Statistics, China’s cybercriminal underground was worth more than US $15 billion, nearly twice the size of its information security industry. The same Chinese-language source also shows that China’s cybercrime is growing at a rate of more than 30 percent a year. An estimated 400,000 people work in underground cybercriminal networks.”

Cybercrime-as-a-service.

The article points out that as Chinese hacking becomes more organized, it is moving off of platforms like Tencent's QQ, a Chinese chat platform that is used by hackers to connect with peers, sell stolen data, and collect money in a one-to-one fashion, toward Dark Web chat rooms and forums where they can reach a broader audience of customers looking for malware and buyers looking to buy pilfered data. Just a few tens or hundreds of dollars can buy all manner of illicit goods from physical counterfeits of US and Canadian driver's licenses to bank login credentials.

"They have continuously evolved their tactics to become more sophisticated, and they are learning a lot of those techniques from a more sophisticated cybercriminal underground like the Russians," An said.

The article adds that this includes adopting the same market-based approaches of any legitimate business to expand their market share. Instead of doing the hard work themselves, bad actors buy ready-made or bespoke malware that comes complete with 24/7 customer support. Buyers looking on Chinese black markets can find distributed denial of service (DDoS) botnets, traffic sales, source code writing services, email/SMS spam and flooding services, An said.

"With regard to hacking services, Chinese cybercriminals also offer modules for prospective clients to fill out their service requests, including types of attacks, target IP addresses, desirable malware or exploit toolkits and online payment processing," An said. "Through establishing a standardized model of sale, Chinese cybercriminals can expand their activity quickly without incurring additional overhead costs."

One product for sale is a business dossier, An said. "It costs around $5,000 to $10,000, depending on how difficult the hack is. And, basically, the hackers would take whatever requests to hack into like places like top-50, high-profile Chinese companies, or even Fortune 500 US businesses. I've seen online the entire employee directory being sold on the dark market."

The article points out that, because of a very strictly controlled internet in China (access to the anonymous Tor browser network is completely blocked, for example), Chinese hackers are physically moving to find more favorable locations for their activities. Specifically, they are moving into Malaysia, Indonesia, Cambodia, and the Philippines. They also are using layered virtual private networks (VPNs) from inside China to access Tor via another country where Tor is available.

Cybercrime meets cyber espionage.

The article points out that the lines between criminal activity and more traditional espionage are blurring. An has seen Chinese cyber criminals selling full dossiers on businesses and government agencies. She has seen internal employee directories and intellectual property (IP), CEO contact information, company bank account credentials, marketing strategy documents, tax ID numbers, and funding histories all available for sale on the black market. To get this information, cyber criminals often recruit insiders or plant moles inside organizations, masquerading as new hires.

"As China's cybercrime continues to evolve and advance, international organizations operating in the Asia Pacific region are facing an expanding threat landscape from cybercriminal activity targeting high-value business assets," An said.

The third article I read pointed out that cybercrime laws need urgent reform to protect the UK. Lawyers say the ineffectiveness of the act exposes the UK to harm by ‘cybercriminals and hostile nations’.

The article pointed out that Britain’s cyber-defenses are being endangered by the outdated Computer Misuse Act, which prevents investigators from dealing effectively with online threats while over-punishing immature defendants, according to a legal report.

Thirty years after hacking became a criminal offence, a study by the Criminal Law Reform Now Network (CLRNN) calls for urgent revision of the legislation governing illegal access to computers, denial of service attacks and other digital crimes.

The article added that the 144-page review, led by academic lawyers at Birmingham and Cambridge universities, argues that the 1990 Computer Misuse Act is “crying out for reform” and must develop public interest defenses for hacking.

The report, Reforming the Computer Misuse Act, identifies problems of enforcement and legal obstructions that expose the UK’s economy and critical infrastructure to “harm by cybercriminals and hostile nation states”.

Wide ranging changes.

The article points out that wide-ranging changes are needed, the report stresses, to create a legislative regime that is “fit for purpose – allowing ethically motivated cyber defenders, security researchers and journalists to pursue their work with greater legal certainty, while improving the ability of the state to identify, prosecute and punish those acting against the public interest”.

The act exposes cybersecurity professionals to prosecution for carrying out intelligence research against cybercriminals and foreign state actors, it warns, leaving the UK’s critical national infrastructure at risk at a time when threats are growing.

Simon McKay, a civil liberties and human rights barrister who was the project lead for the report, said: “One of our key recommendations is that a number of defenses need to be built into the Computer Misuse Act to allow research, and integrity testing of systems.

“The act does not even have any kind of defense for the way law enforcement carries out online work. They can only avoid prosecution through having a warrant and they have to stay within the confines of that.”

The article added that the report calls for a public interest defense to enable cyber-threat intelligence professionals, academics and journalists to explore networks to provide better protections against cyber-attacks and computer misuse.

A standard research method involves using a so-called honeypot, a computer set up to appear attractive to hackers that can identify the computer sources of an attack and capture as much code as possible.

If they strictly observe the law, the report says, researchers “would be very limited in probing the source of those attacks. This restricts the ability of security researchers to identify threats and pass vital information to public enforcement bodies.”

The report calls for greater flexibility in terms of punishments, the introduction of fines and specific guidelines for judges from the Sentencing Council when dealing with immature defendants or those diagnosed with autism or Asperger syndrome.

The article pointed out that recent high-profile cases have involved attempts to extradite British suspects to the US for hacking – such as Lauri Love, who was diagnosed with Asperger’s.

Dr John Child, a senior lecturer in criminal law at Birmingham University and co-director of CLRNN, said: “There’s very little information for prosecutors or judges … You get some cases which have led to draconian outcomes for some youths.” There should be schemes for “redirecting problem youths”, he added.

The article added that US legislators are looking at legalizing “hack back” laws that permit firms to retaliate to online attacks, Child said. The UK should not follow that example but instead create rules “in line with international obligations which target the bad actors”.

Reports of hacking incidents to Action Fraud lines are often not investigated by police because of a shortage of resources, the report warns.

Successful defence.

The fourth article I read was a report by the World Economic Forum. It pointed out that successfully fighting cybercrime requires collaboration between the public and private sectors. There is a genuine appetite on both sides to enhance cooperation and a global alliance could provide the scale needed to tackle this problem.

The article points out that cybercrime is one of the greatest risks to prosperity in the Fourth Industrial Revolution. Nation-state cyber activities tend to garner most international attention, but in fact cybercriminals are responsible for most of the malicious cyber activity - about 80% by some estimates. In addition to direct damages, which are projected to cost the global economy $6 trillion (or 6.3%) annually by 2021, cybercrime is a colossal barrier to digital trust. It drastically undermines the benefits of cyberspace and hinders international cyber stability efforts.

The article adds that, in response, the international community has taken commendable action to enhance national law enforcement capabilities and facilitate international cooperation on cybercrime – INTERPOL’s Global Cybercrime Program and Innovation Centre in Singapore, Europol’s European Cybercrime Center and the Joint Cybercrime Action Taskforce are leading results of these efforts, as are international policy dialogues such as the United Nations Open-ended Intergovernmental Expert Group on Cybercrime and the Council of Europe Budapest Convention.

The article points out that conventional government-to-government criminal justice efforts, however, are proving too limited to meet the challenge. Recent reports highlight a “stunning enforcement gap” for cybercrime, citing that even in the US, the likelihood of successfully prosecuting a cybercrime is estimated at 0.05%, far below the 46% rate of prosecution for violent crime.

Cybercrime cannot be systemically curbed without confronting the source of cyber-criminal activity, reducing the payoff and making the risk of prosecution real to offenders. With government efforts alone proving insufficient, successful approaches require a convergence of transnational public-private efforts and resources. To date, government cooperation with private-sector actors, both locally and globally, has been fragmented. Cybercriminals exploit these gaps to act with near impunity. We need to close them.

Public-private cooperation is the way.

The article adds that, traditionally, law enforcement agencies (LEAs) run the entire criminal justice process – responding to an incident, investigating the crime and prosecuting the perpetrators. When it comes to cybercrime, the private sector plays an instrumental role due to a combination of factors.

Preventing and investigating cyber incidents requires significant technical skills and capabilities. LEAs have either lagged behind the private sector in developing these skills, or do not have the necessary resources at the same scale as private-sector organizations.

The article points out that cybercrime incidents often result in personal data theft or customer service disruption, which may amount to a crime or lead to regulatory actions in many countries. There are a number of reasons why companies subjected to attack may not want to report cybercrime to law enforcement and will turn instead to the private sector.

Jurisdiction is often murky for cybercrime investigations. In the physical world, a crime occurs at a location with the criminals physically present, but in cyberspace criminals can live in one country, carry out crimes in another and leave evidence in a third. In these instances, government agencies often do not have jurisdiction to investigate all the aspects of crimes committed online, whereas private companies with global operations regularly operate across national boundaries. Moreover, cybercriminals abuse privately-owned infrastructures to carry out their crimes. Therefore, the private sector may provide significant assistance in countering criminal activities.

The article points out that, at the same time, the private sector cannot replace law enforcement. Private-sector companies can prevent, investigate and mitigate criminal activity, but they cannot impose sanctions on malicious actors. Only LEAs have the mandate to arrest, prosecute and take other appropriate measures against cybercriminals. The only way forward in the new context is to enable stronger operational collaboration between the public and private sectors to fully avail the parties of all the tools and jurisdictions needed to successfully reduce cybercrime.

The power of alliance…

At the World Economic Forum Annual Meeting on Cybersecurity in Geneva in November 2019, leaders from the public and private sectors explored how to meet the new challenges that cybercrime presents. While acknowledging the substantial efforts made by both public and private-sector actors, the discussion also highlighted several barriers to cooperation.

The article adds that these include legal and privacy challenges, cultural differences, a lack of shared standards around evidence collection and fear of losing competitive advantage. The lack of clear frameworks or standards for public-private cooperation could potentially cause confusion on roles, responsibilities and the purpose of collaboration. Liability and anti-trust concerns could add another layer of complexity. These as-yet unresolved issues compound the difficulties of implementing effective collaboration.

At the same time, there is genuine appetite in both the public and private sectors to intensify this cooperation. INTERPOL, Europol and several national LEAs have stepped up their efforts to foster partnerships with the private sector. Another promising approach is to bring together different stakeholders in a joint framework of cooperation on a shared goal, as do the Cyber Threat Alliance, the Cyber Defense Alliance and the Global Cyber Alliance.

The article points out that applying this approach on a much broader scale by forming a global public-private alliance against cybercrime could help to achieve a level of cooperation capable of meeting current and growing needs. An alliance could facilitate cooperation by creating and innovating mechanisms to overcome barriers, and at the same time promote a shared agenda.

A global alliance could leverage the platform provided by the World Economic Forum in partnership with INTERPOL, the Cyber Threat Alliance and other leading actors to provide a neutral and impartial environment in which to foster public-private cooperation on cyber investigations. Partners would include cybersecurity companies, tech companies, service providers and international corporations, as well as LEAs, computer security incident response teams, international organizations, information-sharing communities, action-oriented alliances and other non-profit groups. The alliance would complement and enhance ongoing partnerships, not replace or duplicate existing efforts.

The article adds that a first step is to define the principles for optimal public-private operational collaboration on cybercrime investigations, capturing “what good looks like”. This would be followed by promoting the implementation of the practices and mechanisms needed – including operational concepts and technological enablers – to facilitate and support multilateral cooperation. Equally importantly, we need to present a united front, to inspire hope and a collaborative approach on the one side, and fear and restraint on the criminal side.

…at speed and scale.

Is the need for new approaches to addressing cybercrime surprising? Policy, law and behaviors in the physical world have developed over centuries; cyberspace is only 50 years old. As a global network evolving at lightning speed, cyberspace operates in a different dimension from the physical world.

The article points out that policies, laws, institutions, standards and frameworks must effectively adapt to and address this evolving environment. We can choose to create a global public-private alliance to jointly and effectively fight cybercrime. The time to do so is now.

Jordan
