Money makes the world go ‘round. This cliché was hardly appropriate in the early days of cybercrime. Hacking was driven by pride, competition, attention, and, ultimately, ego. The picture of the typical hacker could be taken right out of a scene from the movie Revenge of the Nerds: a disheveled, bespectacled, young male sitting in front of a computer at 3 a.m. clicking away on the keyboard, surrounded by scattered piles of laundry and junk-food wrappers. While that picture still accurately depicts some of the players in the hacking world, it is a rapidly shrinking minority.
Now, hacking is very much a for-profit venture. I recently heard a presentation by Andreas Antonopoulos of Nemertes Research. Andreas attempted to quantify the black market in online identity theft. While no perfect model exists, he estimated that the market capitalization of the identity theft economy is greater than that of some of the world’s largest cyber-security corporations, reaching as high as $7 billion.
The profitability of Internet crime is not news. But the manner in which that profit is being made is constantly evolving. Roughly 10 years ago, former Attorney General Janet Reno spoke of the possibility of organized crime entering the cybercrime arena. That possibility is now a reality.
With so little overhead or other costs, cybercrime pays well, and is therefore becoming a source of revenue for more than just the lonely hacker. But perhaps more alluring than the profit margin is the fact that with a broadband wireless connection, cybercrime can be perpetrated from the comforts of the home, the beautiful beaches of the Caribbean, or the protected confines of countries that do not always jump at the chance of cooperating with law enforcement when cybercrime is involved.
It is not possible to shrink the Caribbean beaches (nor would that be very popular), but there are fewer countries providing a haven for cybercriminals. A rapid-response system is already in place among law enforcement agencies in a number of countries. This system ensures that evidence is quickly preserved, allowing time-sensitive investigations to continue even when investigative leads point across international borders. This international network has permitted law enforcement to investigate and prosecute some of the most sophisticated crimes, and there should be no mistake: Cybercrime is getting more sophisticated.
The new cybercriminals are not necessarily more sophisticated in their hacking, phishing, social engineering, or botnet schemes -- although there have been advances in each. Instead, the truly sophisticated cybercriminals are combining all of the above methods. New cybercriminals are using social engineering to determine the people most likely to respond to a phishing email, and then targeting those same individuals, often by sending an email from a hacked account. Imagine an employee in “accounts payable” of a Fortune 50 company receiving an email that appears to come from a client’s email account and asks for some clarification regarding bank account and routing numbers. Such an email has a much greater chance of success than an email supposedly coming from Citibank, sent to someone who does not have an account with Citibank.
Given this sophistication, I am often asked: “How will law enforcement keep up?” My response is always the same: Law enforcement has tremendous tools and resources at its disposal and has prioritized cybercrime. But as the crimes become more sophisticated, law enforcement resources alone will not suffice. So I always follow up with this caveat: A safe and secure cyber world requires cooperation between law enforcement and private industry. As obvious as this may be, it often falls on deaf ears.
Recent surveys conducted by cybercrime research institutions suggest that less than 30 percent of cybercrime is reported by major corporations. I have heard estimates that put the number much lower, closer to 5 percent. And when I speak to corporate representatives, I am often told that being a victim of cybercrime is simply one of the “costs of doing business.”
This attitude cannot be sustained. While a number of industries actively cooperate in investigations and assist law enforcement in tracking criminal activity, the fact is that some industries seek to hide, rather than report, cyber-intrusions. The most basic, and perhaps the most important, element of cooperation is quick notification of a hack, breach, or other cybercrime. Without such notification, even if law enforcement uncovers the crime through other means, the subsequent investigation will be handicapped. In a field where evidence of an IP or MAC address is often wiped within minutes, timely notification of a crime is critical.
Notwithstanding the current under-reporting, there are signs that positive changes may be in the works. A majority of states now have legislation requiring businesses to provide prompt notification of breaches that involve personal data. As companies report a greater number of these breaches, the perceived stigma of such a breach will lessen. Once companies accept that -- just like all banks report armed robbery -- all companies should report cyber breaches, investigations of such breaches will begin earlier and have greater success.
One thing is certain: Law enforcement can only investigate or prosecute a crime that it is aware of. Recent prosecutions demonstrate that once law enforcement is informed of specific cybercrimes, even those involving the most sophisticated international schemes, arrests and convictions often follow.
— Erez Liebermann, Assistant U.S. Attorney, cybercrime prosecutor