Misha Glenny has been doing the rounds promoting his new book “Dark Market”, and I caught his talk at the RSA. Subtitled “CyberThieves, CyberCops and You”, Glenny explained that the book aimed to look at the threats from cybercrime, cyberwarfare and (computer-mediated) industrial espionage in the 21st century through the cipher of DarkMarket, an illegal online operation.
He categorised cybercrime into three different type:
- carding – high volume, low impact fraud and theft through a variety of means (including skimming, phishing and similar scams
- industrial espionage and attacks, including sophisticated denial of service attacks targeted at organisations
- cyberwarfare by state and non-state (read “terrorist”?) actors
No one knows how much money is lost to cybercrime, because it is hard to measure: countries, companies and individuals can chose not to disclose their losses, and there is no central organisation collating the figures that are released. Glenny put the figure at somewhere between $100bn and $1trn a year; perhaps $27bn a year in the UK. That is a lot of money. (Wikipedia put the global GDP at $74trn; so perhaps 1.35% of world GDP is being lost to cybercrime every year.) Organisations such as Sony PSP, Google, RBS Worldpay, Lockheed, TJ Maxx and the US National Security Agency have all been subject to criminal activity – and most cases will not be reported to minimise embarrassment. The vulnerability to criminal action is human, not technological.
Some of the illegal operations Glenny investigated were quite sophisticated. He described an organisation called Innovative Marketing which produced, released and sold (to end-users – that’s us) infectious malware. Their various software suites and fake, malicious products generated sales of $500m over three years; they had call centres dealing with “customers”(people who had paid to install the malware under false product descriptions and promises) in several languages. The people running them – the cybercriminals – Glenny described as smart, creative, ingenious and inventive. Your typical internet entrepreneur, then.
Summarising their characteristics, he said they were generally (and almost exclusively) obsessive games players, had advanced mathematical skills, developed computer skills in their mid teens, not solely motivated by money, and had poor communication skills. And they were all male. Again, these characteristics could describe any number of web-geeks.
They developed websites, and systems to support them, promoting their illegal wares and scams on an industrial scale. (I realise that last sentence was written in the past tense; many of the criminals Glenny described have been arrested and their activities halted. But it would be incredibly naieve to suggest that others are not undertaking similar activities, or that those currently in custody could not start their trade again upon release – whatever terms the court may impose.) They started escrow accounts to hold monies for transfer between criminals who don’t trust each other.
They had a certain chutzpah. As well as the structured organisation behind Innovative Marketing, another of Glenny’s subjects ran his criminal activities from the email address firstname.lastname@example.org. (No, I’ve not tried it.) Others have created videos to publicise and sell their activities.
One of the issues Glenny identified was the lack of research into the “hackers” (used in its popular rather than technical use). They are simply treated as criminals, and the police and security services are failing to learn from them. Cutting them off from the internet and technological communications is often a condition of their sentence; but these are highly technically-minded people for whom this is the main way they could legally earn a living. The technological criminals, with poor communication and social skills, are easier to catch than the “criminal brains” behind the operations.
In the main, the technological criminal represent an untapped resource. Who better to design and test security systems than hackers? It is possible that hackers may be in the employment of some security services: the FSB, the Russian security service, may be active or complicit in some criminal activities (apparently, the FSB keeps a mirror copy of all data transferred by Russian internet service providers, so they would be able to identify and track unusual activity); the Stuxnet worm which attacked Iranian nuclear systems may have been developed and distributed by US, Israeli or Chinese security services, implying that they were working with hackers. It is believed that the Chinese security services employ 2,000 to 3,000 hackers directly.
Glenny also believed that by studying and learning from hackers, it would be possible prevent them starting illegal activities. They generally start their criminal behaviour when teenagers, suggesting that school would be a good place to start identifying and rehabilitating them. Glenny’s only advice to avoid digital crime and hackers was to use Macs. But of course, if everyone did that, the hackers would attack that platform, too…