Whoever said “crime doesn’t pay” hasn’t been following the growth of cybercrime across the globe. A thriving underground economy has evolved over the past decade to become a massive industry. Estimates in the Web of Profit research paper show cybercriminal revenues worldwide of at least $1.5 trillion – equal to the GDP of Russia. If cybercrime was a country, it would have the 13th highest GDP in the world…
Which brings me around to a presentation on cybersecurity that I recently shared with colleagues. Up on the screen popped an extraordinary data visualization created by Information is Beautiful that depicts the world’s biggest data breaches over a span of 14 years in an interactive online graphic. Each breach is represented by a circular “bubble” whose diameter varies in relation to the severity of the breach. Clicking on a breach bubble opens additional details about the incident.
When it comes to spotting trends, there’s nothing like having a data-rich timeline for reference, and the ‘Information is Beautiful’ infographic does not disappoint. Scrolling through the years from 2004 through 2010, there are relatively few annual breaches. But in the 2011-2012 timeframe, the visual data dramatically changes as the number of hacks and compromised records spikes.
Why this sudden change? Threat actors were learning to more effectively monetize their efforts through highly-inventive and disruptive methods.
Take ransomware attacks on healthcare organizations, for example. Attacks through remote access systems have become the number one patient safety risk, according to the ECRI Institute’s annual Top 10 Health Technology Hazards for 2019. According to ECRI, “The consequences of an attack can be widespread and severe, making this a priority concern for all healthcare organizations. In critical situations, this could cause harm or death.” Healthcare providers quickly pay ransoms to avoid serious repercussions.
Over the past decade, cybercrime has become highly organized, evolving from disconnected individual efforts to a structured approach with a level of sophistication previously unknown. Running cybercrime schemes is inexpensive and accessible to anyone with criminal intent. Cybercrime forums and darknet marketplaces provide would-be criminals with easy access to an array of purpose-built and on-demand tools and services, including hosted infrastructure and cryptocurrency. They can anonymously pay for tools and services, as well as receive payments from victims, making it difficult for authorities to trace. All of this has led to the emergence of “cybercrime-as-a-service,” or CaaS.
Part of the problem with stopping cybercrime is that it’s trans-national. Many cybercrime organizations operate from within Russia or its former Soviet satellites. Extradition treaties with these countries are complicated or nonexistent, and law enforcement is lax. As long as hackers aren’t creating problems for the host country, authorities look the other way.
The rise of platform capitalism, a term used to describe companies like Uber, Facebook, Google and Amazon that thrive on capturing and monetizing user data, offers fertile ground for threat actors to further their gains. Whether by hacking companies to acquire user data, disseminate malware, sell illegal goods and services or set up fake shop fronts to launder money, it is evident that cybercriminals are adept at manipulating existing platforms for commercial gain. As long as there’s money to be made from cybercrime and the platform capitalism model continues to function largely undisturbed, there will be no end to CaaS.
Unfortunately for individuals, there appears to be no accountability for companies in the U.S. with lax data protection practices and no clear path for those affected by data breaches to recover damages. California passed a law earlier this year that forces disclosures about the collection of personal data and imposes significant fines for data breaches… up to $750 per violation. But it doesn’t go into effect until January 2020, and it is being challenged in court. The GDPR (General Data Protection Regulation) is a great example of legislation that protects personal data privacy but only covers EU citizens and residents.
Back in September 2017, Equifax reported that a data breach exposed the personally identifiable information of 143 million U.S. consumers, including their names, addresses and Social Security numbers. That number was later revised up to 148 million. After the breach, it was predicted that regulators and consumer outrage would force major changes to the credit-reporting industry. Instead, almost nothing of substance has occurred since the unprecedented breach. Equifax’s stock took an initial hit but has largely recovered. The company continues to receive large government contracts.
Fast forward to September 2018, when Consumer Reports noted in an editorial, “Americans remain largely in the dark about the practices of the credit reporting industry—and, more generally, largely unable to control the use of their personal information. Equifax itself has suffered minimal consequences and continues to do business more or less as before.”
In a recent New York Times article, cybersecurity expert Bruce Schneier opined, “The risks are about to get worse, because computers are being embedded into physical devices and will affect lives, not just our data. Security is not a problem the market will solve. The government needs to step in and regulate this increasingly dangerous space.”
We live in a society where much of the real change that occurs is crisis-driven. It took a housing market meltdown and a global recession in 2008 to drive tighter regulation and enforcement in the financial services industry. What kind of crisis must cybercrime and lax corporate data security precipitate before meaningful action is taken?
About the Author: John Armstrong is the VP of Marketing and Product Marketing at Zettaset, a leading provider of software-based encryption solutions. Prior to this, John led the global marketing team at LeadFormix to its eventual acquisition by Callidus Cloud. He also built and managed a product marketing consultancy, providing strategic and operational guidance to VC-funded start-ups including NetScaler, PacketMotion and Securent as well as established companies like Blue Coat, Cisco, Citi, Dell-Wyse, NetScout and SAP. For several years, John headed the networking group at Gartner as VP and chief networking analyst. John has an MA in Communications Management from the Annenberg School at the University of Southern California, and a BA from Ryerson Polytechnic University in Toronto.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.