As a cybersecurity professional, how numb have you become to vendors who try to scare you with frightening statistics in an effort to sell you a new product? It is understandable that a vendor has to present as much information as possible in a limited amount of attention-grabbing time, so the doomsday technique makes some sense. Perhaps the vendors’ approach is faulty only in its delivery, because the numbers themselves are quite frightening indeed. There is definitely a larger point to be made.
The intention of this article is not just to put scary numbers out there. We have enough FUD in the industry. But some alarming numbers are worth sharing. In 2016, the National Institute of Standards and Technology (NIST) estimated that the United States lost up to $770 billion to cybercrime. To give some sense of scale to that very large number, the entire 2019 U.S. Department of Defense budget was $668 billion. Only 20 countries have a gross domestic product (GDP) this large. But that was 2016. The losses have been growing ever since.
It's on the rise. And it is expensive.
According to Cybersecurity Ventures, worldwide losses from cybercrime will double between 2015 and 2021, from $3 trillion to $6 trillion. All these budget numbers, country comparisons, and accompanying statistics are a bit overwhelming. This is much like the vendor problem: too much information wrapped into one dire scenario.
Let’s shift the way we look at this by creating a fictional country named “Scamlandia.” If the entire worldwide proceeds of cybercrime were attributed to Scamlandia, only the United States, China, and the aggregated European Union would have a larger GDP. To expand on this idea, if cybercrime were a tax, it would amount to a 4.2% levy on the world’s GDP ($6 trillion to cybercrime / $142 trillion world GDP).
Cybersecurity Ventures notes that this sum represents the greatest transfer of economic wealth in history, puts the incentives for innovation and investment at risk, and will be more profitable than the global trade of all major illegal drugs combined. This presents a very large problem. The money is not just evaporating; it is being used to fund activities of which no law-abiding citizen would ever approve if anybody bothered to ask.
A recent bank information security publication highlights how Russia has harnessed cybercrime: “Many security experts have long said that Russian authorities continue to look the other way when it comes to cybercrime, so long as criminals abstain from attacking Russian targets, and perhaps agree to occasionally assist the state's security services with their hacking-related requirements.” One could easily posit that this illegal activity acts as a financial stimulus to the Russian economy, paid for by Russia’s adversaries, making cybercrime a tool of the state.
Beyond Russia, cybercriminals from around the world are specializing and collaborating to become more effective. According to research in the Journal of Offender Therapy and Comparative Criminology, “…organized cybercrime networks are made up of hackers coming together because of functional skills that allow them to collaborate to commit the specific crime.” Like any good business operation, they are investing their capital to increase their revenue, efficiency, and return on investment.
The efforts of drug cartels to buy and intimidate government officials exemplify how an illegal business will attempt to decrease losses and create a more efficient operation. By extension, the negative and far-reaching effects of cybercrime should be expected to get much worse if it is allowed to continue. Imagine cybercrime cartels buying elections, manipulating markets, and even openly conducting propaganda campaigns to persuade the public of their good intentions, just as the drug cartels once did.
While there is no definitive answer to all of these problems, there are ways to frame a solution.
Helping solve the small issue of cybercrime
First, there must be a mechanism to discourage nation-state actors that flout the rule of law. Countries are harboring bad actors for their own benefit. To get them to stop, bad actions must generate negative outcomes. If honest governments identified countries known to be bad actors, registered white hat hackers could then attack authorized targets, so long as the operations were overseen by the government. A share of the proceeds would be used to subsidize cyber defenses. While the concept of “hacking back” is the subject of much debate, it is worth more exploration.
As in any business, working together makes us stronger than we are individually. A network of honeypots used to identify bad actors and their methods could provide the evidence needed to place countries on a “cyber enemies” list. Alongside that collaborative endeavor, an international forum could be established to name bad actors. In this way, small countries would be less likely to suffer retaliation for speaking up on their own.
Repudiation of bad actors should be a scaled response. If a country is behaving badly but all-out cyber warfare is not warranted, there may be options to throw sand into the attacker’s business model. If an attacker enters a honeynet (and the only way to do so is illegally), then their machines can be infected in a manner that renders them useless for their role. The bad actors must clean the machine in order to reuse it, delaying their ability to initiate new attacks and disrupting their business’s efficiency.
Of course, these ideas all have their shortcomings. For one, what is the minimum threshold before a cyber defense activity is deemed an act of cyber war? And what is there to prevent a mercenary mindset, which could quickly degenerate into cyber disorder?
I would be interested to hear your thoughts on the subject. Have you come up with interesting ideas about how to neutralize cybercrime? If so, send them to us on Twitter here.