Electronic Ghosts

A technological approach to cyber crime will only lead to a tech arms race. We need a new plan that starts with figuring out who cyber criminals are.

By Jonathan Lusthaus

A person checking his email opens an attachment, installing a virus that disables his computer. A major news site goes down after a distributed denial-of-service attack. An international bank’s systems are compromised, spewing out fraudulent transfers worth millions of dollars.

These and other similar stories have become familiar in our networked age. And yet as common as they now are, there is still much that is unknown, not least of which is: Who is behind such incidents?

In the past, the image that sprang to mind was of the lonely hacker sitting at his computer, tapping away feverishly in a dark room—a pimply, nerdy, maladjusted teenager in his mother’s basement. That teenager has since been joined by new stereotypes: an unemployed IT graduate from a far-off land; an idealistic political agitator toying with his opponents; a techie with links to a criminal syndicate; an intelligence operative of a foreign government.

The truth is we have very little real knowledge of cybercriminals. These electronic ghosts often remain an anonymous and mysterious threat: They could be almost anyone, anywhere.

As the threat of cybercrime has risen, an enormous amount of time, effort, and resources has been invested in developing solutions. But what emerged as a new technical threat has, up to this point, been fought largely by technical means. Defenders work tirelessly to plug holes that could allow hackers into a system, while others work to disable malicious code or develop tools to filter out unwanted traffic and communications. But few stop to think in any detail about the people behind the technical threats: where they live, how old they are, how many and how organized they are, what their motivations are.

In the fight against cybercrime, technology alone can take us only so far without the help of other perspectives. The purpose of this essay is to advocate for a more human-centered approach in the way we think about, and attempt to counteract, the threat of cybercrime. Such an approach would acknowledge that cybercriminals, like traditional criminals, are human beings rather than merely anonymous sources of cyberattacks. We need to increase our understanding of their behavior, so that we can develop better means of discouraging and disrupting it.

The Threat of Cybercrime

But before we explore solutions, it’s important to get a grip on what exactly we’re facing. Over recent decades, cybercrime has emerged as a major challenge for the world. While the pioneers of hacking in the 1960s were driven largely by intellectual curiosity and were generally without nefarious intentions, contemporary cybercrime has become big business for those intent on reaping financial gain or causing other harm. Over time, mischief and minor profits gradually became a more important element, but today there is little doubt that the scale and severity of the problem is substantial. National Security Agency Director Keith Alexander has called cybercrime the “greatest transfer of wealth in history.” A recent United Nations study suggested that cybercrime victimization levels now may outstrip conventional crime. Reports by governments and Internet security companies regularly calculate the total costs of cybercrime to be in the hundreds of billions of dollars. One widely cited report estimated that there are, on average around the world, 18 cybercrime victims a second, and that two-thirds of adults online have been victims of cybercrime at some point in their lives.

It should be noted that a good deal of care has to be taken with these sorts of statements and figures. Methodologies for estimating the costs of cybercrime are subject to major disagreement and, in many cases, scarce data means a lot of guesswork is involved. Since no clean figure can really account for the current threat of cybercrime, perhaps the better way to understand the scope of the threat is to take stock of how many aspects of human life are going online. From personal relationships and communications to banking services and governmental activities, many parts of a person’s existence are now on the Internet in one form or another. This shift obviously brings tremendous benefits in efficiency and cost effectiveness. But any such benefits also bring great risk. In return for convenience, we may face compromised communications, stolen credit card data, loss of sensitive governmental information, and so on. Acknowledging that we face an equal measure of risk for the online benefits we receive helps us understand the real scale of the cybercrime problem.

Depending on definitions used and what jurisdiction you are in, cybercrime can incorporate a tremendously large range of illicit behaviors. Among a broad spectrum of perpetrators, there are five common types of cybercriminals: 1) those who break laws for personal reasons, such as revenge against a former employer, harassment of an indifferent love interest, or a predilection for child pornography; 2) recreational hobby hackers who intrude into networks and undertake other projects for kicks; 3) those driven by political ideologies, such as hacktivists or cyberterrorists; 4) profit-driven cybercriminals; and 5) nation-state actors engaging in cyber espionage against corporate, political, and military targets.

While there is certainly some crossover among these categories, each of these types of cybercrime requires tailored and distinct policy responses. This essay focuses on the world of profit-driven cybercrime and touches on other forms of cybercrime only as they relate to that discussion.

Contemporary profit-driven cybercrime is comprised of myriad schemes and ploys in an extremely dynamic environment. Such cybercriminal enterprises can encompass blackmail, extortion, fraud, identity theft, intellectual property violations, phishing, spam, and renting out resources and services (such as distributed denial-of-service attacks for hire). Many of these activities center on obtaining personal information that can be exploited for financial gain, although some schemes, such as extortion, do not. For instance, phishing involves using emails and fake websites to trick victims into providing information such as online banking credentials or credit card numbers. Extortion attempts, on the other hand, could include threatening to knock an Internet shopping website offline during a key retail period unless the business owners pay up. Laws also vary across different jurisdictions, and some of these activities (such as spam or copyright infringement) are not always classified as “crimes.”

There is also wide variation in the types of people who are involved in the business. One police officer in England told me that in his experience perpetrators of cybercrime represented many different ages, demographic groups, and backgrounds, an observation confirmed by my own interactions with former cybercriminals over the years.

The world is no longer just facing lone hackers operating for recreation in the “open” space of the Internet, as some popular stereotypes have it. It is now facing much more professional criminals, who are driven by profit rather than the old hacker code of intellectual discovery and information sharing. Cybercrime is getting organized and is now big business. While a number of cybercriminals operate in small “crews”—some online with others offline—larger structured groupings have also developed. In certain countries where some criminals operate almost in plain sight, “cybercriminal businesses” have emerged, providing services like Web hosting or payment systems suitable for nefarious activities and operating out of fixed-address offices with pseudo-corporate structures.

In an online setting, a series of cybercriminal trading forums have materialized. These online marketplaces operate as a type of black-market eBay, a place where cybercriminals from around the world can congregate and do business. As cybercriminals specialize in different parts of the industry—some without any high-level technical skills at all—these sorts of markets are important. Popular products include compromised credit and debit card data along with malware kits, as well as services like “cashing out” operations that convert “virtual” ill-gotten gains into “real” offline money.

The business of cybercrime is increasingly specialized and organized: a legitimate and serious threat. If we prefer to keep benefitting from new technologies, we need to think carefully about how best to keep ourselves safe.

A Technological Arms Race

So what is the current approach for dealing with the threat of cybercrime? Although new computer crime laws have been developed over the years, our primary practical response has been focused on the technology side. It looks at the specific technical threats, such as hacking, viruses, and spam, and works to address them through technical means. In the face of such challenges, we have developed security systems to counteract cybercriminal tools directly. In response, the cybercriminals developed better tools and the technology arms race has cycled on to this day.

A good example that most people are familiar with is anti-virus software. The purpose of such software is to identify malware that has infected your computer. The companies behind such software work hard to stay up to date with the latest viruses and other forms of malware. But as new viruses are continually developed, it becomes an endless task consuming enormous time and resources.

Or consider “botnets,” in essence armies of infected computers that can be used to send spam or steal personal information, among other things. Efforts can and have been made to take these networks down, such as seizure of the servers and domains used to control botnets. But new botnets are simply built in their place and the dance goes on.

This technological response to cybercrime is fairly common at all levels of society, from the individual up through business and government. It’s effectively a fortress model of protection. The idea is to make defenses so strong that nothing can get through. Little attention is paid to who the attackers are or why they are attacking—just the how is important. It’s akin to building a whole suburb of castle-like houses to deal with a gang of thieves operating in the area, rather than trying to identify the thieves and deter or arrest them.

In 2012, the UK Ministry of Defence requested a report titled “Measuring the Cost of Cybercrime,” in response to growing fears that previous studies had “hyped the problem.” Noting the difficulty of providing definitive figures, the team of authors nonetheless estimated that global investment in cybercrime law enforcement was dwarfed many-fold by investment in technological defenses. Given that a small number of elite groups lie behind a large number of cybercriminal incidents, they concluded that overall cybercrime may be greatly reduced by shifting some of the current focus on anticipatory technical defenses to a more responsive model centered on greater law enforcement.

At present, global law enforcement is struggling to contain the increasing threat of cybercrime. While such efforts have improved dramatically in recent years, with the United States and a handful of other countries investing in significant cyberpolicing capabilities, some countries still do not have a dedicated cybercrime enforcement unit at all. A number of others have small, understaffed, and under-resourced units with limited training. In many cases, cyberpolicing entities partner with tech companies and security-focused NGOs to shoulder a sometimes-considerable part of the investigation burden. Microsoft has even established a dedicated Digital Crimes Unit that tries to disrupt cybercriminal operations, often through civil, rather than criminal, avenues.

As a result of limited resources and the complexities of investigations centered on perpetrators in foreign countries, a number of cases are shrugged off by law enforcement. In turn, victims of cybercrime then have little incentive to report attacks, often turning to private security firms instead. It becomes a destructive spiral—if crimes are not reported, then investigations cannot be carried out. As the world has struggled to comprehend the new and evolving threat of cybercrime in recent decades, it’s not surprising that we have fallen back onto technological solutions for protection. But now the time has come for a more comprehensive approach.

Cybercriminals Are People, Too

There is obviously great value in developing the best technological tools to thwart cybercriminals. Technological responses continue to be a very effective way of putting costs on cybercriminal behavior and should be an integral part of ongoing security efforts. But we need to augment and enhance this approach with some more human-centered elements.

So what exactly does such a strategy look like? At the core of this approach is a greater focus on attribution—the “who” behind various attacks. This could be attribution in specific cases, unmasking the perpetrators involved. But more generalized attribution would also be valuable. This would mean acquiring a better understanding of the types of people who are cybercriminals, the methods by which they operate, and their motivations and agendas.

A case in point was an investigation of intellectual property theft conducted by a former Department of Justice figure I met with. The victimized company suspected corporate espionage, as a deal with a foreign government for the relevant intellectual property had fallen through shortly before the theft. But after a proper examination took place, everyone’s fears were allayed when it turned out to be high-school hackers, whose timing had been pure coincidence. As the former official put it to me, “don’t guess…investigate.”

Unfortunately, such a response isn’t standard practice. In many other cases, little attempt is ever made to identify the attackers. Without some knowledge of the humans behind the attacks and their agenda, framing sensible responses is virtually impossible. Trying to comprehend attackers’ motives from the technical logs of the victim’s system alone is not good enough: You don’t know if you are dealing with a teenager down the street, sophisticated professional criminals, or an agent of a foreign government. Deeper investigations can consume significant resources, both for the victim and law enforcement, but there is no other way to diagnose an event and impose an appropriate and effective sanction, or improve risk strategies, let alone identify the proper avenues for dealing with the case in the first place.

There has been some movement toward more attribution in recent years, but we still need greater investment in this area. And while parts of the technology industry have morphed to adopt a more human-centered approach, attribution is not really its core business. In the end, it is the role of the public sector to spearhead this shift in cyber strategy. And as cybercrime is a massive transnational phenomenon, this battle cannot be fought by single countries on their own. It will take a concerted communal effort.

Transnational Cyberpolicing

When I speak to law enforcement officials around the globe, they almost always raise the need to improve international cooperation as a primary concern. Many of their cases involve perpetrators from abroad, and they feel hamstrung by complex jurisdictional issues and a perceived lack of interest from foreign law enforcement agencies. In reality, foreign law enforcement agents may not have the resources or capacity to deal with the requests for assistance. They may also feel that their jurisdiction’s bureaucratic requirements are not being met, and they all face their own pressing caseloads. It’s not surprising, then, that these officers might prefer investigating the cases of local victims to those in a far-off land with all the jurisdictional complexities involved.

Moreover, when it comes to cybercrime, there are also vastly different agendas around the globe. For instance, a Western government agency might identify financial crimes as a major focus. Yet one can hardly blame developing countries for not seeing the security of large foreign banks and their customers as a priority. For a country in Southeast Asia, sedition might be a more pressing concern, something that wouldn’t set American or European hearts racing.

With that said, it must be acknowledged that cybercrime policing across international boundaries can work. There have been a number of successful international operations. One was the investigation in the early-to-mid-2000s of CarderPlanet, a Web forum that pioneered the cybercrime industry in Eastern Europe by offering cybercriminals a place to meet and trade illicit goods and services online. Big players were arrested, including the supposed “Godfather” of CarderPlanet, Ukrainian Dmitry Golubov (known online as “Script”). Although Golubov was later released (on the “recommendation” of two influential politicians, or so it’s been claimed) and went on to form his own political party, the investigation was an important landmark in cyberpolicing. CarderPlanet itself was shut down due to the growing law enforcement pressure. Around the same period, another successful investigation in Eastern Europe was carried out by British and Russian law enforcement, this time against online extortionists.

But perhaps the most famous international investigation involved the online cybercriminal trading forum DarkMarket. Following the CarderPlanet model, DarkMarket became the largest English-language forum on the dark Web in the second half of the 2000s. But the forum was eventually brought down by a coordinated law enforcement effort that led to arrests of major cybercriminals from the United States to Turkey. A key part of this operation was the undercover work of FBI agent Keith Mularski, a sort of cyber Donnie Brasco, who ascended to the highest rank of administrator on DarkMarket and became a powerful and trusted member of the community under the handle Master Splyntr (a reference to the “Teenage Mutant Ninja Turtles”), with a reputation as an elite Polish spammer.

But such international operations can require a tremendous amount of hard work, skill, good timing, and political winds blowing in the right direction. One former U.S. law enforcement agent I spoke with was frustrated by claims that such international cyber operations were impossible, as he had been engaged in successful foreign investigations in countries like China. In his opinion, it was difficult, but it could be done.

It will take time and there will be challenges along the way, but governments across the globe need to support and expand these international policing efforts. First, as much as training programs run by international organizations, governments, and corporations have tried to improve the technical skills and knowledge of law enforcement agencies around the world, this capacity needs to be strengthened and expanded even further. Doing so means more countries can better share the burden of investigations. As Internet usage rises around the world, “local” cybercrime victims have been increasing accordingly; in some subcategories of cybercrime, the number of victims in poorer countries appears to be outstripping the number in wealthier, more networked countries. The need for cybercrime investigations is now much more apparent in states where it hasn’t been a serious concern before. This has been the case recently in Russia, which has seen a spike in attacks against its citizens and has begun to take the threat more seriously.

Second, states need to continue investing in and expanding regional and global institutions for combating cybercrime. Some efforts are underway to establish a global cybercrime treaty. Such a treaty could codify what cybercrime is and commit states to taking a series of measures to address it, including the legislation of specific criminal offenses, the adoption of frameworks for international cooperation, and the promotion of training and technical assistance for national authorities. But attaining a treaty could be a long and difficult road, as vastly different cybercrime priorities exist among nations. Some argue that existing treaties—such as the UN Convention against Transnational Organized Crime or the Council of Europe’s Convention on Cybercrime—already fill the requirement of a convention; others want to avoid a global discussion on cybercrime out of concern that it might veer toward more contentious topics like cyber espionage.

If these concerns could be assuaged, a widely endorsed global cybercrime treaty could be an important piece of the puzzle. But cooperation need not take place only at the highest levels to achieve meaningful results. Although some cybercrimes like spam are not always targeted by legislation around the globe, many other forms (for instance, theft and fraud) should be illegal under more traditional criminal codes, making cross-border policing efforts possible.

International police coordination organizations, like Interpol and Europol, have a very important role to play in such transnational enforcement. They are already moving in the right direction, each having established (or in the process of establishing) a dedicated cybercrime center. A related proposal would be to expand exchange programs among law enforcement agencies across the world. This could allow officers from cybercrime units with less training and fewer resources to gain experience from working with leading law enforcement agencies in other countries. It could also allow exchanges in the opposite direction, where well-trained agents from elite organizations could help investigate cases on the ground in other jurisdictions, thereby immediately improving capacity and providing a means for investigating “foreign” cases without overly burdening the local system. Such a program would also lead to closer relationships among officers of different nations, which can only help. Ultimately, it’s midlevel officers who investigate cases, and the ability to draw on existing overseas relationships for help would be a major asset.

Enhanced international law enforcement capabilities could also lead to a shift in the emphasis of investigations, from the low-hanging fruit of common cybercriminals—the foot soldiers who might happen to be in a jurisdiction friendly to the relevant law enforcement agency—to those higher in the criminal food chain hiding in foreign countries. Getting the “kingpins”—the organizers and monetizers—out of circulation will have a much bigger impact on reducing cybercrime overall. And the specter of a more globalized law enforcement effort on cybercrime can erode the atmosphere of impunity in which many cybercriminals around the world currently operate.

A Multifaceted Approach

Improving international cyberpolicing efforts is not a “tough on crime” approach that we often see in conventional policing debates. The approach advocated here aims to establish a baseline capability to deal with this emerging threat, a threat that presents complexities for traditional policing and that no country can address on its own. But as one law enforcement agent told me, we “can’t arrest our way out” of this situation. Just as broader crime policy involves a range of nonpolicing solutions, cybercrime policy should be no different.

First, as with traditional forms of crime, the policy community should be having discussions about appropriate sentencing and potential avenues for rehabilitation. While some “conventional” criminals are making their way into cybercrime, those who are hackers or otherwise technically skilled present an interesting case. In the past, critics have complained that sentencing for cybercriminals was too lenient in comparison to “real” crimes like bank robbery. But as sentencing has become increasingly severe in certain jurisdictions—as in the case of the three men behind the Gozi Trojan, who face maximum possible sentences of between 60 and 95 years if convicted in the United States—we should be careful not to move to the other extreme. (Different countries are at different stages of this process, with some still having very short cybercrime sentences.)

Meanwhile, in terms of rehabilitation, some cybercriminals do possess a versatile skill set that can be very valuable for society, and could lead to their own gainful employment doing something they enjoy. But specialists need to investigate further how such reform could work effectively without greater risks of recidivism and without incentivizing cybercrime as an entry point into the IT industry.

Second, education about cybercrime is very important. As national and global societies, we are still learning what the threat is and how best to protect ourselves. The first point all users have to accept is that the Internet is not necessarily a safe place. There are unseen people out there who want to “get us” in a variety of different ways and for different reasons. That should inform the way individuals and organizations conduct themselves. There are no hard and fast rules, but just as people might be guarded when they walk around a rough-looking area at night, users should be looking around themselves online. They should be thinking about where they visit, what they click on, what pops up, what is sent to them, and so on. Users should make sure to lock their doors—in technology terms, by having basic protections like anti-virus software, security updates, firewalls, and strong and diverse passwords—and always approach online activity with a degree of caution.

Users should also be wary of the digital footprint they leave online—what personal information they choose to disclose, and whether they really trust various companies and organizations to protect it. Cybercrime is more than technical vulnerabilities; it’s just as much about leveraging available information against victims through “social engineering” (deceiving someone into revealing private information or performing certain actions). Victims might like to think they are the target of an elite cybercriminal using the latest exploits, but many supposed “hacks” might just be the result of poor password security or someone guessing your mother’s maiden name. The more breadcrumbs users leave around for cybercriminals, the easier their job.

But education is equally important on the perpetrator side. Some face a slippery slope of involvement, moving from borderline criminal activity like software cracking to more serious activities later on. It’s not hard to see why credit card fraud might seem like a game when you started your hacking career creating “cheats” for online games. It is vitally important that younger people are taught about the reality of their actions in the virtual world. It is something that many cybercriminals often realize too late: Their victims are real, as are the consequences of illegal behavior.

One hacker and former cybercriminal I’ve met with, who made a substantial amount of money from identity theft in the 2000s but was later jailed, sees things in a similar way. Now establishing a career in the IT sector, he hopes to one day run a workshop that goes into schools and identifies those who have the “hacking mindset”—the sharpness and intellectual adventurousness that defines hackers (both black and white hat). This hacker’s view was that these youths need to be acknowledged for their unusual talents and taught about the potential positive applications for their abilities. But just as importantly, they need to be warned about the dangerous paths not to go down and the consequences of such actions for their lives and others. Otherwise, they may find their own way forward, just as he did.

Finally, we have to acknowledge the significant economic factors behind a lot of cybercrime and think about how to counteract them. Cybercrime is no longer a “middle class” crime of well-educated and privileged adolescents. As Internet access and usage has become more widespread, there are now cybercriminals from all backgrounds and demographics (though anecdotally speaking a preponderance of males). While economic drivers might not explain the involvement of those from privileged backgrounds (aside from greed), for others the venture is certainly an alternative source of income or career path.

Internationally, cybercrime is a de facto method for less economically developed nations to “outsource” some of their crime to wealthier countries. Not that they are actively promoting this process, but countries with limited economic opportunities produce a lot of crime and a considerable amount of cybercrime (Nigeria being a good example). In Eastern Europe, there is a glut of technical talent being produced, but not always the best job market to support it; cybercrime can become a promising option for those open to criminality. It is a basic supply-and-demand problem.

Of course, there are complex issues of personality, individual backgrounds, and values here too. Economics will never explain everything. At one end of the spectrum, you will always find those who will not turn to crime under difficult circumstances and have clearly determined boundaries, regardless of their financial position. At the other end of the spectrum, there are those who will engage in illegal behavior despite being in a relatively strong economic position.

For those in the middle who are simply seeking financial security, greater investment in IT industries in various countries around the world may help solve part of the problem. Those countries with an established IT industry but an undersupply of relevant skilled labor—Australia being one example—appear to produce far fewer profit-driven cybercriminals than, say, certain Asian countries that have limited tech opportunities for the talent they produce (although there are other factors at work here). One interesting example in this area comes from the leading security journalist and blogger Brian Krebs, who recently spoke with a major cybercriminal in Russia. This man was perturbed by his struggles to employ high-quality coders for his criminal operation. The problem was that the Russian IT sector had recently grown and many of the skilled coders the criminal wanted to employ had taken jobs in legitimate industry. In the end, this cybercriminal even had to seek licit employment himself.

Beyond the Machine

It’s time to take some of the mystery out of cybercrime. We need to acknowledge that cybercriminals are people rather than machines. Once we’ve done this, we will be able to address this key challenge in a much more comprehensive way. Technology can help us a great deal in counteracting the tools of cybercrime, but a tech arms race will only get us so far and ignores some significant pieces of the puzzle.

Some work has already been done in piercing the veil of anonymity that cybercriminals hide behind, but as a global community we need to expand these efforts considerably. A greater emphasis on attribution means greater investment in international law enforcement efforts to arrest kingpins and deter many other cybercriminals who currently operate with little fear of punishment. But we also need to learn much more about cybercriminals, who they are and how they operate, so that governments can develop effective nonpolicing strategies, to work alongside more refined law enforcement and technological responses.

As one senior officer at a major Internet security firm put it to me, even without law enforcement operations, the mere revelation of some cybercriminals’ true identities could have some effect. It would shine a light into the darkness of Internet crime and put perpetrators under pressure in their own countries and when abroad. Without being able to hide behind their electronic masks, maybe a few cybercriminals might start to think about the impact of their actions on their victims, and on themselves.

Jonathan Lusthaus is Director of The Human Cybercriminal Project at the Extra-Legal Governance Institute, University of Oxford. A sociologist by training, his work focuses on the organization of profit-driven cybercrime.
