A life of (cyber) crime

It seems as if cybercrime is in the mainstream media more and more often these days – and with good reason, if not an understanding of what’s actually going on. There are plenty of pundits talking about the threats from: state actors looking for political or commercial advantage; terrorists or non-state actors looking for recruits and funding, or trying to cause damage to national infrastructure; organized criminal groups looking for theft or extortion opportunities and for ways to steal monetizable information; even random individuals (sometimes including your employees) with an ax to grind who don’t like your business for some reason and use social media, “cyberattack as a service” capabilities or privileged access to business data to attack you.

If you’re a first world citizen, aware of the convenience that online services provide, you might be wondering why sophisticated businesses and governments aren’t doing more to address this global crime wave. You might also wonder how much your online information and history of behavior is really vulnerable and what risks you are actually taking when you browse the web or transact online.

Let’s start with the “why isn’t anyone stopping this?” question.

First of all, cybercrime is global, because the mechanism that makes it possible, the Internet, is also global. The standards that make “internetworking” possible also make it possible to commit from anywhere. This means that most (but not all) cybercrime is “extraterritorial” crime- the criminals are not governed by the laws that govern their victims. So even if you complain to local law enforcement (and you should) they may have no way to actually go after the perpetrators, even if they can be identified.

Second of all, the Internet – and the services that have been built on its ubiquity – depend on software. Software is written by humans and humans are fallible. As a result, all software contains “bugs” and some bugs create vulnerabilities. Smart criminals (or the people whom they hire to work for them – more on this in a moment) spend a lot of time and effort finding and then exploiting these vulnerabilities. Because exploiting vulnerabilities is much more profitable than fixing them, there are a lot more people on the exploit side of the table than on the fix (or avoid introducing vulnerabilities in the first place) side. Software has become so complex these days that even if your code is perfect, it’s only a small proportion of the total that’s needed to run the entire internet “stack” – you’re at the mercy of the weakest link, which might be code you have no control over or even access to.

Thirdly, because of the first two factors, cybercrime, even if it’s just financially motivated, is extremely profitable. As a result, cyber criminals, who are well funded, have access to a large pool of talented but amoral software engineers and no need to follow any rules, flourish. No one knows exactly how large the “take” from cybercrime actually is, bit globally it could easily be approaching 1% of global GDP.

Fourthly, good cyber defenses, implemented on a “one business at a time” or “one person at a time” basis is technically complex and expensive. Even if you know what’s involved or can hire someone who does (and there aren’t nearly enough of those) you might look at the annual cost and decide you just can’t afford it. Thus most individuals have poor “cyber hygiene”, take their bad online habits to work and become a threat vector for criminals to attack businesses through, no matter how good the businesses technical defenses might be.

I’ve seen a lot of estimates related to the shortfall in cyber security talent available to businesses. Because this is a complex discipline to master, the general scarcity of STEM-educated and experienced resources doesn’t help. But more worrying is the economic factor – if you’re any good (and live in parts of the world where employment in technical fields is limited) you can make a much better living supporting cybercrime than you can defending against it.

With all these factors, stacking up against us, a pessimist would conclude that we’re going to lose the war against cybercrime. Is there actually anything we can do to turn the balance towards the good guys?

There is, of course, but as is often the case, there’s no easy fix. While we can’t stop using the tactical, one company or person at a time approach – that’s what’s holding the line today – we need a strategy to fix the underlying problems before additional factors, like the Internet of Things and AI-based tools, make things much worse.

We need a program to fundamentally harden the underlying structure of the Internet (without rip and replace) or at least make it resilient to the most common attack vectors. This needs to be a national priority, but equally requires a public/private effort to implement. All the technology needed exists today, it’s just beyond the capabilities of any individual, or business, to go it alone.

We need a platform that educates and protects consumers and is easy enough to use (so that they don’t have to become cybersecurity experts to be safe) and cheap enough to subscribe to (so they can afford it). Over time we can influence consumers’ online habits so they are less vulnerable in the areas where we can’t completely protect them. That can make them better digital employees and reduce the attack surface while they are at work.

Ideally we also need an international framework to go after cybercriminals wherever they may operate from. Personally, I don’t see much hope for this one – but I do think we can get the first two mitigations developed and deployed – and one way to eliminate (or at least limit) cybercrime is to make it unprofitable.

Not easy, but if we want the convenience of an online capability, we may have no choice.

Send your email to