INDUSTRIALISED CYBERCRIME
Preventive measures are needed at regulatory and technological levels across industries to enhance risk resilience, writes TAMAS GAIDOSCH
CYBERCRIME is now a mature industry operating on principles much like those of legitimate businesses in pursuit of profit. Combating the proliferation of cybercrime means disrupting a business model that employs easy-to-use tools to generate high profits with low risk.
Long gone are the legendary lone-wolf hackers of the late 1980s, when showing off level 99 computer wizard skills was the main reason to get into other people’s computers.
The shift to profit making, starting in the 1990s, has gradually taken over the hacking scene to create today’s cybercrime industry, with all the attributes of normal businesses, including markets, exchanges, specialist operators, outsourcing service providers, integrated supply chains, and so on.
Several nation-states have used the same technology to develop highly effective cyber weaponry for intelligence gathering, industrial espionage, and disrupting adversaries’ vulnerable infrastructure.
Cybercrime has proliferated even though the supply of highly skilled specialists has not kept pace with the increasing technical sophistication needed to pull off profitable hacks with impunity. Advanced tooling and automation have filled the gap.
Hacking tools have evolved spectacularly over the past two decades. In the 1990s, so-called penetration testing to find vulnerabilities in a computer system was all the rage in the profession.
Most tools available at that time were simple, often custom built, and using them required considerable knowledge in programming, networking protocols, operating system internals, and various other deeply technical subjects. As a result, only a few professionals could find exploitable weaknesses and take advantage of them.
As tools got better and easier to use, less skilled but motivated young people — mockingly called “script kiddies” — started to use them with relative success. Today, launching a phishing operation — that is, the fraudulent practice of sending email that appears to be from a reputable sender to trick people into revealing confidential information — requires only a basic understanding of the concepts, willingness, and some cash. Hacking has become easy to do.
Cyber risk is notoriously difficult to quantify. Loss data are scarce and unreliable, in part because there is little incentive to report cyber losses, especially if the incident does not make headlines or there is no cyber insurance coverage. The rapidly evolving nature of the threats makes historical data less relevant in predicting future losses.
Scenario-based modelling, working out the costs of a well-defined incident affecting certain economies, produces estimates in the tens or hundreds of billions of dollars. Lloyd’s of London estimates losses of US$53.05 billion (RM217.50 billion) for a cloud service outage lasting 2.5 to 3.0 days affecting the advanced economies.
An IMF modelling exercise put the base-case average aggregated annual loss at US$97 billion, with the worst-case scenario in the range of US$250 billion.
Crime in the physical world — with the intent of making money — is generally motivated simply by profit, potentially much higher than for legal business, which criminals view as compensation for the high risk.
In the world of cybercrime, similar or even higher profits are possible with much less risk: less chance of being caught and successfully prosecuted and almost no risk of being shot at. Phishing profitability is estimated in the high hundreds or even over a thousand percentage points.
We can only speculate on the profits made possible by intellectual property theft carried out by the most sophisticated cyber threat actors. The basics, however, are similar: effective tooling and an exceptional risk/reward ratio make a compelling case and ultimately explain the sharp increase in and industrialisation of cybercrime.
Cybercrime gives rise to systemic risk in several industries. While different industries are affected differently, the most exposed is probably the financial sector. A relatively new threat is posed by destruction-motivated attackers.
When seeking to destabilise the financial system, they look at the most promising targets. Financial market infrastructure is the most vulnerable because of its pivotal role in global financial markets.
Given the financial sector’s dependence on a relatively small set of technical systems, knock-on effects from defaults or delays due to successful attacks can be widespread, with potentially systemic effects.
And given the inherent interconnection of financial sector participants, a successful disruption to the payment, clearing, or settlement systems — or stealing confidential information — would result in widespread spillovers and threaten financial stability.
The financial sector has been dependent on information technology (IT) for decades and has a history of maintaining strong IT control environments mandated by regulation. While the financial sector may be most at risk of cyberattack, such attacks also carry a higher risk for cyber criminals, in part because of greater attention from law enforcement (just like old-fashioned bank robberies).
The financial sector also does a better job of supporting law enforcement — for example, by keeping extensive records that are valuable in forensic investigations. Deeper budgets can often lead to effective cybersecurity solutions.
The situation is different in healthcare. Except in the wealthiest nations, the healthcare sector typically does not have the resources necessary for effective cyber defence.
Although also heavily regulated and under strict data protection rules, healthcare has not relied nearly as much on IT as the financial sector, and consequently has not developed a similar culture of strict IT controls. This, too, makes the healthcare sector more susceptible to cyber breaches.
What is most worrisome about this weakness is that, unlike in the financial sector, lives can be lost if, for example, attackers hit computerised life-support systems.
Utilities, especially the power and communication grids, are often cited as the next sectors where large-scale cyberattacks can have severe consequences. In this case, however, the main concern is disruption or infiltration of systems by rival states, either directly or through proxy organisations.
International cooperation in combating and prosecuting cybercrime lags well behind the global nature of the threat. The best way to tackle cybercrime is to attack its business model, which relies on the exceptional risk/reward ratio associated with ineffective prosecution. In this context, the business risk of cybercrime must be raised significantly, but this is possible only with better international cooperation.
The writer, a senior financial sector expert in the IMF’s Monetary and Capital Markets Department, is a cybersecurity professional with more than 20 years’ experience, including probing banking systems to find cyberweaknesses.