The way we think about cyber crime gangs is holding us back from truly addressing the harm they cause.
Changing the way we think about cyber criminals will change the way we think about security. There is a tendency to caricature cyber criminals as dodgy dudes in hoodies living in basement apartments. They do harm but almost in spite of themselves (we think).
But cyber crime gangs are, increasingly, well-funded, efficient enterprises with specialized tools and long-term goals that require complex coordination across continents and operatives. They are capitalists running businesses made to support staff and make money. The longer we hang on to the TV movie version of the cyber criminal, the longer we will fail to address the chaos they sow in our businesses and communities.
In his recent article for Security Intelligence, Mike Elgan covers the shifting tactics of cyber crime gangs in 2021. He writes, “They’ve embraced new technologies, exploited new opportunities, delivered new payloads and sought out new targets. Their aim is to maximize the amount of money they can collect through cyber crime.”
Elgan goes on to discuss the many ways that cyber crime gangs increasingly function more like businesses. There is evidence to suggest that many gangs are outstripping state-sponsored groups in terms of the technology they develop. Some are even selling their tech back to state-sponsored groups. Others are hiring native English writers to improve the quality of their phishing messages and social engineering campaigns. And, shockingly, others are engaging in in-person pressure campaigns and espionage tactics, like bribing insiders to deliver malware. (See Tesla.)
If all of this sounds like too much for a couple of non-English-speaking guys in a basement apartment to put together, it is! Instead, it’s useful to consider cyber gangs in the same way that we might study a business competitor. Competitive analysis takes into consideration annual revenue, mergers and partnerships, tech stack, hiring practices, funding sources, and more.
One of the best ways to destabilize a competitor (or an attacker, in this case) is to hit them in the funding source. For cyber crime gangs, their funding is increasingly dependent on ransoms. More than one thought leader is speaking out on how current laws should be changed to discourage ransom payments.
Ciaran Martin, former chief of the UK’s National Cyber Security Centre, warns that paying ransoms is funding “organized crime.” He’s not wrong that these ransoms have made cyber gangs rich. And they aren’t pulling “one last big job” Ocean’s Eleven style. They’re taking the ransom funds and reinvesting them in their organizations. Paying ransoms to terrorists is forbidden in the UK. Martin argues that the government should start a conversation with businesses and insurers about also banning ransoms to cyber gangs.
In Australia, Lynwen Connick, the chief information security officer at ANZ bank, is making similar calls for nonpayment of ransoms. Connick previously led cyber policy and intelligence for the Australian government. She says, “When organisations pay ransoms it gives the perpetrators more funding and more motivation to continue with their attack.” Her bank spends $150 million (AUS) per year on security, working to shift the cost to mitigating risk rather than to paying ransoms.
If cyber crime is going to exist and cost us money as a society, wouldn’t we rather spend it on mitigation like ANZ? Instead, our currently clouded picture of who is perpetrating cyber crimes is allowing criminal gangs to “red team” our government entities, schools, health care systems, banks, and businesses.
When we allow criminals to stress test our system, some companies will get hit and have to pay enormous ransoms. But their competitors or industry equivalents are effectively put on notice and pushed to improve their own systems out of fear. There’s a lot of societal chaos in the short term and likely some real-world harm to individuals. But some businesses will see the writing on the wall and self-select for improvement.
Isn’t there a better way? We need to see cyber crime gangs as the intelligent, competitive, well-funded operators they are. Then we can mobilize the security professionals and government entities needed to maintain security without ransoms, layoffs, fuel and utility interruptions, personal attacks, and general chaos.