It is a given that if there is money to be made from illegal activity, organized crime will be a player. So it is no surprise that multiple versions of the mob are active in cybercrime.
But how much of a player the digital mobs are, and whether that has led to a qualitative difference in cybercrime that requires a change in defense strategy is less clear.
To some extent, some difficulty in estimating the penetration of organized crime is inevitable – criminals don’t want to be caught, so they try to avoid scrutiny by law enforcement in particular and the public in general.
But most experts agree that it is a bigger player than it used to be – that the trend in cybercrime is that it is increasingly more organized, in many cases operating much like legitimate businesses, complete with organizational charts, C-level executives and even human resources departments.
A recent paper sponsored by the RAND Corporation’s National Security Research Division, titled “Markets for Cybercrime Tools and Stolen Data,” said the increasing size and complexity of cybercrime black markets is because the hacker market, “once a varied landscape of discrete, ad hoc networks of individuals initially motivated by little more than ego and notoriety, has emerged as a playground of financially driven, highly organized, and sophisticated groups.”
Author and global security strategist Marc Goodman, in a recent interview, said the old image of a hacker was, “17-year-old kids living in their parents’ basements. Today, the average age of a cyber criminal is 35, and 80% of black-hat (e.g., criminal) hackers are affiliated with organized crime.
“In other words, people are choosing this as a profession,” he said. “That’s a radical shift, and it’s led to the creation of increasingly sophisticated criminal organizations that operate with the professionalism, discipline, and structure of legitimate enterprises.”
That 80% figure is a matter of some dispute. Goodman was citing the RAND paper, which included a caveat by noting that another estimate is that only 20% of the cybercrime market is operated by criminal organizations, while 70% is “individuals or small groups.”
But according to Marty Lindner, principal engineer in the CERT division of the Carnegie Mellon University Software Engineering Institute, it doesn’t make all that much difference to the defenders of networks if their attackers are organized criminals or ad hoc freelancers.
“The (good) guys in the trenches don’t really care,” he said. “Organized or not, they’re all using the same tools. That’s one of the more interesting parts of the malicious side of all this – the organized guys buy the same stuff the disorganized guys do.”
Jim Anderson, president of Americas for BAE Systems Applied Intelligence, agrees that the same tools are available to all.
“There are websites where a new thief can essentially buy a ‘starter kit’ that includes malicious code that rookies can use in their first attempts at criminal behavior,” he said.
But he also believes that today there is, “no disorganized digital crime. Because of the way criminals have organized, the threat landscape is ever evolving and more importantly, ever growing,” he said.
He added that part of that evolution is information sharing. “The rate at which information is shared among the criminal element means that an attack at, for example, one bank, could be replicated by multiple bad actors at financial institutions globally within moments,” he said.
Of course, cybercrime has various layers – not all of it is private enterprise. Nation states are generally more interested in political and economic espionage than simply making money – stealing state secrets, intellectual property and the personal information of government employees – the kind of thing seen in the recent hack of the U.S. Office of Personnel Management, which reportedly compromised the information of up to 14 million current and former federal employees. Chinese hackers are the prime suspects.
But for organized crime gangs focused on money, there is little mystery about why they are drawn to cyber – that’s where the money is.
“They recognize it’s much easier and less dangerous than traditional criminal pursuits, such as drug trafficking and prostitution,” said Phil Neray, vice president of Enterprise Security Strategy at Veracode.
And that points to ways that today’s digital mobsters are different from those portrayed in the “Godfather” movies.
Lindner said there is still the potential for violence. “Organized criminals kill off their enemies because they want to make more money,” he said. “If someone gets in their way, bad things will happen.”
But, those bad things tend to be like the massive DDoS attack nearly a decade ago on Blue Security, a software maker that was going to “out” a number of spammers.
A “hit” in that case meant nobody died in a hail of bullets. “It’s a different level of taking them out,” Lindner said.
He added that another difference is that the traditional mob generally needed to co-opt law enforcement to operate freely. “That was local. This is not local,” he said. “In the internet world, there is no fear of law enforcement.”
Still, Anderson warns that just because criminal gangs aren’t killing their competitors or demanding “rent” from local businesses doesn’t mean their activities won’t result in violence.
“There are real concerns about where money is going and what it is funding,” he said. “Various anti-money-laundering statutes for financial institutions are in place to limit the income of terrorist groups.”
How to confront and defend against the organization and sophistication of organized cybercrime is a matter of continuing discussion.
President Obama, in February, issued an executive order on information sharing between the private and public sectors, calling it, “an essential element of cybersecurity.”
Many experts, like Anderson, agree. “Those in law enforcement, security vendors and businesses need to share information about the attacker’s tools, tactics and procedures as quickly as possible and collaborate like our adversaries are doing,” he said.
Lindner also agreed that, “if you share information about bad stuff, you can defend it better.”
But he said the problem is more complex. “Let’s pretend I know that this IP address is bad,” he said. “Now I’m being asked to share it. But if I don’t know who I’m really giving it to and how well they can protect it, I don’t know if it will get exposed.
“I also don’t know if you have the tools to take advantage of what I just gave you. So those are big questions,” he said.
Lindner said other problems need to be addressed first. “Before we worry about sharing, we need to work on best practices and better architecture, to make it difficult for attackers,” he said.
“And we also need to educate the human on the value of information. Younger generations have a different sensitivity to privacy than those of us who are older.”