By Mark Galeotti
Computer crime could soon pose a greater threat to world security than terrorism
Everyone agrees that cybercrime is a problem. There is a huge cost to the global economy: an estimated $388 billion last year, with this year's tally expected to be substantially higher.
Leon Panetta, the US Defence Secretary, warns of a 'cyber-Pearl Harbor' and Robert Mueller, the FBI Director, says that while terrorism remains the Bureau's top priority for the moment, 'in the not-too-distant future we anticipate that the cyber threat will pose the greatest threat to our country'. Britain's National Security Strategy ranks cyber attacks by other states and large scale cyber crime as a priority alongside 'international terrorism' and a 'military crisis between states'.
On the other hand, it sometimes can feel as if it is considered akin to the rain. People are advised to wear raincoats and carry umbrellas, to stay indoors if the clouds are grey, to patch holes in their roofs. But there is no thought that the downpour can be averted; it instead becomes the personal responsibility of all to look after themselves.
To an extent, this makes sense. Accor-ding to the 2012 Norton Cybercrime Report, 556 million people around the world fall victim to cybercrime each year, but this is often the result of human ignorance or laziness. Proper precautions would have averted the risk.
Beyond the simple issue of having the right defences, there is a wider and much more problematic question. To what extent is the security of cyberspace compromised by a dangerous combination of criminals and states?
If one considers such major attacks as have taken place, from the use of the Stuxnet worm to damage Iran's nuclear programme to the use of distributed denial-of-service (DDoS) attacks to harass the Georgian government in cyberspace during the 2008 Russian invasion, one point becomes clear. In most of these cases, states played a key role, whether as initiators or at least indulgent hosts. Alongside government and corporate information warfare specialists are whole subcultures of hackers, hacktivists and script kiddies, who simply use off-the-shelf hacking tools devised by others, and professional computer criminals. Many have been recognized by their government counterparts as a potential source of innovation, online presence and deniability. This nexus between cybercriminals, cyberterrorists and cyberwarriors represents one of the unspoken but unavoidable challenges to controlling the problem.
In many states, corruption and a simple lack of resources, which prevents the police and courts from developing a proper capacity to deal with cybercrime, helps grant the criminals virtual immunity. This is often compounded by a reluctance to police crimes committed abroad. Brazil, for example, has seen an explosion in cybercrime to which the police have devoted little attention, preferring to conc-entrate on countering urban gang crime.
In Nigeria, long the source of many advance-fee fraud '419 scheme' emails, the problem is a combination of police under-funding and high levels of corruption within the state apparatus and judiciary.
Elsewhere, there is evidence of a more symbiotic relationship. For example, the attacks on Estonian and Georgian internet infrastructure in 2007 and 2008 respectively appear to have been carried out by individual hackers, but encouraged and even 'armed' by the Russian government, possibly working through a shadowy criminal group based in St Petersburg.
In some cases, the attacks were co-ordinated by mercenary 'bot herders' controlling networks of secretly infected computers. In others, the attacks were launched by individuals using attack scripts distributed through Russian discussion groups, complete with full instructions and a list of potential target websites.
Moscow denies any role, even though its information warfare doctrine envisages the use of internet attacks in parallel with political and military actions. It is hard, therefore, not to conclude that the Kremlin sponsored a campaign by a wide coalition of individuals and marshalled by cybercriminals who appear to have enjoyed considerable official indulgence, perhaps reflecting a willingness sometimes to do the Kremlin's bidding.
Often, though, state-sanctioned or state-initiated cyberattacks are economically motivated. In June, Jonathan Evans, the director-general of MI5, spoke of an 'astonishing' problem of state-sponsored cybercrime involving 'industrial-scale processes involving many thousands of people'. Such attacks are often directed against commercial institutions, gathering intelligence or simply raising revenue. Evans noted a 'major London-listed company' that estimated it had lost 'some £800 million as a result of hostile state cyber attack -- not just through intellectual property loss but also from commercial disadvantage in contractual negotiations'.
In countries where officials are also often entrepreneurs and where the state is a major player in the commercial economy, the lines between cybercrime and cyber-espionage can quickly blur. China is a classic case. Beijing has not only extensive intrusion and espionage capacities within its military and intelligence structures, it also draws on large numbers of individual hackers and corporate computer professionals as a 'cybermilitia' to launch attacks on foreign targets. It is often difficult to distinguish between attacks initiated by the state and those essentially for private gain.
Such fuzzy conceptual and practical boundaries are a common characteristic of the virtual world. By the same token, there are no sharp divisions between havens and targets. Indeed, many countries are both. China and Russia both note that their own companies, citizens and systems are hacked. However, sometimes definitions of crime vary. A campaign against hackers in China this year saw 10,000 suspects detained, but a substantial minority were actually anti-government activists.
While the problem of state collusion with cybercriminals is a difficult one to address, there are some grounds for optimism. Countries may come to realise that the political and economic costs of offering cybercriminals safe haven outweigh the benefits. Sometimes this is essentially cosmetic. St Petersburg was for a long time the base for the Russian Business Network, a gang specializing in providing secure sites, tools and communications for other criminals.
It enjoyed apparent impunity and it is widely believed within foreign security agencies that this was in part because of occasional services it provided the government. As pressure on Moscow grew, at the end of 2007, it disappeared from public view. The figures behind it appear to have continued their operations, though, but no longer as blatantly and through servers in Asia. On the other hand, as the Chinese economy continues to develop, it is becoming an increasingly tempting target in its own right. The number of attacks on Chinese e-commerce and banking sites in particular is rising dramatically. According to the Anti-Phishing Working Group, 70 per cent of the world's maliciously registered domain names were set up by Chinese cybercriminals to use against Chinese targets.
The result has been a debate in government circles as to how to reconcile a strategy of encouraging 'patriotic' hackers with the growing costs of domestic cybercrime. Likewise, the cost of cybercrime to the national economy is an increasingly hotly debated topic in Nigeria: some $200 mill-ion a year according to the Commonwealth Telecommunications Organisation. This may help to explain why pressure is growing for the country to introduce new cybercrime laws.
It is also clear that even countries committed to the rule of law are willing to exploit cyberspace. Many states, after all, are developing not just countermeasures to cyberattacks, but also their own capacity to launch them.
The United States Cyber Command (UScybercom) was established in 2009, NATO adopted a new Cyber Defence
Policy and Action Plan in 2011 and governments from France to Taiwan have been implicated in operations in cyberspace that seem to be more for economic advantage than anything else. Of course, there is a difference between states turning a blind eye to criminals and using criminal methods abroad in pursuit of national security. But in the virtual world, it is harder to maintain clear distinctions between the two and also between what is happening externally and what then takes place at home.
The liberal treatment of Russia's hackers, after all, has contributed to the rise of a service industry offering cybercrime tools and services at bargain-basement prices to anyone. According to a report from Trend Micro, it costs only $162 to get a Gmail account hacked, $350 to get a Trojan horse spy programme allowing someone to monitor another's computer activity remotely. By the same token, Washington has admitted that it and Israel were behind the Stuxnet attack on Iran. In the process, it could be argued that they have established a precedent that may just as easily be turned against them.
Mark Galeotti is Professor of Global Affairs at New York University's SCPS Centre for Global Affairs