Listen to the chatter from top officials, and you’d think that World War III was about to break out on the Internet. The defense secretary is warning about a digital “Pearl Harbor.” Former director of national intelligence Mike McConnell declares that the United States is “fighting a cyber war, and we’re losing.” Every new hack brings more pronouncements of network doom.
The scare talk, however, is misplaced. Yes, we’re facing enormous cybersecurity problems — just look at the high-profile penetrations of such companies as Sony and Lockheed or the millions of Americans whose personal information has been stolen online.
But these aren’t signs of some impending cataclysmic showdown. They’re markers of a rising tide of online crime that, in its own way, could be more dangerous than a cyberwar. According to the British government, online thieves, scammers and industrial spies cost U.K. businesses an estimated $43.5 billion in the past year alone. Crooks-for-hire will infect a thousand computers for $7 — that’s how simple it’s become. Sixty thousand new malicious software variants are detected every day. Forget “Pearl Harbor”; if we’re not careful, the Internet could be in danger of looking like the South Bronx circa 1989 – a place where crooks hold such sway that honest people find it hard to live or work there.
Could there be some online conflict in the future? Maybe. But crooks are draining billions from the legitimate global economy right now. Even the Pentagon’s specialists are worried, noting in their new cybersecurity strategy that “the tools and techniques developed by cyber criminals are increasing in sophistication at an incredible rate.”
Those tools also are becoming easier to use. The latest crimeware makes stealing passwords about as simple as setting up Web pages. One gang, recently arrested, used it to drain $9.5 million in just three months.
More sophisticated are corporate spies, who’ve tricked executives into giving away intellectual property worth billions. Many of these criminals are believed to be state-sponsored — part of a campaign to turn industrial-age economies into information-age ones with our know-how. Sen. Sheldon Whitehouse (D-R.I.), who chaired a classified task force on the subject, called it “the biggest transfer of wealth through theft and piracy in the history of mankind.”
But there are ways to begin stemming this online crime wave. First and foremost: Target the relatively small number of companies that support the criminal underground. There are more than 5,000 Internet service providers around the globe; according to the Organization for Economic Cooperation and Development, half the world’s spam traffic comes from just 50 ISPs. A recent study of mass e-mail campaigns showed that three payment companies processed 95 percent of the money those scams generated. When the Silicon Valley-based McColo hosting company was taken down, worldwide spam dropped 65 percent overnight.
These companies facilitate criminal enterprises, whether knowingly or not. And, unlike the criminals themselves — who hide behind disposable e-mail addresses and encrypted communications — it’s no mystery who these firms are. The independent research group HostExploit, for example, publishes a list of the worst of the worst hosting companies and networks; 20 of the 50 most crime-friendly hosts in the world are American.
Yet Internet service providers and carrier networks that move data across the globe continue to do business with these crooked firms. There’s no economic incentive to do otherwise. After all, the hosting company that caters to crooks also has legitimate customers, and both pay for Internet access.
That’s where the federal government could help. It could introduce new mechanisms to hold hosting companies liable for the damage done by their criminal clientele. It could allow ISPs to be held liable for their criminally connected hosts. It could encourage and regulate ISPs to share more information on the threats they find.
Government could also require more businesses to come clean when they are victimized. Today, just three in 10 organizations surveyed by the security firm McAfee report all of their data breaches. That not only obscures the true scope of cybercrime; it also prevents criminal trends from being identified earlier.
Taking these steps would signal that America will no longer tolerate thieves and con artists on its networks.
As the United States gets serious about cybercrime, it could ask more from — and work more closely with — other countries. China, for instance, sees itself as the biggest victim of cybercrime, even as it remains a hotbed for illicit activity. Not coincidentally, China is also only partly connected to the global community of ISPs. Dialogues to draw the Chinese further into the fold would not only make it easier to marginalize cybercriminals; it also would build momentum for broader negotiations on all sorts of Internet security issues. In other words, tackling today’s cybercrime wave could help stop tomorrow’s cyberwar.
Noah Shachtman is a contributing editor at Wired magazine and a non-resident fellow at the Brookings Institution. His study for Brookings, “Pirates of the ISPs: Tactics for Turning Online Crooks into International Pariahs,” is to be published this week.