Governments need to take the threat of cybercrime seriously and come up with a holistic cyber security strategy
The number of people using the Internet will soon reach five billion. This trend has forced businesses, governments, and other non-governmental organizations to adopt Internet-based business models. The simple truth is that the developers of these systems prioritize increasing their functionality over improving their security. Regrettably, criminals have also moved their operations online, because cybercrime will soon be more profitable than the global trade of all major illegal drugs combined. Estimates show that cybercrime damages will cost the world $6 trillion annually by 2021. Thus, governments need to take the threat of cybercrime seriously and come up with a holistic cyber security strategy to improve the online safety of their citizens and businesses.
Cybercrime already accounts for more than 50 percent of all crimes in the UK. Computers and networks are attacked by malicious hackers at a rate of one attack every 39 seconds. To make matters worse, 300,000 new malware samples are created every day. Furthermore, it is estimated that the cost of data breaches will increase to $2.1 trillion globally in 2019. More advanced countries are already allocating huge budgets to tackle the societal threat of cybercrime. For instance, the cybersecurity budget in the US is $14.98 billion.
Cyber risk ought to be a top priority if you are in business today. The digital economy requires companies and governments, not just banks, to safeguard a wealth of sensitive information that can make hackers a fortune, ruin both businesses and victims' lives and, in some cases, derail the economy.
It is important to understand that cyber-criminal groups are similar to criminal organizations, with a clear management structure, division of labor, and accretion of proceeds towards the top of the control pyramid. Traditional crime groups have embraced cyber-crime as a new vector for profit. Hierarchically organized cyber-criminal groups operate with structures that are similar to traditional organized crime and with characteristics that would not look out of place in any business in the “white” economy. They have management structures that control expenditure, track profitability, identify opportunities, invest in research and development, and optimize their return on investment. These syndicates are motivated to maximize their economic profit by choosing the targets and attack vectors with the lowest resistance and cost.
Economy of Hacking—Hackonomics
Putting a successful cyber-attack together requires resources. It requires skills, time, people, equipment and some amount of money. Of these, the level of skills and expertise is probably the most critical. Such attacks can be assessed by the level of difficulty, or ‘logistical burden’, needed to carry them out. This estimates the number of people with different levels of skill who need to work together to write the malware code, perform reconnaissance on targets, explore entry points and vulnerabilities, do the social engineering to find someone who will inadvertently provide a way in, implement the attack itself with sufficient proficiency to minimize detection, and fence or launder the proceeds. If one traces back these steps, one can get an approximate estimate of the effort behind the recent ATM heist against Nepali banks.
The logistical burden assesses an index for a cyber attack using notional costing of the personnel with the different skills needed, for certain durations, together with the costs of utilizing equipment and obtaining technology tools. Estimates of total logistical burden make it possible to estimate the total effort required for teams to mount a campaign of cyber attacks, monetized into dollars. Many attacks noticed in Nepal in previous counts fall into a logistical burden index value estimated somewhere in the range of $4,000 - $12,000. These logistical burden index values can be thought of as a notional budgeting cost, without sunk costs or standing commitments and at professional charge-out rates – i.e., what it would cost to hire a team to carry out such an attack in Nepal. This is done simply to benchmark and compare the effort and skill requirement of one type of cybercrime against another, or of one country against another.
This type of analysis identifies the “hackonomics” of carrying out attacks as rational actors seeking a reward from the investment of resources. Some types of threat actors do not have the ‘logistical budget’ (the skills, competencies and resources) to carry out attacks above a certain index value. Some attacks do not provide a good enough return to merit a threat actor investing effort in them.
Overall, in designing security systems and considering how best to manage the threat of cyber security attacks, it is useful to consider the risks and rewards of the attacks from a hacker's point of view. They may very well want to attack you, but they will take a more attractive or easier target if such an alternative is available. They have finite resources, and they are looking to get a return on the effort they invest.
By the principles of deterrence, one does not need to make their task impossible, just not worth their effort: make the risk-return ratio unattractive for them. Most of what is known about hackers leads us to believe they are rational game players.
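The logistical burden index and the deterrence argument above can be worked through as a small cost model. This is an added example, not the authors' own method: the roles, daily charge-out rates, durations, tooling cost, payoff and detection probabilities are all constructed for illustration, and the index is computed as personnel cost plus tooling, as the text describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    """One skill set the campaign needs, costed at a notional professional rate."""
    name: str
    daily_rate_usd: float  # constructed charge-out rate, not a market figure
    days: float

# Constructed team matching the steps listed in the text (malware, recon,
# social engineering, execution, cashing out). Values are illustrative only.
BASELINE_ROLES = [
    Role("malware author", 150.0, 20.0),
    Role("reconnaissance", 100.0, 10.0),
    Role("social engineer", 100.0, 5.0),
    Role("attack operator", 200.0, 3.0),
    Role("cash-out / laundering", 100.0, 5.0),
]
TOOLING_USD = 1000.0  # equipment and technology tools, constructed

def personnel_cost(roles):
    """Notional cost of hiring every role for its duration."""
    return sum(r.daily_rate_usd * r.days for r in roles)

def logistical_burden(roles, tooling_usd):
    """Logistical burden index: personnel plus equipment/tool costs, in dollars."""
    return personnel_cost(roles) + tooling_usd

def expected_return(payoff_usd, burden_usd, p_detect):
    """Rational-actor view: the payoff is only realized if the attack is not
    detected, while the burden is spent regardless of the outcome."""
    return payoff_usd * (1.0 - p_detect) - burden_usd

def worth_attacking(payoff_usd, burden_usd, p_detect):
    """Deterrence succeeds when the expected return is no longer positive."""
    return expected_return(payoff_usd, burden_usd, p_detect) > 0

if __name__ == "__main__":
    payoff = 50_000.0  # constructed value of a successful heist
    base = logistical_burden(BASELINE_ROLES, TOOLING_USD)
    print(f"baseline burden index: ${base:,.0f}, worth attacking at 10% detection:",
          worth_attacking(payoff, base, 0.10))
    # Defender adds controls that both demand one more specialist on the
    # attacker's side and raise the chance of detection (constructed effect).
    hardened = logistical_burden(BASELINE_ROLES + [Role("extra specialist", 200.0, 15.0)],
                                 TOOLING_USD)
    print(f"hardened burden index: ${hardened:,.0f}, worth attacking at 90% detection:",
          worth_attacking(payoff, hardened, 0.90))
```

The baseline team lands at $6,600, inside the $4,000 - $12,000 range the text quotes for Nepal; the hardened case shows that the target need not be made impregnable, only unprofitable.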
To address this risk, we need to play them at their own game by proactively sharing information and working with computer emergency response teams (CERTs) through an “each-one teach-one” campaign. It is important for the Government of Nepal to realize that it alone cannot fight this uphill battle; no government has. Only through active sharing of information can one collectively work towards increasing the “logistical burden index” for hacking and deter international hackers.
Rana is an International Cybersecurity Professional and Shah is a Policy Wonk