Comment: The reason why cybercrime shall never cease
Economics, and my own conversations with cyber-security professionals, support Martin Courtney’s argument in this feature from the new issue of E&T that some kind of ‘cyber Armageddon’ is unlikely, despite recent attacks.
For a start, if cyber criminals were to take down the ’system’ as we know it they would be destroying their own market and any future profit. It would be nothing but self-destructive. Big crime, some argue, is rarely much different from business. You have a buyer and a seller. I enjoyed reading ’Narconomics: How to Run a Drug Cartel’ in which Tom Wainwright argues that drug cartel bosses often think in similar ways to CEOs of Fortune 500 companies. So why should it be different in cyber crime, where the rule of the club is: “Never destroy the system that keeps you alive.”
Yes, there have been cyber attacks on energy systems that have caused electricity blackouts and threatened national grids. But from discussing this with cyber-crime experts at the Infosecurity Europe conference a few months ago, it seems the incentive for dozens of private hackers to attack critical infrastructure is very low. This is due to the severe penalties associated with such offences. Some hackers do it for the kicks. Being jailed for many more years than you would be for stealing a financial identity is simply a turnoff, some argue. For the rest — the professionals — there is a big question mark over how much more profitable it is going to be to access the crown jewels of operational technology, geospatial information and ICS that are power suppliers’ core business infrastructure compared to cyber crime within the financial services and healthcare sectors.
It’s hard to see how the first malware-targeting safety systems of critical infrastructure, triton — the first malware that targets safety instrumented systems — can make money out of shutting down industrial processes “when unsafe operating conditions are reached”. While successful exploitation of such systems could lead to serious implications, does it lead to a real payoffs for most hackers?
Part of the reason why cyber crime took off in healthcare in the US was because there was something to gain, largely from a crippling and private reimbursement system. The incentive opened up a new line of credit. Who’d have guessed, in a system that hit $3.65tn in spending last year? Yes, it is undoubtedly a tragedy for patients and whoever pays into the system. But it was largely not because of ‘evil hackers’ that wanted to kill patients. That was not the incentive. It was cash. Will those ongoing attacks take down the system in the future? Unlikely.
The question we need to ask more frequently in cyber security is ‘why?’. For this, it is worthwhile to remember that both players in the game, cyber security and cyber crime, feed off each other. If crime disappears or is limited to geopolitical conflicts (a real threat for the stability of nations), cyber-security firms will not like it — unless they are hired and paid by governments. If cyber crime were to drop to a negligible level, firms could divert funds spent currently on cyber security to other things like equal pay and opportunities as well as training for employees. Simply put: with no cyber crime, a whole sector would be pissed off.
One just has to note the wealth of the number of cyber-security reports that come out every year and the jaw-dropping valuations of cyber-security firms — most of which it’s likely you have never heard of.
Anyway, reports on cyber-security development by governments (not private firms) may calm your nerves a bit. The European Union Agency for Network and Information Security suggests in its 2018 report that, despite increases in phishing/spear-phishing attacks, some hacks seem on their way out, such as consistent year-over-year decline of financial trojans. Nonetheless, the conclusions of such reports are music to the ears of cyber-security companies. Business needs to do this and that — respond to the trend of cyber-attack automation, define processes for CTI knowledge management, develop viable CTI services and similar. Despite the irony, I would suggest that cyber-security firms would not be happy to eradicate cyber crime. It’s their bread and butter. And as unlikely as it is that we will have a cyber armageddon, it is also unlikely that we’ll see cyber crime disappear.
This comment appeared first in an online article published by E&T Magazine
By Techjournalist, an investigative data journalist.
