Much has been made in the cybersecurity literature of the transition of cybercrime to a service-based economy, with specialised services providing Denial of Service attacks, cash-out services, escrow, forum administration, botnet management, or ransomware configuration to less-skilled users. Despite this acknowledgement of the ‘industrialisation’ of much of the cybercrime economy, the picture of cybercrime painted by law enforcement and media reports is often one of ‘sophisticated’ attacks, highly-skilled offenders, and massive payouts. In fact, as we argue in a recent paper accepted to the Workshop on the Economics of Information Security this year (and covered in KrebsOnSecurity last week), cybercrime-as-a-service relies on a great deal of tedious, low-income, and low-skilled manual administrative work.
Drawing on interviews with providers of booter services (which offer Denial of Service attacks for small amounts of money) and a wide range of scraped data from the Cambridge Cybercrime Centre’s CrimeBB collections of forum and chat channel data (available to interested researchers by request!), we characterise this often-tedious work as a crucial part of contemporary cybercrime economies and the transition of cybercrime to a ‘volume’ crime. Maintaining the infrastructures on which these economies rely is rather different from exploit development or engineering – this work is effectively aspirational (much as low-level drug dealers tend to live with their parents). Much of this work centres around ensuring a smooth user experience for customers, avoiding law enforcement, reacting to bans from hosting companies, and in many cases enforcing the service’s own rules around how it can be used.
Although we set out to look for this ‘boring’ work, and hence it is no surprise that we identified the most boring aspects of cybercrime economies, we argue that drawing these out has some useful implications for policy approaches. First, messaging which frames cybercrime as sophisticated and exciting may be directly counter-productive, glamorising what is in fact largely a tedious, low-skilled endeavour for many of those involved. Instead, we argue that reporting should focus on how low-skilled, unexciting, and poorly-rewarded many of these activities are. Secondly, while the game of ‘whack-a-mole’ is often presented as an ineffective strategy for tackling cybercrime services, in fact the tedious additional work which this creates for already-bored administrators of these services may be useful in pushing them towards burnout (especially as many of them lack the skills to effectively automate their jobs). Interventions could usefully look at further exacerbating the irritating, tedious nature of these admin jobs. This has the advantage of avoiding some of the harms and unintended consequences of more punitive forms of intervention (such as arrests and crackdowns), which can in fact themselves lead to these jobs becoming perceived as more exciting and interesting, increasing the ‘outsider’ status and shared solidarity of these communities which otherwise tend towards being fairly fragmented and internecine.
Finally, this work has potentially broader implications beyond cybercrime. When this article was published last week, Megan Squire (@MeganSquire0), a Professor of Computer Science at Elon University and expert on far-right online extremism, pointed out on Twitter that this is also the case for those running racist online trolling and disinformation campaigns, which similarly rely on a lot of tedious system administration and getting around repeated bans. This may, therefore, point to useful ways for tackling misogynist, racist, and far-right hate campaigns. Anecdotally, this is in fact a fairly well-known tactic within antifascist activism – when I used to go on street protests against neo-nazis in Scotland, an effective strategy was often to block the fascists in (with the police lines between us) so that they were denied any excitement and just had to sit around bored next to their buses.
Our arguments from cybercrime align with this: there are approaches other than traditional enforcement and deterrence to mitigate the scope, scale, and harm of ecrime. Treating it like crime instead of mysterious magic hacking reduces the mystique.
We made this argument explicitly in Garg, V., & Camp, L. J. (2015). Why cybercrime?. ACM SIGCAS Computers and Society, 45(2), 20-28
And argued that there will be crime havens and some of the same approaches might work in V. Garg, L. Jean Camp & N. Husted, “The Smuggling Theory Approach to Organized Digital Crime.” Sixth Annual APWG eCrime Researchers Summit, (San Diego, CA) 8-9 November 2011
And I consider MANRS an example of an approach that aligns with the observation that there will be high-crime low-enforcement equilibria for some companies and jurisdictions.