In our latest paper, we propose a better way of analysing cybercrime.
Crime has been moving online, like everything else, for the past 25 years, and for the past decade or so it’s accounted for more than half of all property crimes in developed countries. Criminologists have tried to apply their traditional tools and methods to measure and understand it, yet even when these research teams include technologists, it always seems that there’s something missing. The people who phish your bank credentials are just not the same people who used to burgle your house. They have different backgrounds, different skills and different organisation.
We believe a missing factor is entrepreneurship. Cyber-crooks are running tech startups, and face the same problems as other tech entrepreneurs. There are preconditions that create the opportunity. There are barriers to entry to be overcome. There are pathways to scaling up, and bottlenecks that inhibit scaling. There are competitive factors, whether competing crooks or motivated defenders. And finally there may be saturation mechanisms that inhibit growth.
One difference with regular entrepreneurship is the lack of finance: a malware gang can’t raise VC to develop a cool new idea, or cash out by means of an IPO. They have to use their profits not just to pay themselves, but also to invest in new products and services. In effect, cybercrooks are trying to run a tech startup with the financial infrastructure of an ice-cream stall.
We have developed this framework from years of experience dealing with many types of cybercrime, and it appears to prove a useful way of analysing new scams, so we can spot those developments which, like ransomware, are capable of growing into a real problem.
Our paper Silicon Den: Cybercrime is Entrepreneurship will appear at WEIS on Monday.
I wrote about this and presented a talk at a conference on this last year.
https://sec.okta.com/articles/2020/08/crimeops-operational-art-cyber-crime
Also have spoken about it frequently on Twitter.
Oddly, starting and running a “business” on an ice cream stall budget WAS the norm until about 30 years ago… Outside funding and investment is simply a means of jump starting a business. That said, modern infrastructure has lowered the bar for quickly expanding and lowered the risks of failure. If your servers are shut down and seized now, just get a new credit card and spin up again from the Ansible/automation scripts you used the last time and you’re right back in business. You’re not out tens of thousands in hardware costs.
This ease is great for legitimate business… Not so good for those dealing with cyber crime.
And I’m of the opinion that at least SOME cyber crime we’re seeing today does have “VC” funding from nation states using criminal agents to do their dirty work.
The US has such use well documented going back at least to World War II. If the US used that sort of “craft”, is there any reason to think other nations don’t do it now?