If the cybercrime economy were a nation it could reasonably ask to replace Russia as a member of the G8, so vast is the plunder from one of the world’s most successful criminal industries. Oh the irony.
Some estimates, such as that by CyberVentures, suggest the global cybercrime ecosystem is already generating well over a trillion dollars with substantial growth in the proceeds of crime anticipated by mid-decade.
And the costs to business and the community are multiples of the revenues generated by the participants when the long term impact of cyber is accounted for.
The constant contest between the company and those who would steal of them has also spawned a seemingly endless technology arms race.
But technology alone is not the answer, according to the chief information security officers of some of Australia’s largest organisations.
Instead, there is a need to also address economic triggers — the incentives and disincentives that motivate and deter criminals who are for the most part driven by a profit motive.
According to Luke Barker, head of cybersecurity ANZ, for telecommunications giant BT, “As long as there's a payoff, crime is not going to go away in the physical world or in the digital world. If you've got valuable items in your home, someone is going to want those items. Unfortunately, that's the society we live in and it's how we've always been. There's no difference in the digital world.”
The better news though, according to ANZ CISO Lynwen Connick, is that increasingly the transaction cost is not always as hard as people might think.
“There's a lot of very basic things that you can do that improve cybersecurity and make it really hard. Most of the cybercriminals are actually exploiting things that people should have fixed, like running end of life systems.”
She told Digital Nation Australia that for organisations that means everything from ensuring systems are properly patched, to keeping backups up to date in case you need to recover from a ransomware attack.
And of course training staff to call out suspicious activity.
For individuals that means ensuring personal devices are properly protected and utilising things like multi-factor authentication. It is important to cover all the basics, she said and then depending on the size of the organisation look at more sophisticated controls.
“Large organisations are often going to be bigger targets. They have the resources to have things like a security operation centre, 24 by seven coverage, advanced endpoint security, those sorts of things.”
By the numbers
Locally, the Australian Cyber Security Centre said self-reported losses from cybercrime totalled more than $33 billion in financial year 20-21 with 67,500 cybercrime reports, up nearly 13 percent from the previous financial year. Fraud, online shopping scams and online banking scams were the top reported cybercrime types last year.
Alarmingly, though about one-quarter of reported cyber security incidents affected entities associated with Australia's critical infrastructure, which also explains why the Federal government has strengthened it legislative framework around critical infrastructure and extended the definition, hoovering up many more organisations into the framework.
Speaking to the Digital Nation Australia Boardroom Impact Session earlier this year, Sarv Girn, a former CIO of institutions such as the reserve back and businesses like Cuscal said it was important for boards to understand their value in the value chain.
“Directors need to think of downstream vendors that supply into your company. So you may not be the primary critical infrastructure per se, as per the old definition, but if you're a transport company, for example, delivering parcels or delivering goods to retailers, then you do become critical infrastructure for the upstream suppliers.”
The criminal ecosystem organisations need to contend with is also becoming more sophisticated as participants increasingly specialise in particular segments of the cybercrime ecosystem which continues to evolve.
According to Scott Jarkoff director of the strategic threat advisory group for Crowdstrike, in the past cybercrime adversaries had to essentially build the entire attack from A to Z. “Over a few years actors showed up on the scene that started developing very specialised tooling.”
As a result of this specialisation, the cybercrime economy started to emerge in a new form.
“It wasn't like it just magically appeared. It wasn't like in the Batman movies where you get all the gangs sitting around a table, in some kind of criminal conspiracy," Jarkoff said.
Instead, participants in the cybercrime economy discovered they had just as much to gain from a clear appreciation of the law of comparative advantage as any other rational economic actor.
Groups like Mummy Spider built best of breed malware downloaders that were used to deploy banking Trojans, said Jarkoff, by way of example.
“Later you had Wizard Spider show up, of course, they were and continue to be one of the most prolific ransomware users and developers out there, but at the time, they started off with trick bot," he said.
“All these different tools started to appear and then then the industry just gravitated towards using those tools."
Rather than adversaries building their own tools, they ran the numbers and figured out it was easier to buy a solution from another provider, or more likely these days, rent it as a service.
These days it is a robust and fully functioning supply chain.
“Now you have different providers that can offer specialities to criminals to fulfil different niches. You have the access brokers who are running operations where they're able to harvest credentials in a, say, in an automated fashion, but more from a manual perspective," he said.
"Then you have other adversaries who are engaging in tool development. It is all essentially automated, where the credentials are being harvested and then sold on the criminal underground.
“One component, access brokers, this area has exploded over the course of the last year, it's become, a vital component in that supply chain, a lot of adversaries are turning to access brokers for that initial access, rather than trying to exploit public-facing vulnerabilities."
Andrew Slavkovic, CyberArk's solutions engineering manager, ANZ meanwhile said, "People are always going to take that path of least resistance.
"The dark web has accelerated a lot of this and, bitcoin has made the payment of those services easier as well. I can go on the dark web and I can actively request that an attacker provide me with credentials for an organisation X or Y. Or I can pay as-a-service now as well.
"I might say, 'Hey, I want to attack organisation X, Y or Z, can you do the reconnaissance part of the attack phase for me and work out what the best zero-day exploit I can use against their public-facing infrastructure'. Then I pay via bitcoin and I've outsourced that first part of the attack chain to someone else."
Suppliers are also open to flexible pricing models, as long as they can get a piece of the action, Slavkovic says.
"They incentivise themselves by asking for a percentage of the reward as well. Some will even provide you with some in goodwill and say, 'Hey, we know work. We will provide you with a couple. Once you're happy with them, then we'll talk about giving you the rest for a cost'."
The motivation of cybercriminals is as old as commerce — maximising reward and minimising risk. And new opportunities for nefarious income continue to emerge.
BT’s Barker says, for instance, that the monetisation of data is increasing.
“Data is becoming more and more valuable. The payoff for cybercrime is becoming more and more valuable. We've seen a significant, increased espionage activity against global law and accounting firms purely based on the information that they hold," he said.
“Cybercrime organisation’s can utilise that information and take legitimate positions in the market, whether that be pre-IPO, or pre-merger and acquisition activity. They get a genuine legitimate payoff for it, purely from insider information. So the cybercriminals are becoming more and more sophisticated, not just in their attack methods, but the reasoning behind what they're trying to do.”
To disincentivise cyber-criminals organisations must increase the transactional cost of the attack.
Governments do this through legislation, through the criminalising of activity and by seizing the assets of those ill-gotten gains. But they are mostly hamstrung by the extraterritorial nature of most organised cybercrime where gangs operate in countries like Russia, China and North Korea beyond reach.
Business on the other hand has three levers it can pull; technology, education and cooperation.
On the technology front, Gartner estimated last year that worldwide spending on information security and risk management technology and services in 2021 would exceed $150.4 billion.
With cyber security now sitting at the top of the risk registry for many global organisations that’s likely to continue growing. But technology while necessary, is also insufficient, as the success of cybercriminals in growing their share of wallet clearly demonstrates.
Education, both of staff and employees is another critical element in driving up the cost of doing business for cybercriminals, and thus tipping the balance between incentive and disincentive.
Indeed many of the CISOs we spoke to participated in the recent Cyber Live for Safer Internet Day.
According to Westpac's group chief information security officer, Richard Johnson, "Driving awareness also plays a significant role and Westpac supports initiatives like Safer Internet Day to help educate Australians about the importance of being cybersafe, as well as focusing on upskilling our people so we can continue to better support and educate our customers and communities."
NAB’s global chief security officer Sandro Bucchianeri told Digital Nation Australia, “[Cybercrime] is a business. And if they find that your business is too difficult to get into, or they spend too much effort and time and energy on trying to get into your environment, they'll move onto the next thing.
“Banking typically runs a highly sophisticated cybersecurity function. At NAB we specifically invest heavily in securing NAB's customers and colleagues. But again, it's a cat and mouse game. Now some days we are up some days we are down. But we do the best we can — and we also don't do it by ourselves."
Collaboration is a critical way that organisations work to disincentivise cybercriminals.
Westpac's Johnson said, “A coordinated and collaborative approach is critical to reducing the impacts of cybercrime, and we continue to work closely with industry peers, government agencies and law enforcement to combat the efforts of fraudsters."
Likewise, NAB’s Bucchianeri said, “We work closely with law enforcement agencies, including the AFP, the Australian Cyber Security Centre, the ACSC and that includes sharing of threat intelligence."
“It's about collaboration. It's about working together. And working toward the greater good.”
The CISOs we interviewed described their work as a team sport, despite the competitive nature of commerce.
According to BT's Barker, "We can't just say 'well, a win for us is if the opposition doesn't kick any goals', but at the moment because that's how we approach it.
"How do we shift that paradigm? How do we win if we’re always on the back foot? How do we as an industry get on the front foot and how do we advance and how do we kick a goal?"
He said, "We can’t hold back the tide because eventually, the dam wall will break.
“How do we collectively as a community go about attributing cybercrime to an individual or an individual organisation, to enable that necessary deterrent, just like we do it in the physical world with crime?”
In BT’s case as a global telecommunications provider, it's in a position to provide law enforcement around the world with data — within reason.
“We see a significant amount of the world's internet traffic traversing our networks at some point every single day. So we can see a lot of these transactions happening," Barker explained.
“We can't exactly go in and stop it, or open up traffic packets and starting spying on people. But what we do is we take the information that we can see around illegitimate traffic, whether it's coming from a particular individual or a particular source, and then pass that information on to Interpol to give them the tools and the information for them to go and make decisions around law enforcement."