Incentives are the critical infrastructure of cybercrime. Robust responses emerge

We could shoot a few people. Leave their bodies in the gazebo beside the alligator pond for their confederates to find. That would certainly be one way of increasing the transactional cost of cybercrime.

National governments have not quite extended their legislative responses into the realm of  lethal force yet, but bringing military assets to a cybercrime knife-fight is clearly on the cards.

• Subscribe to Digital Nation Australia's twice-weekly newsletter
• Case Study: Ransomware fears drove cyber security investments at Flinders University
• Cybercrime ROI slipping as market forces and government intervention start to bite

In a letter to a parliamentary enquiry, the Dutch Minister for foreign affairs Ben Knapen wrote, "If a ransomware attack, whether or not with a financial objective, crosses the threshold of a (manifesting) threat to national security, for example, due to the failure of critical sectors, then the government also has other resources at its disposal."

Quite apart from using its intelligence services to hack the hackers, "...the Netherlands can also respond with the Armed Forces. For example, the Defense Cyber ​​Command can carry out a counter-attack at the end of the day to avert an enemy action or to protect an essential interest of the state."

In fact, as The Record reported last month, it's already happened. "Following a series of attacks carried out by a state-sponsored hacking group known as APT29, the Dutch intelligence service AIVD hacked them back in 2014, with their intrusion allowing AIVD to warn the US State Department of an impending cyber operation."

Ben Wallace the British Secretary of Defence has likewise made clear his government's intention to use its military capabilities to defend against attacks on critical national infrastructure. Indeed a £5 billion digital warfare centre is designed to do just that, although Wallace was more focused on responding to nation-state attacks.

Attacks on critical infrastructure have been building for over a decade but the last twelve months have seen an acceleration in the trend as cybercriminal organisations, some likely with nation-state sponsorship or at least acquiescence, have found rich pickings attacking core industrial and supply chain infrastructure.

Beyond those most traditional human motives — greed and power — accelerating digitalisation, and the merger of information and operational technology have dramatically increased the attack surface.

And until recently, legislative responses across the world have done little to disrupt the incentive structures, although that is now changing, and it seems, a little Keynesian intervention into the cybercrime economy is having the desired effect.

A study by Coveware in the middle of this year revealed; “Ever since the pipeline attacks this spring, we have seen statistical evidence and intelligence showing that ransomware actors are trying to avoid larger targets that may evoke a national political or law enforcement response."

"This shift from ‘Big Game Hunting’ to ‘Mid Game Hunting’ is personified in both the ransom amount statistics but also the victim size demographics from the quarter. "

Participants in the ecosystem within cybercrime are behaving like all rational actors within an economy, responding to incentives, specialising their capabilities and focusing on their comparative advantages.

And the two most significant groups, criminal syndicates and nation-states are increasingly forming coalitions of convenience, although the extent of this cooperation is a matter for debate, according to industry specialists.

According to global risk and insurance business Allianz, ransomware attacks alone have already cost businesses more than $20 billion so far this year. But that's dwarfed by estimates that the damage will grow in a decade's time to $265 billion.

In its report by Allianz Global Corporate and Speciality (AGCS) the authors note, "Ransom demands have rocketed over the past 18 months. According to cyber security firm Palo Alto Networks14, the average extortion demand was $5.3 million in the first half of 2021, a 518 per cent increase on the 2020 average. The highest demand was $50 million, up from $30 million last year, according to the firm."

The actual amount paid to hackers is often much lower, according to AGCS, which says average payments in the first half of 2021 were $US570,000 though this is an 82 per cent increase from 2020.

As Digital Nation Australia reported yesterday, a report by Coveware, which aggregates global ransomware and cyber extortion data, suggests that market forces and more robust responses from national governments are putting pressure on the criminal ecosystem.

A gathering burden

For executives charged with keeping their organisations safe, the complexity of that task becomes more difficult every year as they are forced to ratchet up their part in a seemingly endless technology arms race.

According to Greg Wells, chief information and digital officer for the NSW Government, (pictured below)  “The numbers change, but the sophistication has changed as well. That’s what I think we are seeing. It is happening all the time, and we were getting a lot better at resisting attacks." 

"But sometimes what you see is combinations of things. [In the past] You could have assumed when this was an advanced persistent threat that we knew how to deal with before. But you can’t assume that anymore. All the different threats are evolving into each other. I think it's that sophistication [that means] we really need to have patience and methodically think through as you respond. That's probably the biggest difference, as well as just the increasing number of threats. I mean, it's escalating significantly.”

As the size of the cybercrime ecosystem grows, the threat actors are behaving more like participants in an economy. Specialisation and collaboration between threat actors are increasing, making the cyber threat machine more efficient. But it also creates opportunities to respond with the kinds of legislative levels governments regularly overlay across markets they regulate.

Michael Daniel is the former Special Assistant to US President Obama and Cybersecurity Coordinator on the National Security Council and these days heads the Cyber Threat Alliance as its president and CEO. He told Digital Nation Australia, “When you think about the criminal ecosystem it is more organised and diversified than it was five or six years ago.”

You no longer need to be a highly proficient hacker to be a cybercriminal, Daniel says. “You can actually consume a lot of that as a service. The technical aspects are often outsourced and people specialise.”

One group may specialise only in gaining access to organisations and they then sell that access to another part of the criminal ecosystem which, for instance, specialises in implanting malware.

“So they buy the access, they do the next set of work, and then they sell that to the next criminal group down the supply chain,” he says.

Industrial scale

Daniel describes the cybercrime economy as a very complex and interconnected ecosystem.

“[This] has really changed the nature of cybercrime and made it much more professionalised. It's also allowed to be automated [at an] almost an industrial scale. That also contributes to the explosion of ransomware that we're seeing.”

Ransomware attacks on critical infrastructure over the last 12 months such as those on Colonial Pipeline in the US have amplified the systemic vulnerabilities in the economy. 

And accelerating digitalisation, which has been further supercharged during COVID has compounded the problem. On top of that, the world of information technology and operational technology are merging as the industrial sector becomes more connected.

Curtin University’s Iain Murray, the John Curtin Distinguished Professor at the Curtin School of electrical engineering, computing and mathematics, describes the implications of the change in a tightly networked economy.

“If you're an owner of a supermarket chain and somebody hacks into the grid and shuts down a power grid in your area, your freezers go off, you can't have a security system, your tools don't work. You know, you can't do anything.”

As the pandemic demonstrated, it doesn’t take long for the effects to ripple around the community.

Panic spreads among the community and out to other industries and society starts to shut down, at least for a time, Murray says.

Some of the implications of critical infrastructure attacks are far more personal and potentially deadly, he says.

“If we look at some of the less important critical infrastructures, such as hospitals, every piece of equipment in a modern hospital is connected to the internet. That means there is the possibility that you can get in and control the life support system on a particular patient. You will know who that patient is because that's also part of the connection. I can turn off their life support by hacking it.”

In the world of operational technology, there is a vast array of such threats which until recently went unnoticed.

Culture clash
It's a two-way street.

As the IT sector moves more aggressively into operational technology, the cultural differences between these worlds are exposed. IT tends to focus on availability and privacy. 

If your paycheck is late, that's bad. If your search history is exposed that's potentially embarrassing. But when industrial systems fail, people die. That tends to create a level of fault intolerance that can be challenging for some IT professions.

Cisco's Finn says in the operational technology world the cost of failure is measured in lives as well as dollars.

Now, those same safety systems present a target-rich opportunity for threat actors.
“Safety systems themselves can be used to disrupt the entire industrial control system by sending either a false positive or false negative. They can have catastrophic consequences in these places."

To compound the issue, he says, “The financial impact of disrupting industrial systems is also considerably larger too.”

But as industrial businesses seek to gain the kinds of operating efficiencies and data analytics insights already captured in the commercial world, industry specialists say the security problem will get worse. 

According to Matt Tett, Chair of the Cybersecurity & Network Resilience Workstream for the IOTA, traditionally industrial systems such as SCADA control networks were essentially air-gapped from the rest of the world. “Then people thought instead of paying for these leased lines, and this proprietary technology, let's just put gateways in and connect them to the internet.”

That changed the security outlook dramatically, he says.

“When they were proprietary and offline, they didn't even have a password.“

Digitalisation is also blurring the distinction between commercial and industrial systems. 

Tett says that the trend of connecting operational technologies to the internet is accelerating with IoT.

“A lot of people traditionally think of the internet as being a gateway in your house. You have a residential modem or router which sits in the corner, and that's your internet connection. But now we have cellular, we have 4g, we have 5g. And then there's Bluetooth is considered an Internet of Things technology. You can have an app on your phone, which has Bluetooth your phone is connected via the cellular network. That's part of the IoT ecosystem.”

Another point of intersection is in the world of smart buildings and smart precincts. Attacks are still rare here, but the attack surfaces are increasing, according to Dane Meah CEO of Infotrust, a cyber security specialist firm based in Adelaide. 

Meah told Digital Nation, “We've all read about some of the examples that have occurred globally, such as interruptions to elevator systems, heating and air conditioning systems. Now, admittedly, they are quite rare, and we don't see them on a day to day basis.”

Despite the relative rarity of such issues at the moment the attack surface keeps increasing as we continue to layer in more connected devices, he says. 

While there is a temptation to open everything up and make full use of lots of connected devices, there are times when a more SCADA like environment might be a better bet, he says.

“With a complete separation of that network, you're limiting the attack surface as much as possible, tends to be the more prudent approach.”

A wider net

Many more Australian organisations are getting caught up in the critical infrastructure debate, in part because the government is extending the definitions to include a wider array of sectors.

It is also updating its legislative responses. As iTnews reported last month the Commonwealth government is introducing mandatory ransomware incident reporting for business as part of a suite of legislative reforms to crack down on cybercrime, defining new offences for cyber extortion aimed at criminals that target critical infrastructure criminalising the trade of stolen data and the buying or selling of malware.

It s also extending the definition of critical infrastructure according to Simon Finn, National Cybersecurity advisor, Cisco, "We're expanding it to 11 different sectors, and including things like food and grocery, education, healthcare, transportation, energy, water, and space, all of the things that essentially Australians as a whole and business especially, depends upon."

The rationale is straightforward. "The world is growing more interconnected. We're all dependent upon each other. We've started to see things like supply chain attacks and the massive effects that we can experience from these types of supply chain attacks."

"Those types of attacks have demonstrated that we are all dependent upon [not only] your own supply chains, but we're also part of supply chains to other people."

Universities are another part of the economy now considered critical infrastructure.

According to Kim Valois, chief information security officer of Flinders University, the sector is targeted both for its own resources but also due to its industry connections.

“There’s legislation here in Australia that is mandating and legislating obligations on part of Australian universities as part of critical infrastructure. And for us, that's a real game-changer in terms of how we deal with it.”

Australia’s universities have already been on the receiving end of unwanted attention from both criminal syndicates and nation-states.

Attacks on ANU in 2019 revealed the potential vulnerabilities of the sector and the attractiveness of Universities as a target. In that case, the government believed the attack was initiated at the behest of a nation-state. 

According to Valois, “I'm not sure that everybody realised why ANU was targeted. I think the fact that it was a very well entrenched nation-state attack was significant.”

In early 2020 Valois and a colleague attended an industry threat briefing and realised the need to do things differently to protect the university infrastructure. 

“We heard about what's called the rise of ransomware operators, the big game hunters. Big game hunters refer to criminal gangs and ransomware operators that are out for big attacks, big payouts. They know their job really well, they get into your infrastructure, they are looking to make a big ransom request to get paid out.

Contemporary privateers

While much of the discussion about the cyberthreat ecosystem tends to treat nation-states and criminal syndicates as discrete operators, there is growing evidence of a cross over between them.    

According to Valois, “Your big criminal cybersecurity gangs have got a lot of money. One of the biggest ones was a $3 billion revenue, enterprise last year."

"When you have that much money, you can buy whatever talent you want, pretty much. And in some of these countries, they're hiring talent out of intelligence organisations, defence operators and other types of government agencies.”

When the threat actors are imbued with the resources of multinational enterprise, or the power of a nation-state, the inevitable result is a technology arms race. 

There need to be other responses.

It is critical for governments and companies who want to fight back to better understand the incentive structures that exist so they can respond accordingly, Michael Daniel explains.

“Cybersecurity is fundamentally not just a technological problem. It is also an economic problem, a human behavioural problem and a business problem,” says Daniel.

“We really have to be thinking defender side, how do we actually incentivise companies to invest in cybersecurity? Every company has a private level of interest in investing in cybersecurity, but because of the networked nature of things, and because your risk is my risk, to a certain degree, there's a shared risk there,” he says.

Governments clearly have a role to play, he believes.

“How do you structure you know, your tax code? How do you construct your regulatory framework to encourage investments in cybersecurity?”

It is just as important for governments to look at the disincentives they can develop on the black hat side of the ledger.

“You also want to be looking at all the different ways that you can impose costs on the bad guys, particularly the criminals. It's not just about arresting them, nice as that would be," he says.

Instead, legislators need to think about what are all the different ways they can disrupt the cybercrime economy — by attacking the threat actors' critical infrastructure.

"How can you force them to spend time and money rebuilding regularly? How do you interdict the money flows that are going to them so that it's harder for them to get their money out so their return on any given investment is lower? How do you make it riskier for them to do certain things that they would like to do like travel and things like that?”

Fighting back

The more aggressive posture adopted by governments especially in the US after high profile attacks on critical national infrastructure, such as the Colonial Pipeline hack by Darkside seems to be working.

In its Q3 Report, Coveware describes three ways governments are directly attacking the incentive structures in the cybercrime economy; 

• Attack the revenue earned by ransomware actors. This involves strategies to reduce the percentage of attacks that successfully convert into ransom payments and also limits the size of the average ransom payment. Coveware says organisations that are harder to compromise and have sufficient backups to recover without paying are less susceptible to blackmail. As an example, the company says the Ransom Disclosure Act in the US will require companies to report ransom payments to the federal government as a way of discouraging ransom payments.  
• Drive up the costs incurred by ransomware actors and degrade ROI, which is believed to run at higher than 90 per cent for professional criminal syndicates. There are a range of legislative approaches around the world focused on this such as the National Cryptocurrency Enforcement Team (NCET) in the US which investigates and prosecute criminal misuses of cryptocurrency, European legislation designed to would increase the cost on criminal syndicates of hosting infrastructure. In Australia, the government has released a comprehensive plan involving mandatory reporting, new interagency law enforcement collaboration, new tougher criminal penalties on ransomware actors, as well as resources to help small businesses stay safe.
• Increase the transactional cost to the cybercriminal of getting caught. Ransomware attacks are regarded as low-risk endeavours since arrests and retribution are rare, according to Coveware. It notes that the White House National Security Council convened the Counter-Ransomware Initiative, a 30 nation summit to better connect international law enforcement agency collaboration on disrupting ransomware operations. The plan is to also apply geopolitical pressure on states that condone or protect ransomware actors will increase the risk of ransomware operations residing in those geographies. 

And then of course, there's the Dutch solution. Terminate, with extreme prejudice.