To most, the world of cyber crime exists as a shadowy universe of hoodie-wearing hackers or nation-state gangs pilfering identity data and hawking intellectual property (IP) on the dark web for big bucks. In reality, however, cyber crime has morphed into an economy in its own right, spawning new platforms and illicit marketplaces now generating close to $1.5 trillion in revenues every year.
The evolution of cyber crime from an overt criminal act or specific attack vector to a booming economy was the subject of a study conducted by Dr. Michael McGuire, senior lecturer in Criminology at the University of Surrey, in England. The Web of Profit research, presented at April’s RSA conference, makes a case that cyber crime is now a hyper-connected economy capable of generating and supporting revenue at an unprecedented scale. In fact, McGuire argues that the cyber crime economy is nearly a mirror image of contemporary capitalism, including the rise of disruptive business models built on platforms and a place where data reigns supreme as the commodity currency used for trade.
“Both the legitimate and illegitimate economies come together within an increasingly cyber-criminogenic world—one where the tools and cultures of information crime become blurred and interchangeable with the tools and cultures of an information society and vice versa,” writes McGuire in the 178-page report.
The $1.5 trillion annual revenue figure, equivalent to the 13th highest ranked global GDP, takes into account money made in illicit and illegal online markets ($860 billion), theft of trade secrets and IP ($500 billion), and data trading ($160 billion), among other sources. Because the illegitimate cyber crime economy is increasingly interconnected with legitimate business, McGuire contends companies must radically broaden their perspective in order to rally the right tools and partnerships that will ensure the enterprise is adequately protected.
“Cyber security professionals tend to look at the point of the attack vector, which results in most responses being very limited to a few types of criminality,” he explains. “If we take a more holistic view of how the system is working, we can intervene more effectively.”
One of the more significant themes of McGuire’s research is that cyber crime, following in the footsteps of mainstream business, is shifting to a platform economy mimicking what you see with Facebook or Uber. Those existing platforms, as well as new crimeware platforms serving up everything from hired cyber talent to DIY Criminal-Infrastructure-as-a-Service capabilities, are now the front lines for nefarious activity, with data the coveted asset, McGuire maintains.
Existing online platforms are enabling and supporting crime (whether unwittingly or not) in a variety of ways. They’ve become key targets for data theft and hacks, as witnessed by the Yahoo and Snapchat data breaches; they are fertile ground for malware distribution; they are increasingly used to distribute or sell illegal products and for money laundering; and they have become a resource for connecting criminals with victims, McGuire’s research found. Another interesting parallel with the legitimate economy: McGuire says criminal enterprises are embarking on their own digital transformation journeys, diversifying resources to explore new areas of crime. In fact, McGuire claims cyber crime enterprises are reinvesting up to 20% of their revenue streams back into new efforts to advance criminal activities, a figure he estimates at about $300 billion.
All along the way, data is the centerpiece, requiring C-suite and security professionals to rethink enterprise security protections. “The cyber security attitude towards data is prehistoric,” McGuire contends. “We need a more flexible attitude in understanding what data is and how it can be used so we can design more effective policies and strategies. It’s not just about protecting access to data in a simplistic sense, but a ground up rethinking of what cyber security is doing.”
McGuire’s report makes a number of recommendations to help cyber security professionals revamp strategies to address the new realities of the cyber crime economy. Among them:
- Approach cyber crime more holistically, as a dynamic and evolving field of multiple actors and interdependencies.
- Consider cyber attacks through the lens of economic gain, not just damage or data breaches, which creates a path to different solutions in areas like visualization or scanning and tracking technology.
- Recognize the shift towards platform criminality, including new illegal online markets, which will require new tools for infiltrating and blocking activities.
- Initiate more sensitive policy solutions and invest in software tools that go beyond simple surveillance and monitoring to mitigate corporate IP theft.
- Work closely with financial agencies and law enforcement to identify strategic nodes and weak points within the ecosystem where protections and interventions can be applied.
- Evolve data protection beyond privacy—data needs to be handled like traditional currencies and safeguarded with the requisite restrictions.
The bottom line, McGuire says, is that security professionals need to move beyond firefighting mode to something bigger and more strategic. “We have to move beyond locking up [the enterprise] with keys to thinking about the whole terrain in which crime occurs,” he says. “That’s the most productive way to take cyber security forward.”