Crime on demand

12 Mar 14
An increasingly sophisticated online black market is posing a growing threat to the public sector by offering cybercrime ‘as-a-service’

By John Thornton | 12 March 2014

Smart thinking March 2014

It was both frightening and fascinating as the chief technology officer of a very large security technology company explained the economics of cybercrime and described what he calls ‘cybercrime-as-a-service’. The ‘as a service’ description usually denotes provision of technology solutions to businesses, where the infrastructure and operational arrangements are provided by a third party, allowing purchasing organisations to focus on their core competency, which in this case is ‘crime’.

I was chairing a forum on the impact of cybercrime and cyber espionage on government and public services at Bletchley Park, the Buckinghamshire home of the Second World War codebreakers; a fitting setting for a discussion of these issues.

The speaker showed how easy it is to buy drugs, guns and a range of tools for cybercrime over the internet and have them delivered to a location of your choice, at a time to suit you.

Most surprising was the easy access to an established ‘supply chain’ to support criminal activity. You can, for example, commission research to identify targets and select the tools for the job. Then you can buy individual components, the appropriate toolset or a complete service. You don’t have to be a cyber-expert, he said, and in most cases you don’t need a computer, just a credit card.

Apparently, you can buy a million email addresses for a few hundred dollars and send 30m emails for a few thousand more. To target multiple countries, there are ‘rated’ translation services. Or, you can very cheaply purchase credit card details, with their PIN numbers and balances.

Not surprisingly, there has been a big decline in physical crimes such as bank robberies, while cybercrime has increased at an alarming rate. 

Cybercrime as an industry is getting more and more sophisticated as individual organisations concentrate on niches in the supply chain and technology gives criminals easier ways of hiding and laundering the proceeds, as well as the flexibility to operate from anywhere at any time. As we move into a world of digital-by-default and information sharing, trust and confidence in our systems become ever more important. At the same time, government and the public services will increasingly become targets for cyber-gangs.

There has been a lot of press coverage about criminals and ‘hacktivists’ bringing down banks, companies, government departments and indeed whole governments (Cyber insecurity, Public Finance, p47, November 2013) using what are termed distributed denial-of-service (DDoS) attacks. This is when huge amounts of information are sent to targeted websites simultaneously, causing them to overload and freeze, and making services unavailable to users.

Building a cyber army capable of generating enough traffic to bring down a big organisation would require, you might think, a big investment in time. It might therefore be tempting to think that your organisation is too small or not strategic enough to warrant the effort. Think again. It seems that the ‘as-a-service’ cybercrime market has made it cheap and easy to commission a ‘professional’ DDoS attack. We were shown prices of a few dollars an hour to commission attacks lasting anything from a few hours to a month.

Does your organisation understand its potential exposure to cybercrime and attack? Have you carried out a risk assessment? Do you know what online services must be available 24/7, and which ones you could afford to do without for a few hours? Have you adequately protected your most confidential information assets?


John Thornton is an independent adviser and writer on business transformation, financial management and innovation

This feature was first published in the March edition of Public Finance magazine