2010 Workshop on Cyber Security and Global Affairs & Security Confabulation IV, with a focus on International Cyber Security Governance Including Low Resource Environments - Human Factors, Policy and Technology. The topic of this abstract is related to Workshop item 6, “Cyber crime and other malicious activity.”
The underlying premise of this presentation is that malicious cyber activity is flourishing around the globe because the current efforts against “cyber crime,” spearheaded almost exclusively by law enforcement, are largely reactive in nature and fail to appropriately engage the private sector and non-law enforcement stakeholders in government, in a strategic effort to reduce the frequency, impact, and risk of malicious cyber activity. Significantly, a major part of the global problem is not being addressed – the cost of entry for wrongdoing is as low as the rewards are great, and there are virtually no consequences for malicious cyber activity.
Malicious cyber activity consists of a wide range of activity by a spectrum of bad actors – from hackers, to spammers, to criminals, to terrorists, to those who seek to steal intellectual property for financial gain or advantage, to sophisticated organized criminal groups, to nation states and those who work at their behest. The more sophisticated actors – such as organized criminal groups and nation states (sometimes through surrogates) – can conceal their more sinister activity within the white noise of cyberspace. They are aided by the fact that, too often, the continuum of activity and actors is viewed, and responses framed, in terms of its components rather than holistically and strategically, with an often stove-piped response. Governmental intelligence and defense forces concentrate on the activity by nation states and surrogates, terrorists, and major organized criminal groups.
Cyber crime is an important component of the continuum and is placed under the jurisdiction of law enforcement. Law enforcement looks to the private sector to be a partner who provides timely, but largely one-way, information about suspect activity, and helps to spread the word on awareness of the threat of online criminals. Admittedly, law enforcement is at least partially proactive and strategic; specifically, in its efforts to raise awareness and promote the legal framework and availability of resources to investigate and punish wrongdoers. However, its main function is reactive: to find wrongdoing and punish offenders.
This presentation will emphasize that all of government, not just law enforcement, must partner with the private sector to take the same approach that is recommended to reduce cyber risk in an organization – a people, processes, and technology approach. The purpose of this robust partnership should be to reduce the frequency, impact, and risk of malicious cyber activity. Public and private organizations need to collaborate to identify the most frequent and most significant kinds of malicious activity, including those that pose the greatest risk, and work to identify the most significant players in that activity, and – and this is critical – those who ENABLE that activity. Malicious actors need others – knowing, reckless, negligent, and blind enablers – to facilitate their activity. These enablers can be ISPs, payment processors, shippers, web hosting companies, legitimate front businesses, and many others.
This presentation will recommend that the cyber community learn from one of the most effective public-private collaborations – the effort against child pornography – and apply those lessons to malicious cyber activity. It is not enough to go after the wrongdoers, because they are quite fungible; the enablement fabric must be attacked. Light must be focused on those who enable this malicious activity so there can be accountability. As we get a better handle on the who and the how, we can better identify actions that are necessary to help solve the problem, in addition to trying to punish the wrongdoers.