At the beginning of the 19th century, piracy was an ongoing threat and an accepted military tactic. By the end of the century, it was taboo, occurring solely off the shores of failed states and minor powers. The practice of hijacking did not vanish entirely, of course; it is flourishing now on the world’s computer networks, costing companies and consumers countless billions of dollars.In a recent item in The Conversation I pointed to research by Levchenko et al arguing that around "95% of spam-advertised pharmaceutical, replica and software products are monetised using merchant services" from a handful of financial institutions such as the Latvijas Pasta Banka, State Bank of Mauritius, St. Kitts & Nevis Anguilla National Bank and Azerigazbank. There is scope for crimping the pirates' sails - and sales!
Cybercrime today seems like a nearly insoluble problem, much like piracy was centuries ago. There are steps, however, that can be taken to curb cybercrime’s growth — and perhaps begin to marginalize the people behind it. Some of the methods used to sideline piracy provide a useful, if incomplete, template for how to get it done.
Shutting down the markets for stolen treasure cut off the pirates’ financial lifeblood; similar pushes could be made against the companies that support online criminals. Piracy was eventually brought to heel when nations took responsibility for what went on within its borders. Based on this precedent, cybercrime will only begin to be curbed when greater authority — and accountability — is exercised over the networks that form the sea on which these modern pirates sail.
In this new campaign, however, private companies, not governments, will have to play the central role, as Harvard’s Tyler Moore and others have suggested. After all, the Internet is not a network of governments; it is mostly an amalgam of businesses that rely almost exclusively on handshake agreements to carry data from one side of the planet to another. The vast majority of the Internet’s infrastructure is in the hands of these 5,000 or so Internet Service Providers (ISPs) and carrier networks, as is the ability to keep crooks off that infrastructure. If this relatively small group can be persuaded to move against online criminals, it will represent an enormous step towards turning these crooks into global pariahs.
The most productive thing ISPs can do to curb crime is put pressure on the companies that support and abet these underground enterprises. Currently, registration companies sell criminals their domain names, like "thief.com". Hosting firms provide the server space and Internet Protocol addresses needed to make malicious content online accessible. But without ISPs, no business, straight or crooked, gets online. A simple statistic underscores the ISPs’ role as a critical intermediary: just ten ISPs account for around 30% of all the spam-spewing machines on the planet.
ISPs are well aware of which hosting companies, for example, are the most friendly to criminals; lists of these firms are published constantly. But, currently, ISPs have little motivation to cut these criminal havens off from the rest of the Internet. There is no penalty for allowing illicit traffic to transit over their networks. If anything, there is a strong incentive for maintaining business-as-usual: the hosting company that caters to crooks also has legitimate customers, and both pay for Internet access. So ISPs often turn a blind eye, even though the worst criminal havens are well-known.
That is where government could help. It could introduce new mechanisms to hold hosting companies liable for the damage done by their criminal clientele. It could allow ISPs to be held liable for their criminal hosts. It could encourage and regulate ISPs to share more information on the threats they find. Government could also encourage more private businesses to come clean when they are victimized. Today, just three in ten organizations surveyed by the security firm McAfee report all of their data breaches. That not only obscures the true scope of cybercrime; it prevents criminals and criminal trends from being caught earlier.
Government can alter that equation by expanding the requirements to report data breaches. It could require its contractors to purchase network security insurance, forcing companies to take these breaches more seriously. And it can pour new resources into and craft new strategies for disrupting criminals’ support networks.
These steps will serve as important signals that America will no longer tolerate thieves and con artists operating on its networks. After all, 20 of the 50 most crime-friendly hosts in the world are American, according to the security researchers at HostExploit.
As the United States gets serious in curbing these criminals, it can ask more from — and work more closely with — other countries. China, for instance, sees itself as the world’s biggest victim of cybercrime, even as it remains a hotbed for illicit activity.
Not coincidentally, China is also only partially connected to the global community of ISPs. Dialogues to bring the Chinese closer into the fold will not only make it easier to marginalize cybercriminals; it will build momentum for broader negotiations on all sorts of Internet security issues.
Shachtman offers 13 recommendations -
1: Begin US-China Talks, Centered around cybercrime (It’s not just the most pressing issue; it’s the one with the most common ground)
2: Draw the Chinese into the larger community of ISPs and network carriers (It should speed the resolution of major network issues — and encourage China to become a more responsible actor on the global network stage)
3: Avoid national retaliation as a cybercrime solution (It is too blunt an instrument for the nuanced issue of cybersecurity; besides, many of the worst criminals set up shop in the United States)
4: Lean on the criminal support networks (Online crooks depend on these businesses. That makes them nodes of pressure and of vulnerability)
5: Motivate ISPs to pressure the criminal ecosystem (They are perfectly placed to interrupt illicit traffic)
6: Hold the worst hosting companies liable for their criminal clients and the worst ISPs liable for their criminal hosts (This will provide financial incentives to turn against the criminals, instead of profiting from their traffic)
7: Encourage ISPs to notify customers of infections (It is easy for the providers to tell which clients have been compromised, and it is better for everyone if those breaches get fixed)
8: Amend the laws to allow ISPs to share attack data (Spotting criminal trends early requires more information)
9: Push companies to expand reporting of network breaches (It is good for consumers; it may shame some firms into shoring up their networks; and it provides more data for cybercrime detection)
10: Require government contractors to carry cybersecurity insurance (It builds the market for insurance, which encourages companies to get more serious about network protection)
11: Expand and improve training for cybercrime specialists in law enforcement ("The FBI is underinvesting in cyberthreats right now in the same way that it underinvested in
counterterrorism in the 1990s")
12: Pursue Civil Strategies to disrupt criminal networks (The crooks move fast – and are often beyond American jurisdiction. Civil courts may be the only way to fracture their support system)
13: Avoid Schemes to strip away internet anonymity; continue to promote freedom of online expression (Corralling cybercrime does not mean curbing our ideals)