I have a rather odd memory from middle school (I think, though, after the past year-and-a-half, what is time, really?). In some magazine that I found either at my grandparents house or in our school library, there was an article from a pair of reformed burglars who were now advising people on how to make their homes more secure. One of them said something to the effect of this: “if it takes me more than about 60 seconds to find a way into your home, I’m probably moving on.” Psychoanalyze me if you wish, but for over two decades now that line has stuck in my head.
Now, there’s several ways to read this, one of which is as a statement about risk vs. reward. There’s a clear risk to being a burglar: if you get caught in the act you might be arrested, injured, or even killed. The reward is a payday: stolen valuables to be pawned off and turned into cash. This particular burglar was saying that a significant part of the calculus around his risk-reward analysis is the amount of time required to find a way in: the longer that time, the more likely you are to be caught and as that likelihood increases, the value of the potential payoff becomes less significant in comparison.
Similarly, there is a risk-reward analysis for bad actors in cyberspace, though in the current cyber crime landscape the risk of externally imposed consequences (like jail time) is very small. Compared to the amount of cyber crime perpetrated each year, the prosecution rate is tiny,
only 3 out of every 1,000 cybercrimes according to Third Way. Partially this is a product of bad reporting (people don’t like admitting they were conned), but an additional factor is that cyber crime makes it fairly trivial to perpetrate your activities across jurisdictional lines, making it harder for law enforcement to track you down. In other words, if you’re a reasonably competent cyber criminal, you have a very good chance of never being caught and standing trial. This is why cyberspace can feel like the wild west at times.
But there’s another kind of risk that exists in anything that resembles a market: the risk of failure. Every business person understands this risk. When you open a restaurant, you know that you are risking your capital on the possibility that the business will flop. The same is true if you are the founder of an internet startup, investing in the stock market, or attempting to make money as a hacker: there is a certain amount of front-end investment of resources (time, money, equipment, etc), and there is a risk that the entire value of that investment can go to zero (or something close to zero) if the venture fails. If that risk of failure becomes too high (for you) in comparison to the potential reward, you are likely to pass on an “opportunity,” just as the burglar I read about would “pass” on a house he couldn’t quickly find a way into.
We can exploit exactly this economic risk-reward calculus to change the nature of the cyber crime ecosystem. Contemporary cyber crime is no longer a game for lone-ranger rebel-geeks, it has evolved into a complex economic ecosystem consisting of “expert” engineers/developers (who produce hacking tools and exploits based on discovered vulnerabilities in target systems), “users” who deploy those tools to break/steal things (depending on the tool and their goals), markets for selling/reselling both the tools and the stolen goods, and infrastructure providers who underpin the whole ecosystem (see
this post for an interesting read on those guys). The “elite” hackers of this community tend to be the developers/engineers, but outside of a few high-value attacks they tend not to be the principle users of the tools they develop. Instead, the majority of cyber crime seems to be perpetrated by relatively lower-skilled individuals who purchase/rent tools from these elite hackers and use them to target a wide array of victims. The connections between these elites and their customers (the majority of the on-the-ground/mass-market “hackers” active out there) are facilitated through a variety of underground markets and forums. This entire ecosystem is essentially a market in the economic sense of the term: a relation between buyers and sellers based on supply and demand. In this case, however, the market resembles a b2b relationship, not a b2c one: the buyers are themselves “in business”, using the tools and services they purchase to pursue their own “hacking” agendas which should theoretically net them a profit. Therefore, the entire ecosystem is, from an economic standpoint, dependent on the success of those lower-skilled “mass-market” hackers who are purchasing the tools/services, using the markets and forums in the largest numbers, and driving the demand for all the work done by the rest of the cyber crime ecosystem.
So what if we could engineer a “demand-shock” to this ecosystem? What if we could make it such that being a lower-skilled mass-market hacker was highly unlikely to be profitable? Or, in the terms of risk-reward analysis, make it such that the risk of economic failure was likely too high in comparison to the potential rewards? In economic modeling, when the demand curve contracts (or shifts left), suppliers find themselves with an excess of material and are forced to cut prices (or let their inventory “rot”). One of two things can happen next. Either (a), this results in a new “market equilibrium” in which suppliers simply live with lower prices and fewer sales (because presumably it’s still profitable for them to do so, just not as profitable). Or (b), the reduced profitability drives some of the suppliers out of business, reducing the available supply. Reduced supply tends to increase prices, but also decrease gross sales volume (because the demand curve will not support the same degree of sales at a higher price). So in the end, a long-term and substantial reduction in demand tends to result in a market equilibrium that reflects a smaller marketplace in terms of gross output with fewer actors (on both the buying and selling side). In the case of the cyber crime ecosystem: if the demand from “mass-market” purchasers of cyber crime tools contracted (because many of them dropped out of the market, let’s say), elite hackers and cyber crime infrastructure providers would find their profits squeezed, too. Eventually, many of these suppliers would then respond by either (a) going out of business themselves or (b) reducing the availability of their products to a smaller number of customers able to pay higher prices so they could maintain profitability. In either case, this means fewer “cybercrime-for-hire” services, fewer hacker forums/marketplaces, fewer exploits being sold by elite hackers to skids, and so on. This doesn’t eliminate cyber crime, by any stretch. But it could substantially reduce it.
To be clear: I’m arguing here for an approach that is motivated more by economics than technology, more by trying to direct market forces than rely on criminal interventions, and that aims not at “perfect” security but at a “better” overall operating environment, giving defenders some much needed breathing room and (hopefully) the upper hand. This approach is not meant to be the “complete” solution to cybersecurity. There is still a need for software patches, intrusion detection, back-ups, encryption, and all the other goodies that go into a cybersecurity program. But what if we could tremendously shift the advantage from attacker to defender by letting market forces work for us, clearing the field of many of our opponents and letting us concentrate on the few “big guns” that remained? That’s what this approach is hoping to accomplish. How do we do that? We target both supply and demand in the b2b criminal underground markets:
-
Targeting Demand: Eliminate much of the “profitability” that goes along with being a mass-market hacker. If you’re much more likely to fail in the hacking business than succeed, many fewer people will try. This will contract the demand for the materials produced by elite hacker devs/engineers and infrastructure providers, hopefully putting many of them out of business (or at least really squeezing their profits).
-
Targeting Supply: Increase the incentives for elite hackers and criminal infrastructure providers to play on the right side of the law. Especially if much of their illicit income from selling their “warez” to mass-market hackers is drying up, recruiting them to be on the good-side helps reduce our opponents and infuse cybersecurity with more skilled workers who understand who they are fighting. From an economic perspective, it also reduces the supply of those materials, which tends to raise the price. Raised prices act as a “gate” for customers, meaning fewer mass-market hackers will be able to afford the services of the remaining suppliers. The result is an overall smaller criminal ecosystem on all sides.