Proposal: Putting Cyber Criminals Out of Business

Using Market Economics to Level the Playing Field

I have a rather odd memory from middle school (I think, though, after the past year-and-a-half, what is time, really?). In some magazine that I found either at my grandparents house or in our school library, there was an article from a pair of reformed burglars who were now advising people on how to make their homes more secure. One of them said something to the effect of this: “if it takes me more than about 60 seconds to find a way into your home, I’m probably moving on.” Psychoanalyze me if you wish, but for over two decades now that line has stuck in my head.

Now, there’s several ways to read this, one of which is as a statement about risk vs. reward. There’s a clear risk to being a burglar: if you get caught in the act you might be arrested, injured, or even killed. The reward is a payday: stolen valuables to be pawned off and turned into cash. This particular burglar was saying that a significant part of the calculus around his risk-reward analysis is the amount of time required to find a way in: the longer that time, the more likely you are to be caught and as that likelihood increases, the value of the potential payoff becomes less significant in comparison.

Similarly, there is a risk-reward analysis for bad actors in cyberspace, though in the current cyber crime landscape the risk of externally imposed consequences (like jail time) is very small. Compared to the amount of cyber crime perpetrated each year, the prosecution rate is tiny, only 3 out of every 1,000 cybercrimes according to Third Way. Partially this is a product of bad reporting (people don’t like admitting they were conned), but an additional factor is that cyber crime makes it fairly trivial to perpetrate your activities across jurisdictional lines, making it harder for law enforcement to track you down. In other words, if you’re a reasonably competent cyber criminal, you have a very good chance of never being caught and standing trial. This is why cyberspace can feel like the wild west at times.

But there’s another kind of risk that exists in anything that resembles a market: the risk of failure. Every business person understands this risk. When you open a restaurant, you know that you are risking your capital on the possibility that the business will flop. The same is true if you are the founder of an internet startup, investing in the stock market, or attempting to make money as a hacker: there is a certain amount of front-end investment of resources (time, money, equipment, etc), and there is a risk that the entire value of that investment can go to zero (or something close to zero) if the venture fails. If that risk of failure becomes too high (for you) in comparison to the potential reward, you are likely to pass on an “opportunity,” just as the burglar I read about would “pass” on a house he couldn’t quickly find a way into.

We can exploit exactly this economic risk-reward calculus to change the nature of the cyber crime ecosystem. Contemporary cyber crime is no longer a game for lone-ranger rebel-geeks, it has evolved into a complex economic ecosystem consisting of “expert” engineers/developers (who produce hacking tools and exploits based on discovered vulnerabilities in target systems), “users” who deploy those tools to break/steal things (depending on the tool and their goals), markets for selling/reselling both the tools and the stolen goods, and infrastructure providers who underpin the whole ecosystem (see this post for an interesting read on those guys). The “elite” hackers of this community tend to be the developers/engineers, but outside of a few high-value attacks they tend not to be the principle users of the tools they develop. Instead, the majority of cyber crime seems to be perpetrated by relatively lower-skilled individuals who purchase/rent tools from these elite hackers and use them to target a wide array of victims. The connections between these elites and their customers (the majority of the on-the-ground/mass-market “hackers” active out there) are facilitated through a variety of underground markets and forums. This entire ecosystem is essentially a market in the economic sense of the term: a relation between buyers and sellers based on supply and demand. In this case, however, the market resembles a b2b relationship, not a b2c one: the buyers are themselves “in business”, using the tools and services they purchase to pursue their own “hacking” agendas which should theoretically net them a profit. Therefore, the entire ecosystem is, from an economic standpoint, dependent on the success of those lower-skilled “mass-market” hackers who are purchasing the tools/services, using the markets and forums in the largest numbers, and driving the demand for all the work done by the rest of the cyber crime ecosystem.

So what if we could engineer a “demand-shock” to this ecosystem? What if we could make it such that being a lower-skilled mass-market hacker was highly unlikely to be profitable? Or, in the terms of risk-reward analysis, make it such that the risk of economic failure was likely too high in comparison to the potential rewards? In economic modeling, when the demand curve contracts (or shifts left), suppliers find themselves with an excess of material and are forced to cut prices (or let their inventory “rot”). One of two things can happen next. Either (a), this results in a new “market equilibrium” in which suppliers simply live with lower prices and fewer sales (because presumably it’s still profitable for them to do so, just not as profitable). Or (b), the reduced profitability drives some of the suppliers out of business, reducing the available supply. Reduced supply tends to increase prices, but also decrease gross sales volume (because the demand curve will not support the same degree of sales at a higher price). So in the end, a long-term and substantial reduction in demand tends to result in a market equilibrium that reflects a smaller marketplace in terms of gross output with fewer actors (on both the buying and selling side). In the case of the cyber crime ecosystem: if the demand from “mass-market” purchasers of cyber crime tools contracted (because many of them dropped out of the market, let’s say), elite hackers and cyber crime infrastructure providers would find their profits squeezed, too. Eventually, many of these suppliers would then respond by either (a) going out of business themselves or (b) reducing the availability of their products to a smaller number of customers able to pay higher prices so they could maintain profitability. In either case, this means fewer “cybercrime-for-hire” services, fewer hacker forums/marketplaces, fewer exploits being sold by elite hackers to skids, and so on. This doesn’t eliminate cyber crime, by any stretch. But it could substantially reduce it.

To be clear: I’m arguing here for an approach that is motivated more by economics than technology, more by trying to direct market forces than rely on criminal interventions, and that aims not at “perfect” security but at a “better” overall operating environment, giving defenders some much needed breathing room and (hopefully) the upper hand. This approach is not meant to be the “complete” solution to cybersecurity. There is still a need for software patches, intrusion detection, back-ups, encryption, and all the other goodies that go into a cybersecurity program. But what if we could tremendously shift the advantage from attacker to defender by letting market forces work for us, clearing the field of many of our opponents and letting us concentrate on the few “big guns” that remained? That’s what this approach is hoping to accomplish. How do we do that? We target both supply and demand in the b2b criminal underground markets:

The first step of this approach is aimed at dramatically reducing or eliminating the methods for converting whatever successes mass-market hackers have into cash. What follows are a couple of ideas of ways to dramatically reduce the value proposition behind some of the more popular “specialties” in cyber crime. None of these methods are foolproof. However, if implemented widely enough they may crush the profit margins of many cyber criminals. It’s the equivalent of a burglar discovering that all the shiny jewelry they stole from a house are worthless when they take them to the pawn shop: that night’s thieving was a totally wasted effort. Too many nights like that and our burglar is going to realize this isn’t paying off and do something else. Too many hacks that turn out to have little or no payout and our cyber criminals are going to do the same.

One of the earliest, and still most prevalent and infamous, forms of cyber crime is stealing credit card and other payment info. Stolen cards and account info (name, address, etc) can be sold for a couple bucks each. That doesn’t sound like a lot, but when you realize that corporate breaches often involve at least 20,000 accounts (and can number in the hundreds of thousands or even millions), then $2 a pop adds up fast. For example, the infamous Target breach in 2013 included up to 70 million accounts. At $2/each, the value of that data haul was up to $140 million. Not a bad payday for somebody.

But what if most of those cards were worthless to a potential buyer? What if most of those cards, even if they came with accurate names and addresses for their owners, could never be used outside of the merchant they were stolen from or required also stealing a physical device to use them? And what if it was impossible to know by looking at a list which cards were good and which ones were worthless? The value of stolen lists would plummet. Suddenly, instead of needing to steal 50,000 accounts to make a six figure salary (the equivalent of 2-3 corporate breaches a year), you might need to steal 3-4 times that number for the same pay. That’s a big change that could really drive a lot of cyber criminals out of business.

How cold this happen? Some of the tools already exist. For example, the “privacy.com” service will let you generate one-time or merchant-specific card numbers that route back to them, and then through them to your real card. That means that the card sitting in a corporate database is either tied to that business (and can’t be used anywhere else) or to that transaction (and is unusable for any other transactions), providing a sort of automatic protection for users against card theft and throwing a monkey wrench in the system for card thieves. Similar offerings exist from services like mySudo. Another approach is that taken by Apple Pay, which generates a device account number for each of the cards in it’s wallet. That account number cannot be used without the phone/device associated with it, so again, the card numbers are worthless if stolen unless the crook also happens to have stolen your phone (highly unlikely for a volume theft scheme like a database breach). If protections like these became the standard/norm across the payment industry for online transactions, stealing credit cards would become a much less profitable business, and the decline in criminal actors engaged in this type of crime would result in significant ripple effects throughout the cyber crime ecosystem.

Two Factor or Multi-Factor Authentication (2FA or MFA) has long been touted as one of the most basic and effective measures of cybersecurity for protecting individual accounts. Though there are workarounds that can break or bypass MFA, they require a certain level of additional work and sophistication that puts them out of the reach of the majority of cyber criminals. So from the perspective of identity and access management, MFA is a great way to make sure that almost no-one except your intended user can log into a given account.

That’s a great technical control, but it’s not the only benefit of MFA. In our economic approach to security, MFA also functions similarly to the payment account protections we discussed above: “Credential Harvesting” is a niche in the hacker economy, but if the purchased credentials can’t actually be used by the vast majority of buyers the value of stolen credentials will plummet, cutting the profit margins of harvesters and driving many of them out of business. By making MFA the default, we won’t solve all problems of account take-overs or intrusions. But we might dramatically shift the underground market that exists for stolen credentials, with benefits accruing to everyone whose credentials stand to be stolen.

A similar argument can be made about the value of “unique passwords” for different accounts (and, correspondingly, the use of password managers to generate and store those unique values). This isn’t quite as effective as MFA, but it does cut down on the value of password lists/dictionaries that hackers might buy because the likelihood of getting another hit from the same password drops substantially.

These approaches aren’t the only ones that could be used to stymie cyber criminals, but they illustrate the basic idea: by undermining the value of a major cyber commodity in the criminal underground, we stand to reap major benefits through the force of the “market” alone. These aren’t silver bullet solutions that will fix everything, but they may be interventions that drive significant change. For example:

Stage two in the economic plan for fighting cyber crime is to target the criminal “providers”: the more elite hackers who tend to develop the tools/exploits used by mass-market hackers and the infrastructure providers who underpin the whole system. The basic idea here is this: improving the appeal of being “legal”, especially after decreasing the appeal (though reduced demand/cash-flow using the above interventions), will lure at least some of these criminals out of the underworld and onto the side of the defenders. The larger the migration, the better for everyone. Again, this isn’t a silver bullet solution that totally eliminates cyber crime. But it can move the needle for us and give us the breathing room necessary to focus on the attackers who remain.

To do this, we need to be basing our strategies on data gleaned from the underground world:

The effect of these interventions targets the supply side of the underground market. If tool makers become more scarce, tools will, too. The ones that remain will become more expensive (because there will be a shortage of options). The increased price will decrease the overall volume of sales (because fewer buyers can afford them). The overall decrease in front-line sales will benefit the rest of us, as it will mean fewer run-of-the-mill attackers using these tools to target victims (ie, us).

For an economic approach to security to be effective, it has to be widely adopted. MFA and single-use account numbers will only result in a substantial reduction in the value of stolen credentials/cards if a large majority of credentials/cards are so protected. Incentives to join the ranks of the defenders will only be truly enticing if “competitive” pricing for bug bounties/pen testing/systems administration is the norm, not the exception. In some cases, this may require policy intervention (such as the forthcoming mandate on MFA for federal contractors, which we can hope will extend to the consumer/non-federal facing sides of those same contractors’ businesses, too). In other cases, market forces might be a substantial help (such as Bank of America’s recent announcement that they will allow Yubikey as a second factor for their account holders, which may drive other banks to improve their MFA offerings as well). Even after the sort of interventions proposed here are adopted, cyber crime will not go away. We’ll still need to pay attention to all of the security fundamentals and worry about new exploits from “elite” actors. But if the ranks of the run-of-the-mill criminal underworld are substantially cleared out by market forces that make those roles much more difficult to succeed in, then we will see the advantage shift substantially towards defenders. From this firmer footing, more effective interventions targeting the remaining actors can be designed. These might include regulations for cryptocurrencies (making them a much less reliable way to move/launder funds), targeted take-downs/arrests, and more. The efficacy of such steps will become much more clear once some of the noise of the heal-biting mass-market skids is cleared away. To get there, though, we all have to row together.