NILS GILMAN is the Director of Research at Monitor 360. He focuses on matters related to transnational governance, globalization, black market economies, climate change, and other nontraditional security threats. For more information about this report, please send an email to info@monitor-360.com. Adapted from an article in Engineering and Technology Magazine, 2009.
From a sad hobby of lonely social dropouts, hacking has turned into a multi-billion-dollar industry and a real threat to global security.
Say the word 'hacker' and the image that jumps to mind is of a pimply teenager, sitting by himself in the basement of his parents' home, picking his nose and writing a 'Love Bug' virus. The 'hacker' stereotype is one of an anti-social technophile, motivated by mischief and malice. But while this particular cap may once have fit a sizeable proportion of virus writers, today it simply does not. These days, millions of people are participating in a globalised hacker culture that has evolved from a narrow subculture of alphanerds into a highly collaborative 'industry', increasingly populated by seasoned professionals, many of whom are not even technologists. This industry is enormous. Cybersecurity professionals and the US Federal Bureau of Investigation estimate that the global hacker criminal economy is currently worth at least $10bn annually, causes perhaps $100bn in annual damage, and sports an up to 30 per cent growth rate. With these kinds of profits at stake, hackers are increasingly disciplined and profit-motivated.
Cyberwarriors
What's driving the growth and transformation of the hacker industry? In a word: globalisation - albeit of a deviant sort. Ten years ago, the Internet was an almost exclusively American domain, and computer skills were concentrated in the high-connectivity countries with well-educated populations. Since then, Internet access has exploded - with over a billion users now online - while technical skills have proliferated across middle- and low-income countries. Economic opportunities commensurate with this connectivity and these skills have not kept up, however. In many countries, above all in the former Soviet bloc, skilled programmers can make more money developing malicious software (top earners garner hundreds of thousands of US dollars annually) than they can working in the legal local software industry. The push by many governments and NGOs to bridge the 'digital divide' has, ironically, exacerbated the problem: without legitimate outlets for the technically skilled, a programme like 'One Laptop Per Child' translates all too easily into a "hacker in every home." The motive and opportunity to hack have thus expanded exponentially, and as the barriers to entry have fallen, the hackers have responded by going pro. As security vendor Finjan concludes, "Profit-driven cybercrime has evolved into a booming cybercrime business, operating in a major shadow economy that closely mimics the real business world." Even more ominously, in some countries, these hackers also represent an emergent reserve army of asymmetric cyberwarriors - a force whose potential is only now dawning. The professionalisation of the hacker industry has been defined by a rapidly expanding range of products and services, designed to increase profit margins and reduce operational risks. As compared with five years ago, the hacker industry now offers a radically different mix of exploits, delivered not just as products but also as services.
Innovation cycles within the hacker industry, moreover, appear to be accelerating. Self-propagated worms and hard-drive munching viruses - the dominant computer security concerns of the late 1990s and early 2000s - have given way to intellectual property and identity theft, spamming, phishing, and denial of service (DoS) attacks. What distinguishes the new generation of malware from the older generation of worms and viruses is that they are all designed to be useful as tools for generating revenue. This shift has been facilitated by the creation of 'botnets' - collections of compromised computers - which are deployable not just for a variety of profitable purposes, but also as a tool of cyberwarfare.
In the future, commercialisation of crimeware may get to the point where criminals will simply get the feed of data from victims that interest them - perhaps completely unaware of the means by which the data is being obtained. The result is that it is increasingly difficult to delineate who counts as part of the hacker 'community'.
Global operations
In the 1980s and 1990s, hackers were typically 'lone gunmen', or worked in small teams where the skill level was fairly uniform. While such individualist hackers still exist, today the vast majority of cyberattacks involve complex teams of people with functionally differentiated skill sets. With the amount of money at stake, the management of the hacker industry has become increasingly sophisticated. As one security professional at a large bank put it recently, hacker organisations are better run and managed than many others: "They're properly funded, they have a clear goal, they're performance driven, focused on a single mission. It's like an MBA case study of success." As in the legitimate software industry, the hacker industry consists not just of engineers, but also includes people with a variety of specialised skills, offering differentiated services - marketers, sales people, tech support, and so on. As often as not, it is non-techies who will use the stolen identities, credit cards, or bank accounts to purchase goods, withdraw money from bank accounts and launder it. These 'downstream' activities, crucial to the operations of the hacker industry, entail traditional criminal rather than technical hacking skills. However, seen globally, the structure of the hacker organisation is distinct from its legitimate software industry counterpart. The majority of teams in the global hacker industry appear to operate in a less hierarchical fashion, with the functional roles brought together via a network of independent contractors. This networked managerial model reflects the burgeoning cross-border nature of the global hacker industry. In fact, attacks that cross physical borders are today the norm rather than the exception. 
As the Organisation for Economic Cooperation and Development notes, "While a certain amount of crime is always 'local', the vast majority of online crime crosses jurisdictional boundaries and international borders, thus reducing the criminals' risk of identification and prosecution. Rarely is the attacker located in the same geographic region as the attacking hosts."
In April and May 2007 a series of major DoS attacks, launched from botnets in Russia, crippled government and corporate websites in neighbouring Estonia. These attacks were apparently executed by Russian cybernationalists - whether at the behest of the Russian government or not - in response to Estonian plans to relocate a Russian Second World War monument located in Tallinn. It was later discovered that the botnets used in these attacks had originally been developed for profit-oriented criminal purposes, that is, for spamming, phishing, extortion and so on. Likewise, during the 2008 Russo-Georgian war, it appears that the cyberattacks against the Georgian government were launched from known cybercrime servers in Russia and Turkey. These attacks appear to have been centrally facilitated, but executed at least in part by Russian nationalist volunteers. The Russian government denied involvement in the attacks. What the Estonian and Georgian cases suggest is that botnets and other criminally-focused hacking technologies and services are 'dual use' ones. For this reason, it is crucial that those concerned with national cybersecurity pay close attention to developments in the criminal hacker industry, as innovations there may be the source of emerging national security threats. Cybercrime, in other words, is not just a law enforcement problem - it's a growing national security threat.