Picture of Horror
Cybersecurity has become an increasingly important feature in our daily lives over the last 15 years, but it has never been such a hot topic, and never before have the consequences so severe. Ransomware attacks, the number of victims, and the amounts demanded, are constantly increasing.
Underground platforms are full of adverts for the recruitment of specialists in ransomware. Criminals are ruthless, methodical, and opportunist. They deploy old and new modi operandi such as double-extortion, DDoS for ransom, and cold-calling journalists, clients and investors.
Although investment in cybersecurity and employment in the sector have increased worldwide, experienced cybersecurity professionals highlight the distinct disadvantage of the current protocol by which only a single falsely flagged alarm may lead a breach. The attackers have the advantage of an unbalanced relationship between attack and defence. While the defensive line must be victorious every single millisecond, the offensive side needs to penetrate the defences only once.
With the support of illegal business experts and 24/7 dark market services, the crime industry is making every attempt to pierce every defensive measure companies take. The situation is becoming increasingly problematic, and the consequences more severe and scary.
At this point, this question stands out: How should companies be protected against coordinated and targeted attacks? Protection is possible both by defending the full IT ecosystem, this includes information security practices as well, and at the same time using legal tools to stop the attackers.
The first phase, creating a full suite of cyber defence, is necessary for every moment of the organisation's operational lifetime. The defensive measures should be in alignment with each of the organisation's services without limiting new business initiatives. Cyber defence can be described as similar to filling all holes of the strainer and, at the same time, allowing the hot water to drain before the pasta gets cold. On top of that, the chef needs to be responsive and adaptive to the customer's order changes and should provide a new and delicious pasta for each new type of order.
The second solution is to detect and stop the problem creators. This doesn't mean simply hacking the hackers. Hack back discussions have increased, and there are rumours that hack back is already in action among some countries; nevertheless, these are not officially verified. If hack back is implemented, maybe some of the seemingly unstoppable state actors will slow down for a period of time, but the legal and practical ramifications will inevitably lead to disaster. Pandora's digital box has already been opened, and hack back may cause the poison in Pandora's box to leak into the pipelines of the world, so it's not recommended.
The Role of Blue Light
In today's legal systems, the detection and legal apprehension of aggressors is a process performed by the entire criminal justice system, with law enforcement at the frontline. Being at the frontline and finding the chance to meet and chat with hackers and analyse seized materials provides a unique opportunity for law enforcement to predict and evade an attacker's next possible moves, this subject that will be discussed further in a separate article.
The role of law enforcement is crucial, and essential to make online networks safer. Stopping the attacker in a legal form is as efficient as each companies' self-defence protocols. Let's consider a ransomware group targeting corporations A, B, and C, and producing 10,000 attacks for each target monthly. Three victim systems and experts need to repel all those 10,000 attacks to keep their business running. When zero-days attacks, human error and lack of enough human and equipment resources are taken into consideration, keeping the systems breach free is a seriously tough mission to succeed. The systems can't be protected by only cyber defence without limitless resources. Considering this, focusing on attacking sources gains an important role due to increased efficiency in preventing future coordinated cyberattacks.
A successful investigation and prosecution may put the attacking group members behind bars. If sentencing does not end up with imprisonment, the process may at least damage the hackers' setup, and may lead to their assets being confiscated. In the meantime, companies A, B, and C, and other vulnerable businesses, will be attack free from that specific source.
Many companies prefer to avoid taking legal actions against any means of successful attacks because of concerns for their reputations. However, there are some methods to track down perpetrators and hold them accountable without risking the reputation of the organisation, and that's a topic for another discussion. The attackers should be stopped and pay the bill, and this journey starts by revealing the attackers' profile.
Tens of thousands of operations have been successfully completed by law enforcement agencies around the world have putting cybercrime perpetrators behind bars.
On the other hand, each passing day, cybercrime and its number of victims are increasing, and law enforcement's sophisticated cybercrime detection and investigation capacities are constantly facing new challenges. Although there are hundreds of local and global circumstances that lead to the creation of this situation, it is possible to list the most important reasons as follows:
a) Fast Phase & Verified Actions: The digital criminal ecosystem has been evolving at an alarming pace. When the crime industry recognises any lucrative business, they change all their tools and practises in a day. At the same time, changing laws and administrative regulations are gradually becoming subject to and controlled by long processes. Law enforcement's actions are limited by procedural laws, and all actions need to be approved with safeguards before going to the next phase.
State administration practices are the legacy of previous generations. Public power has been abused in the past and is no less prolific today; because of that, public service administrations always proceed with cautious increments, careful to act, and hesitant to generate instant innovative solutions to new challenges. However, industry, civil communities, and criminals are result-oriented and changing rapidly.
b) Anonymity and Encryption: The increased usage of encryption and anonymisation technologies that meet the users' legitimate and justified needs is abused by cybercriminals.
The emergence of blockchain, associated cryptocurrencies, and related products have changed business and financial practices. Criminals convert illicit earnings by using cryptocurrency obfuscation methods like swapping services, mixers and coin joins.
c) Human Resource: Law enforcement agencies can not retain experienced cybercrime investigators in the face of the lucrative opportunities the industry offers.
d) Jurisdiction: In most cybercrime cases, the victim, perpetrator and evidence are typically located in different jurisdictions, and the international data acquisition processes are slow, not always successful, and sometimes impossible. Dual criminality, validation of procedural processes, the rule of law factor, data retention periods, the volatility of electronic evidence, lack of enough human resources, and politics are among the factors can be listed as the main reasons behind this cumbersome system.
Fortunately, things aren't as bad as they may seem. There are several old and new initiatives that understand the matter and support the investigations for a cleaner internet, such as Team Cymru, newborn startup Cybera and including few others.
New and Upcoming Challenges
There are some specific developments limiting the success of investigations.
The available data resources for investigations are changing every day. For example, whois databases were an excellent resource to start researching a case. Due to users' demand, ICANN policy modifications and industry products availability, most of the whois records are concealed behind privacy and proxy services now, and they are not aid to investigations anymore or difficult to obtain.
Government investigators are about to lose another investigative data source and believe this will negatively affect cybercrime prevention in general.
Global criminal justice experts constantly need data from the global ISPs to investigate crime cases assigned to them. Most giant ISPs are located in the USA, and the advantage of the US legal system is it allows ISPs to directly support investigations in other jurisdictions. Most American giant ISPs help global prosecutions with their own consent. However, this support is limited to certain criteria, and most cybercrime offences do not find themselves on the green light list, and the help is much more focused on prevention rather than investigation. Users` privacy should be protected more piously than the Bank of England's Gold Vault. The data request reliability, legality, intention to use, and potential risks should be monitored carefully with no question. Nevertheless, the ISPs current available offering doesn't seem to be enough to slow down cybercrime.
While global ISP support is limited, global investigators have local aid. Local authorities can request data from internet connection providers in their home countries depending on the country's legal criteria. However, this is about to change.
Megaproject's entrepreneur Elon Musk aims to convert the human brain into an SSD disk and colonise Mars soon. His internet-based project, Starlink, which beams internet from satellites in orbit to user terminals on Earth, is about to complete its goal of providing sufficient internet connection to every point of the globe, specifically where connectivity has been unavailable until now. The January 2022 report claims SpaceX's Starlink has 145,000 users across 25 countries. Starlink is not the only satellite-based internet provider; 8 - 10 other projects similar to Starlink will be active in two-three years, including Amazon, Russia and China's initiatives. Some of these initiatives target service to companies and some target end-users. Lynk has already succeeded in transferring mobile broadband data from space to a simple unmodified mobile phone and this seems to be signal how technology could evolve.
Starlink, for example, is an American company under the jurisdiction of US regulations, and MENA operations are orchestrated from Ireland, the same as Google and Facebook. It is a shared global ISP practice to keep all company and user-related data where the company HQ was founded.
When similar technologies to Starlink gain ground and sky access will be a common connection method, investigators will have another layer to accessing data, and manoeuvring around international jurisdiction. With so much time and effort spent dealing with these new layers, it may result in no organisation being able to focus on small and medium level cybercrime victimisation due to lack of resources and cost-benefit comparisons. This doesn't mean that investigation will completely die, but fewer cybercrime cases will be investigated, the process will be slowed down, and there will be many more shelved cases. If legal actions don't stop the perpetrators of crime, criminals will gain experience and money, and this situation can create better-equipped and larger-scale digital thunderstorms. In return, more significant attacks may soon emerge, and this is not only the criminal justice system's problem.
I remember that law enforcement colleagues from different parts of the world were worried about unreported and uninvestigated cybercrimes while criminals were gaining money from their victims under the radar. The situation hasn't changed much. Most corporations are hesitant to pursue the perpetrators because their financial risks are covered by insurance. Insurance providers, in most cases, balance their charges and recovery payments. Criminals are succeeding in penetrating these funds. Rarely are all parties happy, however, the crime industry is raising a considerable amount of money, and they now have capacity to ransom more money or more than money. Ten hacking groups have trafficked approximately $5.2 billion in only the past three years according to US Treasury reports. The crime industry is equivalent to the economic power of the tech giants or a small country, and current developments show that there is more to come. While ransomware groups are calling the ransom payment a "cybersecurity consultancy fee", I wouldn't be shocked if these data kidnappers show up as fancy industry actors such as an ISP or cybersecurity firms soon, camouflaging and legitimising themselves in the mainstream so they won't need to hack again.