Increased Law Enforcement Action – Is it Enough?

We’re finally getting to the point of seeing more successful law enforcement activity against cybercrime groups. From the FSB arresting the REvil gang to the takedown of tools like VPNLab, there’s obvious signs of progress. I feel rather good about it, and it makes my security heart happy to see things actually happening. However, I think there’s still a lot of work to do. Let’s dive in. Of course, everything here is just my opinion.

Why the increased success?

First and foremost, why are we seeing more success? I think there are some key reasons to explore:

1. Increased Intelligence Activity. In particular for attacks against five eye nations, the intelligence community is stepping up. In the US, I believe that the IC and agencies like CISA and the DoJ are becoming better partners. This leads to an increased flow of information and better use of our vast resources to track down the source of incidents. If we’re being honest with ourselves, cybercrime, and the use of cyberspace to commit/coordinate illicit acts are both prime examples of why spooky intelligence programs exist.
2. Improving Security Community. There’s no denying that – while we’ve still got maturing to do as an industry – our cybersecurity community is getting stronger. We’re seeing better transparency, increased sharing of data such as IoC and TTP’s, and other critical data. This leads to more evidence at the end of the day, evidence that can be slowly and methodically pieced together to identify culprits (and eventually make arrests).
3. Increased Brazenness. Over the last couple of years, cyber gangs have become straight up cocky. Super high-profile attacks attract the attention of super high profile, and well-equipped defenders and investigators. Knocking out oil to an entire seaboard grabbed a lot of attention, as did the Kaseya incident.
4. Better Mousetraps. Like it or not, Bitcoin is not some magical untraceable way to move money. Yes, it’s decentralized. No, it doesn’t pass through the Federal Reserve. You know what it does pass through? The internet!! This means that rat traps can be laid for criminals to fall into. The FBI, Secret Service, and other federal and international agencies have really stepped up their game in being able to trace transactions on the blockchain.
5. Human Nature. No, I’m not saying the bad guys reconsidered. The first time REvil went away was out of fear, not remorse. However, when you have a criminal organization with enough people, someone is going to make a mistake or turn into the state’s witness. Just ask Cosa Nostra.
6. Better International Cooperation. This is the most important one. Organizations like Interpol are doing much better at sharing intelligence and resources, increasing the ability to get at criminals in their host nation.

There’s a lot more than those six reasons but, in my opinion, those six points really contribute to the increased success of our law enforcement and intelligence communities. However, I think there’s a real problem that makes this challenge almost impossible…

The Bad News

The bad news is simple. It’s just not hard to be a cybercriminal. Plain and simple. It’s not hard to stand up the infrastructure, learn a few skills, and pick on unskilled consumers. In fact, if you do it right, you can get away with it for a good long time still. In fact, I think a really smart cybercriminal would pull off one campaign and disappear. Just my two cents.

But really, the problem is that cybersecurity vs cybercrime is one horrific, Earth-scale game of whack-a-mole. The plain and simple truth is that if we knock out one gang, three more pop up. Even if that “gang” is one person pulling one job. It’s not like the hard drug trade that tends to be controlled by a few large, sophisticated cartels. We’re talking about a bunch of small groups of bad people who can mobilize quickly. It takes a while to build a case against just one of these organizations, and they’re constantly popping up.

What that really means, in a simplified way, is that I don’t think this game ever ends. All we can do is continue to improve as cybersecurity practitioners. All law enforcement agencies can do is improve as investigative professionals.

So, where to from here?

Honestly, I’m not sure. I don’t think anyone is. What I do know is that we all need to continue to band together. We need to become better defenders, better collaborators, and continue to foster the growth of our cybersecurity community. We need to embrace partnership, work with the agencies who take this head on, and keep improving.

If we all band together, keep working hard, and keep constantly improving, I think we’ll accomplish a couple of things:

1. Make it harder. Right now, cybercrime is a super attractive gig. It’s so damn easy to pull off, it’s an easy decision for some folks. Unfortunately, for some groups, it’s the best way they can make a living. If we keep getting better and better, it becomes harder to pull off huge cyber heists, making the whole thing less attractive. It’s the same reason a gas station is more likely to be robbed than a bank. The bank is the ‘juicer’ target, but it’s very hard to steal that much US currency and get away with it.
2. Make it riskier. Until recently, it wasn’t all that hard to evade authorities, especially in certain parts of the world. These increased arrests and enforcement actions will go a long way in making cybercrime a riskier business. We need to keep the pressure on, and continue to get better. For private sector cyber practitioners, that means sharing information.
3. Make the ‘good people’s team’ more attractive. If we continue to work together to make cybersecurity a more attractive career by making it accessible, more standardized education wise, and welcoming to newcomers, more folks who otherwise wouldn’t be a criminal will be less likely to join up with a cybercrime gang. Essentially, I’m saying create ample opportunity to do the right thing and make it harder to do the wrong thing.

I’m pretty pleased with the news I’ve been seeing lately. We’re on the right track. That said, we’ve got a long road ahead of us. It’s up to every single one of us working in tech to continue this push. From developers, to administrations, to the CISO, to the law enforcement community, we all need to keep pushing to make cybercrime the less attractive option.