June 29, 2022
The 5×5—Cybercrime and national security
From bank fraud to malware to romance scams, cybercrime is everywhere. The Federal Bureau of Investigation’s 2021 Internet Crime Report cited $7 billion in cybercrime-related losses, double the losses reported in 2019. The totality of these losses has a major impact on the US economy, in addition to the lives of affected individuals and businesses that may watch their bank accounts drained and confidential information stolen.
But cybercrime is far from a purely economic problem; real national security concerns are wrapped up in the issue as well. Just as cybercriminals learn from each other, state hacking groups learn from cybercriminals, and vice versa. Cybercriminal infrastructure and even cybercriminals themselves have been co-opted by governments in the past, and there is evidence of states potentially acquiring tooling from the cybercriminal underground.
Cybercrime is, of course, not a uniquely US problem. As with all forms of crime, cybercriminals seek to connect with and learn from each other. Criminal forums, marketplaces, group chats, and even Facebook pages are watering holes for this underground economy, allowing threat actors to adapt techniques to their unique environments and targeting all around the world. British fraudsters have targeted customers’ sensitive personal information online in order to commit tax fraud. Brazilian malware developers have manipulated electronic invoices issued in the country to redirect them to their own names. Financially-motivated threat actors have targeted Australian superannuation accounts.
We brought together five experts with a range of perspectives to weigh in on emerging trends in cybercrime and their impacts on national security.
#1 How does cybercrime impact national security?
Marina E. Nogales Fulwood, global head – cyber external engagement, global response & intelligence, Santander Group:
“Cybercrime impacts national security in different ways, including by offering a fertile ground for organized crime and hostile nation states to obtain and launder illicit profits; threatening the economic stability of households, enterprises and governments; and, in some cases, disrupting supply chains and leaving critical sectors paralyzed. The paradigm shift ‘from online criminal activity to national security threat’ was bolstered by the recent ransomware attacks against Colonial Pipeline and Kaseya that prompted the classification of ransomware as a national security matter. The nationwide Conti ransomware attacks against Costa Rica’s public and private sector, and the country’s subsequent state of emergency declaration, is another clear example.”
Ian W. Gray, senior director of intelligence, Flashpoint:
“To understand how cybercrime impacts national security, it is important to have a proper understanding of the motivations of cybercriminals and adversaries alike. There also may be substantial overlap with the tactics, techniques, and procedures (TTPs) employed by various threat actors, regardless of motivation. Cybercrime is often financially motivated. However, the same threat actors that are monetizing initial access to a network may also be selling that access to a state-sponsored adversary, whether they know it or not. State-sponsored adversaries may be employing proxies to deflect attribution attempts, thereby providing plausible deniability. The same TTPs that are often associated with less sophisticated cybercrime—social engineering, credential stealing malware, brute-forcing or credential stuffing—are also effective in state-sponsored attacks that can have a larger impact on national security.”
Matthew Noyes, cyber policy and strategy director, US Secret Service:
The views presented are his own and do not necessarily reflect the views of any agency of the United States Government.
“For over forty years, cybercrime has presented the risk of unauthorized access to national security information and associated information systems. Today, this risk is heightened by the growth of highly profitable transnational cybercriminal networks. These transnational criminal networks have both conducted and enabled highly disruptive cyber incidents that have impacted the operation of critical infrastructure and essential services. These criminal networks may serve as proxies for malicious foreign government activities or provide a degree of plausible deniability to foreign government security services for their own malicious cyber activities.”
Mario Rojas, cyber security and threat intelligence subject matter expert, Maltego:
“Cybercrime impacts our society on all levels, and national security is not exempt from the reach of cyber criminals, who target government agencies for financial gain, cyber warfare, or simply as a challenge. These cyber criminals undermine the security of our countries by attacking critical infrastructure such as hospitals, gas pipelines, and even military networks.”
Dmitry Smilyanets, principal product manager, Recorded Future:
“Espionage, attacks on critical infrastructure, account takeover (ATO) for government officials and employees, election meddling, and disinformation, are among the top threats to national security that I can see coming from the financially motivated actors.”
#2 Given limited resources, should counter-cybercrime efforts focus on a particular country/region or does the issue warrant a holistic approach?
Fulwood: “Cybercrime is borderless, and combatting it requires the widest level of international cooperation possible, encompassing stakeholders from government, law enforcement, and the private sector. As an example of this, most successful law enforcement counter-cybercrime operations have benefitted from internationally-coordinated frameworks, while many private sector companies have acquired a leading role in disrupting and providing investigative support to the public sector.”
Gray: “Holistic. Employing a fractured approach to countering cybercrime would have detrimental effects on developing internet standards. The globe is already interconnected, save for a few countries that choose to isolate in order to impact state control over internet usage. While certain countries are often associated with specific cybercrimes (like Russia and ransomware or China and intellectual property theft), it is vital that defensive efforts are implemented in a coordinated manner, even if attack vectors or objectives are varied. As a result, improving the defense of domestic networks, including strong public-private partnerships, is the best approach to countering cybercrime. This should be followed by building the capabilities of our multinational partners, including best practices and intelligence sharing.”
Noyes: “Resource allocation is the key question. Ross Anderson et al. well captured it in a 2012 paper: ‘As for the more direct question of what should be done, our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response, that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail.’ This analysis still holds up when you consider estimates of $1.75 billion in global spending on cybersecurity products and services, relative to the modest investments in law enforcement efforts and overall decline in fraud prosecutions. Transnational cybercriminal networks are global, and a holistic approach is necessary to deter their criminal activity, reduce the profitability of their crimes, and successfully arrest and prosecute those that engage in these crimes.”
Rojas: “Governments and private institutions should cooperate, not only sharing knowledge and resources but also creating and supporting organizations to fight cybercrime and help educate the public.”
Smilyanets: “This decision should be made after the proper evaluation of risk is done, as well as the assessment of potential losses. Human life is first, but then, I believe the priority should be aligned with expectations of future damages.”
#3 What is an emerging cybercrime trend that we should be keeping an eye on?
Fulwood: “An emerging trend commonly observed is the symbiotic relationship that access brokers and ransomware groups enjoy. According to industry experts, in 2021, the average time between a network access offer and a ransomware group breaching the same company was seventy-one days. Therefore, closely monitoring access sales in underground forums and other channels used by cybercriminals can provide invaluable early-warning alerts for soon-to-be-breached companies.”
Gray: “The types of ways to steal someone’s identity have changed significantly over the last few years. Whereas username and password may have once been sufficient to gain access to an individual’s account and personal information, increased user awareness, multi-factor authentication, and cybersecurity have mitigated these types of attacks. The introduction of log shops that sell browser fingerprints, new methods of bypassing multi-factor authentication—like social engineering, SIM swapping, and more automated bypass methods like OTP bots, for example—all demonstrate the evolution of identity fraud that could result in account takeover.”
Noyes: “The growing illicit value transfer through the theft and illicit use of digital assets. Kevin Werbach’s 2022 testimony before the Senate highlighted this risk, stating, ‘When digital asset and DeFi firms demonstrate their inability to safeguard assets, and engage in behavior that suggests ill-intent or inconsistency, it should result in a drop in trust. The fact that many such firms, and the market as a whole, do not experience such a reaction, indicates that investors may not rationally be assessing risks. This could be a recipe for disaster.’”
Rojas: “Supply chain attacks are an emerging threat that targets software developers and suppliers intending to access source codes, build processes, or update tools by infecting legitimate applications to spread malware. A great example of these attacks was the one that involved SolarWinds and affected thousands of customers, including government agencies around the world.”
Smilyanets: “Credential stealers such as RedLine, Vidar, and Raccoon pose a very serious threat to corporations, governments, and individuals. We see steady growth in that market as well as a strong correlation with growth in ransomware attacks. 50 percent of ransomware attacks start from ATO of network access credentials previously compromised by information stealers.”
#4 What forms of cybercrime are impactful but do not get enough attention?
Fulwood: “While sophisticated and emerging forms of cyberattacks are widely reported by industry and news outlets, other types of cybercrime, like phishing, have been normalized. Despite its simple nature, phishing is a pervasive threat that every year yields countless economic losses.”
Gray: “Synthetic Identity Fraud (SIF). This crime involves leveraging legitimate personally identifiable information (PII) to create a false identity that can be used for several malicious purposes, including establishing lines of credit or committing financial fraud. During the COVID-19 pandemic, threat actors would leverage stolen PII to take advantage of the US government relief programs, like the CARES Act. Some agencies estimate that over $100 billion in taxpayer money was stolen by fraudsters stealing or creating fake identities to claim unemployment benefits from state workforce agencies.
Attacks like ransomware and business email compromise (BEC) generally attract a lot of attention for their high payouts and business disruptions. However, “smaller” forms of fraud are more common and also generate major losses when employed en masse.”
Noyes: “More attention is warranted on BEC and similar fraud schemes, which are the economic foundation for transnational cybercriminals. While ransomware understandably gets significant attention due to its potential to disrupt critical infrastructure and essential services, the known and estimated financial losses to BEC and related cyber-fraud schemes are far greater. For example, in 2021 the Internet Crime Complaint Center received 19,954 BEC complaints with adjusted losses of $2.4 billion, relative to 3,729 ransomware complaints with adjusted losses of $49.2 million.”
Rojas: “SIM swapping is a technique utilized by cybercriminals for diverse purposes, more recently to sidestep two-factor authentication solutions, granting them access to resources that otherwise would be out of reach; a passive reaction from service providers increases the efficacy of this technique.”
Smilyanets: “With every year, a digital identity becomes more and more valuable. The average internet user has approximately fifty passwords saved in his browser. Threat actors steal not just your passwords, but the browser’s fingerprints, and cookies with session tokens. That allows them to create synthetic identities, impersonate victims with high fidelity, and gain access to corporate infrastructure protected by multi-factor authentication.”
#5 How can the United States and its allies encourage cooperation from other countries on combatting cybercrime?
Fulwood: “The United States and its allies can encourage cooperation by enabling more public-private collaboration and incorporating industry expertise in task forces and initiatives.”
Gray: “The relationship between international cybercrime, state-sponsored threat actors, and a burgeoning effort to establish coordinated and like-minded initiatives to thwart cybercrime is quite complicated. However, existing international treaties like the Budapest Convention on Cybercrime aim to establish a cooperative framework to combat cyber threats, and non-binding efforts like the Tallinn Manual actively aim to address international legal issues when operating in cyberspace. Russia, meanwhile, has pushed back on the Budapest Convention and proposed its own Cybercrime Treaty to the United Nations (UN Resolution 74/247), broadening the definition of cybercrime and the scope of their authority. Suffice it to say, it is extremely important for the United States and its allies to establish a firm understanding of the threat landscape and its shared security goals.”
Noyes: “Skillful diplomacy, public engagement, and coordinated application of various forms of sanctions and incentives have proven effective at fostering international law enforcement cooperation on a range of issues. Even when some states limit their cooperation, or actively interfere in the law enforcement activities of other countries, law enforcement agencies have proven effectiveness in apprehending persons and seizing assets when they are in cooperative jurisdictions. For example, consider the case of the arrest of Alexander Vinnik coupled with the shutdown and civil complaint against BTC-e, which was described as a major exchange converting ransomware payments from cryptocurrency to fiat currency. Enforcing the law in this manner not only helps to deter and disrupt transnational cybercriminals, but also reinforces norms of the rule of law, international stability, and encourages further international law enforcement cooperation.”
Rojas: “Sharing resources, tools, case studies, and white papers has proven invaluable for the private sector, as cybersecurity professionals learn from those and can prevent and even disrupt the work of cybercriminals. Governments can also take advantage of these techniques to get other countries and organizations involved in the fight against cybercrime.”
Smilyanets: “Leading by great example in investigations and prosecutions will encourage partner states.”
Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security. He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.
Liv Rowley is an assistant director at the Atlantic Council’s Cyber Statecraft Initiative.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.