by Solange Ghernaouti-Hélie
An overview of the cybercriminal ecosystem
All the individuals and groups involved in cybercriminality, their ways of working, and the processes they have adopted to maximise their profits while minimising their risk of legal consequences together form an ecosystem. Like all ecosystems, it is lively, dynamic and in permanent adaptation, exploiting new opportunities in the marketplace, new vulnerabilities, new tools and new means of communication.
This ecosystem is a part of, and inseparable from, the ecosystem of the digital society. It possesses its own specific structures while involving legal users of the Internet and benefiting from the services that these provide. This is notably the case of entities that provide the facilities for financial transactions, such as, to name but two, Western Union or Liberty Reserve.
Cybercriminals are rational actors who follow the laws of the market and of supply and demand. They are above all criminals who have learned to extend their activities, knowledge and techniques into cyberspace. Just as a black market and a hidden economy exist in the physical world, they can also be found in cyberspace. These cybercriminal black markets work in the same manner as classical markets, with the objectives of performance and profitability, feeding the whole chain of cybercriminality and relying on the communication tools and opportunities for contact provided by the Internet.
These markets use the same mechanisms, knowledge and tools as those used in on-line advertising and legal e-commerce. They can be found at every stage of a cybercrime: its preparation, its execution and its monetisation. The Internet itself is also a major contributor to realising the resulting profits. Among the different possibilities offered by the black markets, it is possible to:
- Buy an on-line phishing kit, install it on a bulletproof server (classic hardware and software platforms), operate it (carry out phishing), collect the data gathered, and sell these through forums, on-line shops, and financial transaction services;
- Buy and sell exploits, malware and ransomware, that is, software that allows cyberattacks to be carried out;
- Rent zombie machines and create and operate botnets;
- Buy and sell, wholesale or in small quantities, personal data such as banking details.
The stakes involved in protecting personal data and ensuring digital privacy
Cybercriminals know how to exploit personal data in order to optimise their activities and to reduce the risks of being held responsible for their own actions. Recent years have seen the development of a real economy based on the collection and sale of personal data, as well as the formation of a certain “criminal intelligence” around the use of these data. Without going into detail on these subjects, one can recognise the need for individuals and for society as a whole to have access to effective measures that will contribute towards protecting their personal data and their digital privacy, particularly with the objective of preventing, or at least limiting, the criminal use of these data.
At the same time we need to recognise that nowadays a lot of commercial organisations do use the personal data of Internet users within the framework of their entirely legal activities. This is true in general of the many service providers who propose services that are described as free. The Internet users pay in kind, indirectly, through supplying personal data, without necessarily having been aware of this or having given their express and informed permission.
A significant number of large Internet companies, such as service and social networking platform providers, take advantage of this situation to develop their economic models. They make large profits by commercialising and exploiting personal data which users have either given freely or which has been collected without their knowledge.
To this kind of usage, which may be considered abusive by some, we can add the fact that these service providers that hold the personal data of their clients can themselves be the victims of cybercriminals (theft of data, infection and spread of malware, for example), and be an arena for cybercriminal activity insofar as their clients constitute numerous and attractive prey for the criminals.
In addition, all digital activities leave traces linked to personal data, which allows the permanent surveillance of Internet users by all kinds of operators.
This question should therefore not be seen solely in the perspective of the struggle against cybercriminality, but also in the perspectives of consumer protection (the consumers being Internet users) and of the protection of fundamental rights and of civil liberties, which include the freedom of speech, freedom of association, freedom of movement (the right to travel and to navigate freely on the Internet), the right to knowledge and information, and the right to respect for private life, family and correspondence. In order for these to be assured, it will be essential to be able to guarantee the protection of personal data and privacy, for these are elements that contribute to self-determination, to democracy, to liberty and, as a consequence, to human dignity. This all presupposes:
- Specific technological and judicial measures for protecting data;
- A genuine political and economic will in respect of the fair and honest handling of personal data which will require the rethinking of economic models to ensure that personal data is not just considered as an asset to be traded;
- Coherent behaviour on the part of Internet users in respect of their data and of what they reveal about themselves on the Internet.
The place of the struggle against cybercriminality in the cybercriminal ecosystem
When considering the cybercriminal ecosystem, it is essential not to forget everyone else who is concerned by it, that is to say the individuals and the organisations who, depending on the circumstances, can find themselves the targets of, or the willing or unwilling participants in, cybercriminal acts. This latter distinction can be illustrated by the way that users can unwittingly become a link in a criminal chain as a result of fraud or manipulation. This is the case, for example, when a user’s machine or an organisation’s server acts as a relay or becomes a zombie member of a botnet used to carry out denial of service attacks on a third party. At the same time, a user can knowingly lend his machine to a botnet run by hacktivists, out of ideological, political, economic or religious convictions, for example.
Public and private organisations can also, completely legally, be led to use the same weapons as cybercriminals in order to defend their interests. This can occur in the context of both offensive and defensive cybersecurity. An additional point to consider is that whenever an organisation holds assets prized by cybercriminals, as is the case of banks or commercial organisations offering on-line services, or whenever an organisation is responsible for the creation of assets, services, software or ICT or security solutions, that organisation by definition becomes a part of the cybercriminal ecosystem. Its presence in cyberspace, like that of Internet users who are very visible on social networks, for example, in some way explains the presence of cybercriminals and their activities.
The cybercriminal ecosystem would be incomplete if we did not include the police forces and judicial institutions that contribute in a very concrete operational way to combating cybercriminality. They run criminal investigations and can be led to create honeypots. They use the same technical knowledge and the same tools as the cybercriminals. They can draw upon the specific technical knowledge of specially trained officers, of external civilian experts, or even of genuine cybercriminals, who may have repented or who simply have no other choice but to collaborate with the police. These collaborators can become full partners of the police, act as informers, actively work to deceive other cybercriminals, or track criminal activities and unmask their perpetrators, applying both their technical skills and their knowledge of the criminal environment.
As with classical investigations, this work requires a real police skill-set: being technically sound is not sufficient to be a good cybercrime investigator. Investigators can sometimes have to operate undercover in order to infiltrate discussion forums on the black market, for example, or to infiltrate digital networks, which can be necessary in operations against Internet paedophiles.
The challenges for combatting cybercriminality
Combating cybercriminality would essentially consist of implementing technical, procedural, legal and organisational measures that increase the number and effectiveness of the obstacles to committing cybercrimes, raising the level of risk for criminals and reducing both the incentives and the expected profits.
Such a programme would also include:
- The implementation of ICT infrastructures and services that are resilient and robust;
- The availability of comprehensive, transparent, manageable, effective, efficient security measures that are easy to implement, use and control;
- The global, integrated and effective strategic and operational management of information security as it concerns hardware, software, networks and cyberspace;
- The coherent and non-abusive use of information and communication technologies; and
- The faultless and ethical behaviour of all the members of the digital chain (users, managers, service providers).
There can be no fight against cybercriminality without a strong political and economic will to do so, without international agreements, without these agreements being respected, without the respect of fundamental human rights, without international cooperation and assistance, without considering the needs for justice, for peace, and for stability both in cyberspace and in the real world.
Director, Swiss Cybersecurity Advisory and Research Group
Faculty of Business and Economics HEC, University of Lausanne