December 10, 2020

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

In a major speech yesterday, President-elect Biden said that notwithstanding the great work that had been done to create a vaccine for COVID-19, it was his responsibility to “level” with the populace about how we still had a long difficult and dangerous winter ahead of us.

For many of us, this candor, while difficult to hear, is what we need and expect from our government’s leaders, who are charged with providing for the common defense and promoting the general welfare. Without the straight talk – “leveling,” in Mr. Biden’s words – we can’t be adequately responsive to the threats we face and can’t provide adequate support to the front-line personnel who we rely on to protect us.

For some reason, however, our government representatives have been unwilling to be equally honest with us regarding the epidemic of cybercrime that has been devastating us for years – even decades. And there is no vaccine for cybercrime on the horizon.

Case in point: Last week at a major cybersecurity event, a very senior federal law enforcement leader was asked to speak on the topic of international cybercrime. The moderator, Pete Williams of NBC News, asked him about the growth in ransomware in recent years. Our federal official demurred that “there is not necessarily a huge uptick in cybercrime, it’s just an increase in awareness.” Mr. Williams, I assume having trouble believing that answer, pressed, and our federal law enforcement leader doubled down: “I really can’t say there is an uptick in ransomware.”

No, I’m not kidding. The message from senior law enforcement to a pretty elite group was that he really can’t say there has been an uptick in ransomware in the past few years.

Perhaps we should take our government official’s comments literally.  It’s not that he doesn’t know that cybercrime – including but by no means limited to ransomware – is going through the roof. It’s that he can’t “say” that.  For years I have been puzzled by the persistent, and wildly inaccurate, messaging law enforcement delivers on the issue of the extent of cybercrime. 

In my experience, including this week, law enforcement gives an excessively rosy perspective on cybercrime and all that is being done in the area. While those of us in the cybersecurity industry may take these speeches with a grain of salt, understanding we all need to be nice and work together, the excessively rosy picture still deprives us of the straight talk we need. I have made it a habit of late at these conferences to get into the audience, especially with the board members and senior executives I interact with, and ask them what they are “hearing.” The message I too often hear is “seems like you guys have a handle on this.”

No, no we don’t. It is NOT true that we have a handle on this. The reality is, regarding cybercrime, we are getting crushed. In the president-elect’s words, it’s time we level with each other.

Make no mistake, as someone who comes from a law enforcement family, I get how hard, and dangerous, these jobs are. However, that’s the point. We have lacked a properly funded effort to fight cybercrime for decades. We have lacked a truly functional international framework to address international cybercrime for just as long. I do realize there are some people working – hard – on this, but it’s not nearly enough. And we are not going to get our law enforcement community the resources they need if we keep underplaying the problem, and in that regard our government law enforcement partners – by trying to rigorously put their best foot forward – are part of the problem.

Perhaps ironically, the previous day’s sessions at this same conference included a session entitled “RANSOMWARE — PAY AND PLAY.” The official session summary read: “The work from home revolution driven by COVID-19 has driven a startling rise in ransomware – disrupting businesses, schools, cities, and health care systems. How do industry and government combat this scourge which mixes criminal groups and nation-states?”

During this session we learned that not only have instances of ransomware gone through the roof in the past few years but the crime itself has metastasized.  Whereas just a few years ago we noted ransom demands of modest five-figure amounts – in bitcoin – now we are more typically seeing demands in six and seven figures. Panelist Charles Carmakal, Senior Vice President & CTO of FireEye, noted he had even seen eight-figure ransomware demands (that’s 10 million plus).  In addition, the criminals now demand separate payments for different ransom services (one cost to release your data, a separate charge not to publicize your data and a third payment for information as to how they committed the crime – how helpful).

Is it possible that our government is unaware of these developments or seriously chalks them up to “greater awareness?”  I honestly don’t know, but I seriously doubt it.

I don’t have a fully informed explanation of why the messaging from government is so – what is a diplomatic word? – inaccurate. I can only say this messaging, which I have been hearing from government related to cybercrime for years, is unhelpful.

Just as government needs to “level” with the people on the COVID epidemic, it also needs to level with us regarding cybercrime.

The reality is we are getting crushed by cybercrime.

CSIS and McAfee came out with a stark report on cybercrime last week documenting a $1 Trillion drag on the global economy from cybercrime.  At the G-20 Digital Economic Committee meeting earlier this year, the World Economic Forum reported they are seeing cybercrime costs currently at $2 Trillion a year – and will grow to $6 Trillion in two years.  Cyber Crime Magazine reported a study earlier this month that showed, based on current growth rates, cybercrime would be a $10.5 Trillion a year industry by 2025. 

The major law enforcement agency we have to fight cybercrime is the FBI. The FBI’s budget to fight cybercrime is about $450 million a year. By contrast, there are multiple U.S. financial services companies whose budgets to fight cybercrime, just against their own facilities, are 20 percent higher than the FBI’s budget.

That’s a $450 million government effort to prosecute a multi-trillion-dollar criminal enterprise. It can’t realistically be done.

Best estimates put the rate of successful prosecution of cybercriminals at about half of one percent.

Now fighting cybercrime is a really, really hard job. And the fault in our inadequate – our persistently inadequate – response to cybercrime doesn’t lie with the law enforcement personnel. They are fighting hard but fighting way over their weight class.

We need to seriously rethink our collective effort to fight cybercrime, which will include spending a lot more money. However, before we get to spending the money, we need to level with ourselves and each other and develop a plan that has some prospect of actually working. A simple doubling of successful prosecutions – from half of 1 percent to a full 1 percent – would be great progress. Certainly we can do that.

The new administration has an opportunity to bring a fresh, candid perspective to the issue. ISA has recommended that the new administration create a commission – equal parts former law enforcement personnel (current personnel will be compromised), industry victims, and citizen victims – charged with laying out a pragmatic approach to begin making progress on this critical issue.
