This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here
The lead story in today’s New York Times on the investigation into the January 6 attack on the U.S. Capitol reports that yesterday’s Senate hearing “also showed that the overlapping jurisdiction of the Capitol Police, District of Columbia government and other agencies created utter confusion that hindered attempts to stop the assault.”
Virtually this exact same statement could be made with respect to law enforcement and cybersecurity.
In fact, we did make this statement in our post just yesterday, discussing the critical need to rethink and reorganize our law enforcement efforts to fight cybercrime. We noted that an overwhelming volume of cybercrime is now being placed on law enforcement agencies at the local, state, and federal levels. However, federal and local law enforcement departments and other government agencies remain confined to structures inconsistent with the realities of the digital age.
These departments and agencies include the DOJ, SEC, DHS, FBI, ICE, Treasury, USPS, and USAID. We are already not funding cyber law enforcement adequately to address the chronic threats they face (Cybercrime is a $2 trillion plus industry – the FBI’s cyber budget is under $500 million), but the uncoordinated structure of our cyber law enforcement effort further undermines the ability to effectively address the threat and wastes critical resources.
No less an authority than County Sheriff’s Department Chief Bill McSweeney said: “With so many domestic government entities competing for enforcement there tends to be duplicative projects, misapportioned funds, and confusion of authority. All of these issues lead to inefficiencies and a decreased chance of successfully capturing and prosecuting cyber criminals.”
Now some might argue that this analogy is a stretch… I don’t think so.
Yesterday’s Senate hearing on the Capitol attack also noted a failure to heed adequate warnings of the threat. The Chairman of the Senate Homeland Security committee Gary Peters himself said “There is no question in my mind that there was a failure to take the threat more seriously dispute widespread social media and public reporting.”
Again, this is the same phenomena as with cybercrime. Just as we failed to appreciate the threat that radical, violent, and well-resourced domestic extremists were growing in our midst, so too have we been ignoring the growing threat of massive cyber criminal enterprises. We are essentially the fog in the boiling pot blithely unaware of the threat boiling around us and not jumping to safety before it’s too late.
With just a little historic perspective in the cybersecurity field, one might be better able to feel the heat more keenly. Take ransomware for example. The ransomware attack strategy is fairly new. It was just a few years ago that we heard of reports of hospitals being held for a few thousand dollars in ransom to get their data decrypted from criminal attack.
In just a few years, the fundamental nature of this attack strategy has changed. Ransoms are now routinely in the hundreds of thousands of dollars – in some case reportedly even higher. And the ransomware industry (including ransomware as a service – you can buy your attacks now wholesale and just be in the ransomware retail industry) has morphed.
Now there are multiple “products” you can purchase if your data is invaded and held for ransom. You can purchase getting it decrypted for one price, and for an additional price, you can buy off the attackers’ threats to publish the data they have stolen, and for an even higher price they may be willing to share exactly how they compromised your system – call that the good Samaritan ransom service.
The increasing innovation and sophistication of the cybercrime industry stands in unhappy contrast to the stale 20th century structures and jurisdictions we retain for cyber law enforcement.
Just as the explosion of the domestic extremist threat emerged at the U.S. Capitol, so too we should be aware that the cybercrime threat is growing at an extremely worrisome pace. The World Economic Forum estimates cybercrime had revenues of $2.2 trillion in 2021. Cyber Crime Magazine has calculated that at its current growth rate cybercrime revenues could reach $10 trillion by 2025. That would make the cybercriminal “nation” (and the criminals are quite highly organized) larger in annual revenue than all but the biggest nation state superpowers.
It might be worth serious consideration to think through how big a threat it is to have even a loosely affiliated group of well-resourced – nation-state level resourced – criminal empires possessing highly sophisticated digital attack technology and strategy integrated into our digital ecosystem.
Adding further sad irony to this picture, we are functionally funding this growth with our relative inattention to substantially addressing the worldwide problem of cybercrime.
To complete our analogy, between disorganized law enforcement at the U.S. Capitol and disorganized cyber law enforcement, we note that some on Capitol Hill have indicated that similar issues of poor coordination were evident in the 9/11 attacks and are now calling for a 9/11 style commission to look into the January 6 attacks on the U.S. Capitol. We have a similar, possibly larger, issue with cybercrime and a similar cybercrime initiative ought also to be considered – in part because the congressional structures also are not well coordinated to address cybersecurity.
Join the Rethink Cybersecurity Community click here