By Larry Clinton
In this series of posts, we have been arguing that now is the time to rethink our efforts to create a sustainably secure cyber ecosystem. The core of that rethinking is to finally focus more on programmatic changes that will truly improve the security of cyberspace. The traditional micro-operational focus can be maintained, but our focus needs to be expanded beyond it. One such domain we discussed earlier was going BIG on cyber workforce development. A second, equally important, and largely ignored issue is law enforcement.
The Cybercrime Problem is Massive and is Getting Worse
Our current, well-intentioned efforts to fight cybercrime, much like the efforts to develop an adequate cyber workforce, are starkly failing to meet our needs. A study from Cybersecurity Ventures reported economic losses of $2 trillion in 2018, and the World Economic Forum estimates that cost will grow to roughly five times that figure, $10.5 trillion, by 2025. These numbers rival the annual economic output of major nations. While the precision of the numbers can be debated, given the multiple methods of measuring the impact of cybercrime, the magnitude and the trend lines are not in serious dispute.
In contrast, the FBI, the government's primary tool for cyber law enforcement, gets an annual appropriation of about $500 million for that mission. With this ratio of criminal gains to government resources, it is unsurprising that we successfully prosecute only about 1% of cybercriminals.
The vast majority of cybercrime is economically motivated. Analyzed from an economic perspective, it is clear that all the incentives favor the attackers. Attack methods are comparatively cheap and easy to acquire, the profit margins are enormous, and the business model, targeting a worldwide set of victims simultaneously, is extremely attractive. A recent McAfee analysis concluded that cybercrime presents an excellent risk-reward ratio for the criminal and that a clever criminal can make millions without much fear of being caught. As a result, without substantial change, cybercrime will remain relentless and shows no sign of abating.
Defenders, by contrast, must protect an inherently vulnerable system (one that is becoming more vulnerable all the time) against increasingly sophisticated, often nation-state-affiliated attackers. Victims are almost always in response mode, and law enforcement provides virtually no deterrent.
Fortunately, we do have a dedicated and professional digital law enforcement workforce, but it is too small and vastly under-resourced. In addition, our law enforcement structures, both domestic and international, have not been adequately adapted to the digital age, even though we are more than two decades into it. We need to fundamentally rethink and recalibrate our approach to cybercrime.
Government Needs to Create Clarity with Respect to Cybercrime Roles and Responsibilities
Law enforcement is unambiguously a governmental responsibility. After more than two decades of increasing cybercrime, the government needs to finally clarify its own roles and responsibilities. There should be a single, clear, properly resourced point of contact, such as a national call center, where victims of cybercrime (which is routinely interstate if not international) can report. Lines of authority among the FBI, the Secret Service, the Armed Forces, and state and local law enforcement must be properly channeled through that reporting point, and victims' expectations for follow-up should also be made clear.
Given the immense size and urgency of the problem, we will need to quickly build a program that takes immediate steps to improve cyber law enforcement while launching a more comprehensive strategy to address the longer-term systemic problems.
Learn From Current Successes: Expanding the Colonial Pipeline Law Enforcement Response
The Colonial Pipeline ransomware incident was one of the highest-profile and most damaging cyber events of 2021. It is also a case study in how effective, properly resourced law enforcement can achieve positive results. In the Colonial case, the FBI was able to recover approximately half of the roughly $5 million ransom. Obviously, the prominence of the Colonial case provided the motivation for this extraordinary government action. The question is, why can't the thousands of other ransomware victims receive the Colonial treatment? One obvious answer is lack of resources.
We should evaluate this effort and expand it. Recovering ransom payments denies cybercriminals a large portion of their profits, reducing the incentive to attack. It would also aid in prosecuting the criminals, further mitigating the impact of these rampant crimes. In drug cases, law enforcement is entitled, through asset forfeiture, to keep a portion of the recovered value. That process might be adapted to ransomware cases to give law enforcement increased incentive and resources to pursue cybercriminals, the equivalent of a "user fee" for enhanced services. Because of current resource shortfalls, initially only the more significant crimes (e.g., ransoms over $1 million) could trigger this "Colonial-style" response. As law enforcement recovers more funds from successful recovery efforts, the trigger level for the enhanced response could be lowered. Criminals would then, in effect, be funding advanced law enforcement, and the economic incentive to attack would be undermined.
Government Could Adapt Successful Private Sector Cybercrime Models
Research by McKinsey has documented that major financial institutions, operating with cybercrime budgets similar to the FBI's, have maximized their resources by reorganizing their structures to fight cybercrime. Financial institutions have had success eliminating disparate criminal divisions, unifying their structures, and leveraging modern analytics. These modernized structures have increased effective cybercrime mitigation through better teamwork while reducing costs. McKinsey found that removing these organizational constraints has helped personnel "think like a criminal" and anticipate criminal activity, improving risk management. These same models should be adapted for government law enforcement agencies to create similar efficiencies and effectiveness.
Modernizing law enforcement organizational models would also support smaller state and local law enforcement agencies. Larger agencies could establish a shared working environment that gives state and local law enforcement access to tools, tactics, and services for investigating cybercrime at their own scale. Models like these are already being adopted in the Defense Industrial Base. For example, the RAND Corporation has proposed a cloud service to disseminate cybersecurity tools and information to smaller firms in the DIB supply chain; the service would offer advanced email screening, data filtering, and data loss prevention. Adopting tools of this kind could help state and local agencies expand their capabilities at modest cost, facilitate sharing of information and best practices across jurisdictions, and increase coordination, leading to clear, standardized protocols for reporting cybercrime.
This notion of adapting a successful cyber program from one sector to address similar, even if not identical, issues in another has already proven to be an effective model. For example, the Pathfinder program, initially launched to address cyber issues in financial services, has been adapted and adopted in other sectors such as energy and defense. These successful collaborations are proof of concept for an expanded notion of collaboration. The newly created Office of the National Cyber Director, headed by Chris Inglis, would be the ideal place to evaluate this idea and develop it into a systemic program.
While most of the steps above could be undertaken fairly quickly, a comprehensive cybercrime strategy that considers cybercrime in its full national and international context also needs to be developed. This process should begin in the Office of the National Cyber Director, which should establish a commission charged with developing a plan to prosecute criminals in an effective, sustainable manner. The commission would consist of representatives of law enforcement, the military, industry, and victims of cybercrime. It would tackle essential questions such as the military's role in cyber-attacks of national significance, how to coordinate and unify the multiple government agencies addressing cybercrime, and whether to create a unified federal cybercrime budget. It could also clarify the meaning of key terms like "significant attack" and "critical infrastructure" so that clear jurisdictional and actionable guidelines are established.
Because a large proportion of cybercrime is international, the State Department's cybersecurity efforts need to be revitalized (something the Biden Administration already appears to be working on). However, this process needs to go well beyond the previous cyber office in the State Department. An enormous amount of work is needed to update the international infrastructure for fighting cybercrime. Given the presence of state-sponsored, or de facto state-tolerated, cybercrime, this work may need to proceed in smaller steps at first, but the effort needs to be made. If significant domestic success can be demonstrated, the U.S. might become a catalyst for greater international efforts.