February 23, 2021

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

Last week, we posted a series of startling statistics about our ineffective effort to combat cybercrime. Items like the cybercrime nation is as large, by annual revenue (over $2 trillion a year), as the UK. The FBI receives less than $5oo million to fight this 2 trillion-dollar behemoth. Cybercrime is a massive growth stock increasing from 12 to 25 percent a year.  And my favorite, we successfully prosecute less than 1 percent of cyber criminals. 

If you thought things couldn’t get worse than that, you thought wrong.

CrowdStrike just posted their latest research on cybercrime and found that intrusions threatening organizations’ cybersecurity across the globe grew – not 25 percent – but 400 percent in 2019 and 2020 combined. Nearly four out of five of those compromises in 2020 stemmed from cybercriminals, and attacks are unlikely to let up in 2021. 

The report also describes how the ever-innovative cybercriminal business is continuing to evolve its techniques. “Threat actors are not going to rest on their laurels,” according to CrowdStrike. “They’re going to continue to kind of adapt their operations to this new normal. It’s getting to be a crowded space.” 

Meanwhile our law enforcement structures remain, fundamentally unchanged.  Last week we started our blog by referring to legendary 1950s TV cop Joe Friday of Dragnet fame.  Friday would probably be fairly comfortable if he was dropped into the 2021 legal system; it really hasn’t changed in response to the specter of digital crime.

Contributing to the funding problem we focused on last week is the antiquated organization around cyber enforcement. In an era where cyber-criminals utilize advanced technology to achieve heightened efficiency and effectiveness we are still operating with a disparate and often uncoordinated law enforcement structure rooted in a 20th century model.

Federal departments and other government agencies remain confined to structures inconsistent with the realities of the digital age. These departments and agencies include the DOJ, SEC, DHS, FBI, ICE, Treasury, USPS, and USAID. Outside of the DHS, the FBI has the largest budget for cybersecurity-related matters.

An overwhelming volume of cyber reported crimes is being placed on law enforcement agencies both at the local, state, and federal levels. Los Angeles County Sheriff’s Department Chief Bill McSweeney said:

“With so many domestic government entities competing for enforcement there tend to be duplicative projects, mis apportioned funds, and confusion of authority. All of these issues lead to inefficiencies and a decreased chance of successfully capturing and prosecuting cyber criminals.”

Part of the irony is that criminal syndicates often collaborate in pursuing their criminal objectives but law enforcement, both domestic and international, often are mired in turf disputes and there has been little done to enable private sector entities or the better resourced military to collaborate in perusing better resourced and internationally based cyber attackers.

We Need to Modernize Law Enforcement to Better Address Cybercrime

Ironically, major financial institutions, some operating with cybercrime budgets of similar size to law enforcement, have been facing similar stress in attempting to maximize scarce resources to fight cybercrime.

To address these issues financial institutions have leveraged advancements in organizational development. Research by McKinsey has found these organizational innovations can improve the efficiency and effectiveness of their cyber-crime efforts. Similar innovations in law enforcement organizations could be helpful in addressing multiple issues law enforcement faces.

As is so often the case, McKinsey found it is leadership that is the key to progress. “As criminal transgressions in the financial sector become more sophisticated and break through traditional boundaries, banks are watching their various risk functions become more costly and less effective. Leaders are therefore rethinking their approaches to take advantage of synergies available in integration… Most forward-thinking institutions are working toward integration creating, in stages, a more unified model across domains based on common processes, tools and analytics.”

The McKinsey research describes several models that can be used based on the size and sophistication of the financial institution to move through stages of integration based on their unique circumstances.  It notes how many financial institutions are integrating previously disparate criminal divisions to leverage better use of modern analytics and stimulate increased teamwork to fight cybercrime.

“The integration of cybersecurity with other crimes is “an imperative step now since the crimes themselves are already deeply interrelated.  The enhanced data and analytics capabilities that integration enables are now essential tools for the prevention, detection and mitigation of threats…Most banks begin the journey by closely integrating their cybersecurity and fraud units. As they enhance information sharing and coordination across silos, greater risk effectiveness and efficiency becomes possible. To achieve the target state they seek, banks are redefining organizational lines and boxes and utility.”  

Among the noteworthy outcomes McKinsey found was that personnel freed from some organizational constraints felt better able to “think like the criminal” and anticipate criminal activities which enhanced risk management.  They cite one leading US bank that set up a holistic cyber-crime “center of excellence” and made “significant efficiency gains” while another major institution went “all the way” combining all their operations related to financial crimes and reduced operating costs by approximately $100 million dollars. Such an efficiency saving if applied to the FBI’s 2020 budget would be the equivalent of a 25 percent budget increase. International jurisdictional disputes often keep law enforcement from effectively operating. What may be legal in one country may not be legal in the U.S. and may be treated differently in a third country. We will discuss how to address these complicated issues next.

Join the Rethink Cybersecurity Community click here