On Cybercrime, Economics and Education
So i just watched Mikko's talk at TED, introducing a lay audience to the fun that is actor-attribution in cybercrime; very much an introductory session, but at the end of it, he touched on a subject rather near and dear to me: the issue of education and economics as a driver of criminal activity, and how it has taken an interesting twist in the modern world.
So, full disclosure, a little about me.. a looong time ago (ok, not that long, it was the early 1990's), I was what would today, be considered a "Black Hat" hacker (but compared to today's Black hats, would be much more in the 'Gray hat' camp)... I pirated software, I cracked copy protection systems, oh, and I was part of a very creative group of people called the Amiga Demo Scene, that created fantastic audio/visual demonstrations on hardware that would be considered archaic today. I was young, I was a rebel, I read Mentor's Hacker's Manifesto and, although I had some philosophical arguments with it, I took it as a sign of the world to come....
... and then, before the end of the decade, the wild, fun, creative days were over, because Organized Crime started moving in on my rebellion. Here, I'll say it now , that before 1996 "I used to be a cracker until organized crime started moving in and taking my fun away". In truth, being a black hat back then, is more like what we would call 'gray hat' today: cracking systems for monetary gain was extremely rare in comparison to today, and was largely frowned upon in the community. When organized crime started realizing there was money to be made, that's when much of the glamour started to fade from the glory days of hacking, and with the onset of cheap personal computer systems and broadband in the home, many of the old justification were no longer necessary - who needed to crack a companies FTP site to act as a distribution point for transferring pirated software, for instance, when you could just as easily set up your own FTP server from your own cable internet access. The conditions that made our ethically-questionable activities necessary in those days were removed. It's hard to find anyone these days who was around during that era, that didn't get involved in one aspect of another of the 'good old days' of hacking, it's even more difficult to find any of us now that aren't middle-aged, responsible law-abiding citizens, fighting against the wave of confusion and pollution that is the modern information security theater.
Organized Crime's move into the digital age was slow and incremental at first (but then started reaching critical mass around 2002) - individual cases made the news, and started to have chilling effects amongst the underground. When we heard the story of what happned to Tron (http://en.wikipedia.org/wiki/Tron_(hacker)) and his all-but-certain death as a result of dealing with orgcrime, several of us put together a T-shirt in his honor, reading:
"If You're So `Leet, Why Aren't You Dead?"
It was around this time that the dotcom boom was, well, booming, and myself and many many many others, all decided that from here on out we were utterly legit; we took the experience we'd accrued over the years, pursued rewarding careers in Infosecurity.... in the face of more dangerous bad guys than we had ever been, we became the good guys. The High Plains Drifter puts on the Sheriff's badge and settles down to look after a local town. By the mid-90's my days as a rebel on the borders, were over and done with.
Unfortunately, my story is not universal; I remember my time in the Amiga Demoscene very vividly, we had no access to the internet, but we still managed international communication. The BBS scene was alive and strong, but many of us could not even afford a modem, we used, horror of horrors, the postal system. I learned a lot in those early days, my first exposure to a truly international culture. No longer did my world stop at the limits of the small English mining town I grew up in; The Amiga Demoscene cast a wide net, throughout all of Europe.. including the parts that weren't part of the EU yet; And back in those early days, I made contact, and friends, with many people in Eastern Europe; at the time, the fallout effects of the civil wars in Yugoslavia and Czechoslovakia were still ongoing (yes, those names were still the names of those countries back then, barely), and for the first time, this was not just something on the news, but real people, with real lives, I was talking with; of course, they had time to engage in their own pursuits, war was not a day to day reality for them any more by this time; but, they were Eastern Europeans, in their late teens, early twenties, with a solid education, a passion for technology.
What was very apparent, was that these were people with a keen intelligence, their grasp of both the English Language, and infotechnology (both things conceived of outside their borders), were intrinsic and passionately held. They had all fought to attend the best education they had available, and then worked on their own time to excel beyond what that education afforded them....
Well, let's look now to the common American viewpoint of Eastern Europe, post 1990: a war-torn field of displaced peoples, bad memories, destroyed families, and escape from things best left unsaid (Thank you very much, Grand Theft Auto 4). well, that's never the whole picture, life goes on, and smart kids, with a good education, despite the travails of their nation, look towards a rewarding life and career.
Unfortunately, the economy of many of these nations cannot match pace with the aspirations of the education and ambitions of some of their residents: the economy lags behind the demand for highly skilled, highly-paid infotechnology people, and few things are more frustrating than possessing skills you've worked on for years to acquire, with no rewarding (and preferably, paid) outlet for them. Once you start to look at the ecomics of cybercrime, it's really not that difficult to see where we get so many of our 'evil programmers' from: most of them aren't 'evil', they're just taking the best-paying job available to them that makes use of their skill set. It's a common story, turned into a trope in stories of early 20th century New York, the innocent but desperate guy who gets an offer to do a few favors to someone for a little extra cash...
I haven't been in touch with many of the people I met on the demoscene and underground back in the early 90's; I talked and shared notes with people from Hungary, Estonia, Slovenia and many others back in those days, and I wonder how their career paths matched ours. Many people who were part of the amiga underground went to become famous names in the videogame industry, a siginificant portion of us work in technology and infosecurity now; but largely, these are all the people from western Europe and America I'm talking about.
I'm sure that, were I to look at the statistics for this sort of thing (if any have ever been gathered, I'm unaware of it), that it's more than certain that at least some of the friends I made in Eastern Europe in the early 90's, have gone on to work as cybercrime developers, assuming they haven't (as many of them discussed with me), found better paying and more rewarding jobs in the West.
Now, while we know that there will always be people whose greed and pride turns them to crime, no matter how smart they are (look at Max_Vision, here in America for a prime example of that kind of hubris), the vast majority of smart, creative people, will chose a legitimate, less risky source of income over the higher-paying criminal path if that option is available to them in the first place . The economic factors that generate crime have been known in sociology for centuries now, and cybercrime just, as Mikko says in his talk below, is just a matter of criminals that could only operate regionally before, now having a global reach thanks to the internet; the game has not changed, only the board.
We talk a lot about actor attribution and takedowns in fighting cybercrime these days, almost as if there is a fixed number of criminal actors out there, and that it we make a significant dent in that number, we can claim some kind of Pyrrhic victory in the fight. This is of course a Sisyphean task - there will always be desperate or greedy people to take their place. However, just as we realized during world war two, and the ensuing Cold War, the key to winning an arms race is to deny your opponent access to the most advanced technology. In Infosecurity, we have been fighting against more and more advanced malware, always playing catch up to the latest techniques, always trying to build defences that last a little longer than the previous one before being routed around.
While we can safely assume that the people turning to cybercrime, from the top-down and bottom-up, will never disappear, removing their ability to produce their most advanced materials and keeping them several steps behind us in the digital arms race, is an entirely valid approach - the best-and-brightest of cybercrime programmers are the 99th percentile of them. Now, attribution and arrests only go so far, the only long-term solution is (as it is with so many other aspects of international competition) to lure them away from chosing this as their career path in the first place.
The Second World has invested great amounts of time and resources into improving their education over the last few decades, justifiably so; but this has created a window of incongruousness between the education of the population and the economy of the nation: when you have a first-world education, you want first-world economic opportunities. If you live in a Second-world economy, then crime is often the shortest path to rectify this.
I have no magic bullet solution here to recommend, only a few more observations; as anyone in software development will tell you, outsourcing development overseas is cheap, but often sub-par; there is value to be had in increasing the value of a programmer, no matter where he lives globally, in raising the value of software development as a career choice in any economy. Providing opportunities for the truly talented to transcend the economic restraints of their resident nation could go far to removing the lure of taking a paycheck from a criminal employer greatly. Continued investment and grown in Second-World technology sectors can do the same; All of these factors and approaches are the same as with any other kind of crime, treat the cause, not the symptom. I talk a lot about Eastern Europe here only because of the currently-held stereotype of it being a n incubator for cybercrime, much can be said about any area on Earth where talent outmatches economic opportunies, such places certainly exist here in the USA, and there are plenty of people involved in cybercrime for the same reasons; having that community relationship with so many talented programmers in Eastern Europe in those pre internet-populism days however, has given the events of the last decade a touch of 20/20 hindsight to the current situation for me however. A similar scenario has played out in Nigeria, the results of which everyone witness in the flood off 419-scam email in their Inbox.
In summary, cybercrime is just crime, same as it always was: and smart, desperate, but essentially-good people will always become lured into it, given the right conditions. removing the conditions that make this a viable option for them, is far more effective than deterrent or punishment. Cybercrime seems strange and novel to many people in the first world, because it brings what was remote, and rare, often invisible, directly to their front door. The game is still the same, only the board has changed. It used to be that crime was considered the outlet of the poorly-educated, with poorer prospect; today however, extensive investment in education, and increasing free access to information and learning, is creating a wave of educated individuals, with rational risk-assessment skills in their own choices; and many of them are making the choice to turn to crime in the face of a dearth of rewarding, legitimate career options.
Just as with so many things, you change the ratio of the components just a little, and the outcome swings out of balance once again.
Anyway, here's Mikko's talk, it's interesting, some parts have raised some reactions of controversy from people already, but it's a worthy use of a few minutes of your time in any case.