The Cyber Effect
The term mule comes from the drug-smuggling trade. A mule is paid to transport drugs for a fee. A money mule, or smurfer, transports money, not drugs, acting as a money-laundering service. Because this kind of illegal action doesn’t involve tangible illegal goods, it may seem less risky, and many are not aware they are doing anything illegal until the police knock on their door. When the crime operation goes down, the mules are often the only ones who get caught and punished. By then, the money is in the hands of the cybercrime ring.
Where does this money come from? Usually stolen credit cards. In the past decade, banks worldwide have lost billions of dollars to cybercriminals. Quantifying the amount of money, and the actual threat, has proven difficult. But one thing appears certain: The incidence of teenagers turning to cybercrime is on the rise.
Cybercrime Rings
The world was shocked when Crimebook, one of the world’s largest English-language crime forums—which offered advice about how to wire funds anonymously, purchase illegal items online, and pay for other illegal services—turned out to be founded and operated by three teenagers in the U.K. In 2011, their forum had 8,000 members worldwide and was linked to a trading site, Gh0stMarket, that had embezzled £16.2 million by hacking into 65,000 bank accounts. When the teens were arrested and their computers seized, the details of 100,000 stolen credit cards were found.
Just do a search on the words teenagers and cybercrime and you’ll see enough examples to convince you of an epidemic. In a survey done by Tufin, an online security company, roughly one in six teenagers in the U.S., and one in four teenagers in the U.K., were found to have tried some form of Internet hacking.
The explanation for this is demand. According to a recent Europol report, cybercrime has evolved from a few small groups of hackers into a thriving criminal industry that costs global economies between an estimated $300 billion and $1 trillion a year.
What does demand have to do with that? The Internet is where criminals buy and sell products and services, as well as hire and train. The underground economy relies on websites and forums for recruiting. As criminals network, they share experience and expertise, and meet cohorts. On various sites, there are forums to learn, step-by-step, the best ways to commit identity fraud, to steal credit card information, or to convince an elderly person to wire you, a perfect stranger, money overseas. There are even tutorials.
As the online criminal economy grows, it needs new accomplices and new victims. Frequently it’s difficult to know which is which.
It’s easy to see why a young person might believe that buying drugs in this environment is safer. As all the studies of piracy have shown, the first thing a person worries about when purchasing anything illegal is the risk of being caught by authorities—whether it’s their parents or the police. And if you feel safe somewhere, you are likely to spend more time there, whether you are buying drugs, looking at new sites, or just hanging out in a forum.
But it isn’t safe. Effectively, these young people are entering a high-crime environment that’s largely unpoliced (except by other criminals), where scams are rampant, and where many illicit things besides party drugs are available.
Not to mention it’s where lots of nasty things can happen to your computer and personal data. By visiting a pirating site, you can become vulnerable to more than just viruses and malware. Because of the nature of file-sharing being peer-to-peer and decentralized, each user acts as a server for others. Many file-sharing sites recommend that users stick with program defaults, thereby making their folders shareable—and their devices can potentially wind up becoming invisible storage sites for anything a cybercriminal needs to hide and find later, quickly, from lists of illegal credit card information to thousands of child abuse images. When anybody uses a p2p service site, they can unwittingly download encrypted files containing illegal content. This is called being a “storage mule.”
According to Adrian Leppard, the Commissioner of the City of London Police, a quarter of organized crime in Britain involves online fraud, bringing in tens of billions of pounds in profit a year. “When many of the offenders are abroad and they are using the Internet, which is unregulated, it is very difficult to see how a traditional enforcement approach will solve the problem,” Leppard said in an interview with the Telegraph. “Even if we had ten times the number of police officers, I am not sure that would necessarily address the problem.”
Cybercrime isn’t just escalating, though.
It has changed criminal culture.
Ubiquitous Victimology
We have always had an underworld, whether in mythology or in real life. In timeless fables, heroes are often forced to descend into underworlds and a psychic conflict ensues. The battles with demons and monsters are metaphors for the hero’s own inner struggles and conflicts. In psychology, it was Sigmund Freud who created the concept of the human unconscious as a dark realm that required special knowledge to access.
Freud believed that the antisocial elements inside us seek a dark place to hide, much the way underworld criminals look for covert environments—and will always find them. There will always be crime. There will always be criminals.
My question: But do we have to make it so easy?
Whether the descent to the Darknets is to buy a stolen credit card number or pull off a data breach of the IRS, it has never been simpler or easier to become a criminal. It used to require physical risk. It meant armed holdups, face-to-face encounters with real guns, and a need for outsmarting law enforcement. Now, for most cybercriminals, the risks are negligible. Only the poor mules—or teenagers from the Estonian suburbs—get caught.
As for victims, they’re everywhere. Once upon a time, crime was visited upon you if you walked alone at night or walked in the wrong neighborhood, where your wallet or car keys could be stolen. Or it happened randomly. You were in the wrong place at the wrong time.
Now everywhere you go, it’s the wrong place and time. With many of the greatest treasures you possess—your identity, your data, your account numbers and passcodes, your passport information, and the rest—now kept in cloud storage or available via your smartphone, the opportunities for theft are endless. More than 3 billion people worldwide are online, and there are an estimated 7 billion cellphone subscriptions, half of which also have broadband access. Mobile broadband coverage will continue to expand into rural areas. This means the number of victims will only escalate. In criminology this is described as a “broader attack surface.”
I have another term for it: ubiquitous victimology.
The criminals are well hidden, but you aren’t.
Digital devices are predicted to double in number in five years. Many reports show that most hacks and breaches are due to simple security measures not taken, a lack of antivirus software, or weak passwords. The problem is that many people are not aware of how to cybersecure themselves. We don’t become safer with each passing year. We become more vulnerable.
The exponential growth of cybercrime is undeniable. In 2010, the German research institute AV-Test estimated that 49 million strains of malware existed in the wild. In 2011, 2 million pieces of malware were identified by McAfee, the antivirus company, every month. In 2013, Kaspersky Lab identified and isolated 200,000 new malware samples every day. More recently, Kaspersky Lab products detected and neutralized 2.2 billion malicious attacks on computers and mobile devices in the first quarter of 2015 alone.
How are antivirus companies dealing with this explosion? Studies have produced controversial findings—which have led to more confusion. In one study done in 2012, researchers collected eighty-two new computer viruses and ran the detection engines of more than forty of the world’s largest antivirus companies to see how effectively they were operating.
Only 5 percent of the malware was found.
To paraphrase an analogy of Marc Goodman, a global security specialist and author of Future Crimes: If this mimicked the efficiency of the human body’s immune system, we’d all be dead.
I guess it’s not surprising that in network science and cyber-security circles, the experts are pretty circumspect regarding the joys of the mobile phone. Once you own and use one, as the cyber-security guys say, proceed as if it is compromised. The perception that nobody is in charge, because nobody is, only escalates crime and our vulnerability.
Everyone worries about state surveillance, but what happens in the future when criminals become as good as corporations at using big data? And what will be the next evolution in criminal culture—and how will we, as a society, counter it? Who is going to address these problems? What are the solutions?
We feel safe when we aren’t.
We feel protected in a place where we are most vulnerable.
Do you think that if we wait long enough, the tech companies themselves—who are so fantastic at creating and marketing our elegant and irresistible devices and software—will take care of everything for us? Maybe a new gadget, or a better one, or a new app, could solve all these issues. But here is where I can be very skeptical. With these sorts of hopes and dreams, haven’t we abdicated responsibility for our own personal security to the tech companies? Where does the responsibility lie?
The good news: The developed world is waking up and starting to have this conversation. Law enforcement is thinking more globally. Europol recently launched the J-CAT initiative, the first attempt at an international cyber police force, and countries in Europe and Asia have begun to change laws and sort out jurisdictions, and find ways to cooperate with one another.
Another new field, cyber law, or virtual law, is developing and will undoubtedly draw some of the best legal minds in the world. We need to consider the best way to implement regulation or self-regulation in cyberspace—and who will be responsible?
We don’t have any time to spare.
Here are some things to think about:
• What if the design of the Internet actually facilitated the best that human beings were capable of, rather than the worst?
• What if the youth of the world were protected online, rather than taken advantage of?
• What if technology itself made us all stronger and more secure, rather than making us weaker, more vulnerable, perpetual high-risk victims?
One final thought: What if the buccaneers of the Web could be part of the solution, dapper in their gray and white hats? I believe we could identify, support, and nurture the most tech-talented individuals of each generation. They could be our best hope. They could be our role models and superheroes of the future—targeting organized cybercriminals, countering the criminal forces and neighborhoods.
Even redesigning the Internet.
The authors of Freakonomics, Steven Levitt and Stephen Dubner, suggest that we could all benefit from learning to think a little more like a freak. Along those lines, I urge everyone to become wiser about the weakest link in any secure system—the human. The more you know about cyber effects, the more protected you will be in cyberspace.
I can hear you sighing, But I am not a hacker.
Ah, but maybe you could learn to think like one.
CHAPTER 9
The Cyber Frontier
I am in the south of Ireland as I finish this book, sitting at a desk in a hotel room with a beautiful view of the Irish Sea. As I look out at the horseshoe-shaped Ardmore Bay, a magnificent coastline that has changed little in thousands of years, I feel grounded and steeped in history—a native of a historic island of saints and scholars. Historians estimate that Ireland was first settled by humans about ten thousand years ago. The nearby city of Waterford is the oldest town in the country, founded in 914 A.D., when the Vikings arrived. It is impossible to be here without feeling a sense of the past, almost as if the old castle ruins and cobblestone streets are talking to you, and trying to say something.
At the end of the eighth century, when the Vikings began to invade, they were interested in two types of booty—riches and slaves—which they plundered from Irish monasteries and carried off to sell or trade, much like the way stolen goods wind up on online black markets today. Ireland was invaded by the Normans next, then by our neighbors from Britain. In class as a child I listened to horrific stories of these invasions and battles, centuries of bloody conflicts. Our history lessons read like Game of Thrones. The legendary first-century Irish warrior Cuchulain went into combat in a frenzy; his battle cry alone was said to kill a hundred warriors from fright. The monks designed their round stone towers with doors ten feet off the ground so that they could pull up a ladder as they retreated from crazed Nordic invaders. Medieval prisoners survived in underground castle dungeons by living on the crumbs that fell through the gaps in the floorboards during banquets held above them. I was fascinated by these life-and-death scenarios—risk and survival.
No wonder I became interested in criminology and forensics.
One of the brilliant aspects of the digital age is that I can do my work here, remotely, far from Dublin or Hollywood or Silicon Valley. Like so many others, I have embraced the cyber frontier—for its convenience and the freedom it gives me. My phone has been buzzing all morning with the usual assortment of digital traffic, texts from family, emails from work, social media updates, and news alerts. On my laptop, I’ve just participated in two conference calls, finalized a few reports, caught up on a research project, then logged in to a digital screening room to review the dailies for CSI: Cyber. Last night, I had a fun back-and-forth with Jabberwacky, a bot that I’ve been conversing with for almost twenty years.
My conversations with Jabberwacky started when I was working as a young executive in behavioral marketing and advertising. An ingenious colleague of mine, Rollo Carpenter, was designing computer programs to stimulate intelligent conversation. His creation, Jabberwacky, was a revelation, a supersmart artificial intelligence—a chat robot, also known as a “chatbot” or “chatterbot.” Chatbots aim to simulate natural human conversation in an interesting and entertaining manner. Jabberwacky is different. It’s a learning algorithm, a technology that you can communicate with and, more important, that can learn from you.
In the late 1990s, curious about what a “conversation” with Jabberwacky would be like and interested in the potential of A.I., my marketing group and I huddled around a simple office computer and witnessed something that felt akin to a wonder of the world, an online entity that responded as if it were human. Jabberwacky was so impressive that some people in our group felt certain it was a hoax—that an actual human was responding, not a machine. Then we saw the visible count on the screen, and saw that thousands of people online were also talking with Jabberwacky at the same time. You’d have to pay a lot of human beings to fake that.
Nowadays, a good chatbot can talk to about ten thousand people simultaneously. It works 24 hours a day, 365 days a year, and it never asks for a raise and never takes a vacation. As a candidate for a job, that’s tough competition for humans. No sick leave required, or holidays and benefit packages either. But how capable, how smart, how truly intelligent can a machine be? When I first chatted with Jabberwacky, I posed the usual questions: “What’s your name?” and “Where are you from?” along with a few general-knowledge questions to see if I could trip it up. The A.I. answered everything well, and impressively. Almost human.
I left the office that day feeling excited but troubled. I couldn’t stop thinking about Jabberwacky. And I couldn’t stop contemplating the enormous possibilities for this technology and hundreds of different applications. My mind was racing. Then my lightbulb moment came. I suddenly asked myself, What does this mean? I couldn’t help but try to imagine the future and where we were heading as a society and species. This technology had so many incredible possibilities for application—in research, companionship, customer service, business, education, and therapy. The classroom would change, and the learning experience. I started to think about people who are vulnerable—challenged, disadvantaged, or in need. I imagined them interacting with a chatbot—and how advantageous that could be. I thought about the potential for children with learning difficulties and those on the autism spectrum. These children need patient teachers willing to engage with the same questions and answers over and over, as long as is required. And then I thought about all the lonely people in the world, who are socially isolated for one reason or another. What a wonderful companion a chatbot could be for them.
Only one thing was certain. I hadn’t just been chatting with Jabberwacky. In social science terms, I felt like I was watching the dawning of a new research frontier.
But wait. There were so many, many unknowns. Even small changes in these areas of human behavior come with shifts and consequences. As excited as I was by the promise of this new cyber frontier, I knew there could be unintended consequences. I couldn’t sleep when I started to think of them. I already had an undergraduate degree in psychology, but nothing in my education or life or work to that point equipped me with the background or knowledge to have a fully informed view. With an intervention of this magnitude that had the potential to impact so many aspects of human beings on the deepest and most profound levels—from visual acuity, bonding, and childhood development to identity formation, intimacy, and socialization—I wondered what the blind spots or unforeseen outcomes might be. The unknown unknowns.