The Industrialization of Cyber Crime and How to Stop it From the Ground Up

The organizational chart of today’s cyber crime syndicates is stumpy compared to those of legit tech giants like Alphabet and Microsoft; they resemble dwarfed pyramids with no more than eight or nine horizontal layers. But those layers represent highly-specialized skills, the sort of specialization that the economist Adam Smith would have recognized as a fully mature industry.

As Smith noted by observing the work of pin making in 18th century England, dividing the work into more than a dozen distinct operations allowed a mere ten men to make 48,000 pins a day. A lone craftsman performing all tasks, Smith concluded, could not have made more than 10 a day.

Economies of scale may be text-book familiar in most of our visible industries. But cyber crime, which began its rise two decades ago as the work of lone hackers, and which retains that shadowy image for most of us, has adopted this industrial business model. Today it is organized, complex, globally connected, and full of entrepreneurs, as Oxford sociologist Jonathan Lusthaus makes plain in his new book, Industry of Anonymity: Inside the Business of Cybercrime.

Lusthaus, who is the director of Oxford’s Human Cybercriminal Project, doesn’t concern himself with the technical arms race between crooks and the cyber security industry trying to foil them. Instead, his concern are the lives of the criminals and the sociology of profit-driven cyber crime.

“By looking at cyber crime in social and economic terms,” he says, “we can think about what makes businesses succeed and fail and that opens up a broader discussion on how to stop them.”

Lusthaus spent seven years visiting cyber crime havens in places like Russia, Ukraine, Romania, and Brazil, interviewing hundreds of criminals, hackers, security experts, and law enforcement.

What he found were crime rings organized like firms and carrying out a familiar litany of illicit acts that cost the global economy hundreds of billions of dollars a year—malware ransom, phishing, fraud, blackmail, and identity theft, and even renting out resources (malware) and services (hacking) in online bazars resembling criminal eBays. At the tip of their org charts are bosses who direct the work of coders, hackers, malware marketers, translators to write convincing phishing emails to foreign victims, social engineers to convince banks that fraudulent transfers are legit, and cash-out crews whose job is to turn virtual gains into real-world cash.

There is such a demand, for a variety of online criminal services and goods, that savvy bad guys have developed niche skills to exploit every single illicit opportunity. One US law enforcement agent who Lusthaus spoke to (he uses only first names for both the good guys and bad guys), said these tasks are analogous to animals stripping a carcass in the wild. Criminals, Lusthaus writes, “have found ways of extracting value from every piece of data and every specialist role.”

As a sociologist, Lusthaus’ primary solution for making these businesses fail is not a battering ram to their front doors, but a softer sociological and economic approach. “Some of the more serious offenders in Eastern Europe are highly educated and technically talented people,” he says. “But there’s not always an economy or tech sector that can support that scale of talent.”

So, says Lusthaus, these wannabe Zuckerbergs and Gateses, with no access to venture capital or tech incubators, “are forced to become entrepreneurs of a criminal kind. Their startups become shadow industries that are then supported by talented coders, marketers, and other specialists.”

Counter Strategies

To break this cycle is a large and difficult problem. It will take a lot of planning, money, and international cooperation. But with the costs of cyber crime so high, Lusthaus and others say, it is worth the undertaking. The first route is for legitimate industry to recruit these bad actors, preferably before they commit crimes. Tech companies in the US and UK already do this to some extent, but if they want to stop these crimes they should expand recruitment programs.

Particularly valuable to the cyber security industry, in desperate need of talent to help fend off the millions of cyber attacks on businesses every single day, are the bad actors themselves.

“I hear all the time about the skill shortage in the cyber security industry,” says Lusthaus. “If you get people of appropriate skills, with knowledge of the cyber underground, and who can speak multiple languages, they would have major advantages.”

Investing in nations friendly to cyber criminals, and providing the funding for legitimate tech businesses, is another way to create a pinch-point to stop the flow of talent to the dark side. That route is much harder because of localized state corruption and a lack of working legal systems.

But companies can sponsor conferences and local competitions to draw in the technically savvy and introduce them to lucrative online professions. For instance, programs like The Cyber Security Challenge in the UK is a series of national competitions and networking meetups created to identify, inspire and enable more people to become cyber security professionals.

Parents also play a role. Jason Nurse, an assistant professor of cyber security at the University of Kent who studies pathways into cyber crime, says a lot of kids stumble into this world through gaming. “They’ll be looking for gaming cheats and mods on games like Fortnight, where they can sell skins (character costumes) and skills and then the find their way into criminal forums.”

Next thing you know, the kids are strolling into the house with expensive sneakers and jackets, a sign that they may be making illegal money online. “It used to be that if kids stayed in their bedrooms, the parents didn’t worry about them, as long as they were home and not out getting into trouble,” says Nurse. “Now the world, and the underworld, is right at their keyboards.”

Of course, the online criminal world is full of the untalented as well, the piggy backers who don’t know code from a comb, but can find their way to the dark web and buy malware for a few bucks and fire it off indiscriminately, something hitting their target and reaping a few thousand dollars in ransom. Or the cash out crews, who are no more than real-world illicit money runners.

“This lower level criminal that is living off the work of other talent is a much bigger challenge,” says Lusthaus. “It’s a traditional problem. How we deal with people in crime is an old problem, throughout the whole through history of human time. We’re not going to get rid of crime ever.”

But it helps not to think of battling it solely through software updates and patches. “Most people think cyber security is a technical issue,” says Nurse. “But the sociotechnical, human, and organizational factors are all are massively important and different than traditional data security. So, we can’t only think about technical solutions. We have to consider the human solutions.”