Interview: Misha Glenny on Internet Crimes, Espionage and National Security
BY Rebecca Chao | Friday, October 4 2013
It has been a punishing week for cyber criminals, with the indictment of 13 members of the hacking group, Anonymous, charged with attacking government and credit card websites, as well as the arrest of one of the leaders behind Silk Road, a billion dollar Internet narcotics market known as the "Amazon of illegal drugs." Who exactly are the individuals behind these schemes and what does it mean for the future of the Internet?
Misha Glenny, an award-winning journalist and best-selling author, talks to TechPresident about the dark side of the Internet. Mr. Glenny is known for his expertise in globalized organized crime and his coverage of central and eastern Europe during the collapse of communism. In his most recent book, Dark Market: How Hackers Became the New Mafia, Mr. Glenny gained access and spoke to a large number of criminal hackers from all over the world, as well as those working in law enforcement, intelligence, and the digital security industry.
TechPresident spoke to Mr. Glenny via Skype. Below is a lightly edited and condensed version of the conversation.
The nature of today's 'new mafia'
TechPresident: The characteristics of those behind these cyber attacks sound more like a description of your typical comp-sci "geek": young, some training since the age of 13, a bit anti-social, non-violent, and some with, as you say, “brains the size of a planet.” But you also mention this is shifting, that Mexican cartels seem to be developing a hacking capacity. Can you explain how these two worlds – violent crime and non-violent cyber crime – are colliding?
First of all we’re at an early stage of this but there is evidence emerging that it’s taking place. In terms of the character of those people engaged in online crime, there are two basic types: social engineers and hackers.
The great majority are those we call social engineers as opposed to genuine hackers. Social engineers are people who are basically behind phishing attacks and things like that. They are trying to persuade you to download viruses on your computer by clicking on a link or with the Nigerian 419 scammers, offering you millions of millions of dollars if you use your bank account to move money.
Social engineering is behind a lot of criminal attacks on the web. For that you need creative skills, imagination, and a good organizational brain. You usually need the help of hackers as well, in order to distribute and deploy the malware. That, however, is becoming less important because you can now purchase so-called ‘off the shelf’ malware, which means you can just buy or rent networks that distribute your malware.
Hackers are those whose skills are so advanced that they can break into and find vulnerabilities in computers. They are a rarer breed than social engineers. They can, if they put their mind to it, usually do a lot more damage if it’s damage that they want to do.
So what they don’t have to do, whether they are social engineers or hackers, is that they don’t have to have a capacity for violence. They don’t need to enforce the market that they are operating in with violence, which is at the core of traditional organized crime.
The industry of traditional organized crime has attracted a very different type of person. Usually not quite as young, though those engaged in traditional organized crime can start at a fairly young age, just not as young as the sort of 12 or 13 or 14 year olds in the developed world who start engaging in cyber criminal activity. Their social profiles, their backgrounds and their abilities tend to be very different from those involved in traditional organized crime.
Traditional organized crime is slowly waking up to the fact that cyber is a very useful tool. What has been happening in a lot of traditional organized criminal activity up until now is that cyber is used to assist in their operations. So it’s simply a business tool. It makes their business more efficient. One example is the enormous criminal syndicate that engaged in large parts of Brazil called the PCC or the First Capital Command. It has an inventory of the cocaine it buys and sells on computers. So it can keep track of the cocaine. It can keep track of who’s selling it, whether they are getting the right price for it, and whether they’re paying up the money that they owe. I’ve now seen spreadsheets like these. So that’s just making your business a better business. That’s not actually using cyber as a tool to commit crime.
Some of the cyber criminals known as carders, people who buy and sell and illegally use credit and debit cards, are younger people who have emerged from traditional organized criminal families and milieus. They are beginning to persuade their elders to see cyber as an important division of their criminal activity. We see some evidence of that going on in a variety of places. But also, there are some people, like the Mexican cartels and the Russian groups who are actually using cyber as a means of enforcement and a means of underpinning their core service.
The shift into cyber has increased also since 2008 in the collapse of Lehman Brothers. That’s because at times of recession it is habitual for traditional organized crime to move somewhat away from their core commodities businesses like narcotics or trafficking of women because it’s a recession and people don’t have as much money to spend on that sort of thing. The criminals will move over to either gambling or financial fraud.
There’s been a big increase in financial fraud since 2008 and it is traditional organized crime groups moving on over to the Internet and seeing that the Internet has revolutionized the way that crime is perpetrated.
So there are two things: One, the movement of youth into traditional organized crime groups who are fully aware of the Internet and its value. And two, the recession and the shift to financial fraud as a consequence. This is what is largely driving a slow but perceptible moving of traditional organized crime groups into cyber criminal milieus.
TechPresident: Do these hackers see themselves as criminals? Or is cyber crime nowadays also about an ideological, political struggle – like with Anonymous for example.
Anonymous is a rather different thing. Anonymous members would certainly not see themselves as criminals. They see themselves very much as driven by an ideology which believes that the Internet should be kept free for citizens, that corporations should not be allowed to exploit the Internet in terms of access to the Internet, that security companies should be held to account and that disparate groups of organizations, from Anonymous to the Occupy movement and Wikipedia should be engaged in mutual support. And Anonymous is driven very much by ideology, and to an extent, they fill a space created by a vacuum in conventional politics, in terms of engagement with young people in particular. Young people are adapting technology in order to express themselves politically. However, as I would stress, Anonymous does break the law and that means they straddle this area between the political and the criminal.
Anonymous has an underdeveloped, what I call, half-baked anti-statist ideology, which is not coherent. They reject leadership, in favor of what is called swarming techniques, which is basically people talking to each other and saying let’s attack so-and-so. And then gradually, more and more people do it. That absence of leadership and the swarming strategy and the absence of a clear ideology, other than the half-baked anti-statist one, means that Anonymous is, to my mind very self-limiting.
People in cyber crime, when you talk to them, will often articulate the same anti-statist ideology, similarly half-baked or even less well-baked. And this is partly to justify, I think, internally, the fact that they are engaged in serious crime. For those people, I think it’s fairly straightforward. Most of those I spoke to knew they were involved in crime, knew that they were there to make the money.
There is, however, a large element, particularly amongst low-level cyber criminals who see it as a challenge, and particularly among the younger perpetrators, who are fired by a certain idealism and the excitement that goes with being young and idealistic. It’s a grey area but when you move onto commercial espionage, then you aren’t dealing with anyone who gives a damn about ideology, unless they are doing it on behalf of state, in which they may be ideologically motivated. But mostly the attacks on business are attacks to gain commercial or financial advantage. This is identifiably criminal and the perpetrators are not motivated by ideology as a whole.
The nature of cyber crime
TechPresident: You have called cyber crime “an industry that innovates at speed beyond comprehension.” If that’s so, how do law enforcers stay ahead of cyber crime? Is it always a cat and mouse game?
It is a cat and mouse game. One of the things we know from the Snowden revelations is that U.S. agencies have much greater access to the Internet than even some of the most paranoid or most conspiracy-minded people had believed. For example, something that’s happened this week, the arrest of Ross William Ulbricht, one of the founding members of the Silk Road, a website on the dark web, which you can’t access by putting in the normal URL in your browser, means the FBI has the capacity of breaking through the anonymizing structures of so-called Tor. Tor is a system whereby you can access things on the dark web by bouncing the signal around from a series of virtual private networks. What this is essentially doing is masking your activity from people who are trying to track you.
What the arrest of Ulbricht seems to indicate – we don’t know the full facts behind the case – is that Tor is not a fully adequate method of protection, not just for hackers but for people who want to communicate privately without others snooping on them. And this of course, is a very very difficult and sensitive area, which we have seen on more than one occasion: the balance between security on the one hand and individual civil liberties on the other hand.
This issue with the speed of innovation is a really serious issue, in as much that we can’t possibly comprehend on a daily level – whether we’re involved in cyber security, cyber crime, state activities or as ordinary individuals – how the Internet is changing and what the implications will be for security, civil liberties and freedom of the press. Trying to grasp the enormity of the Internet and what it does is going to require a lot of thought.
The economic impact of cyber crime
TechPresident: You cite some startling figures. Globally, we’re spending about $67 billion this year on cyber security and it's projected to hit $89 billion in four years. Why so much money? How much do you think it costs a hacker to launch an attack?
Not very much. And that’s the problem because you have a real disconnect with what is required to invest in mounting a cyber attack and what is required to invest in protecting yourself from a cyber attack. Frankly, the biggest winners of this are the companies engaged in cyber security. They tend to, frequently, not exaggerate the threat but to highlight the threat wherever they can because they are making so much money.
If you look at the compound annual growth rate at the moment year on year, the lowest is here in Europe and that’s about 5.9 percent for that industry. In the U.S. it’s about 6.2 or 6.3 percent. In the developing world, it’s about 16 percent. At a time of global recession, when our economies continue to contract, that is a phenomenal pay off in terms of growth.
Why is that? Because even though the threat is actually exaggerated in terms of what it is costing the global economy, and to be perfectly frank, it’s very difficult to define accurately how much it’s costing, we do know that if you don’t protect yourself properly, you will be hacked, you will be compromised, and your core business or activity as an individual can be very seriously damaged, very easily. So you’ve got to undertake security measures and it’s not cheap.
The social and political impact of espionage
TechPresident: As you know, the President of Brazil, Dilma Rousseff, bashed the U.S. last week at the U.N. about its espionage program. Do you think Edward Snowden’s revelations about cyber espionage and warfare create greater tension or are forcing a greater cooperation among countries – will we see an international accord over espionage or is this just wishful thinking?
She also canceled a visit with Obama. That was also a huge diplomatic [slap].
The Snowden revelations have basically demonstrated exactly what the United States is up to. And in that sense, they are quite important. The Brazilians are angry for a reason and that reason is pretty clear. The United States has been spying on a friendly country, on the largest company in the southern hemisphere, Petrobras, and they’ve been spying on the president. If I were the Brazilians I’d be pissed off as well.
So, has it done damage? Well, yes it has. The U.S. program, as far as we know, is the most extensive espionage program in the world. They’ve damaged their reputation. Some of this activity undertaken by the N.S.A. was illegal, according to U.S. law and it was certainly not designed to make friends around the world now that it’s been revealed.
What does that mean? Well, it means that, we’re on a more level playing field. The first Snowden revelations came just in advance of the summit meeting between Xi Jinping and Obama in San Francisco, two days before, in fact. Obama had already announced that the core of the discussion was going to be about outrageous spying and commercial espionage that the Chinese habitually undertake on Americans and other Western companies. But when Xi Jinping walked into that room, although I don’t know, I haven’t seen the transcript, when Obama said to him, what about all this spying, I’m sure Xi Jinping just handed him a copy of the New York Times and said, who are you talking about, you or us?
So we have a level playing field, in which we know everyone is up to no good. So do they want to regulate this? What does regulation mean? What bits of the Internet are you going to regulate? These are huge headachy subjects, which will be developed, as most issues like this are, piecemeal. There will be no huge agreement regulating the Internet. There may be informal forms of agreements restricting its use for certain military capabilities, although there is no sign of that at the moment. There may be an exchange of information about criminal activity, for example. Again, we’re not entirely sure how that will develop.
Clearly the Internet needs some sort of regulation. You can’t have a telecommunications device that is so powerful and not expect states to get involved in it and leave it entirely unregulated. Frankly, that is utopian nonsense.
Interestingly, before the Internet came along, the International Telecommunications Union, which was set up in the 1860s, has reached every single agreement by consensus and that includes during the First and Second World Wars and Cold War. There has never been a dispute within the ITU, within its member states. Everyone has always wanted communications to continue bubbling along as an uncontested zone.
I would say that this is now a contested zone. The ITU is one of the areas where it is being contested. At the moment, we effectively have a free for all, in regards to the Internet, and I’d be interested to see over the next two to five years, whether there is any even outline recognition on the part of the major states involved that there will need to be some form of coherent global regulation of the Internet. But I doubt it.
Personal Democracy Media is grateful to the Omidyar Network and the UN Foundation for their generous support of techPresident's WeGov section.