Cybercrime and cybersecurity affect every aspect of digital life. The potential for data and identity compromise, or outright theft of resources, has triggered correspondingly vast cybersecurity efforts. Cybersecurity and cybercrime often seem to be top priorities in technology news.
In a recent interview at the University of Pennsylvania’s Wharton School, author Kate Fazzini explained her view of the state of cybercrime and cybersecurity, as outlined in her recent book Kingdom of Lies: Unnerving Adventures in the World of Cybercrime.
An Evolving Conception of Who a Cybercriminal Is
First, it may be necessary for most Americans to shift their understanding of what and who a cybercriminal is. In the web’s early days, hackers were seen – stereotypically, but broadly – as tech geeks in a basement. But the truth is that much of cybercompromise and cybertheft is now run almost like a business. These businesses, Fazzini says, mirror startups, with chief executive officers, business developers, and customer service agents. The latter, for example, will walk victims of ransomware through what they need to do to regain control of their computers.
Second, cybercrime rarely takes place in a basement. A great deal of cybercrime is based in certain global regions, such as Eastern Europe. Some nations, such as Russia and China, are compromising or searching for data in western nations on a fairly widespread basis.
In fact, Fazzini observes that the Equifax data breach, one of the largest in the U.S. to date, may have been done by a national actor for purposes of spying rather than by cyberthieves after credit card and similar information. Why does she think so? Because the massive trove of compromised data has apparently never been used for consumer identity theft, at least in a known law enforcement context. It also doesn’t seem to have appeared on the dark web, where it might have been purchased and used by individuals.
If countries are larger actors in cybercrime than many people realize, though, the field has also evolved so that cybercriminals do not need a great deal of technological expertise. Users of ransomware, for example, can use a purchasable kit – they do not have to be sophisticated coders.
What Companies Need to Do
Are companies doing the right thing in their cybersecurity efforts? Yes, they are addressing it to some degree. But one inadequacy that the author points out is the nesting of cybersecurity efforts in information technology (IT) departments, likely the most common organizational structure in the U.S.
IT departments have a vested business interest in the adoption of their recommendations. When they recommend the purchase of a set of computer systems or software, for example, they want those purchases to be approved. They want to make sure that their budgets stay intact, and even to improve the chances that they’ll be raised in coming years.
Cybersecurity experts, though, can issue (or want to issue) conflicting recommendations. If they feel a given system or software is more easily compromised than others, for example, they may be in direct opposition to the department they are in.
The solution? It may be a department of cybersecurity separate from the IT department – one prepared to keep up with the changing nature of both cybercontainment and cyberdefense.