The internet is more dangerous than any of us knows. The New York Times recently highlighted the longstanding problem in figuring out how many and what sort of crimes occur in cyberspace: People largely fail to report them. According to the FBI’s Internet Crime Complaint Center, cybercrimes—the ambiguous grouping of illicit activities that includes everything from the facilitation of sex trafficking to comedic Nigerian prince phishing schemes to ransomware attacks targeting hospitals—may only be reported a mere 10 to 12 percent of the time.
The article rightly addresses the need for proper reporting so that those tasked with fighting crime—be they police or the FBI—have the necessary data to understand the scope and scale of crimes committed. Yet what the article fails to mention is that the issue of underreporting should be understood not just as a serious hindrance to combatting domestic crime, but also as an impediment to addressing national security threats.
In recent years, we have witnessed the rise of state-sponsored cybercriminals, such as the notorious Fancy Bear and Cozy Bear hacking groups linked to Russian military intelligence (GRU) and the Lazarus Group tied to North Korea. The Department of Homeland Security and the FBI report that North Korea has been attacking U.S. businesses in the media, aerospace, financial, and critical infrastructure sectors since 2009. While these groups have famously used hacking methods for espionage and to interfere in the U.S. political system, North Korean hacking groups in particular have been linked to cyber theft of foreign currency from banks and businesses. This theft is likely intended to compensate for the economic sanctions on North Korea’s illicit nuclear program.
State-sponsored cyber theft should be a particular cause for concern for those studying the underreporting of cyberattacks. Because such attacks have the same aims, either outright theft or the coercion of users via ransomware demands, a cybercrime that originates from U.S. territory may look the same as one from an adversarial state. As a result, the same disincentives for reporting non-state-sponsored cybercrime also discourage the reporting of state-sponsored cybercrime. For instance, a business seeking to report a security breach would have to reveal its cybersecurity weaknesses, which may lead customers to leave the business for a more secure competitor. This means that by reporting, a business could suffer not just one loss from the original attack, but a second loss from the wave of vanishing customers.
While businesses may have economic reasons not to report, the government depends on security breach reports to develop strategies for combating state-sponsored hacking groups. It needs that information to halt sanctions-evasion schemes, such as efforts by hacker groups to transfer stolen money to North Korea to prop up its nuclear programs. What’s more, having a clear picture of what these state-sponsored groups are doing better equips the U.S. government to undermine them before they escalate to actions with more serious repercussions, such as attacks on infrastructure that result in casualties.
The Federal government already requires banks to report cyber-theft information through the Suspicious Activity Reporting system for fraud that results in losses over $5,000 if a suspect is identifiable, or over $25,000 whether or not there is a suspect. In cases that incur smaller losses, the bank is not required to report the theft. Banks will generally refund money to individuals that suffer bank fraud. In such a case, a victim has little incentive to involve the police or FBI.
Likewise, hospitals also must disclose certain cyberattacks to the Department of Health and Human Services, though they do not have to make ransomware attacks public, as these don’t necessarily result in stolen patient data. Less-than-clear guidance from the Securities and Exchange Commission also calls for publicly traded companies to disclose material cyber risks and intrusions to investors, but the guidance doesn’t define the term “material,” leading companies to underreport cyber breaches. Perhaps most troublesome, there is no clear, general national reporting requirement to disclose cyberattacks against other types of private businesses.
There are potential problems with mandatory reporting. For instance, it may be better for a company to address a cyber breach quickly rather than focus on reporting requirements, and such requirements could impose yet another burdensome mandate on businesses. These drawbacks may make it unwise or politically infeasible to pass mandatory reporting. However, the potential benefits of reporting are such that the government should encourage businesses to regard reporting cybercrimes as a best practice, with the understanding that it will contribute to strong cybersecurity nationwide.
How can the government persuade businesses to voluntarily adopt this best practice? And how can it increase the incentives for businesses to report cyberattacks while reducing the disincentives?
The national security implications of underreporting, while problematic, could actually be a boon in convincing businesses to report cybercrime. By reporting these crimes, businesses may be able to help the U.S. government more effectively undermine illicit groups bent on injuring us. Convincing companies that they have a patriotic obligation to help combat the efforts of adversarial states, even if it sounds a bit hokey to some, may lead businesses to see theft as a larger attack on the country, not just a failing of their own security. The FBI can work with partners at the state and Federal levels, as well as with the Department of Homeland Security and the Secret Service, to raise awareness among large and small businesses alike of the fact that foreign adversaries are actively targeting them either to inflict damage on the United States or to prop up their own illicit activities.
The FBI can also make clear to businesses why solving the underreporting issue will fortify national cybersecurity. For instance, if businesses were more likely to report cybercrime, the government would be more capable of defining the scope of the problem and the impact of state-sponsored hacking groups. Reporting would also give the government a better idea of the range of cybercriminal targets, any patterns in the types of organizations subject to attack, and any novel methods of cybercrime it hasn’t yet seen. What’s more, the government may be able to better understand whether a given group of cybercriminals is working toward a broader goal of undermining U.S. interests, as the Russian internet trolls were during the 2016 election.
Businesses should be made aware that, as more companies report cybercrimes and give sufficient information to authorities, those authorities will become better equipped to attribute crimes to a certain group or particular cybercriminal. Current victims of cybercrimes may not believe reporting will lead to a solution to the crime, and in the current environment, they may be right—local police are ill-equipped to deal with cybercrimes that span jurisdictions and require technical sophistication. Believing that reporting any crime—including cybercrime—will do nothing to resolve the issue poses a significant deterrent to reporting. Altering that impression may encourage those businesses that are nervous about reporting to change their calculations.
The problem with attributing cybercrimes to certain criminals or state actors is, of course, that the same tools people use to remain anonymous online are the tools that allow bad actors to hide from authorities. For instance, certain tools allow hackers to “spoof” evidence; they can also borrow tools used by other well-known hacking groups to disguise the origin of their attacks. Yet attribution, while difficult, is becoming more feasible for the government, even with regard to sophisticated state-sponsored cyber actors. Director of National Intelligence James Clapper testified before the Senate Armed Services Committee in early 2015 that both the government and private sector security companies are making “significant advances” in attribution.
Certainly, attributing a cyberattack to a state or state-sponsored entity could push the attacker to adopt new methods, or attempt to find better ways to conceal its identity in future attacks. This may lead to an arms race of steadily increasing complexity in attacks and the U.S. defenses against them. In addition, efforts to “name and shame” a country for its bad actions could have repercussions for ongoing U.S. diplomatic efforts, so any public attribution requires a fairly high level of certainty and a great deal of forethought. Yet when possible, public attribution may serve to discourage states and state-sponsored entities. Research indicates that “naming and shaming” can positively alter other types of illicit behavior by foreign states.
In the case of cyberattacks, the U.S. government has already seen positive repercussions from its efforts to “name and shame” bad actors when prosecuting state-supported cyber hackers. In the wake of United States v. Wang Dong, where U.S. officials indicted five Chinese hackers for commercial espionage against U.S. nuclear power, metals, and solar industries, China and the United States agreed to forgo the state-supported “cyber-enabled theft of intellectual property.” While this has only partially reduced Chinese efforts to conduct commercial espionage in the United States, it has created a precedent both for developing an international norm against cyber-based commercial espionage and for future criminal prosecutions when the U.S. government detects state-sponsored espionage.
In addition to indicting Chinese hackers for espionage, the U.S. government has publicly attributed cyberattacks to hostile actors a few times in the previous years, including attributing the WannaCry ransomware and Sony Pictures Entertainment attacks to North Korea, the Democratic National Committee attack to Russia, and the Las Vegas Sands Casino attack to Iran. These actions are a step in the right direction, and not only for foreign policy—even small businesses might be encouraged to report cybercrime now that they see the government cracking down on these attacks.
Reporting cybercrimes on the business side, and attributing cybercrimes to specific illicit actors on the government side, may eventually cause cybercriminals to alter their calculations regarding the potential benefits of a cyberattack. And once our cybercrime-fighters are better equipped to understand the patterns and scale of cyberattacks, they will also be more effective at punishing cybercriminals (currently a difficult undertaking). In a deterrence-by-punishment scenario, a cybercriminal may be dissuaded either from committing the crime in the first place or from committing more in the future by the threat of painful or costly countermeasures.
As unappealing as it may be for businesses to report cyberattacks, they will find it less costly once more companies begin to do so. The U.S. government cannot eliminate cybercrime, whether by states or independent criminals. But it can encourage the best practices that will make the pickings slimmer and harder to reach for our online predators.
Image credit: Faizal Ramli