Traditionally, defense in cyberspace has been based on the “Risk equation,” a loosely calculated product of Vulnerability, Asset value and Threat. Vulnerability means the degree to which computing infrastructure is exposed to intruders. Asset value represents the importance of information to an organization and its constituents. Threat is a subjective assessment of the danger posed by intruders, capturing their intent and capabilities. Defenders “calculate” the product, R, representing overall Risk, as R = V x A x T. Purists note that this “equation” is not helpful in terms of producing a numerical value. Rather, the benefit derives from the observation that if one can reduce V, A, and/or T, then R will decrease accordingly.
Network defenders tend to concentrate on V, the vulnerability of computing infrastructure and information, because it is the part of the risk equation that they can influence directly. Patching flawed software, deploying security controls and implementing better processes will decrease V. Business operations have the greatest effect on A, or asset value. It is difficult to reduce the value of the data created, processed and stored by an organization, although initiatives to eliminate the need for processing credit card numbers can indeed reduce A. Where does that leave T, threat? Is it possible to decrease T, and thereby decrease R, Risk?
Threats take many forms. In 2013, news headlines featured stories about Chinese hackers, leaks of classified information by insiders and varying degrees of “cyber war” by international actors. In 2014, however, criminal organizations appeared to take the lead. Commercially-motivated hackers stole credit card and other personal data from prominent retailers, financial institutions and other organizations. A common thread woven throughout last year’s stories was the use of malware, or malicious software, to accomplish the hackers’ goals.
Although malware is a tool, and not a threat itself, it does enable threat actors to accomplish their objectives. Malware transforms an actor with malicious intent, but little to no capability to inflict harm, into a threat who can accomplish his objectives. By buying, repurposing or stealing malware written by skilled programmers, even low-skilled intruders can punch above their weight in cyberspace.
The question for those concerned with network defense, then, is how many of these highly skilled malware authors are there, and where are they located? Are they within the reach of law enforcement, such that their arrest and prosecution could reduce the Threat component of the Risk equation?
In an October 2014 interview on the BBC’s Tech Tent radio program, Troels Oerting, then-director of the European Cybercrime Centre at Europol, offered an insight into the malware production ecosystem. He stated that when it comes to malware authors, there are “around 100 good programmers globally right now… We roughly know who they are. If we can take them out of the equation the rest will fall down.” Oerting added that “it’s downloaded by all kinds of criminals that could be Western European criminals and Eastern European criminals or African or American criminals, but the majority of the kingpins seems right now to be located the Russian speaking area. It’s not all from the Russian federation, but it’s all Russian speaking.”
Oerting’s assessment paints the cyberinsecurity problem in a different light. Pundits are often quick to point their fingers at companies that lose personally identifiable information to hackers. Some even criticize users for falling victim to phishing emails or other scams perpetrated by computer criminals. Few critics, however, direct their ire towards those facilitating these crimes: the malware authors who make money selling their software to criminals of all kinds, worldwide.
Security professionals have assumed that there must be thousands or even tens of thousands of these malware writers. With millions of malware samples discovered every year, affecting many millions more computers and users, the scale of the problem seems so large as to defy mitigation. Feeling helpless to reduce the threat, enterprise and consumer users turn to patching devices, deploying security software, and trying other processes and programs that have continued to yield questionable results. While these measures are helpful, perhaps they need not consume defensive strategy.
Rather than continuing to pour resources and manpower towards reducing vulnerabilities, defenders should direct efforts towards the threat. Law enforcement at the local, state, national and international levels should receive the support they need to identify, prosecute and incarcerate the “around 100 good programmers globally” at the center of the malware ecosystem. No one expects a stronger law enforcement program to completely eliminate the global malware factory. Other programmers will step forward to create new malicious software. However, the return on investment likely to be realized by increased law enforcement activity will dwarf that of similar resources applied to traditional government security programs.
Even if one accepts the argument for nudging cyberdefense towards more threat-centric approaches, is it reasonable to expect law enforcement to be able to arrest and prosecute the 100 or so key malware authors? A recent case demonstrates that it is possible to reach criminals located in uncooperative locations, such as the Russian Federation. Recent news reports describe the 2012 arrest of two Russian hackers, Vladimir Drinkman and Dmitriy Smilianets, while the pair vacationed in Amsterdam. After the FBI observed Smilianets posting pictures of himself in Amsterdam on Facebook, federal agents worked with their Dutch counterparts to arrest him and his friend Drinkman. In late January 2015, a Dutch court ruled that it would extradite Drinkman to the United States. Smilianets is already awaiting trial in New Jersey.
Instead of seeking so-called “game-changing” technologies or creating yet more “best practices” for enterprise and consumer defense, governments should equip and authorize their law enforcement communities to target and mitigate criminal malware writers. What makes more sense: expecting the two billion Internet users worldwide to adequately secure their personal information, or reducing the threat posed by the roughly 100 top-tier malware authors? It’s time to make it less attractive to be a malware kingpin.