Report

Pirates of the ISPs: Tactics for Turning Online Crooks Into International Pariahs

Noah Shachtman

Executive Summary: At the beginning of the 19th century, piracy was an ongoing threat and an accepted military tactic. By the end of the century, it was taboo, occurring solely off the shores of failed states and minor powers. The practice of hijacking did not vanish entirely, of course; it is flourishing now on the world’s computer networks, costing companies and consumers countless billions of dollars.

Cybercrime today seems like a nearly insoluble problem, much like piracy was centuries ago. There are steps, however, that can be taken to curb cybercrime’s growth—and perhaps begin to marginalize the people behind it. Some of the methods used to sideline piracy provide a useful, if incomplete, template for how to get it done. Shutting down the markets for stolen treasure cut off the pirates’ financial lifeblood; similar pushes could be made against the companies that support online criminals. Piracy was eventually brought to heel when nations took responsibility for what went on within their borders. Based on this precedent, cybercrime will only begin to be curbed when greater authority—and accountability—is exercised over the networks that form the sea on which these modern pirates sail.

In this new campaign, however, private companies, not governments, will have to play the central role, as Harvard’s Tyler Moore and others have suggested. After all, the Internet is not a network of governments; it is mostly an amalgam of businesses that rely almost exclusively on handshake agreements to carry data from one side of the planet to another. The vast majority of the Internet’s infrastructure is in the hands of these 5,000 or so Internet Service Providers (ISPs) and carrier networks, as is the ability to keep crooks off that infrastructure. If this relatively small group can be persuaded to move against online criminals, it will represent an enormous step towards turning these crooks into global pariahs.

The most productive thing ISPs can do to curb crime is put pressure on the companies that support and abet these underground enterprises.

Currently, registration companies sell criminals their domain names, like “thief.com.” Hosting firms provide the server space and Internet Protocol addresses needed to make malicious content accessible online. But without ISPs, no business, straight or crooked, gets online. A simple statistic underscores the ISPs’ role as a critical intermediary: just 10 ISPs account for around 30 percent of all the spam-spewing machines on the planet.

ISPs are well aware of which hosting companies, for example, are the most friendly to criminals; lists of these firms are published constantly. But, currently, ISPs have little motivation to cut these criminal havens off from the rest of the Internet. There is no penalty for allowing illicit traffic to transit over their networks. If anything, there is a strong incentive for maintaining business-as-usual: the hosting company that caters to crooks also has legitimate customers, and both pay for Internet access. So ISPs often turn a blind eye, even though the worst criminal havens are well-known.

That is where government could help. It could introduce new mechanisms to hold hosting companies liable for the damage done by their criminal clientele. It could allow ISPs to be held liable for their criminal hosts. It could encourage and regulate ISPs to share more information on the threats they find.

Government could also encourage more private businesses to come clean when they are victimized. Today, just three in ten organizations surveyed by the security firm McAfee report all of their data breaches. That not only obscures the true scope of cybercrime; it prevents criminals and criminal trends from being caught earlier. Government can alter that equation by expanding the requirements to report data breaches. It could require its contractors to purchase network security insurance, forcing companies to take these breaches more seriously. And it can pour new resources into and craft new strategies for disrupting criminals’ support networks. These steps will serve as important signals that America will no longer tolerate thieves and con artists operating on its networks. After all, 20 of the 50 most crime-friendly hosts in the world are American, according to the security researchers at HostExploit.

As the United States gets serious in curbing these criminals, it can ask more from—and work more closely with—other countries. China, for instance, sees itself as the world’s biggest victim of cybercrime, even as it remains a hotbed for illicit activity. Not coincidentally, China is also only partially connected to the global community of ISPs. Dialogues to bring the Chinese closer into the fold will not only make it easier to marginalize cybercriminals; they will also build momentum for broader negotiations on all sorts of Internet security issues.