“There’s not a danger of a cyber Pearl Harbor… it’s more like the South Bronx circa 1999, where there’s a danger that it becomes such a tough neighborhood that no one wants to set up shop there and people move out,” Noah Shachtman, editor of the Danger Room blog at Wired magazine and non-resident fellow at the Brookings Institution, told an IPI audience at a panel on cyber security on May 3, 2012.
Speaking along with Mr. Shachtman were Andre DiMino of the Computer Crimes Unit in the Bergen County Prosecutor’s Office in New Jersey, and Jody Westby, CEO and Founder of Global Cyber Risk. The forum took a non-technical look into the world of malware.
Mr. Shachtman said that, “despite what you might read in the paper, or hear on radio or TV, there’s no such thing as cyber war. There may never be a thing called cyber war.” There is however, “a real, serious crime problem,” that amounts to tens of billions of dollars in profits annually, he said.
He said that cyber crime has become easier to commit over the years; it’s now cheaper to conduct—the market rate to infect 1,000 machines is $75—and there are more tools available as the variants of malicious software continue to grow significantly on a daily basis.
He compared today’s cyber threats to piracy in the eighteenth and nineteenth centuries. “Like piracy back then, it could be both a tool of the state… and also like then, cyber criminals seem to feel outside of the bounds of state control, outside of the laws, geographically remote. So what do you do with that?” he asked.
To tackle the problem, he said, “I do think you can see some of the lessons that are used to contain piracy that contain cyber crime.” He continued, “Today you see, with maritime piracy, although you see [piracy] off the Horn of Africa, you see a broad international coalition that has sought to limit it.”
Mr. DiMino said the key areas of cyber threats were cyber crime, “hacktivism” for political purposes, APT-targeted attacks and cyber espionage by states, industrial espionage, and a growth in mobile malware.
He said that the tactics and capabilities of adversaries are advancing at an asymmetric rate to our ability to detect and attribute them, saying that significant compromises have happened that haven’t been publicized.
“While [technical] solutions are a crucially important part of defense, a technical solution is only one component in addressing the problems of securing the Internet,” he said. “In my opinion, we don’t need new laws, we need updated and improved laws” that more clearly define cybercrime and improve law enforcement’s ability, he said.
Ms. Westby, a lawyer who works on these issues, said that the main actors are “rogue actors, organized criminals, and nation-states,” saying that “it’s almost the perfect crime, because they rarely get caught.”
In addition to profit-making criminal activity, cyber crime could be used to oppress civil rights. She cited the current example of Syria, where she said the government is “paying botmasters to use a botnet” to conduct “a phishing scam through webcams and Skype and email.” Using this information, they can hack into users’ webcams and then track down and persecute people who are anti-government.
She also said there is a lot of uncertainty over how many computers worldwide might be infected with malware. Because of this uncertainty, she said, “Maybe launching an attack is going to result in our destruction. We don’t know what we don’t know.” “When you have countries that have no cyber crime laws or have very weak cyber crime laws, what we have is the ability then for criminals to take advantage of that,” she said.
“We have a lot of work to do, and we really need some leadership around the world to advance the issue,” she concluded.
The event was moderated by Warren Hoge, IPI Senior Adviser for External Relations.