- Neil Hare-Brown
Fighting Cybercrime with Regulation
Is it just me or is the world going crazy? The current scourge of cybercrime is a bit of a blight on the copybook of many governments around the world whose citizens and businesses are suffering enough with COVID-19 to have to experience life-changing losses due to cybercrime. People are losing their livelihoods, houses, and life savings. Businesses are losing their reputation and revenue; some are literally going to the wall.
Whilst law enforcement fights valiantly with the limited funding they have, they operate in a world where the good guys are bound by national [and limited international] law and powers. Meanwhile, in a vastly different world, the cybercriminals operate with impunity. In their world, jurisdictional borders simply don't exist. Victims can be found anywhere and there is relatively little chance they’ll be caught, let alone convicted.
Many people, even cybersecurity professionals, think that responsibility for addressing this dire situation is that of the potential victim - they need to protect themselves. In the case of business, they need to protect themselves and protect others who entrust their data and money to them. I don't think anyone would disagree with this; however, the potential victims have limited capability to prevent the juggernaut of global organised crime.
Whilst they have been largely ineffective in regulating sufficiently to make a positive change to business security, governments have at least recognised that something needs to be done. However, data protection/privacy laws (and in a few cases critical infrastructure laws) seem improper tools for the job. This recent article by Mashable, explains the scale of the problem of unauthorised access to global social media platforms and the much broader need to make online security much more reliable for citizens and businesses.
However, it seems to me that there are areas where effective regulation would make a significant, even game-changing difference to the levels of cybercrime we are currently witnessing. Yet those who can legislate for such changes to save their citizens are simply not being active enough. Here are a few suggestions that will make a measurable impact on online cybercrime and fraud:
Cybercrime-Stopper #1: Regulate domain registration services. Cybercriminals are running roughshod over services where they pay as little as 1 cent to register a domain - they buy thousands and use these in many different attacks. We need both national and international laws and regulations to immediately outlaw the bulk domain registration service. We need to tax domain name registration so much that it keeps the cost of registering a domain still reasonable for small business, but unfeasible for many cybercriminals. Those who wish to register a domain should be authenticated with a reasonably high degree of due diligence. ‘Whois’ records should not be obfuscated unless owners are authenticated and pay an additional fee. A scaling system must be adopted so that businesses in developing countries are not disadvantaged and online business continues to grow. But in any case, there should be a high bar to pass to register a new domain; a bar that legitimate organisations can reach but cybercriminals cannot.
Domain name registration needs to be completely remodelled from the legacy, frictionless and ridiculously low-cost service, to one of integrity, dependability and higher cost. New models should force re-registration, even before expiry, on bulk domain purchasers to significantly reduce the ability for cybercriminals to leverage their domains for harm.
Cybercrime-Stopper #2: Force MFA/2FA on mainstream cloud service providers and those who offer online purchasing. We all know that it is far too easy to phish passwords. Password strength makes no difference to a phish because most users use the same password for many – if not all of their online accounts, it makes it a breeze for cybercriminals once they steal credentials, to compromise many systems. Whilst multi-factor authentication is not perfect, it is still a serious impediment to online crime. Many cyber insurers now understandably require businesses to implement MFA/2FA before they will consider covering them. For some inexplicable reason known only to the captains of digital industry, they are not applying MFA by default. I can only assume that they consider the security of their users as subordinate to their drive to onboard as many users with as little friction as possible.
As a result, it is necessary for regulators to step in with mandatory baseline security rules and meaningful penalties for those who do not implement MFA by default and severe penalties for online service providers who do not even offer it. Although not yet comprehensive, I applaud the work of https://twofactorauth.org/ in listing those sites who support this good security practice.
Cybercrime-Stopper #3: Improve Default Security in Network Operating Systems. When it comes to resilience against attack, I am afraid that network operating systems are still in the dark ages. Too much focus on NetOps and not enough on SecOps. All bells and whistles aside, Network OS; even all OS, should have a degree of data and activity awareness baked-in. Suggestions would be: file copy control, fixed default logging, dual control over administrative tasks - including account creation, detection/blocking of unauthorised encryption operations, limiting admin account sessions and forcing MFA on their use. Come on OS suppliers, raise your game! Come on Governments, force them to raise their game - do not procure from them unless they do so. Protect your citizens and businesses.
Cybercrime-Stopper #4: Enact global laws on Cybercrime. Whilst there has been some progress on improving the laws against cybercrime, one of the reasons it is the 'crime of choice' for many criminals (who are turning to it in droves) is because, for the criminal, it is a low risk activity.
Of the 17,600 cases reported for computer hacking in 2019, only 57 led to prosecution (source RPC) and whilst UK police expertise in this area is among the best in the world, it simply costs too much to bring cybercriminals to justice in the current legal landscape.
Much cybercrime law is too jurisdictional and restricted by international hurdles. These need to be broken down and, for countries who fail to comply with internationally agreed law and cooperation, harsh sanctions should be imposed. In support of this, an international fund must be made available to reward law enforcement officials in non-compliant jurisdictions, for assisting with international investigations. The UN has a huge role to play in such an activity.
Cybercrime-Stopper #5: Cybercrime needs harsher penalties. At the moment, another one of the attractions for organised cybercrime is that even if they do get caught, the penalties are not harsh enough. Cybercrime is an example of a new type of crime, where victims are harvested at rates hitherto not possible with more traditional crime. The punishment needs to fit the crime. It should be usual for cybercriminals to receive sentences that are aggregated according to the scale of their crimes and numbers of victims. Frankly, such victims do not get justice any other way. Thus, a life sentence (with no internet access) should be a common stretch for a life of cybercrime and criminal fraternity should be aware that they are risking life in a cell.
Cybercrime-Stopper #6: Cryptocurrency needs significantly better regulation. It seems crazy to me that various cryptocurrencies can be so easily used by criminals to steal, mix, launder and distribute stolen funds. Financial regulators in many countries and internationally are really letting us all down. They must know that the fight against money laundering traditional fiat currency is one they have been regularly losing. The lack of accountability in fiat currency systems (from account operation to transaction) means that they are flawed and vulnerable to money laundering. Enter cryptocurrency and the blockchain - an immutable record of transactions. So, one might think that strict regulation of cryptocurrency exchanges, especially those trading cryptocurrencies preferred by cybercriminals (Monero, ZCash et al) would put a sizeable dent in money laundering and cybercrime. One particular focus, for instance, would be strict monitoring of all wallets with defined fiat accounts. All cybercriminals need to cash out at some point.
These are just a few (perhaps radical) suggestions to what IMHO is needed to address the current scourge of cybercrime. Whilst governments in many countries have certainly raised their game in the fight; they are not thinking in a way which is revolutionary enough to take back the high ground from what is now a multi-billion-dollar criminal industry. Appreciating the harsh reality and reacting with sufficient moral energy to make the paradigm shift needed to combat cybercrime effectively and give true support to business, consumer and citizen alike is what governments and digital industry now need to do. I appreciate that lobbying from online service providers and traditional financial businesses may be hard to resist, but there is no doubt that their current business processes enable cybercrime. The current status quo is unacceptable to modern society. We need action.