Tuesday, July 14, 2009

The Social World of Cyber Crime

No one has a greater interest in the integrity and safety of the Internet than the companies that provide the technologies for its infrastructure. Cisco probably leads the pack among those companies and has probably done so since "Internet" became a part of everyone's working vocabulary. Unfortunately, the safety of the Internet will never be strictly a matter of technology, which is why I have always valued Udi Manber's metaphor for safeguarding against abusive and criminal practices on the Internet as an arms race. Just as Edsger Dijkstra used to say that program debugging techniques only work for the bugs that have been detected, technologies for Internet safety only work for known abuses. Every time such a technology is deployed, malefactors across the network take it as a challenge to come up with circumventions through which they can continue their activities. The Internet itself may be an objective technology artifact, but the aggregation of all of its users constitutes a complex social world that we barely understand. We are reminded of this practically every day with news reports of events such as the recent Facebook "exposure" of the newly appointed head of Britain's MI6 intelligence operations.

In such a setting, which is as complex as it is disquieting, there is little comfort when a company like Cisco makes naive statements about the problem. Unfortunately, this seems to have been the case when BBC Technology Reporter Maggie Shiels decided to file a story from Silicon Valley about the current "state of the art" of cyber crime. It was clearly important that Cisco have a say in this story; I just wish they had sounded a bit more serious about the task in saying it. Here are some opening paragraphs from Shiels' story:

Networking giant Cisco said online criminals were increasingly using proven business practices.

In its mid-year security report, Cisco said this new approach puts the bad guys way ahead.

"When your enemy is financially motivated you have to be on alert," said Cisco fellow Patrick Peterson.

"Capitalism is a powerful force and these criminal types are collaborating with one another and sharing resources, renting out botnets and forming alliances."

He pointed to the popular model known as "software as a service," or SaaS, where a provider licences an application to a customer for use as a service on demand via the web saving costs for the user.

He said cyber-criminals were increasingly acting like virtual MBA (Master of Business Administration) students.

The naïveté begins almost immediately with a vacuous statement about financial motivation. There are, of course, plenty of Internet users not interested in making money; but my guess is that they are in the minority. Furthermore, the history of malfeasance has always been about getting control over some resource or another; and, as Niall Ferguson has pointed out, money is just the most convenient abstraction for controlling those resources. That the "bad guys" on the Internet are "financially motivated" is, as we used to say at MIT, insight into the obvious.

Such obvious observations continue with the "discovery" that those "bad guys" are "forming alliances." There may never have been honor among thieves, but alliances are seldom held together by matters of honor. Even the idea that those alliances are based on "business practices" is hardly anything new. What, after all, was it that made "organized crime" so "organized" in the first place? Indeed, it may have been the premise that criminals could be as good at business practices as "legitimate" businessmen (using the masculine form for the sake of historical accuracy) that threw J. Edgar Hoover into almost apoplectic denial that "organized crime" could exist at all. If Hoover's denial did not encourage the growth of organized crime, it certainly did not impede it. The thought that Cisco is now making the same mistake about cyber crime that Hoover had made is, to say the least, chilling.

The cherry that tops the sundae, however, is that observation that the new criminals of the Internet are "increasingly acting like MBA students." Has it occurred to Peterson that the simile may not have been necessary? Given the current unemployment conditions coupled with the rate at which universities are still cranking out new MBAs, I doubt that it would surprise anyone that some of the most successful cyber criminals are MBAs or hold other equally prestigious advanced degrees that currently offer no advantages in finding "legitimate" work. Furthermore, these are people who have grown up in a Hollywood culture of narratives about smart people who, for one reason or another, are not "making it in the system" and succeed in turning against that system. (Remember, also, that the collection of Ken Auletta's profiles of the first generation of Internet-based entrepreneurs was entitled The Highwaymen.) Willie Sutton robbed banks because that is where the money was. These days most banks seem pretty feeble compared to the money that can be harvested through the Internet; and, as we are reminded almost every day, the line between legitimate and criminal practices is far from well defined.

For better or worse, every one of us who makes any use of the Internet is dependent on Cisco technology. Those of us worried about such things as safety should not be encouraged by Shiels' report. Hopefully, this only reflects that she did not do a particularly good job in preparing it, preferring what she thought were cool sound bytes over navigating more complex explanations about security. If this is not the case, then it may be time for Cisco to restore our trust (which is really all we have) that they really are concerned with protecting us from criminal activities perpetrated over the Internet.

No comments: