The Rise of the Hacker Industrial Complex

What does it look like to commit a cybercrime? My guess: You’re probably conjuring up an image of some tech-savvy 20-something trawling the “dark web” in a dimly-lit basement.  

But at New America’s Cybersecurity conference on Monday, Niloofar Howe, chief strategy officer and vice president of RSA, dispelled that image. During a discussion on the new place of hackers in the global economy, the audience watched in awe as Howe, live on stage, did a simple search on Facebook to show us how easily she—and anyone else—could access someone’s stolen credit card information on social media. (And just for good measure, she showed us again, the second time on Twitter.)

This was key to her argument: that anyone can be a hacker nowadays, and that anyone can profit from these crimes, such that it’s now morphed into an “industrial complex.” Or in other words, the widespread use of the internet, and the proliferation and democratization of data, has let cybercrime become accessible to all.

Recent numbers indicate that 1.86 billion people use Facebook monthly. Out of a world population of roughly 7.5 billion, that’s nearly 25 percent. Those 1.86 billion people have all put their personal data into their Facebook accounts, locking it away behind passwords that often offer insufficient protection, to say nothing of the millions of users on other forms of social media, such as Twitter. Beyond simply social media, we also put our credit card data into companies like Amazon and PayPal, and even into the ever-expanding “internet of things” that governs our everyday lives. As we do so, we continue to put our faith in networks that are increasingly difficult to protect. Devices ranging from voice-activated AI speakers to refrigerators all connect to the internet, and have little protection from malware.

Protecting a network is a full-time mission. The proliferation of hacking knowledge and technology means that networks are under constant fire—which presents a unique problem, according to Howe: Defenders are required to be right every time, while hackers only have to be right once. When trying to defend a system, it’s necessary to anticipate and block every attack that comes in. When trying to break in, hackers send thousands of attacks to wash against the network’s defenses—but only one needs to succeed. To make things worse, hackers often know the network better than we do.

The same forces that democratized information on the internet have democratized the technology needed to exploit it. Howe explained that the attack chain process has been completely crowdsourced. She laid out several steps in the attack chain, each of which demonstrates a different skill needed to learn the network, infiltrate, install tools, and exploit the system. While this was once a difficult hurdle for hackers, it's now possible to work with a different person or organization every step of the way. With many hands now on the trigger, pinning down one culprit is nearly impossible. Even worse for victims of cyberattacks, retribution is almost unheard of. Worldwide, the rate of prosecution is less than 1 percent.

Beyond the ease with which hackers can outsource the attack chain, they also no longer need to let such things as skill get in the way of committing a cybercrime. Malware, and the tools needed to use it, are readily available for a modest fee. For example, the Mirai botnet, which was part of a massive denial-of-service (DDoS) attack in October 2016, sells its bots at around ten cents apiece. While this would add up when purchasing hundreds of thousands of bots, it would still be a manageable price for someone who could stand to profit off such an attack (or alternately, someone using a stolen credit card off Facebook or Twitter).

In addition to such a democratic model of access, the tools available are more sophisticated than ever before. Technology that individual hackers use now was available to countries only a few years prior—today, it’s readily in the hands of cybercriminals. Even an otherwise unskilled hacker can perform phishing attacks using simple ransomware, which would lock a computer’s data until the right price was paid. The Mirai botnet was innovative in its method of operation, leading to its rampant success last year. Instead of using computers like other denial-of-service botnets, it uses those “internet of things” devices that we pour information into. Harder to secure, and more difficult to detect when infected, these cameras, routers, and other “smart” devices are providing easy targets for widespread infection.

Our sweeping acceptance of smart devices, which let the internet become a part of our daily lives, has made cybercrime a lucrative business. Howe concluded her talk by showing the audience professional-looking websites that offer bespoke hacking services and even customer support. Need a stolen credit card? There’s a hacking website for you to patronize. If you want to use that credit card without raising any suspicions, there are step-by-step instructions to teach you how to do just that. Make sure to call the customer service hotline if you’re not sure how to use your 50,000 bots to make a DDoS attack.

The factors that make hacking so easy—cheap yet sophisticated technology, inefficient prosecution, and readily available data—allow hackers to turn a profit and coalesce into what Howe calls the “hacker industrial complex.”