October, 2012

Tech and Law Center interviews Misha Glenny, an investigative journalist, author and broadcaster. He is one of the world’s leading experts on cybercrime and on global mafia networks. He has written McMafia, which was widely acclaimed for its dissection of criminal networks worldwide, and led to his 2009 TED Talk on the subject. He contributes regularly to the Guardian, Observer, The New York Times and New York Review of Books as well as specialist journals and books dealing with south-eastern Europe. His last book is “Dark Market: Cyberthieves, Cybercops, and You”.

Your last book is titled “Dark Market: Cyberthieves, Cybercops, and You”. The end of that title says “and you.” That implies that this is a problem that affects every one of us. Can you please explain to us why you decided to focus the attention on “us” as well?

Until now cyber security has largely been the domain of a very small elite. These are mainly people with advanced technical ability, geeks, or civil servants who are interested in security issues. As the world of cyber security has become more complex, so has our dependency on networked computer systems. The difference between cyber and something like nuclear, for example, is that in the cyber world all of us can access the Internet. This means that we are all potential vulnerabilities. In the nuclear world, you cannot access fissile material through individuals. You can in cyber. But very few people understand the nature of cyber security, the issues around cybercrime, and the issues around cyber espionage. I believe that this has to change. And so I decided to write a book which is not exclusively about the technical aspects of cyber security. Rather it focuses on the human aspects of this issue. I decided to research a number of criminal hackers engaged in the DarkMarket website, as well as the police officers who were investigating them.

The book is written like a thriller so that people who don’t usually engage with issues around cyber security would be able to find a way into this subject. My inspiration for this was the trilogy of thrillers written by the late Swedish author Stieg Larsson. When I discussed the use of computers in The Girl with the Dragon Tattoo, I noticed that people were not interested in the technology but instead in the character of the heroine, Lisbeth Salander. And it struck me that in cyber security almost all the attention is focused on technological aspects of the problem and virtually nothing is devoted to the study of the human aspect. So I wanted, as a writer, to discover a way of getting people engaged with the subject who normally wouldn’t care or would be too intimidated by the geek speak.

What do you think about the White House’s recent admission of responsibility in Stuxnet creation and in what is called operation “Olympic Games”? From your perspective and knowledge, which can be the consequences at the diplomatic level worldwide?

The admission by the White House that the United States and Israel were jointly responsible for Stuxnet marks a significant watershed in the issue of cyber warfare and cyber security in general. Essentially, it is the starting gun for the arms race in cyber outside of any regulatory framework. There has been a striking change in policy over the last two years on the part of western powers as demonstrated by the case of Stuxnet and its related family of viruses. Spooked by the amount of cyber attacks, particularly on commercial interests, that have been generated from different parts of the world during the past three years or so, the West has now decided to increase its deployment of offensive cyber capability. The problem here is that issues of cybercrime, cyber espionage and cyber warfare impact on other critical issues such as freedom of speech and the right to privacy. And as the United States, Europe, China and Russia attempt to come to an agreement over the regulation of the Internet in the military sphere, they discover that this has profound implications for issues such as freedom of speech and privacy. And what that basically means is that there is no agreement on the militarisation of the Internet. It is my belief that one of the consequences will be the breaking up of the global Internet into a series of giant intranets. Some countries such as China have already placed considerable restrictions or surveillance capacity over their part of the Internet. Iran, suffering from attack by Israel and the United States, has already announced that it will cut off its Internet from the rest of the world. Of course, if this type of response increases, it rather undermines the point of the Internet!

Do you believe there is a way to really curb the knowledge gap and misconceptions regarding the “hackers”? Which can be good practices in engaging with the young hackers more than prosecuting and punishing?

First of all I think it is worth noting that there is considerable confusion regarding the definition of the word “hacker”. Twenty, even fifteen, years ago the word hacker had a positive connotation. But nowadays the word hacker is invariably used negatively. Let us get one thing straight: a hacker is somebody with an advanced ability to explore networked computer systems and find their flaws. This ability can be used in good ways and in bad ways. In general hackers learn the skills while they are still in their early teens. This means that they have yet to fully develop their moral compass. And, as teenagers, they are curious and fascinated to explore the world around them. In the case of people with hacking ability that environment is the Internet and the computers attached to the web.

Our dependency on networked computer systems is now so extreme that we need all the hacking ability we can get. The challenge is to find those hackers and channel their remarkable skills for the good of society. At the moment, governments tend to deal with hackers who are caught in two ways. Either they are put to use by the state – this is particularly true in countries like Russia and China. Or they lock them up for a long time, which is more characteristic of Europe and the United States. There is no country which has a programme designed to facilitate the rehabilitation of hackers, but given that we have a severe shortage of the skills they possess throughout industry and government, I think we urgently need a new approach.

Furthermore, there is the complicated issue of the socio-psychological profile of young hackers. Although for the moment the evidence is anecdotal, there is a lot suggesting a high incidence of young men (primarily) who suffer from some form of spectrum-related disorder such as Asperger’s Syndrome. This is not to imply in any respect that sufferers from Asperger’s are prone to hacking – it is more complex. They generally display, along with specific behavioural patterns, varying skills and abilities, notably in Maths and Sciences. Combine this with the challenges that they face in developing real-life relationships, and the relative anonymity of the Internet offers them a safe environment to develop their skills.

There is a desperate need for properly funded research into this and other aspects of the human side of hacking culture. Currently, the cyber security industry spends annually some $100 billion worldwide and almost every cent is invested in expensive digital products that are designed to enhance the security of networked computers. Research into the culture of hackers and the human aspects of hacking is badly neglected but it must now start to embrace a wider range of disciplines – psychologists, anthropologists, political scientists, lawyers and more.

Regarding the possibility of reducing the threat from cybercrime, given that some of the countries from which cybercrime originates (China, Russia) are in strategic competition with Europe and the US, do you think it’s actually possible for our governments to work with them to reduce the threat?

This is, of course, a central question at the moment. In brief, the Pentagon has made clear that the US needs to maintain its superiority in cyber offensive capability. The Russians and the Chinese are prepared to invest considerable sums in catching up. But Beijing and Moscow also seek international agreements on the regulation of cyber to get the Americans’ and Europeans’ tacit consent for the extensive monitoring and content control that they impose on the web inside their borders. So essentially the motives of the great Internet military powers are irreconcilable. There is a key meeting taking place in December in Dubai when the International Telecommunications Union will be attempting to reach consensual agreement on the global regulation of the Internet. But this is very unlikely to succeed and certainly not in the first instance.

In the meanwhile, of course, all sides as well as some digitally well endowed countries such as Israel continue to develop and deploy malware and weaponry outside any regulatory framework.

Picking from your research, which changes and developments can you foresee in the near future regarding the cybercrime evolution, actors and countries involved? Which might be the “next big thing” to worry about?

This is an easier question in a way with the caveat that predicting behavioural patterns in cyber is a very risky business. But in the short-term, malware for mobiles is obviously going to be a boom area as people seem even less likely to pay serious attention to security on their mobiles than they do on their computers. Then, of course, we have to recognise that the Internet is spreading very fast and expanding in areas such as South America and Africa. Recently I had an extraordinary experience when one morning I spoke to a representative of the World Bank who hailed the development of broadband capacity in East Africa to be one of the greatest socio-economic advances for the region in years; in the afternoon I spoke to a cyber officer of the FBI who described the same thing as perhaps the greatest boost to cyber crime in years. Take your pick!

Do you think technology can be used not only by law enforcement but also by the general public to help prevent some forms of crime, such as corruption?

I think technology as a tool against corruption is a very exciting area but one which has yet to be fully explored. Some anti-corruption campaigners and indeed businesses have floated the ideas of introducing real-time monitoring of extractive commodities like oil or diamonds but they have met considerable resistance from the industries themselves. This is an area where I would personally welcome some research from the Silicon Valley (or anywhere else for that matter) so we could see some of the extraordinary creative energy from the hi-tech industry being channeled into something, corruption, which is a profound blight on the global economy and which is an accelerator of major crimes.

McMafia touches on the fact that many governments, notably that of the United States, have diverted precious resources away from crime control in order to address the threat of terrorism. As far as you know, is it still the main focus of Government spending?

Yes – I’m afraid anti-terrorism programmes are simply more valuable for political PR than the equally difficult but often more destructive industry of organized crime. There are many reasons for this, none of which are likely to change any time soon.

Since crime has now become globalized, where should we concentrate our efforts for improvement? No one country or even region has enough power to effect change. What kind of global governance should people be agitating for?

This works on two levels. There is the policy level, and there is the operational level. The policy level is more complicated because it affects so many areas of governments. Let us take one example - the banking industry and in particular off shore company registration. It is still possible to set up shell companies to channel money through without revealing who the true beneficial owner of those entities is. Such facilities do not exist because organized crime syndicates want them to but because large corporations and many governments find them useful to mask some of the murkier business transactions they are involved in (either because they are morally dubious or illegal or facilitating tax evasion). Criminals simply make use of a facility that policy makers in the licit world refuse to confront, usually because they are in thrall to the lobbying of big corporations. We have seen this in action during the interpretative discussions at the Securities and Exchange Commission (SEC) in New York with regard to the Dodd-Frank Act which Congress passed to ensure greater oversight in Wall Street. One part of the Act deals with transparency in the extractive industries which, if implemented, would go some way to reducing the opportunity for the sale of commodities like so-called ‘blood diamonds,’ or ‘bunkered oil’. Several major corporations have spent over $100 million in lobbying fees to block the maximum transparency measures from being implemented. This is a practical demonstration of how anti-corruption measures are vital in combating both corporate or government malfeasance as well as organized crime.

On the operational level, law enforcement agencies are still faced with the age-old issue of trust both within their own countries and with their counterparts from across borders. In cyber crime, we have recently witnessed a very interesting development in Europe where Europol has been named as the lead operational agency for cyber investigations. Until this decision, Europol was essentially a data gathering agency, pooling information from across its members. Legally, it was extremely limited in what it could do regarding sharing that information with individual police forces for investigations. But in its new role, Europol is now something quite dramatic – the first trans-European police force. Much depends on Europol’s ability to manage this but if successful it could become a very interesting model for future policing in larger confederal areas.

In your experience, how big is the threat represented by cyber espionage and how can it affect the balance among States?

The threat exists but it can be exaggerated in the sense that there is much that a security conscious civil service or military can do in order to limit the damage inflicted by espionage. The habit of keeping sensitive data offline is central to the rational management of data and risk reduction. Most data held by companies and institutions is not sensitive in any respect and so who cares whether this material is stolen or not! Nonetheless, the pervasive culture of espionage on the web must result in a slowing down of efficiency in business and government. And of course until sensible cyber security and data risk management become established for companies and government agencies, there is also the very real possibility that serious damage can be done to national or corporate interests around the world.

In a recent article you mentioned the Royal Bank of Scotland case, arguing that banks and big corporations should declare when they are victims of hacking, explaining as well the possible vulnerabilities in their system. How do you envisage this type of sharing and exchange of information? Do you think it should be made through public statement or directly to the interested clients only?

If companies were to agree to a policy of disclosure, they would understandably need reassurance that their anonymity would be guaranteed. The point of this is for government to understand what is going on with regard to coordinated cyber attacks against itself and industry. It can then develop its policy accordingly. There is also, however, anecdotal evidence that in some industries, companies who admit to having been breached, are honest about what was attacked, why and what the implications are, and then explain what they are doing to remedy the vulnerabilities of their system, actually go up in the public’s estimation for their honesty and for projecting a sense that they are taking the matter seriously.