Industry Of Anonymity: Inside The Business Of Cybercrime
Author: Jonathan Lusthaus
Cambridge, MA: Harvard University Press, 2018. 289p.
Reviewer: Peter Grabosky | January 2019
At the beginning of the digital age, the archetypical computer criminal was a “lone wolf” hacker who did it for kicks, or for attention. Individuals such as Kevin Mitnick became folk heroes, or folk devils, depending on one’s perspective. Soon enough, like-minded individuals working in concert began to enjoy the fellowship of collective mischief-making, and lived by the catchcry that “information should be free.” Organized cybercriminals set about “liberating” intellectual property, primarily for bragging rights rather than for personal enrichment.
As the take-up of digital technology grew exponentially, the wealth to be gained from legitimate electronic commerce became increasingly apparent. Fortunes were made by astute entrepreneurs. Just as night follows day, the principle that crime follows opportunity was no less apparent to criminals than it was to criminologists. So it was that the scale and complexity of cybercrime grew to resemble that of e-commerce itself. Willie Sutton’s observation that banks are “where they keep the money” became equally applicable to cyberspace. There are still lone adventurers lurking out there, but much cybercrime today is, quite literally, big business. Cyberpunk values have been eclipsed by sophisticated business models. It is this profit-driven cybercrime that is the focus of Lusthaus’s interesting book. The book is not intended to be comprehensive of all types of cybercrime, or of all cybercriminal organizations. It does not deal with matters relating to child exploitation, or to offensive cyber operations by nation-states (Sanger 2018). It is focused on economic crime, primarily on the criminal exploitation of commercial systems, as targets themselves, or as instruments of criminal enrichment.
Initial scholarly attention to organized cybercrime took the form of description. This was presented in collections of war stories, then later took the form of typologies based on crime type and basic organizational form. Most recently, academic analyses have focused upon the structure and dynamics of organized cybercrime. Lusthaus shows the reader that large-scale cybercrime today is the work of organized professionals. In essence, it reflects the division of labor among specialists. His intriguing analysis reveals that organized cybercrime tends to mimic the structure and practice of legitimate e-commerce. One sees ordered marketplaces that have been organized to smooth the progress of business-to-consumer or consumer-to-consumer transactions. Unlike markets for legitimate products, these “dark markets” exist in order to facilitate exchange of illicit products such as malware, stolen credit card details, and drugs, as well as services such as distributed denial of service attacks. They may also offer escrow services that provide assurance to parties engaged in purchase or sale. Products may be rented, their use governed by licensing agreements. “Help desks” assist consumers in the use of one or more products, and consumer satisfaction ratings may be available for particular vendors and merchandise.
The book is based on 238 interviews, conducted around the world over a seven-year period with current and former law enforcement officials, IT professionals, cybercriminals, and other knowledgeable individuals. It comprises eight chapters. Following on from the book’s general introduction, Chapter Two maps the historical trajectory of cybercrime from the lone wolves of the late 20th century to the industrialized environment of today. The chapter provides useful historical background and a good literature review. The following chapter discusses the characteristics of contemporary organized cybercrime: its sophistication, specialization, and corporatization. Chapter Four discusses nicknames and identity, introducing one of the fundamental dilemmas facing commercial cybercriminals today: balancing the need for anonymity with the imperative of managing one’s brand. Two following chapters discuss how, faced with this paradoxical constraint, cybercriminals cooperate online, and offline, should they choose to do so. Reputation is critical. Key issues here include the building and maintenance of trust, and how breaches of trust are handled.
There is not always honor among thieves, in cyberspace or on the ground. In terrestrial space, the penalties for crossing a criminal competitor can be fatal. Lusthaus notes that the resolution of a cyber-dispute may not lend itself to the most extreme tool of terrestrial social control: the use of physical violence. As an alternative, mechanisms of private governance have emerged, particularly in online markets, where administrators create rules and police them, often with the help of buyers and sellers. Here again, one sees analogues with self-regulation of licit markets. Further afield, there are other ways of making an adversary pay for their transgressions. Lusthaus reports that Nigerian cybercriminals have been known to put a voodoo curse on those whom they regard as transgressors.
One does not immediately associate terrestrial organized criminals with high technology. But as digital technology becomes increasingly pervasive, indeed democratized, its use by conventional criminals will increase. By now, most criminals are familiar with technologies of encryption. Payment processing companies may tailor services to criminal customers. Criminal organizations themselves may function as internet service providers. Specialized expertise is available for particular jobs. Drug traffickers have engaged chemists and logistics specialists. Communications engineers and other “geeks” are now in on the act. Lusthaus observed that terrestrial thieves have engaged technicians to disable alarm systems. Of course, as we continue further into the digital age, “ordinary” criminals will become even more technologically literate.
An unsurprising, but nonetheless significant finding is the under-representation of females in the world of organized cybercrime. Thus far, the involvement of women in commercial cybercrime has tended to be limited to “cashing out” in furtherance of money laundering or ATM fraud. This seems likely to persist, as long as women remain relatively disinclined to pursue studies in science, technology, engineering and math.
Another common refrain noted by Lusthaus is the limited capacity of police to cope with the volume and complexity of sophisticated commercial cybercrime. Although this has been a fact of life since the dawn of the digital age, one cannot help but note the many successes that have been achieved, often as a result of complex cross-border investigations by law enforcement agencies of multiple countries. The control of commercial cybercrime is certainly easier said than done, but it is to some extent manageable.
State actors are accorded less attention, presumably because state and state-sponsored cybercrime tend to entail espionage and sabotage rather than revenue enhancement (the recent activities of North Korea being an apparent exception). Similarly, little attention is accorded child exploitation, presumably because greed as an explanation for criminality tends to be subordinate to other motives. Perhaps future scholars might productively engage in systematic comparisons of criminal organizations with different raisons d’être.
As is the case with life in general, cybercrime is characterized by porous distinctions. Hybridity confounds simplistic dichotomies of state/non-state, licit/illicit, virtue and vice. To his credit, Lusthaus does note the significant involvement of the Russian state in organized cybercrime. The pervasiveness of corruption in Russia is such that the state commonly serves as protector of cybercriminal organizations, so long as criminals focus their attentions on targets outside of Russia. As is the case in terrestrial space, protection can entail tipoffs of impending operations, or the subversion of ongoing investigations.
It is a fact of life that many commentators view the world in Manichean terms. Fortunately, cybercrime helps us think beyond the simple dichotomy of Good vs Evil; the concept of “gray hat hackers” is illustrative. It is hardly astonishing to learn that there are some otherwise reputable businesses that engage in questionable conduct.
The book should appeal to an informed lay readership, as well as to academic specialists. Two lengthy appendices include a listing of interview subjects (by alias), and a detailed discussion of sampling, methods and ethical considerations. The latter will be very instructive for students. Lusthaus also discusses alternative data sources. His reassurance that lack of statistics is no impediment to quality research should encourage those who would otherwise be dismayed by the abysmal state of statistics on cybercrime. He points to some significant sources of useful information such as indictments, at least in US federal courts. These are generally available online and contain a wealth of detail about the structure of criminal enterprises that have been identified and investigated by US authorities.
Acutely sensitive to his ethical obligations, Lusthaus uses pseudonyms and codes to refer to his subjects and to attribute quotes or other insights to them. At one point, in referring to a common platform used by cybercriminals, he cites his informants as follows: “(US-LE-2, UDL-CSP-1, NLD(E)-CSP-1, US-(F)LE-1).” Such alphabetical parades tend to be rather distracting, and one wishes that the editors had devised a more reader-friendly system of attribution. The author also tends to use the word “context” excessively. Today, with a thesaurus literally at one’s fingertips, there is a rich variety of euphonious synonyms from which one can choose.
Lusthaus concludes his book with the observation that there would be less organized cybercrime if there were more legitimate opportunities for highly trained and exceptionally clever young people, particularly those living in Eastern Europe. He cites the case of Gorshkov and Ivanov, skilful electronic extortionists from Chelyabinsk, Russia, who were lured to the United States by the prospect of lucrative employment with a Seattle IT firm. The firm itself was an FBI front, established for the purpose of a sting. Lusthaus muses that perhaps the offenders were merely seeking an honest job.
There may well be some would-be offenders who would be tempted by the prospect of a stable, law-abiding life. But there are already plenty of employment opportunities for gifted “techies” in both public and private sectors in locations as far-flung and diverse as China, the Koreas, Iran, Russia, and the US. And the fundamental motives for acquisitive crime (greed, power, and to some extent, defiance) are deeply embedded in the human behavioural repertoire and not always readily amenable to fulfilment by legitimate means.
Crime continues to follow opportunity. While only about half the world’s population is connected to the internet, this proportion is certain to grow. The number of prospective offenders and the number of potential victims will increase. Moreover, the interconnectivity of devices colloquially referred to as the “Internet of Things” will intensify, which in turn will amplify the number of pathways for criminal exploitation. Lusthaus has made an important contribution to the study of criminal organizations. His valuable discussion of the organization of commercial cybercrime will enhance our understanding of the problem, and will help stimulate our thinking on how best to manage it.
Sanger, David (2018) The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age. New York: Crown Publishing Group.
Peter Grabosky, Professor Emeritus, Australian National University