To fight cybercrime, we need to understand its economics

Economics is driving digitalization – both for businesses and for criminals. As the great digitalization of everything continues, distributed remote workforces and new digital dependencies that touch every facet of personal and professional life present a double-edged sword.

On the one hand, tech-enabled digitalization delivers efficiencies and flexible, agile processes. On the other hand, individuals and organizations find themselves connected to the expansive economy of threats that pervade the digital sphere.

The trade-off is clear: the more digitally dependent we become, the more we increase our attack surfaces and the more risk we incur. The economics of cybercrime takes advantage of these trade-offs. To understand it, we need to recognize that cybercriminals' ecosystems are fundamentally driven by sensitive personal information and our collective failure to protect it.

The 2021 Identity Breach Report published by digital risk protection firm Constella Intelligence shows how two major technological threats – ransomware and disinformation – can be explained by looking at the economics of cybercrime.

The commodification of ransomware attacks

Ransomware is one of the most talked-about cyberthreats of 2021 so far. It involves cybercriminals installing malicious software that blocks access to an organization's computer system—including sensitive data and any assets stored on that system—until the owner pays up or meets the cybercriminal’s demands. Major, high-publicity ransomware attacks in 2021 have crippled the critical infrastructure of school systems, hospitals, and energy companies, with devastating effects.

The commodification and commercialization of ransomware seems to have peaked with the rise in ransomware as a service (RaaS) attacks. Such methods involve ransomware developers working with affiliate groups that distribute their ransomware and then benefit economically from the attacks. The ransomware groups can provide these affiliates with tools so that they do not even need advanced skills to participate in the attack.

The ubiquity of personally identifiable information (PII) is critical to the continued deployment of these potentially devastating attacks. Since one of the weakest links in cybersecurity is usually the human factor, a common entry point is through phishing. This kind of attack uses PII to generate a false sense of security in the victim and dupe them into falling for an attacker's advances. Through phishing, employees' devices are infected, internal corporate systems are infiltrated, and data is stolen using encryption that forces a company to pay to recover its own data. In this way, there is a clear and intimate relationship between PII and ransomware.

The impact of ransomware attacks on SMEs

The commercial viability of small ransomware attacks—with small and medium-sized enterprises (SME) as principal targets—appears to be surging. The US Senate Judiciary Committee even highlighted the impact of these developments on SMEs in July 2021.

The commodification of the tools and capabilities that enable successful ransomware attacks has enabled this threat to be repeated on a local scale. This shows the real effects of a fluid and dynamic economy in which threat actors can leverage diverse resources and data points to execute attacks.

The market-based features of the threat economy make it challenging to shut down. Understanding how this economy works, however, enables us to seek more effective solutions that target the network of incentives and actors driving these threats.

PII and disinformation

Disinformation, while often characterized by a more diverse set of motivations, also showcases the economics of cybercrime. Deliberately spreading false or manipulated information has proven highly effective at distorting key conversations on the public agenda, negatively affecting elections and public health initiatives, and jeopardizing the reputational and financial health of executives and companies. What seldom gets mentioned, however, are the economic goals and resources available to the producers of disinformation.

Constella's 2021 Identity Breach Report highlights how commodification and weaponization of PII contributes to the commercialization of the building blocks of the disinformation ecosystem and the broader threat economy. These include automated networks of bots, false accounts, and deepfake production capabilities – all of which are for sale in deep and dark marketplaces.

Like in any marketplace, the price of digital assets vary based on their functionality. Botnets and false accounts are frequently priced higher when they have an older creation date because this increases their chances of evading the detection algorithms of platforms like Twitter, Facebook and Instagram. Thus, the more PII that can be purchased in deep and dark marketplaces, or scraped from open sources like public social media channels, the more effectively cybercriminals can operationalize their efforts.

An ecosystem with incentives

Taking an ecosystem-level approach to understanding cybercrime pushes us to consider the relationships between the human, technological, and geopolitical spheres of influence that inform the interactions, behaviours, and outcomes driven by different actors in the digital sphere.

Incentives are tough to map and quantify. Through advanced analysis of trends and activity on the surface, deep and dark web, however, we can better understand threats and vulnerabilities as building blocks of a wider ecosystem of threat actors and their tactics, techniques, and procedures (TTPs).

In taking this view, disinformation or ransomware are not isolated, anomalous occurrences involving a few malicious actors. Rather, they are enabled by other structural factors in the ecosystem such as the proliferation and availability of PII, or the lack of effective regulation in a fragmented and rapidly evolving online sphere.

Creating more secure connections

In order to make real progress in addressing these challenges, institutions and technologists need to understand the incentives that drive the exploitation of vulnerabilities. And they must be able to assess these challenges within the context of the bigger picture of our shared technological and communications infrastructure.

At the World Economic Forum's Centre for Cybersecurity, leaders from governments, businesses, and academia work collaboratively to understand these incentives. Together we are building a collective response to cybercrime that makes our connected world more secure and more trustworthy.