The best way to stop the tide of global cybercrime may be to sue the pants off of the hosting companies and Internet Service Providers Online that are backing the crooks.
That’s the central conclusion of my policy paper, out today from the Brookings Institution. (You can find a very condensed version in Sunday’s Washington Post.)
No one knows exactly how big the cybercrime underground is. But it is huge. According to the British government, online thieves, scammers, and industrial spies cost U.K. businesses an estimated $43.5 billion in the last year alone. Crooks-for-hire will infect a thousand computers for seven dollars – that’s how simple it’s become. 60,000 new malicious software variants are detected every day, thanks in part to a new breed of crimeware that makes stealing passwords about as hard as setting up a web page. Even the Pentagon’s specialists are worried, noting in their new cybersecurity strategy that “the tools and techniques developed by cyber criminals are increasing in sophistication at an incredible rate.”
Top U.S. officials keep bleating about a digital “Pearl Harbor.” But if we’re not careful, the internet could be in danger of looking like the South Bronx, circa 1989 – a place where crooks hold such sway that honest people find it hard to live or work there.
But there are ways to begin sidelining these crooks. First and foremost: Target the relatively small number of companies that support this massive criminal underground. There are more than 5,000 Internet service providers around the globe; according to the Organization for Economic Cooperation and Development, half the world’s spam traffic comes from just 50 ISPs. A recent study of mass e-mail campaigns showed that three payment companies processed 95 percent of the money those scams generated. When the Silicon Valley-based McColo hosting company was taken down, worldwide spam dropped 65 percent overnight.
These companies facilitate criminal enterprises, whether knowingly or not. And, unlike the criminals themselves — who hide behind disposable e-mail addresses and encrypted communications — it’s no mystery who these firms are. The independent research group HostExploit, for example, publishes a list of the worst of the worst hosting companies and networks.
Yet Internet Service Providers and carrier networks that move data across the globe continue to do business with these crooked firms. There’s no economic incentive to do otherwise. After all, the hosting company that caters to crooks also has legitimate customers, and both pay for internet access.
So here’s my idea for providing that incentive — turn the criminal ecosystem on the scammers and thieves. We should enable victims of cybercrime to sue the worst of the worst hosting companies for the damage their crooked customers cause. Here’s how it might work:
- Take an independent list of bad hosts, like HostExploit’s.
- Once the roster is published, a listed company would have some time (two weeks, say) to either drop their illicit customers — or explain why it doesn’t belong in the rogues gallery.
- If the company complies (or explains itself sufficiently), then it is granted safe harbor from any lawsuit that might arise from the harm generated by the spammers, phishers, or botnet herders it once helped.
- If the hosting company fails to comply, however, it becomes open to liability lawsuits. The company has already been warned that it’s facilitating harmful activities and given a chance to correct its negligent behavior.
- If that same company ignores the warnings and appears on the worst-of-the-worst list again, the firm’s ISP should also be liable. (Of course, the provider should be given at least as much time and opportunity to address the problem.)
For the plan to make any kind of sense, the publisher of the rogues gallery would have to be crystal clear about how it reached its conclusions — and what a company could do to get itself off. The list could only cover a few, few universally recognized crimes, like theft, fraud, and criminal trespass. In other words: this wouldn’t work for politically inflammatory speech or copyright infringement; they’re too open to abuse and overly broad interpretation. And because the legal precedents are so confusing, it’ll probably take an act of Congress to put it all in place (a tall order, considering those jokers can’t even figure out a way to pay our debts).
Even if that happens, this plan won’t help in all cases. Crooks will still be able to turn to so-called “bulletproof hosting” services, which promise to keep customers’ content online no matter how many threats or complaints are received. Or they can relocate to hosting companies in places like China and Russia. Still, the United States isn’t such a bad place to start. 20 of HostExploit’s 50 worst are American.
Such a system gives ISPs enormous incentives to disconnect criminally-connected hosts, even if it means a temporary dip in revenue. Unlike a lot of the plans making their way through Congress (or already on the books) this one provides a clear standard for bad behavior, and a clear path for leaving the rogues gallery. It applies pressure on the broader ISP community to weed out the worst-of-the-worst – without heavy-handed government intervention.
In my year of research for this paper, I kept finding parallels between modern cybercrime and piracy of the 18th and 19th Centuries. Both were pervasive. Both were seemingly beyond the reach of the law. Both were employed by individual crooks as well as big state militaries. Both relied on their economic support systems.
“In all of the notable eras of piracy,” University of South Carolina historian Donald Puchala writes (.pdf), “relationships between pirates and those who abetted their projects amounted in effect to conspiracies of greed. The relationships were symbiotic: pirates could neither accomplish their ends nor convert their booty into profits without the aid of their protectors; for their part, the protectors could not so readily and splendidly enrich themselves without the booty brought in by the pirates.”
One of the turning points in global attitudes toward piracy occurred when pirates began to threaten the economic interests of the states that previously sponsored them. The pirates picked fights with allies, hijacked friendly ships, and, as a result, made new enemies in cities like London and Paris. And when the governments decided to definitively retaliate, one of the first steps they took was to shut down the markets for pirate booty. The most effective way to target the hijackers was through their economic support system.
Maybe there’s a chance of seeing a similar shift online. If ISPs start seeing rogue hosting companies as financial time bombs instead of as paying customers, it would represent a huge step forward in marginalizing cybercriminals globally. For that to happen, some hosts may have to go to court.
Photo: Wikimedia
Authors: