People often ask why hackers hack. Increasingly, the answer is to fuel a vast, immensely profitable underground economy. Google researchers suggest the best way to slow or stop it is to undermine that economy, rather than relying on the conventional methods, which try to make hacking harder.
This makes sense. Many of the things criminals use are free, or of negligible cost. Making those things cost something, even only a little, cuts into profits. And when things cease to be profitable, criminals move on to other things.
The above-board economy offers an excellent example that most people are familiar with. A decade ago, flipping houses was a big thing. People were doing it, people were talking about it, and making TV shows about it. Then the housing market imploded and it wasn’t profitable anymore, so people stopped doing it. Now that the housing market is recovering, people are starting to flip houses again.
Even small companies spend hundreds of thousands of dollars a year fighting online crime by trying to make it harder. Larger companies spend millions. And in my experience, the companies who think they are doing a bad job of it are doing a better job than the companies who think they’re doing a good job. Security is a lot like math: The more you know, the more you realize you don’t know.
Increasing security budgets is inevitable, but increasing the cost of the services the criminals use is likely to be more cost-effective. The problem is that the companies providing the services are rarely the companies that are defending themselves, and that’s why disrupting the economics is difficult. But we’re going to have to find a way.
For the last couple of years, there’s been a lot of talk about federal agencies facilitating the sharing of information between companies about threats, but most companies are already getting that information via other means, and prefer it that way, so they won’t expose their sensitive data to Freedom of Information requests. Helping to disrupt the economy of exploitation, however, is a place where the government may be able to help. I don’t think anyone disagrees that the government is pretty good at disrupting the economy; the disagreement is over which party is better at it.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.