Two recent initiatives against transnational organized crime provide reasons for optimism. They suggest that we are finally moving out of the doldrums of a protracted 10-year period during which there was only confined space available for developing new approaches to address organized crime. During this period terrorism had closed down the organized crime debate. There was limited opportunity within institutions and governments for creative and candid assessments of what is required to counter organized crime.

Now there is a shift. It is caused by the growing realization that the policies and approaches of the past are not working. Global organized crime is expanding. Key to the success of international crime networks has been their ability to rapidly exploit the benefits of globalization. They have surged ahead in a world that for them has no borders, leaving behind law enforcement agencies that are stuck within their national borders.

The two initiatives are encouraging, even though they are not yet operational and relate to specific regions only. The first is the announcement in March 2012 that a European Cybercrime Centre is to be established at the Europol offices in The Hague during January 2013. The center will be the European focal point in fighting cybercrime and will focus on illegal online activities carried out by organized crime groups, such as online fraud involving credit cards. It is estimated that worldwide more than one million people become victims of cybercrime every day. The global turnover of cybercrime could reach an overall USD 388 billion, making it more profitable than the global trade in marijuana, cocaine and heroin combined. The agreement to adopt a EU regional approach towards countering cybercrime is a significant advance and should be replicated in other regions.

In a recent Wall Street Journal op-ed, FCC Commissioner Robert McDowell attempted to make the case that the United Nations, through the Internet Telecommunications Union (ITU), is poised to take “unprecedented powers over the Internet.” The main thrust was that a group of states, including Russia, China and Iran, were pushing a set of recommendations on Internet governance through the upcoming ITU World Conference on International Telecommunications (WCIT-12) in December. This threat is widely exaggerated. However, it holds a seed of truth that can help to illuminate preparations for WCIT-12 as well as the cyber “arms control” agenda more broadly.

To begin with the broad: Mr. McDowell’s point about some nations attempting to do away with some of the freedoms found in the current system is actually true. In recent history, especially the last decade, the threat of cyber aggression has loomed large on some national agendas, especially the agendas of developed nations, where issues such as critical infrastructure vulnerabilities to a cyber attack are a troubling possibility.

While much of the activity in response has been focused on developing better defensive, and, in some cases offensive systems, there have been initial talks in the international arena about some manner of cyber “arms control” treaty. There are a number of ways to parse this agenda, but, for our purposes, it makes sense to see it as three distinct issues rolled into one.

The first is the threat posed by state and non-state actors to network, data, and physical infrastructure security. For an effective response, this is an area that should be addressed multilaterally, although some states that stand to gain from state-sponsored espionage might except to this approach.

Of chief concern for nation states dealing with cyber security is the protection of critical electronic infrastructure. A core piece of that infrastructure is the supervisory control and data acquisition (SCADA) systems. These computer systems are used to monitor and control industrial processes, physical infrastructure (such as water treatment or oil and gas pipelines), and facility-based processes (such as airports or seaports). SCADA systems are notoriously insecure and are increasingly becoming accessible via networks. Governments must work with the private sector in order to address security concerns before a major disaster.

Key Conclusions

The vulnerability of critical infrastructure is central to the challenge of international cyber security. Over the last few decades, there have been a number of technological advances that brought efficiency and reliability to service delivery and systems management alike. Today, things as diverse as air traffic control, telecommunications, water sanitation, manufacturing, and power production are all heavily dependent on computer networks and automation in many contexts. Because of the ubiquity and interconnectedness of today’s world, disruptions in these systems can have far-reaching consequences.

In this interview, Misha Glenny, author of a recent book on cybercrime, discusses how technology has infiltrated every aspect of life, from our personal phones to complex infrastructure systems, giving cyber criminals more platforms and opportunities to strike at increasingly higher risks to the population at large.

The latest example of this is Stuxnet, the worm that infected two of Iran’s nuclear facilities in 2010 and is said by many to have started a cyber arms race. “What Stuxnet did was to accelerate those programs around the world,” Mr. Glenny says. “Basically, countries said, this stuff is out there, we have got to get engaged with this.”

However, there is no international framework or convention for developing these types of weapons. “Anyone can start developing cyber weapons,” he says. “It’s not that difficult.”

Competing priorities between countries is impacting the development of an international approach. “For the United States, the issue of intellectual copyright protection is extremely important,” he says. “For the Chinese, or for the Brazilians, they don't really care about that.”

Mr. Glenny also discusses the real cost to consumers around credit card fraud, and how he justified hacking into his own daughter’s Facebook account, which would have made him a cyber criminal in the United States.

The interview was conducted by Warren Hoge, IPI Senior Adviser for External Relations.

Listen to interview (or download mp3):

Interview Transcript

Warren Hoge (WH): I am here today with Misha Glenny, a longtime BBC correspondent in central Europe and the author in 2008 of McMafia, a best-selling book on organized global crime. His new book explores the threats of cyber crime, cyber warfare, and cyber industrial espionage and portrays the creation, the function, and the ultimate shutdown of the vast criminal website known as DarkMarket. The book is appropriately entitled DarkMarket: Cyberthieves, Cybercops, and You.

Misha, the end of that title says “and you.” That implies that this is a problem that affects every one of us, and in the book you say it can no longer be swept under the carpet. Tell us about that.

Misha Glenny (MG): Well, what you have seen over the past, 10, 15, 20 years is the development of an exceptional dependence on networked computer systems and the Internet in every aspect of our lives, both in terms of the infrastructure of the countries we live, in terms of—you know, how your water gets to you, how your electricity is delivered, that sort of thing, but also, of course, in your own personal life.

One interesting thing is, I don’t know if you noticed, but we don't remember telephone numbers anymore. They are all in our contact books, in our phones and, of course, if we have made the silly little mistake of failing to back up the data on our phones, we are lost, because we can't tell—sometimes you can’t tell your own phone number anymore. That's just a tiny example, but you can think about it in almost any aspect of your daily life.

So, with that, and given that each of us, with our own devices—and it used to be just one computer per family; we all have three or four devices of our own. Each of those devices is a vulnerability, is a device which digitally can come under attack. So, you have to know yourself.

Last week, I attended the International Conference on Cyber Security (ICCS 2012) at the Fordham University campus in New York. This is the third iteration, which is a joint venture by the US Federal Bureau of Investigation (FBI) and Fordham. The three-day event brought together hundreds of experts from law enforcement, military intelligence, academia, and the private sector for more than 50 presentations covering a wide array of topics. I attended as part of IPI’s expanded focus on cyber security,  part of IPI's ongoing work on transnational organized crime through our Coping With Crisis program.

Topics ranged from practical applications of network security to field experience in prosecuting international cybercrime to emerging threats and techniques of malicious actors. In the interest of brevity, I’ve teased out a few broad themes, though interested readers can find the full list of speakers, biographies and abstracts here.

• Cyber Realpolitik: The virtual world is becoming more of a highly-contested space. The US Department of Defense followed along this reasoning when they declared cyber the fifth domain of warfare in 2011 while initiating US Cyber Command as a sub-unified command under US Strategic Command. Cyber security shares the characteristics of other global threats such as transnational organized crime and nuclear proliferation: they have a transnational and overlapping nature; involve a myriad of technical issues; and require international cooperation to create a framework of norms and institutions to deal with the threat.

Unfortunately, this last need seems to be unrealized at the moment. At this juncture, nation-states are more apt to talk in terms of realist competition as opposed to multilateral cooperation. This will need to change if we are to keep conflicts and actions from moving from the virtual to the kinetic. There are lessons to be learned from similar processes, both as formal diplomacy as well as Track II methods.

• Movement From Defensive to Offensive Posture: Somewhat related was talk of the need for firms to move from a defensive posture of maintaining the security perimeter towards a more offensive posture. At the most fundamental level, this runs headlong up against the problem of attribution. High-value targets such as the Pentagon and multinational corporations can face millions of unique attacks per day. Many of these attacks utilize anonymizing software such as TOR or botnets to covertly infect hundreds to hundreds of thousands of computers owned by unknowing users. If an offensive posture means remotely disabling or destroying computers and webservers, the possibility of collateral damage looms large. This is especially problematic as offensive hacks against misattributed networks are not likely to have much long-term positive effect.

On June 26th, the Anonymous hacker group Lulz Security—formed in May 2011, and known as LulzSec—ended their 50-day reign of (sort of) terror and voluntarily shut down their operations. LulzSec victims included PBS, whose site was defaced in retaliation for a negative portrayal of WikiLeaks; CIA.gov, which was taken down for a couple of hours by a DDoS attack; and Senate.gov. Though there was no explanation given for this abrupt end beyond “our work here is done,” speculation is that the group is disbanding because of leaked personal details and increased attention by various national authorities.

On August 2nd, the computer security firm McAfee released a report detailing its recent discovery and investigation of a long-term hacking operation dubbed “ShadyRAT.”  ShadyRAT, which extends as far back as 2006 and appears to have state backing, clearly stands apart from other recent high-profile attacks carried out by ambiguous hacktivist groups such as Anonymous and LulzSec, which seem to have been done more for making a politically charged statement or notoriety.