Tens of millions of Americans will have their credit-card numbers, hospital records, or digital identities hacked or stolen this year, RAND research suggests — victims of a cybercrime industry that now rivals the illegal drug trade in reach and sophistication.
The numbers are more sobering than surprising. For years now, RAND researchers have documented the growing threat posed by a digital underworld where hackers sell their services like mercenaries and credit-card numbers can be had for pennies on the dollar.
Their research has helped define that threat from the perspective of attackers, defenders, and the everyday consumers caught in the middle. Taken together, it offers a rare glimpse inside the secret world of cyber hacks and counterattacks — and some hard lessons for anyone with a computer or a credit card.
The Hackers Are Winning
The numbers alone are damning. A recent RAND report estimated that 64 million American adults had been notified in the previous year alone that their personal data had been breached — more than a quarter of the adult population.
The survey was the first of its kind to examine consumer attitudes and responses to the data breaches that have become a near-daily fixture in news headlines. Most of the cases it found involved stolen credit-card numbers or financial records, the staples of cybercrime.
But at least a fifth of the victims said they had lost health data or social security numbers. That’s a troubling statistic, the researchers warned, because those records are much harder to recover and repair — and that makes them valuable for identity theft, medical fraud, or blackmail.
“I want to be optimistic. But currently, the attackers are outpacing the defenders.”
— Lillian Ablon, information systems analyst
The survey also revealed that consumers don’t always respond to breaches as expected — and often don’t even act in their own best interest. Around two-thirds of the respondents said they accepted free credit-monitoring services after a breach, much higher than previous estimates. But barely half bothered to change their account passwords, and nearly 90 percent said they continued to do business with the companies that lost their data.
“Consumers seem to be pretty forgiving,” said Lillian Ablon, a cybersecurity and emerging technologies researcher at RAND. “There doesn’t seem to be much incentive for companies to change.”
Costs Are Rising, but Security Isn’t Keeping Pace
The chief information security officers in charge of network defense face a costly catch-22: No matter how much they spend on cybersecurity, there’s no way to know when it’s enough — only, in the aftermath of a successful attack, when it wasn’t. RAND researchers call it the defender’s dilemma.
Worldwide spending on cybersecurity now totals around $80 billion a year. Yet in interviews with public and private cybersecurity executives, RAND researchers found little confidence that they will gain the upper hand anytime soon. They live by a grim maxim: People who run networks should always assume the hackers have already gotten in.
Those interviews also revealed that it’s not the loss of data that most concerns corporate and government security officers; it’s the loss of reputation and public trust. That raises the stakes exponentially, making even a harmless breach cause for alarm and driving up security costs, sometimes out of proportion to the actual threat.
“Maybe the problem is, we collected too much stuff and connected too much stuff. We made it too easy.”
— Martin Libicki, senior management scientist
What is needed, the researchers wrote, is a new way to think about cybersecurity. Organizations could more effectively defend themselves if they focused more of their security spending on the most pressing and likely threats, and less on the nightmare scenarios sold by software vendors.
“A lot of cybersecurity spending comes from the fear we have,” said Martin Libicki, a senior management scientist at RAND. “But in practice, very little happens. Yes, the bad guys can bring down a network, but very few want to.”
Cybercrime Has Become a Multibillion-Dollar Industry
RAND researchers call it the hackers’ bazaar: a teeming marketplace where hackers and other cybercriminals meet and deal in clandestine chat rooms or secret forums. They found that its inner workings can be as sophisticated and structured as any commodities trading floor. Some of its online storefronts are as bright and welcoming as Amazon or eBay.
Its underground markets often have their own rules and regulations, their own administrators to keep order, their own brokers, vendors, middlemen, and moneychangers. Consumers who know the way in can find anything from hospital records to hackers for hire to devastating exploit kits, botnets, and off-the-shelf ransomware programs. For the right price, they can even buy their way into private computers or public servers through secret pinprick vulnerabilities known as zero-days.
One expert estimated that the cybercrime market generates billions of dollars.
“It’s very easy to become a cybercriminal. All you need is an internet connection.”
— Lillian Ablon, information systems analyst
There’s even a kind of brand-name hierarchy, the researchers found. Russian hackers have a reputation for quality. Some Vietnamese groups focus on e-commerce. Chinese hackers are known for targeting intellectual property, and Americans tend to specialize in financial crime.
One expert estimated that the cybercrime market generates billions of dollars, at least. It can be more profitable than the illegal drug trade in some aspects, the researchers concluded — with lower costs to enter and much less risk to participate.
“It’s very easy to become a cybercriminal,” RAND’s Ablon said. “All you need is an internet connection.”
There Are Reasons for Optimism — and for Pessimism
The very pessimism that shrouds the cybersecurity industry might also be cause for some guarded optimism, the RAND researchers concluded. Companies are paying far more attention to network security than they did just five years ago — driving a market for security tools that will at least make it more difficult and expensive for hackers to break in. And Apple’s iPhone has shown that it’s possible to protect data so well that even the FBI has trouble getting to it.
“People don’t realize how badly this affects your life. I literally have been fighting to prove that I pay my bills. Here it is, three years later, and I’m still fighting. It tears you apart.”
— Tina Mather, a South Carolina resident who lost her identity in a data breach in 2012
At the same time, though, the sheer number of things connected to the internet surges by the day — not just phones and laptops, but medical devices, home thermostats, even kitchen appliances. By one widely quoted estimate, there could be six times as many devices online by 2020 as there are humans — every one a potential new vulnerability to be bought and sold in the hackers’ bazaar.
As the researchers wrote: “Will consumers understand that a refrigerator with a 20-year lifetime also needs 20 years’ worth of software [security] patches?”
— Doug Irving
This originally appeared on The RAND Blog on June 24, 2016.