A new study by the Cambridge Cybercrime Centre, titled "Cybercrime is (often) boring: maintaining the infrastructure of cybercrime economies", concludes that cybercrime is boring and recommends that authorities change their strategy to highlight the tedium in order to dissuade the growth of cybercrime.
Limited focused research, which does not look at the big picture as it evolves, leads readers to poor conclusions that are oversimplified and not couched in reality.
Do these researchers really think that cybercrime is driven by motivations about it being sexy, a fun work environment, or exciting? This report suggests that if we market cybercrime roles as being tedious, then people will not go down that path. Ha!
Wake up! The vast majority of cybercrime is motivated by personal financial gain. Period. Additionally, the massive number of new followers of digital crime won’t care about tedium or the opinions of people that live a lifestyle where convenience plays a significant role in how to put food on the table.
Throughout history, organized crime has aligned to a pyramid model where the greatest number of participants are at the bottom, doing grunt jobs. They are poorly compensated, take on more risk, are terribly treated, and generally suffer in their daily grind. Most don't aspire to be there; rather, they do it because there are no better options.
Consider that one million people join the Internet every day. The majority of the next billion that will come online will be from economically struggling regions where people hustle to scratch a living every day. Unemployment is high and there are almost no opportunities to make money. Half the world makes less than $10 a day and over 10% live on less than $2 a day. Even a basic job as a mule, social engineer, CAPTCHA reader, ransomware distributor, phishing scammer, etc. will make many of these people more money than they could otherwise. The people in warehouses that support click-farming, earning pennies, aren't there because they want to be. They simply don't have many options to earn a wage. They do what is necessary to subsist. Much of the next billion people joining the Internet will see connectivity as a doorway to more opportunities to stay afloat.
Unfortunately, cybercrime will see an explosion over the next few years as people with the greatest needs see the Internet as an opportunity to sustain their family. Some estimates are as high as $6 trillion in overall impact. Cybercrime-as-a-Service is positioned for tremendous growth as it allows for people to join the support base of online criminal groups, without any requirements for hacking skills. The pay is low and the work is grinding, but the rewards may far exceed what is available to them otherwise. It does not matter if law enforcement communicates that such roles are boring for the majority of those joining the bottom ranks.
Discussions about tedium from people in economically wealthy countries are irrelevant and myopic when the greater scale is evaluated. For many millions of people, cybercrime will be an avenue for subsistence. For these people, the economics of survival and scarcity of alternative opportunities will drive decisions. This is the realistic risk we must address.
Matthew Rosenquist is an industry-recognized pragmatic, passionate, and innovative strategic security expert with 28 years of experience. He thrives in challenging cybersecurity environments and in the face of ever-shifting threats. A leader in identifying opportunities, driving industry change, and building mature security organizations, Matthew delivers capabilities for sustainable security postures. He has experience in protecting billions of dollars of corporate assets, consulting across industry verticals, understanding current and emerging risks, communicating opportunities, forging internal cooperation and executive buy-in, and developing practical strategies. Matthew is a trusted advisor, security expert, and evangelist for academia, businesses, and governments around the world. He is a public advocate for best practices and for communicating the risks and opportunities emerging in cybersecurity. He delivers engaging keynotes, speeches, interviews, and consulting sessions at conferences and to audiences around the globe. He has attracted a large social following of security peers, is an active member on advisory boards, and is quoted in news, magazines, and books. Matthew is a recognized industry expert, speaker, and leader who enjoys the pursuit of achieving optimal cybersecurity. Matthew Rosenquist is experienced in building world-class teams and capabilities, managing security operations, evangelizing best practices to the market, developing security products, and improving corporate security services.