The cyber domain is difficult for law enforcement. Even if they figure out who is responsible for a cyberattack, putting handcuffs on a criminal is a tough challenge.
If a criminal resides in, for example, Germany or the Netherlands, it might take only a few calls before he is arrested. But if a certain cyberattack was coordinated from countries such as Russia or Ukraine, the attacker might never be caught. The cyber domain is challenging for law enforcement. Therefore, we can't stop ransomware pandemics by putting together some cyber force just like from the Marvel movies. Instead, we have to find a way to drive the number of cyber incidents down, Maurits Lucas, Director of Intelligence Solutions at Intel 471, said during the MIT CyberSecure conference.
Why is it so challenging to go from an incident to where you have a person in custody and hold them accountable?
"Our current society is governed by rules, regulations, laws, and institutions that we've built to uphold those laws. It has taken about 400 years for us to build them. The Internet is basically in the medieval stage. If you look at all these institutions, laws, and concepts that we've come up with, they are all based around this concept of jurisdiction," he said.
It means that if you break the law in the US, local police, or the FBI, if the crime is more serious, will come to arrest you. If you violate a law in France, the French police will deal with it.
"It's all about which law applies where, who's competent, and whose task is upholding the law. When you look at jurisdiction, it is always defined in terms of geography. What's the one funny thing about cyberspace and the Internet? It knows no boundaries, no geography. That means that when you go into cyberspace and say which law applies, it immediately becomes a rather thorny issue," Lucas explained.
That also means that when you want to put handcuffs on people, you have to figure out where they are, and you have to look at all the components of a cyberattack, where they were, what impact they have, who needs to be involved in this.
How many police officers, prosecutors, judges, and juries are there who understand the finesse of the cyber realm?
"Think about the laws that were written that are basically out of date the moment they hit the books. It's a very challenging environment from a law enforcement perspective," he said.
Lucas is an optimist and believes that ransomware will not be a daily problem worldwide in five years to the extent that it is today. But we shouldn't rely just on law enforcement to deal with this problem. Instead, we need to find a solution to reduce the number of cyber incidents.
"I think a part of the solution will be much like a car analogy - we are going to have to introduce standard safety measures. Instead of thinking that we will create a super cyber force or whatever, which sounds exciting, straight out of Marvel movies, it will be the invisible technologies in cars like safety cells, ABS, seat belts. These kinds of things will help. We need the IT equivalent of that. There's much to be gained by simply improving the security or the robustness of the networks, the infrastructure, and the products that we build," he explained.
Cybercrime has been in the spotlight this year, with the US trying to crackdown ransomware.
"It's almost as if some ground rules are being established," Lucas said. Clever criminals follow specific rules to stay out of the radar.
"If you are a financially motivated actor, don't be number one. Because numbers one through five will end up in the FBI's most-wanted list. Be a ten, be number fifteen. That's a quiet life, still pretty profitable. Make sure you are not the biggest or the worst with the Lamborghini and with the most stripes. Leave that to someone else. They can be on the front page, and they'll get their picture splashed across the pages. You operate in the background," he said.
The same thing goes for ransomware operators. They now realize they can't be too big or too successful because everyone will come looking for them, and it will not end well.
"Don't be a Colonial Pipeline. That's too big. Do something a little quieter, a little less noisy, a little less visible, maybe," Lucas added.
Who are these hackers that law enforcement is after?
According to Lucas, all the theories about business apply to ransomware. There are three main roles: access brokers, affiliates, and ransomware-as-a-service developers.
"When you want to run a ransomware attack on a victim, you need access to the organization. Many people think that all these things are extremely targeted. The truth is, a lot of these things are not. Access brokers use a variety of means, and they try to get access to as many networks. They don't care what they get access to," Lucas explained.
Access brokers offer their "product" to affiliates who do most of the heavy lifting, such as data exfiltration, etc. The final step is to launch the RaaS that does the actual encryption.
"Initially, when this model started, ransomware software was rather complicated. That part got outsourced to individuals who developed that and then rented that out to people running ransomware, RaaS operators. Over time, though, that changed because RaaS operations, names like DarkSide, REvil, became household names. RaaS is also a brand," Lucas said.
And when affiliates work with an established RaaS brand, it makes it more likely that the victim will pay up. Victims search for more information about the RaaS on the internet, find out that many other entities fell victim to the same ransomware family, and had no other choice but to pay up.
"The fundamental thing, if they have proper operational security, you can successfully hide your actual physical location on the internet. If you make one slip up, and it turns out you are in Germany, then a quick phone call, and hopefully you can get the German law enforcement involved in that one," Lucas said.
But with countries like Ukraine, Russia, or other former Soviet countries, it becomes more challenging.
"There's a presumption that everything is dictated from the top. You often find that it isn’t, and everybody is just trying to make it up as they go along. Local law enforcement is very motivated to do things, but they are limited. They are limited in budget, in their capabilities, resources, and time. Think about it. A cybercrime happened. Maybe the victim is in a different country. No crime figures in your country went up, yet you have to spend a lot of effort to bring this person to justice. They have other priorities," Lucas said.
In Ukraine, for example, the constitution prevents extradition. Also, there's what Lucas called an "ugly spectrum of corruption."
"I do have a colleague who's a former FBI agent and was on the raid. They got to the location, and it was self-evident that something was wrong. It seemed that the actor they were after had been tipped off. We learned that the officer who was leading that raid now is a rebel fighter in the Donbas region," he said.
More from CyberNews:
Subscribe to our newsletter