The neverending stream of high-profile, large scale data breaches has lawmakers searching for answers on how hackers are benefiting and how to stop them.
At a hearing Thursday, the House Financial Services Subcommittee on Terrorism and Illicit Finance heard from experts about how to find and crack down on cybercriminals who are swiping and trading massive amounts of individuals’ compromised private information.
“The victim of a breach can become a victim repeatedly as their identity can be used to apply for credit cards, mortgages, and other financial products over and over again,” subcommittee Chairman Steve Pearce, R-N.M., said. “Unfortunately, this activity is only becoming more widespread as criminal organizations realize the low cost of entry, the ease of using hacking tools, and the difficulty law enforcement faces trying to apprehend hackers.”
Lillian Ablon, an information scientist at the RAND Corporation, explained some ways law enforcement can crack down on black markets for stolen data. One approach, she said, is covertly to weaken the markets wholesale.
“Finding ways of tarnishing the reputations of the markets, by wasting a criminal’s time or making an exploit tool purchased on the black market ineffective, can help to prevent the loss of information and cut the value chain early in the attack cycle. Solutions might include spreading misinformation or injecting false products into the markets,” Ablon said.
Even as they observe the black market, law enforcement agencies are running into problems identifying the individuals and entities lurking within them due to the increasing use of cryptocurrencies, which largely anonymize their users.
“A good trick would be to steal your credit card, to buy the cryptocurrency online using your credit card, and then it can be anonymous as to who is actually acquiring it after that,” explained Jim Lewis, a senior vice president a the Center for Strategic and International Studies (CSIS). “Just as you’ve done with money laundering you can go through a number of steps to obscure the trail.”
But even with the widespread use of cryptocurrencies, there are still weak points where they can be exposed, Ablon said.
“They’re anonymous until you get to the [cryptocurrency] exchange,” Ablon said. “That’s the point where you can tie a human being to the wallets, to the digital currencies. That’s really the weak point to go after.”
The subcommittee also sought insight as to how U.S. adversaries like Russia, China, North Korea and Iran benefit from state-sponsored hacking. In those cases, the end goal isn’t always financial gain as it is with independent criminals, the panel said. While those hackers’ objectives aren’t always known, the goal is usually espionage or counterintelligence, the panel explained.
“The reality is we are in some state of cyberwar with these nations now. It’s a cold war, if you will,” said Joe Bernik, a chief strategist CTO with McAfee. “They are gathering this information to launch attacks against our populace potentially, to influence, to direct individuals to do things on their behalf.”
Lewis, of CSIS, said that one way to tell if a state is behind a hack is to see whether or not the stolen data is openly being exploited.
“When I see a a big breach … and the data doesn’t appear on the market, I usually assume that it’s an espionage related case,” Lewis said.
Lewis also told the panel about how nation-states might recruit capable hackers to conduct such operations. In North Korea, he said, they’re usually already members of the military or intelligence agencies. But in Russia, China and Iran, the governments seek out domestic hackers and, “it’s suggested that they cooperate with the state.”
“If you monitor the internet you can always see when somebody’s doing something bad, and then you go to their house and say: ‘Jail or play ball?’” Lewis said.
Lewis authored a CSIS-McAfee report published in February that put a $600 billion price tag on the annual economic impact of cybercrime. The report also called out Russia and North Korea, among other countries, as “state sanctuaries” of cybercrime where the governments looks the other way if they can leverage the hacking for state objectives.