It’s been more than a month since online hackers hijacked Baltimore city government computers, demanding ransom and crippling city services. As the city labors to restore its systems and services, blame and recriminations are flying up and down the B-W Parkway. Some blame the NSA for creating and then losing a set of secret cyber tools that hackers have been using to wreak havoc across the country. Others blame the city for not upgrading and patching its systems.
We’re all overlooking the one party who’s clearly to blame — the people who unleashed this attack and are waiting for bitcoin to flow into their wallet. And while blaming Baltimore or the NSA for their possible failings is a human reaction, it gets us no closer to attributing, finding and punishing the human attacker.
This is critical because the United States is drowning in a national cybercrime wave. From the brazen cyberattack last year on the city of Atlanta to Marriott International’s data breach, hackers now target every sector of the economy in every state. The FBI’s internet crime database received reports on more than 350,000 U.S. cyberattacks in 2018. Even that figure is optimistic as surveys suggest that one in four American households is victimized by cybercriminals and half of all property crime is digital.
Yet, rarely is a cybercriminal identified, much less caught. Based on our review of the U.S. government’s own data, less than 1% of cyber incidents result in an actual arrest. And the conviction rate is even lower, just nine in fiscal year 2016. Cyber criminals are acting with near impunity, and that must change. But how?
First, law enforcement needs to modernize and enhance efforts to identify the criminals. Recent studies have found that law enforcement doesn’t have the training, expertise or resourcing necessary to handle cybercrime. Transforming law enforcement will require improving cyber forensics for local police, building out federal cybercrime labs and training — and retaining — digital cyber sleuths. Everyone should know how to deal with cybercrime, not a select few. We can’t have analog cops chasing digital robbers.
Second, once they identify the perpetrators, law enforcement needs help to catch them. The borderless nature of cybercrime means many attackers are outside the U.S., making it difficult, but not impossible, to bring them to justice. The U.S. made high-profile arrests in cyber cases like the Yahoo hacker extradited from Canada or the Chinese PLA officer arrested in Belgium. Some hackers, like those harbored by nation-states like Russia, China and North Korea, may never be arrested. But hackers travel, and many are just in it for the money. Improving diplomatic efforts and helping other countries get their cyber cops up to speed will help. Tools such as sanctions and restrictions on travel for nation-state supporters may also cause them to think twice about further attacks.
Third, this is a massive effort, but little progress can be made without political leadership to transform the government’s cyber enforcement efforts. When the president refuses to acknowledge that Russia’s hacking affected our election, there’s little chance the White House will do what is necessary to address the other kinds of cybercrime that are victimizing Americans in Baltimore, Atlanta, Colorado and everywhere else. Without political consensus and a strategic approach that recognizes that this cybercrime wave isn’t just a trend, reform efforts will be slow and piecemeal.
Finally, we need better metrics to assess the government’s progress in stopping cybercrime. If we can’t measure the problem, we have no idea if the handful of cases that get made are making a difference. When asked what success against cybercrime would look like, former Deputy Attorney General Rod Rosenstein noted it’s a question he asks himself often, yet doesn’t have an answer for.
That was the day before the Marriott hack.
There are a finite number of cyber attackers capable of pulling of hacks like the one in Baltimore. That’s the good news. It’s now time to modernize law enforcement so that instead of blaming the victim, we can punish the perpetrator.
Mieke Eoyang (MEoyang@thirdway.org) is vice president of national security at Third Way, a D.C.-based think tank; Allison Peters (firstname.lastname@example.org) is the deputy director of national security there.