By Michelle Harven
Many people are making money off cybersecurity — private companies, the insurance business, law firms, educational institutions. The list goes on. It’s hard to gauge exactly how much these businesses are making and what it’s worth.
Josephine Woolf, a cybersecurity researcher at Harvard University, guesses that out of all the different cyber markets, the hackers are probably the ones that are making the most money. And there’s data along with anecdotal evidence to support that.
According to Kapersky Labs, cybercriminals could be raking in profits 20 times greater than the cost of their attacks. A report by RAND Corporation in 2014 found that the black market is growing in size and complexity and is highly organized and sophisticated. The report states that in certain respects, the black market is more profitable than the illegal drug trade.
(credit: Kaspersky Lab)
During a Reddit Ask Me Anything by a self-proclaimed black hat hacker, or a hacker that uses the Internet for malicious reasons and often for personal gain, he stated “I can make 15-20k in a hour. Jail doesnt concern me.”
Paul Roberts, the editor of the Security Ledger, said cyber attracts a certain type of person. “Not necessarily coming up from a highly academic track, but just more curious, highly intelligent puzzle solvers, who are also a bit outside, kind of contrarians, and outside the norm. For certain types of work within cyber those are all pretty common characteristics.”
Roberts cites Kevin Mitnick, who was the most wanted computer criminal at the time of his arrest and now owns his own security firm, and Kevin Poulsen, a former hacker and now a digital security journalist. There was also the story of Chris Putnam who hacked into Facebook and then got a job at the company afterwards.
“Figuring out how to break stuff is kind of an integral part of being a hacker and a cybersecurity guy or woman,” said Roberts. “In the days before there were cybersecurity companies per se you were just doing it for fun with your friends and chances are it wasn’t something that was necessarily sanctioned or approved of by your employer, by your community, or by society at large.”
David Kaeli, professor of electrical and computer engineering at Northeastern University, said every security problem is like a puzzle and people are drawn into this field because they are looking at this as a challenge. “You get some of the very bright people going in and doing the attacks, which is a shame,” said Kaeli. “Their talents could be put to much better use, but that’s why it takes some very sophisticated protection to thwart that.”
Getting involved in hacking may draw some talented computer scientists, but once they get started, their job is pretty easy. One of the most popular methods hackers use are botnets, which is a group of computers referred to as “zombie” computers that spread viruses and generate spam, although the owner is generally unaware of it. Having a “zombie army” makes hacking pretty simple. One unnamed hacker told the International Business Times, “Making money with a botnet is easier than brushing your teeth.” It’s one of the most popular methods for this reason.
Arthur W. Coviello Jr., the retired executive chairman of RSA, the security division of EMC, a data storage provider, said it’s easier to hack than to defend against the hackers. “I might have as many as hundreds of thousands of desktops and tens of thousands of servers and I have to protect in theory all or almost all of those, whereas a hacker only needs to get through one or a couple.”
Not only that but there are more Internet connected devices than ever before, so the attack surface has gotten bigger. “We’re using web apps for everything in our lives,” said Coviello. “In another 10 years we’ll have big data applications measuring us and the world around us, so all those apps are exposed to the greater Internet. Think about how we access those apps, we access them through smartphones that didn’t even exist 10 years ago.”
The pool of technologies that can be hacked are widening and becoming more pervasive, and the hackers themselves are even becoming an upgraded version of what they were before.
Ted Julian, vice president of product management and co-founder of Resilient Systems, a security company in Cambridge, said the overarching change in the industry over the last 20 years is how the hackers have gone pro.
Watch the video to hear Ted Julian explain the complexities of the professional hacker business.
Julian said the hackers are always finding new ways to get around defenses and they’re constantly exploiting technology to find vulnerabilities, which in turn makes for a constantly evolving security business. “You have this innovation in a way where these crafty bad guys are an accelerant to the business model because they are always pushing the edge and creating new opportunities to create new businesses to solve the new problems they’re creating.”
The security industry needs to keep evolving because the hackers seem to have had the upper hand from the beginning. “Unfortunately the way the model of security developed was in a fairly reactive way and it depended on erecting higher and higher walls around a perimeter,” said Coviello. But that’s changing.
“Technology is starting to catch up and we’re never going to stop attacks if we’re tracing the last type of virus or malware,” said Coviello. “The attacks that we haven’t even seen before, we have to have enough data to be able to sense something is amiss and be able to respond quickly.”
In this way the security industry and practitioners are moving away from being reactive to being proactive and understanding who’s going to attack and how.
“They’re also being a lot more proactive in terms of not necessarily preventing intrusions, which has gotten harder and harder to detect, but that an attack is on the way and responding quickly enough to prevent loss,” said Coviello. “The technology and the practitioners are headed that way and that’s going to change the game I believe over the next several years.”
(Photo credit: Brian Klug)