Connected economies Connected economies: Dark web challenges

An underworld of anonymous platforms and cryptocurrency dealing is placing new pressures on infrastructure stakeholders.

An exciting new dawn may be rising for global infrastructure, with governments sharpening their focus on investment as a path to economic growth and new technologies creating innovative ways to accelerate development and control costs. But as the horizon brightens, new threats are emerging beneath the cover of the dark web.

The alarming reality is that, as the infrastructure world continues to embrace opportunities for remarkable current-day approaches and capabilities, the dark web is providing a covert, decentralized, unregulated `black cybermarket' that's enabling development of dangerous new cybercrime attack tools and techniques.

Today's infrastructure systems are becoming digitally interconnected and automated as never before. There is increasing reliance on sophisticated, often remotely managed, industrial control-system architectures designed to manage infrastructure via networked computers and data communications. Sounds complex? It can be.

Simply put, our infrastructure is now computerized and networked - an interconnected digital web controlling everything from transportation, telecommunications and power utilities to healthcare, financial systems and the internet itself. At the same time, a sordid array of anonymous hackers-for-hire, cybercrime syndicates and organized crime networks - operating `below the radar' of authorities - are busy trading information and attack methods to exploit any infrastructure vulnerability they can find.

The dark web's threat to critical infrastructure is real and rising. And the currency of choice that's keeping cyber-mercenaries in business is Bitcoin and countless other virtual currencies in circulation - each anonymously held and exchanged for illegal services rendered. Ransomware attacks illustrate just how well cryptocurrency serves as the ideal tool for dark web cybercrime to flourish, protecting perpetrators under a cover of anonymity as they demand these currencies from victims and then cash in the proceeds undetected.

“The ability of cybercriminals to trade information, collaborate on projects or pay for attacks is much greater than it used to be as a result of the dark web and the unregulated environment and anonymous transactions it provides today,” says Professor Talis Putnins, a professor of finance and co-author of Sex, Drugs and Bitcoin: How much illegal activity is financed through cryptocurrencies?

“The exchange of information on how to engage in illegal activity is greater than ever and allowing many types of illegal behavior and transactions to go a little more mainstream. It takes the threat beyond a handful of highly specialized, well-trained computer scientists to include many more players, dramatically broadening the pool of people engaged in cybercrime.”

Putnins' team's findings suggest cryptocurrencies are transforming the way black markets operate by enabling 'black e-commerce'. The paper he co-authored estimates that about half of all Bitcoin transactions are associated with illegal activity - about US$72 billion per year. The total market capitalization of Bitcoin alone exceeds US$250 billion as of January, 2018, with a further US$400 billion in over 1,000 other cryptocurrencies.

Should we view last year's WannaCry ransomware cyberattack - crippling hospitals, banks and businesses around the globe - as a harbinger of what's to come for infrastructure? Perhaps so when you consider, as just one example, the emerging potential for dark web cybercriminals to access today's rapidly advancing transportation infrastructure. Authorities have already warned of this possibility. Or consider a scenario in which a major urban center is paralyzed by hackers disabling an entire network of traffic signals.

The possibilities are alarming, disturbing and increasingly real as the threat to interconnected infrastructure systems widens and advances. Witness recent terrorist attacks on so-called `soft targets' in places like Canada, the UK, Spain, Sweden, Germany and France, forcing authorities to rethink how they secure today's mass transit, public spaces and heavily traveled pedestrian thoroughfares.

Unfortunately, no sooner do law enforcement and authorities marshal enough resources to train some light onto the dark web's cybercrime marketplace, organized cybercriminals are already pursuing sophisticated new methods and platforms. The problem becomes a rapidly moving target that authorities have struggled to keep up with so far.

The closure of the so-called Silk Road is a classic example. The online black market serving as a platform for illegal drug sales was shut down by the FBI in October 2013. By early November 2013, Silk Road 2.0 came online, run by former administrators of Silk Road. It, too, was shut down, but that murky ecosystem's remarkably quick re-emergence illustrates the challenges facing law enforcement and authorities today - not to mention critical infrastructure owners, operators and stakeholders.

While a trend toward increased investment to improve cybersecurity and combat criminals targeting infrastructure is underway, efforts to strengthen defences are typically impeded by the fact that most infrastructure operators and owners are private enterprises possessing many decades worth of major legacy systems. These are not easy to retrofit with modern cybersecurity requirements, and that's proving to be a major challenge in the face of increasing threats and risks.

We've moved quickly from yesterday's `IT issues' - involving servers, networking gear, local IT infrastructure, PCs, laptops, tablets and smartphones - to today's digitally interconnected infrastructure ecosystems featuring new platforms such as autonomous vehicles. And the risk of major disruption is multiplied when you consider how increasingly dependent societies and economies are becoming on the critical infrastructure web that surrounds us today.

Regulators are increasingly concerned and playing catch-up amid the confusion that has reigned over the explosion of digital currencies in circulation globally and across the dark web.

“Regulators and governments have so far been bamboozled by digital currencies, unsure whether to treat them as personal assets, derivatives, shares or investment schemes,” says Kate Allman, a multimedia journalist at the Law Society of New South Wales who authored an article titled The Dark Side of Bitcoin. “But there is definitely a sense of urgency to exert a greater level of control and authorities are closing the gap thanks to the focus they are placing on digital currencies and their illegal uses on the dark web.”

The good news for authorities, and an increasing area of focus, is the simple fact that cybercrime players always need to move back and forth between anonymous digital currency and real-world cash. So authorities are zeroing in on the points at which criminals are making those conversions between cryptocurrencies and real money - the so-called on-ramps and off-ramps to the dark web, where the virtual and the physical intersect.

It' s at these key points, which are coming under increasing surveillance by authorities such as the FBI, where monitoring and tracing of activity can accelerate the prosecution of the players involved. Scrutinizing computer hardware - laptops, mobile phones, tablets - and software gateways into and out of the dark web will throw a new spotlight on hackers.

Meanwhile, the World Economic Forum has proposed global cryptocurrency strategies that include: enforceable new international rules; virtual currency providers verifying who their customers are; creation of an international e-forfeiture fund to combat money laundering; and modernizing existing authorities like the Financial Action Task Force (FATF).

The FATF is a global policy-making body whose stated objective is to set standards and promote implementation of legal, regulatory and operational measures to combat money laundering, terrorist financing and related threats to the integrity of the international financial system.

President Santiago Otamendi says that among the FATF's network of 204 countries and jurisdictions, all are committed “at the highest political level” to implementing FATF recommendations. He adds that financial innovation in the form of cryptocurrencies carries new risks that must be mitigated to ensure they are not abused.

“The cross-border nature of this new industry requires a global response,” he says. “So far, there has been a wide range of government responses. This has resulted in a patchwork of regulatory approaches, which is increasing the risk of money laundering and terrorist financing. In the coming months, with the support of the G20, the FATF will review its guidance on virtual currencies - or crypto assets - and consider if changes to its recommendations are necessary.”

The caveat on managing illegal use of digital currencies is to avoid a `knee-jerk' response that cramps or crushes their legitimate, productive and innovative uses. While some nations are actively adopting cryptocurrencies and encouraging uptake as a stimulus to economies, others remain far more skeptical. But cryptocurrencies are here to stay and authorities are catching up in earnest to better monitor and manage their illegal use.

While regulators and law enforcement are zeroing in on organized cybercriminals and working to shrink their dark web playing field, it's time for infrastructure owners, operators and stakeholders to step up their game as well.

Unfortunately, we still see an alarming gap between the risk perception of regulators versus that of infrastructure players, many of whom seem unable to acknowledge the severity of today's threats from organized cybercriminals and nation states. In KPMG International's 2018 CEO Outlook, we saw only 14 percent of 79 CEOs say that cybersecurity poses a threat to their organizations.

That's a serious disconnect that has authorities in many cases worried about the potential for catastrophic - and life-threatening - disruption of sprawling infrastructure systems. There's no more time to lose for infrastructure owners, operators, stakeholders and future investors to become better informed and more closely aligned, in order to respond strategically to today's and tomorrow's risk realities. A new way of thinking is needed now. A wait-and-see stance will only court disaster that puts public safety and lives at risk.

In Europe, the NISD - Network and Information Security Directive - is just coming into law across the continent, placing new cybersecurity obligations and best practices on critical national infrastructure providers. It essentially introduces cyber security requirements, testing and breach-reporting obligations and includes demands for emergency-response processes to manage a breach or major disruption.

If we are to see infrastructure's full emergence into a bright new era of progress and advancement, an informed and strategic approach to security should be at the top of the agenda for everyone involved.

Every infrastructure sector needs to take a more aggressive and strategic stance today to ensure that increasingly complex and interconnected infrastructure systems are adequately safeguarded. This includes:

• Greater cooperation and collaboration among infrastructure owners, operators and investors with law enforcement and government to collectively tackle the growing threat to infrastructure in a strategic manner;
• Better understanding of the growing threat from the perspective of today's ruthless, rational, organized and increasingly sophisticated cybercrime entrepreneurs. Know what is of value to attackers and take measures to fully protect those assets;
• Taking ownership of the issue by being proactive rather than reactive to emerging threats and growing risk;
• Striking a strategic balance between centralized versus decentralized infrastructure services and capabilities in order to mitigate risk;
  
• Preparing for disaster and crisis scenarios via a comprehensive response-and-recovery program;
• Raising awareness across the organization - from the C-level on down - encouraging organizational leaders to act as change agents dedicated to enhancing capabilities for infrastructure security.