How did this happen? Why is cybercrime so pervasive and fast-growing? This story begins back in the middle of the last century and affects everyone who uses the Internet today.
In 1958, the Department of Defense formed the Advanced Research Projects Agency (ARPA) to address the rapid growth of military and space technology by the Soviet Union. One of ARPA’s major goals was to keep US military and government communications alive in case the Soviets destroyed the core of the US telephone long-distance network. ARPA scientist J.C.R. Licklider recommended the military create a “galactic network” of computers that communicated with each other. This network would enable government and military leaders to communicate, even if the Soviets destroyed the telephone system. The Department of Defense launched ARPANET on October 29, 1969. It was a network with only two computers, each being the size of a small house. The first message was only one word, “Login”, and this was enough to crash the system. Over the next few years, France, the United Kingdom, and the US made immense technological improvements and created additional networks calling this group of networks the Internet. Initially, the primary users of the Internet were the military, government agencies, universities, and large corporations.
If your average person could not access ARPANET, could they tap into another computer network? Ward Christensen and Randy Suess figured this out on Feb. 16th, 1978 and announced the first public dial-up Bulletin Board System or BBS. This service used regular telephone lines to log in to remote computers to post messages, stories, and documents in text (.txt) format. BBS and all other dial-up online service providers to follow were point-to-point systems and home computers to one central computer. This was unlike today where home or work computers connect through many servers to innumerable Internet websites and can email practically anyone, anywhere. BBS users would connect their computer to a phone line and dial the online service phone number to connect only to that online service’s computer. If you dialed into a BBS out of your area code, the phone company charged you long-distance fees. For example, in 1981 the cost for access at the speed of 300 baud was $5.00 per hour at night (6 p.m. to 5 a.m.) and $22.50 per hour during the day. This was a text-based communication medium, with no photos, videos, music, or audio. Eventually, there were 17,000 BBS serving their subscriber’s specific interests.
In 1968, CompuServe began in Columbus, Ohio. It provided computer timeshare services to businesses through telephone lines. This was a big success, and they became a major provider servicing over 700 cities. CompuServe only had business customers and took a big risk when it started MicroNET ON September 24, 1979. It was sold through Radio Shack stores. Radio Shack’s Tandy Model 100 computers were popular, and salespeople easily convinced consumers that MicroNet would be a great service to have on them. Unlike a BBS, CompuServe provided email and became the dominant online services provider. CompuServe was innovative and introduced electronic email to the public, then live chat and file transfer capability which America Online, Prodigy, and other early online service providers adopted as services for their customers as well.
Though most BBS users were honest, early hackers shared stolen data with each other through BBS sites. Some hackers committed credit card fraud. Others illegally visited military, government, and corporate computers to steal confidential information. Organized crime heard about these cases and decided online crime was a great new opportunity. Congress did not understand the scope of the problem and passed the poorly written Counterfeit Access Device and Computer Fraud and Abuse Act of 1984. As the years passed, Congress passed more effective laws and regulations to identify cybercrimes and punish violators.
In November 1989, a business named “The World” became the first Commercial Internet Service Provider (ISP). Other ISPs soon followed, enabling a user to visit the Internet sites (which MicroNET could not do) as well use email and send digitized documents over the Internet. That same year Tim Berners Lee was working as a consultant at CERN, the European Organization for Nuclear Research. Located in Switzerland, it had the largest Internet network node in Europe. The primary function of CERN was to be the largest high-energy physics research facility on the planet. Lee found it was cumbersome and tedious to communicate on the Internet and after working for many months developed a way to correspond, search for information, and navigate from any connected computer in the world. He called this Internet architecture the World Wide Web, or more commonly, the Web. Critics praised the Web because non-tech people could easily use the Internet for free or at an extremely low cost. By 1996, 40 million people were Web users.
Although corporations, governments, other institutions, and private citizens own pieces of the infrastructure and information on the Internet, there is a vast amount of data on the Internet out of the control of governments, universities, and corporations.
Here it is important to distinguish the difference between the Internet and the Web. The Internet is decentralized. Some organizations and individuals own pieces of the infrastructure to access it and use it, others own some of the information on it, but no one owns the Internet. Governments can demand that large ISPs block all Internet traffic, as Egypt did in 2011 during the Arab Spring protests, or that ISPs block specific information daily in China. Yet, no government has knowledge of or the ability to block all ISPs and users of the Internet.
The Web is an infrastructure of the Internet. It is a method of sending and receiving information on the Internet. HTTP protocol is the “language” used by the Web, making communications easy and extremely fast. The Web uses browsers like Google Chrome and Mozilla, to access webpages by clicking on or typing in hyperlinks. Webpages and email documents now can contain graphics, music or audio, text, and video. 17 years later, Tim Berners-Lee saw that much of the potential of the Internet was walled off for the benefit of companies and governments at the expense of what he called human network rights. “Unless technology respects human needs, it is worthless,” he said. In 2006, Berners-Lee launched Web Science Research Initiative (WSRI) as a joint project with MIT and the University of Southampton. The project focuses on making the Web more viable for scientific study and helping to fulfill its potential to help humanity.
George Gilder, the world-famous technology advisor, and bestselling author, said that Big Data (Google, Facebook, Amazon, Microsoft, Yahoo, and the companies that gather most of the Internet data) have created enormous problems they cannot solve on the Internet. They offer speed and ease of communications or financial transactions but are very weak on data security. Big Data gives away free services to eliminate the natural resistance people have to giving away valuable personal information about themselves. Then Big Data sells that information to data brokers who in turn resell it to others. This puts the burden of security on the person using the free digital service and releases the digital provider from liability even though that data now can be easily stolen. When digital services are free, people’s data is the currency and is far more valuable than if they paid for these services. The Internet made it easy to share data and to communicate almost anywhere on the planet with a phone or satellite connection. However, Internet soon became a tool to exploit people’s private information. In 1999 Scott McNealy the CEO of Sun Microsystems said, “You have zero privacy anyway. Get over it.”
The “Surface Web” represents about 5% of the Internet which is accessible to standard browsers. The “Deep Web” comprises 95% of the Internet, where sites are not indexed by search engines, yet can be accessed with deep web browsers such as Tor, Epic, and SubGraph Os. Most sites are legitimate on the Deep Web and contain data such as legal documents, scientific reports, government resources, bank data, or medical records. Additionally, political dissidents, whistleblowers, investigative journalists, and others who need to keep their communications confidential use the Deep Web. The “Dark Web” is a subsection of the Deep Web, where illegal and questionable information and transactions occur. The US Government created the Dark Web to allow spies to exchange data anonymously. Since then, it has become far more sinister. The size of the Dark Web is unknown, but many analysts say it is 5% of the Internet a few think the Dark Web is far larger. Estimates say a quarter of the Dark Web is used by sites that are sometimes legitimate, such as political or ideological websites, drop sites, or information storage. The rest of the Dark Web activity ranges from the selling of stolen property, conducting human trafficking, to the communications between members of over 50,000 extremist groups.
It is impossible to trace and prosecute enough of the criminals on the Internet to slow the explosive growth of cybercrime. Government monitoring of the public and organizations has become pervasive. Politicians pass more laws, but law enforcement cannot suppress the expansion of online and computer-related crime.
Internet security is broken. Financial data and private information is not safe behind the firewalls and encryption, even in the largest companies and government agencies. There are three big problems. One is storage of precious data in huge, centralized locations which makes it extremely easy for cybercriminals to locate and hack. The second problem is that the Internet is built for easy, quick access and sharing of data because of this, websites and accounts have a low level of protection from serious hackers, and security is not the primary concern. The third problem is that Big Data is not compensating users for using their personal or business data. Instead, Big Data offers free services and continuously gathers information on the users of the free services, analyzes it, collates it, and then sells the data. Personal data has become a huge cash source for Big Data companies. Additionally, Google takes pictures of every home and property in the developed world, collects articles, photos, videos, and even digital copies of books but compensates no one for displaying these “free” services on Google or YouTube (sharing YouTube ad monies with the owners of a YouTube channel does not apply here). US courts have not been friendly to those seeking protection from Big Tech, which has muscled in taking assets that others built. For example, courts ruled in Google’s favor in Authors Guild v. Google and Authors Guild, Inc. v. HathiTrust, stating that Google’s digital copying of authors’ books and then displaying the books was “fair use”. Google also streams 52% of the world’s music listened to online yet, pays only 13% of online music royalties.
Most people want to keep some level of data privacy. However, only a few people know how much information is being constantly gathered about them. In 2013, the Organization for Economic Cooperation and Development (OECD) published an extensive report entitled, “Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value.” This report illustrates how personal data is used as a form of currency by corporations, governments, and public sector agencies. Data is gathered, analyzed, and sold often without the individual’s knowledge. Some of the personal data people hand over voluntarily, the rest of personal data is observed (via browser history, shopping habits) or inferred (from profiles, online activity, and credit ratings.)
The following collect people’s personal or financial data:
- IoT (Internet of Things) devices such as smart TVs, home security systems, smart appliances, and wearable health meters
- Mobile phones
- Loyalty Programs offered by companies for deals or memberships
- Social Media profiles, posts, likes, and shares
- Websites that require one to provide personal data to get a benefit
- Browser cookies and Internet search history
Data such as credit histories, Location app history on mobile phones and PCs, Medical records, Social Security and Driver’s License numbers and what transactions used them as an ID, Tax Filings, Property Records, Mortgage and Rental payments, and Financial History, Phone numbers and computer IP addresses, Email addresses, and Utility bills, and Smart Meters can be collected. Criminals search through public records and buy data on the open market like those mentioned above. Much more often they trick people into providing credit card numbers, driver’s licenses, and other personal data through email phishing scams, impersonating company Internet sites, fake sweepstakes/lotteries, and fake delivery scams. On a much larger level, criminal organizations in the US and other nations continuously attempt to hack into government, corporate, and hospital databases to steal personal and financial data.
Between 2010 and 2019, data breaches in the US exposed 38 billion records, according to the Risk-Based Security company. These exposed records were from a combination of over 40,650 data hacks, companies carelessly permitting their customer data to be publicly visible, and organizations storing data on insecure servers, etc. Cybersecurity Ventures, the leading global researcher on the world’s cyber economy, projects that cybercriminals will cause $10.5 trillion in losses to organizations and individuals by 2025. This will make the cybercriminal industry larger than the global illegal drug trade and the 4th largest economy after the US, China, and Japan.
How do cybercriminals make money from stolen personal or financial data? One way is advertising it for sale on Dark Web sites. Cybercriminals often resell stolen data to the ever-increasing criminal customer base who uses the data to steal cash or property from unsuspecting citizens. Simon Migliano of Top10vpn.com researched the prices of people’s stolen data listed on 5 large dark web marketplaces.
Here is a small sample of his findings:
|Item for Sale||Avg. Sale Price|
|Match Online Dating||$7.86|
People should be furious about how easy it is to steal personal data and for cybercriminals to sell it. Yet Big Data aggregators and marketers such as BlueKai, Datalogix, and CrossWise generate cash by legally selling personal and financial data to legitimate buyers every minute of every day. Websites of businesses, health care providers, ISPs, utilities, and employers place a tracking cookie on your Internet browser which assigns every computer a unique identification number. Facebook and Google provide free services and they track every choice Internet users make then sell that data to businesses. Over time they create a large profile of each person’s interests, purchases, browsing history, medical conditions, online contacts, etc. The Internet has grown immensely over the past decade, but even as early as 2010 Blue Kai tracked 300 million users, breaking down their data into an excess of 30,000 data attributes. Each day Blue Kai processed over 750 million data events and conducted over 75 million auctions for personal information. Blue Kai’s client list includes Facebook, Twitter, Huffingtonpost.com, Microsoft.com, and Walmart.com.
The OECD report (mentioned above) estimated the average retail prices for personal data from companies (such as LexisNexis, DocuSearch, Experian, and Pallorium) to be 50 cents for a physical address, 2 dollars for a birthdate, 8 dollars for a social security number, 3 dollars for a driver’s license number, and 35 dollars for a military record.
In 2019, Identityforce.com reported that 33 percent of adults in the US were victims of I.D. theft and lost over $1.9 billion to I.D. fraud. Surprisingly, children have a much greater chance of experiencing I.D. theft than adults.
Ransomware is malware that blocks users from accessing their computer files or networks and demands a ransom for removing the blockage. People unknowingly download ransomware onto their work or home computers by opening email attachments, clicking ads, clicking hyperlinks, or viewing webpages embedded with malicious software. In 2016, the FBI’s Internet Criminal Complaint Center, known as the IC3, received 2,673 reports of ransomware and 17,416 reports of online extortion, which, combined, accounted for more than $17.4 million in reported losses. Ransomware attacks on home PCs make demands in the hundreds or thousands of dollars.
However, cybercriminals see the big money in threatening organizations that have a lot more assets than individuals. The FBI told NBC News that it determined 2016 ransomware payments were probably $1 billion, but they could not provide accurate numbers because of people’s unwillingness to report these crimes because of embarrassment or a belief that law enforcement cannot help. Educational institutions, government agencies, healthcare companies, utilities, retailers, financial institutions, HR departments, and mobile devices are the primary targets of ransomware attacks. Ransomware attacks don’t just cause monetary damage, in 2019, they temporarily stopped operations at 764 healthcare providers, 113 government institutions, and 1,233 universities and school districts. In 2020, 73 percent of all ransomware attacks were successful, where 55 percent of attacks hit businesses with fewer than 100 employees. This ransomware will hit a company every 11 seconds.
Lost opportunities and reduced productivity may be as large as the ransom paid. In 2020, the average downtime from ransomware cost each business $283,000. The average ransom for all businesses combined was around $178,000, though small businesses paid a much lower amount, averaging $5900. Microsoft Digital Defense Report revealed that approximately 50% of ransomware attacks originated from Russia, Iran, China, and North Korea and are a significant source of cash for these nations.
But money is not the only important asset that cybercriminals seek. Many criminals steal the freedom and dignity of others, these are online sexual predators and human traffickers.
According to the Crimes Against Children Research Center 20 percent of US teenagers who regularly use the Internet report they have received an unwanted sexual solicitation through the Web. The UCast Studios December 23, 2020 podcast interviewed Sarah Siegand, co-founder of “Parents Who Fight”. The podcast discussed in depth how sexual predators are usually adults pretending to be teens on social media or gaming forums. Yet increasingly predators are teenagers from the same high school as their victims. Unless parents learn how to take precautions, they often find their teens have been sexual victims for months or years and are completely unaware of how to address these horrible situations their children are in.
Those who have taken sexual exploitation to an even more terrifying level are the sex traffickers who use the Internet to do business. Worldwide, they have created an industry that generates an estimated $99 billion a year from 4.5 million people coerced into some form of sexual servitude. It is a form of modern-day slavery.
The creation of more sophisticated anti-cybercrime software and the announcement of new security patches to computer operating systems have not improved Internet security. Encouraging computer users to make their passwords more complex and change them more often has not improved Internet security either. Losses in the trillions of dollars to cybercriminals and from careless data management are increasing. The premises of what made the Internet the universally popular tool that it is – the easy and lightning-fast connection to all data, where personal and financial information is stored in centralized data centers which ensure the Internet will remain broken. The current model cannot provide data security since security is not the top priority for the large institutions that dominate the Internet. For people, the business community, and government agencies dedicated to serving the public, a completely new and secure Internet needs to be built.