The idea of cyber extortion is challenging to define and identify. On the far end, we have ransomware, which I discussed in the last few weeks’ articles. It is currently the most visible form of cyber extortion, even though many cases stay out of the public eye. A person or group identifies a security flaw, takes over a system, and then holds it hostage until the ransom is paid. It has turned into quite the business model, as many of us know. This is clearly a crime.
However, cyber extortion also happens in more or less subtle ways, which are unpleasant but cannot easily be identified as crimes. Exploring these instances is where things can get tricky.
Some researchers may be considered extortionists simply because of how they present the results of their security research: they tell the organization where the issues were found, and the world, that a problem has been identified, but they do not freely share the details with the organization. If the organization wants any more specifics or, more commonly, wants the discovered issues to be kept confidential, it must pony up some cash.
This, of course, is the eternal grey area of cybersecurity research worldwide. On the one hand, the researcher should be fairly compensated for his or her work; on the other hand, the firm being researched never asked for the research in the first place. Bug bounty programs are slowly clarifying the situation at many organizations, since they state up front what may be tested, how findings should be reported, and what will be paid.
Another aspect is that much of the marketing of cybersecurity products and services relies on some level of “ambulance chasing,” named after the practice of lawyers following an ambulance to an accident site to offer their services to the victims. That practice is, by and large, considered rather seedy. Since many cybersecurity incidents are akin to the traditional accidents of yore, the same behaviour seeps into the cybersecurity industry, and the companies on the receiving end may well perceive it as a form of extortion.
What is perhaps even more interesting, and something we have not yet seen, is what the aftermath of a massive cybersecurity catastrophe might look like. In areas devastated by forest fires, for example, there are always those who take advantage of the disaster.
Companies that provide generator products and services engage in price gouging, and an underground economy of service and cleanup providers preys on the victims of such tragedies. In the unfortunate event that the world, or any significant part of it, should fall victim to cybersecurity-related devastation, one might surmise that all sorts of unscrupulous people would engage in various forms of cyber extortion. I don’t think we need to go into specifics, but you can let your mind wander thinking about this.
It seems that when organizations identify and prioritize risks in this new world of cybersecurity profit models, one essential step is to identify not only the risks of a cessation of operations but also the risks that may expose the organization to various forms of cyber extortion. Remember, both criminals and legitimate businesses can take advantage of such situations. While criminals may be easy to identify and perhaps deal with (although don’t bank on that), businesses that engage in such practices may pose the bigger threat of the two.
These scenarios are interesting, as Arctic Security has always tried to be careful not to use our data in ways that could be perceived to be in this grey area. While we don’t do vulnerability research, based on the data we collect, we do know that the organizations that most need our services are unaware that they have potential security vulnerabilities and that they may already have been compromised.
Now in many cases, it comes down to attitude and delivery. Suppose a research firm or company threatens to expose the dirty laundry of a company unless the company pays an exorbitant research and remediation fee to the researcher, service provider, or product manufacturer of their choosing. In that case, it is a bad way to do business. However, this happens all the time, and some or most of you are likely aware of this.
It has always been our practice to only offer our information when asked and never to hide information from prospective customers who wish to see it. Customers should know that our information is valuable and that the Arctic EWS service will remain relevant. The value of a continuous monitoring service and attack surface discovery is not lost by giving information about currently pressing issues.
Many businesses, and perhaps most, are trying to be helpful. Some are more focused on helping themselves than their prospective customers, which is an excellent reason to make sure your organization is doing what it can to help itself, so that it does not fall prey to such tactics.