And a rise in cyber- ransoms is the result. To stop the cycle, businesses should stop paying up
Covid-19 has unleashed another pandemic, one that, in the long term, could be much more damaging to livelihoods around the world than the virus: an outbreak of cybercrime. But so far, governments are ignoring the problem, and big business is tacitly nurturing it. In turn, coronavirus-era cybercrime is growing faster than the virus, and policymakers and executives must put a stop to it.
Thanks to the pandemic lockdowns, the economy has been increasingly digitized. More data is being shared online—think of how many more transactions are being conducted over the internet—but also new types of data. A business handling sensitive documents and data might have used a secure in-office network pre-pandemic. But it is now likely to have that data dispersed across a variety of (often personal) devices and insecure home networks.
To be sure, most of this is necessary. Businesses have had to find ways to survive through lockdowns. And there will be plenty of long-term economic gains driven by the flexibility and efficiency of remote working.
But there is a dark side, and it goes beyond business. More countries are embracing e-governance. For example, Egypt, South Sudan, and, most notably, Bangladesh have started moving toward the Estonia model, where even voting can be completed online. Estonia's experience in 2007, when Russian state-backed hackers brought the country to a standstill and threatened its national security, should be a warning to us all. Yet the biggest threat is not from politically motivated state-backed hackers but from a broader range of more dispersed cybercriminals.
Interpol has warned that cybercrime has already spiked during the pandemic, with a further increase expected. Like business, traditional organized crime groups have struggled to continue their operations through Covid-19 restrictions around the world. For example, closed borders, lack of communication, and difficulties accessing customers affects them just like legitimate businesses. Meanwhile, some of the world's newly destitute may be driven to criminality as well, and lax online business practices—as well as lax extradition and law enforcement procedures—could make cybercrime attractive.
Ahead of a rising tide of hacking, governments and business will have to get more serious about tackling it. But early indications are not promising. In August, Uber's ex-security boss was accused of covering up a data breach by paying hackers a $100,000 ransom to delete the data they had stolen (which belonged to 57 million Uber drivers and passengers). It is unclear whether the hackers did delete the data after payment; only 1 in 4 such ransom payments actually achieve this desired result.
But Uber is just the tip of an iceberg. In a 2018 report, 53 percent of executives who had experienced a ransomware attack admitted to paying the hacker's ransom. On average, hackers are paid $24 billion each year. This makes the illicit trade much smaller than drugs or human trafficking, but it is also much younger. It took decades for professionalized transnational cartels to emerge, but that transition for cybercriminals could be faster.
If anything, paying ransoms could spur it on. There is a reason why many countries do not negotiate with terrorists. Paying ransoms is a short-term solution, but it simply kicks the can down the road by strengthening criminals. That's especially true for data crimes. A hacker can gain access to millions of individuals' information, be paid off handsomely by the data owner, and still profit through identity theft and fraud. And because the data owner won't have informed the victims, they will not be in a position to protect themselves (by ordering replacement bank cards, for example).
Of course, it is easy to see why company executives might pay ransoms. A hack can affect a company by stalling its operations, damaging its reputation, and hitting its bank balance when it is forced to pay compensation for a data breach. Earlier this year, Equifax was ordered to pay $700 million as a result of a data breach class action lawsuit, which will have cost it even more in reputational damage and loss of trust among customers. A ransom payment to a hacker may have seemed cheaper.
It doesn't matter if Russia actually sways the vote. What matters is whether Americans think it did.
But it won't be in the long run. And as business stays online, business leaders need to increase offline backups, hire professionals to test for vulnerabilities, and ensure that all staff are cyber-aware to secure their systems and data. Meanwhile, countries around the world need to cooperate more to bring these criminals to justice. Given the asymmetric nature of cybercrime (a disproportionate number of criminals are in Russia, China, and Iran, and many victims are in the United States and Europe) this is as much a political issue as it is a law enforcement one. Finally, laws against ransom payments need to be publicly promoted and enforced. Executives who pay ransoms to hackers may be unaware of the criminal nature of their act, and they likely don't fear prosecution. This must change.
Building societies and economies that are resilient to the threats of the future means putting data privacy front and center of politics and business. If it isn't, individuals will simply distrust digital trade, and economic growth will be stunted at a time when conducting business online is an absolute lifeline.
Jamal Ahmed is the CEO of Kazient Privacy Experts.
Disclaimer: This article first appeared on foreignpolicy.com, and is published by special syndication arrangement.