Cybercrime: a new challenge to be addressed and prevented. Remarks by Paola Severino
September 8, 2017
Following is an excerpt from Professor Paola Severino’s talk at the “Scenarios for competitive strategies today and tomorrow” Forum, held between September 1 and 3 in Cernobbio, Italy. Courtesy of the Professor.
The use of digital tools can also be a source of new and widespread risks, compounded by the impact of breaches of individuals' privacy, of the collection of sensitive data by companies and the financial world, and of assaults on national secrets relating to security and defence.
These risks are far more difficult to contain than in the past, given that the anonymity afforded by computers not only acts as an incentive to cyber attacks, but can multiply their chances of success while simultaneously undermining the possibility of an effective response through traditional penal systems.
Let us think of the use of Bitcoin for money laundering, or for extortion to the detriment of companies forced to pay for the return of data deleted through the intrusion of a virus. Let us think of email accounts opened and closed within a few hours in order to carry out frauds or other crimes against property through them. Let us think of the possibility of interfering in commercial communications by assuming another party's identity in order to obtain unwarranted benefits.
In other words, the versatility of the techniques displayed by these types of attack requires constant adaptation in order to react effectively to these new forms of aggression. Countering cybercrime is indeed made particularly difficult by the continuous "metamorphosis" of computer attacks, which build on each new technological innovation.
The growing use of crypto-currencies and the new frontiers of cyber-laundering have already been mentioned: they are encouraged by virtual currencies that seem to escape any form of control and regulation by the public authorities, even as their use grows rapidly. The phenomenon is very difficult to regulate. Transactions are often carried out on the dark web and, as a matter of principle, may be tied to both legal and illegal economic dealings.
A typical example of evolving attack patterns is the spread of ransomware and the refinement of techniques for encrypting computer systems, with viruses sent as bait. The media frequently report computer intrusions carried out in order to obtain a ransom, more often than not payable in crypto-currencies, as the price for restoring the "infected" system. Here too, countering such activities is made particularly difficult by the development of increasingly sophisticated malware (CryptoLocker and WannaCry Locker, to name a few), despite the apparent simplicity of its operation, which rests on asymmetric encryption (the same used for business transactions and digital signature devices).
For this reason, in the context of developing a sound IT economy, as Italy and Europe (a world leader in research and innovation) know how to do and are certainly able to do, there is an urgent need to think of an approach to regulation very different from that applied to other forms of misuse of the financial system.
Firstly, just as the sharing economy opens trade up to boundless latitudes, the prevention and repression of the phenomenon described must operate on an absolutely trans-national scale. Establishing providers in places that favour anonymity and shield them from liability, for example, may render ineffective the best of national prevention laws. Allowing opaque sites to be opened in places that do not regulate their registration will let them be used to spread deep-web-like phenomena, as vessels of unimaginable evils, without the legal system being able to intervene.
In other, more general terms, prevention and control networks, in order to be effective, must show no gaps, so that illicit phenomena cannot infiltrate by exploiting their shortcomings. International agreements, therefore, are needed to regulate an international communications system.
These principles are the inspiration for the recent European Directive (No. 1148/2016), which in its recital no. 43 states that "given the global dimension of the issues relating to the security of networks and computer systems, closer international cooperation is needed to improve security standards and information exchanges, and to promote a common approach to security."
Secondly, it will be necessary to equip proper monitoring centres with the complex and multi-disciplinary knowledge needed to report the rapid-fire changes in attack techniques, in order to study possible ways of preventing them and to spread the information required to avoid any aggression. Thus, for example, to combat effectively the phenomenon I mentioned earlier, i.e. the increasingly sophisticated creation of malware tied to the virus-as-bait dynamic, users should be constantly informed about the growth of social engineering techniques that get the victim to cooperate with the sly attack (e.g. opening suspicious emails, entering one's credit card details on specific sites, and so on).
Also, by way of example, in order to prevent the phenomenon of cyber-laundering, it seems useful to concentrate on the fact that a blockchain necessarily exists on which all transactions of each Bitcoin are recorded in an accessible way. As a result, every operation to convert any crypto-currency, as well as every payment order from one wallet to another, will be, theoretically speaking, perfectly traceable. Taking into account these technical features, and the fact that the dark side of the phenomenon lies in the anonymity of the parties involved in the exchanges, for the purposes of prevention it would be necessary to aim at a blockchain system that bans operations from encrypted addresses.