Business scenario for the future of cybercrime

Cybercrime

2020-12-30 / www.icspa.org




 

The rate of mainstream uptake of some technologies depicted in the narratives may seem somewhat ambitious for 2020. This is a conscious choice, which not only allows for a richer and more consistent realization of emerging technologies, but also reflects the trend observed for the last half century that the pace of technological development outstrips our expectations.

Xinesys Enterprises is a small to medium-sized enterprise with just under 200 full time employees worldwide. It punches above its commercial weight thanks to recent supply chain and distribution innovations. Amongst its portfolio Xinesys produces mid-tech devices that assist in and benefit from smart home technology. Their best-selling product is the R0Bud, a robotics-based gadget which many consumers buy as a toy, but which has come to be something of a home help for those with limited mobility. Lakoocha, meanwhile, is a world leader in communications (and now also content) provision. Although officially Xinesys is classed as a manufacturer, their activity is more accurately described as assemblage. Parts for the R0Bud are produced in various locations by smaller concerns: its wheels are made by Kinuko and her team. The Xinesys business model is heavily reliant on automation: goods are checked in and out of its warehouses automatically, and items in both the supply and distribution chains are transported without direct human intervention. Components in transit contain executable code which enables them to make intelligent decisions about their transport and receive routing instructions from their dispatcher. This greatly improves efficiency, but restricts the company’s choice of suppliers to those who have already embraced this technology.
This supply and distribution method also comes with its own risks. Xinesys accepts that a certain amount of its stock will go missing in transit. While some of this can be attributed to accidental misrouting, it is clear that in some cases a new kind of theft is being committed, with criminals intercepting and rerouting stock for retail on the black market.
Highly sophisticated underground Research & Technology (R&T) has also resulted in the production of counterfeit tags and sensors with sub-optimal performance, which ultimately disrupt effective transit.
New business models continue to challenge traditional notions of intellectual property. Some large corporations who continue to insist upon absolute intellectual property rights are finding themselves left behind by those who make their R&T available to the commons under certain conditions, thereby encouraging open source and user generated innovation. Various different models and new regimes are springing up around the world, and while Xinesys naturally wants to protect its intellectual property, it has already seen positive results frommaking some of its own R&T available for further open-source development, e.g. by paying distributed design collectives to contribute to the evolution of existing products, and the development of new profitable uses for existing technology.

Both Xinesys and Lakoocha have grown used to nuisance attacks, which are occupational hazard of being a public facing company. Corporate websites and feeds remain at risk of getting” owned”, and this practice is now so common that it’s almost become part of the fabric, Internet graffiti. But attacks for the lulz are increasingly sophisticated – in recent months Lakoocha in particular has been the victim of fake press releases designed to ridicule the CEO and intrusions with no apparent motive other than to undermine confidence by manipulating data. In Xinesys’ line of work, there have been instances of anti-sec activists posing as legitimate suppliers in order to undermine the effectiveness of products and automated supply chain distribution.

Even the smallest concerns now insure against data loss and associated reputational damage, and cyber risk insurance is a legal requirement in many countries. The imposition of security scores for corporate entities is a mixed blessing. There is no doubt that it encourages greater social responsibility and public confidence, but it has also meant that the CEOs of both Xinesys and Lakoocha have had to justify much higher expenditure on reputation and risk management. For smaller enterprises like Xinesys, there are specialist risk management companies of security consultants to which this task can be outsourced. Large multinationals like Lakoocha, on the other hand, have for the most part chosen to bolster their existing information security departments.

The Universal Security Score system is in fact quite useful when it comes to vetting prospective suppliers and distributors. The advent of “business in a box” cloud services has facilitated the establishment of bogus companies with the intent of stealing product, personal data and R&T. Where once professional looking web pages gave an air of legitimacy to criminal enterprises, now scam merchants can purchase an entirely legitimate infrastructure and set of business processes at very low cost.
The stakes are high. For all that large corporations have been able to secure their standalone databases, convergence of data from different sources over a global wireless network also engenders converged threats. And in a world where reputation has become everything, compromise – particularly of customer data – has an immediate impact on share prices and consumer confidence.
For this reason, established banking and payment providers are leading the way in the creation of a dedicated Internet for secure transfers. This has in turn created something of a headache for businesses like Xinesys, whose operations necessarily straddle the “secure” and public Internets and has prompted the emergence of bridging services. Inevitably, bogus bridging services have appeared which harvest data for retail in the digital underground.
There is now such a plethora of payment systems, some running on the “secure” Internet, some not, and so far, no single architectural solution has held sway. The situation is equally challenging for Lakoocha, which must deliver to consumers mixed streams of data from different clouds without compromising security.
Communications and content service provision is now firmly classified as critical infrastructure, especially in those countries where power and data are delivered together. This has drawn large service providers further into matters of international diplomacy.

Companies like Lakoocha with operations in a number of different countries find themselves variously subject to state regulation or self-regulation and having to deliver very different services accordingly. Such is the control of the Internet in some countries that it has become virtually impossible for some (less preferred) multi-nationals to operate.
Xinesys has naturally moved its processing to a Cloud provider. Inevitably there was some initial concern from the Board and shareholders about this degree of outsourcing, but a stringent service level agreement – stipulating the exact circumstances under which the provider may use the company’s data – and round the clock scrutiny from the contracted risk and security management service has gone some way to allaying these fears.

To date, Xinesys is not aware of having experienced any major breaches, which is just as well, as it has seen the impact service disruption and data theft has had on some of its competitors. Outages be they by design (infrastructure maintenance), malicious (Denial of Service) or by accident, are an unfortunate reality of distributed computing, but the provision of geographically distributed back-up locations in Xinesys’ service level agreement means that these are largely temporary, with most disruptions lasting no more than a couple of minutes. Nevertheless, social engineering of employees continues to be a successful attack vector, and the wholesale enterprise adoption of social media has increased the attack surface. This is a world in which botnets have moved to the Cloud, and Xinesys personnel access their virtual work machines from any number of devices.
The issue of liability is increasingly complex. Companies like Xinesys and Lakoocha already have arrangements in place for the processing and storage of personal data. But the global proliferation of sensor data and the delivery of personally augmented content means that much larger amounts of data are vulnerable to compromise, and this data is potentially much more revealing about individuals.
Because in many places the Internet has become so personalized, consumers now find it much easier to filter out unsolicited advertising. Xinesys therefore relies on pushing content to CSPs in order to generate business, in addition to traditional web-based advertising. Advertisements and marketing material is then relayed to potential customers via augmented reality and context-based services.
All this data has an intrinsic value. There are companies who retail big and intelligent data, which enable service providers both big and small to identify and target potential customers based on their behavior. But questions have arisen concerning the methods some companies use to obtain this data, and in a number of cases criminal groups have been found to have supplied legitimate service providers.
Individuals who discover – often through their identity management services – that their personal data has been compromised or even misused, increasingly sue CSPs and other large corporations. Meanwhile, communications providers like Lakoocha are finding themselves accused of negligence regarding attacks on critical infrastructure and responsibility for physical injury to individuals when service interruptions impact on the functioning of wireless enabled medical devices. Transparency is the watchword, as many consumers become obsessed with the small print of their contracts and privacy policies and seek high levels of accountability from their service providers.
In terms of business processes, multi-nationals are just beginning to experiment with remote presence technologies. Advances in virtual reality facilitated by 3D tracking, cognitive neuroscience and haptic interfaces have enabled the development of technology that maps speech and behaviorisms onto virtual or robotic representatives, potentially succeeding in remote business interactions where video conferencing and virtual worlds have failed.
After the initial outlay, implementation is of course much more cost effective than flying executives around the world to face-to-face meetings, and there are precedents for its performance in the military, nuclear power generation and gaming. But it remains to be seen whether corporations heavily reliant on trust and personal relationships will take to it, and there have already been incidents of criminal interception, manipulation, and eavesdropping for profit.

HIGHLIGHTS


Top