The pandemic has been an unusually chaotic time for Neil Walsh, the chief of the United Nations’ cybercrime, anti-money-laundering, and counterterrorism department. As the global lockdown forced much of the world’s population to conduct their lives online, cybercriminals followed, finding novel ways to exploit the pandemic. And Walsh has had a front-row seat as this new wave of cybercrime has broken.
Whether through off-the-shelf malware or more sophisticated hacking techniques, cybercriminals have made a killing off the global health crisis, often at the expense of the most vulnerable individuals and institutions. While it’s difficult to measure exact costs, some estimate that cybercrime cost the global economy more than $1 trillion in 2020 — the equivalent of 1% of the worldwide GDP. By the U.N.’s own estimates, email-delivered malware ballooned by as much as 600%, and ransomware attacks by more than 40%, compared to the year prior. Walsh has been helping member states coordinate efforts to combat these increases and developing programs to raise awareness of them.
Rest of World caught up with Walsh over a video call to discuss the impact of the coronavirus on cybercrime and how countries around the world are responding.
By some reports, certain cybercrime, like malware, has increased by as much as 600% over the past year. How has the pandemic contributed to this spike?
Well, it’s difficult to put an exact figure on cybercrime for a few reasons. It usually takes only reported crime into account, and there’s no accepted international definition of what cybercrime actually means.
Still, we’ve certainly seen a boom during the pandemic. There are vastly more people on the internet than there were a year ago: businesses, communities, everything just went online. So the victim pool is suddenly enormous, and scammers can make a fortune. Criminals just have to persuade a small number of people to buy whatever it is they’re selling, right? And this has coincided with a reduction in policing capability because investigators are no longer working in offices with the proper tools to go after digital criminals. The likelihood of getting caught is, unfortunately, very, very low.
To give you one example of how these ecosystems work: I have a clear memory from March 2020, when I was researching darknet chat rooms and forums. A user showed up in a relatively well-known cybercrime forum and said, “I’ve never been on the darknet before, but I want to know how I can make money out of Covid and cybercrime.” A number of people in the forum told him to piss off, but there were also a few who said, “Here’s how it works: You’re going to do it through fraudulent vaccines, personal protective equipment (PPE), and so on.” At the U.N., we saw a number of people faking budgets, grants, and end-user certificates with our letterhead and trying to validate fake PPE orders purporting to be worth millions of dollars.
To me, this really underscored how quickly criminal organizations can find a new commodity to push, whether that’s drugs, money, or something else. Globally, criminals have been thinking, We’re moving stuff across borders, but that’s going to be really difficult for the next few years — how do we get into the digital side of things? How do we continue to make money?
We saw an enormous upsurge in fraudulent PPE sales. Sellers were targeting governments that were publicly saying that they didn’t have enough PPE. All a criminal needed was a couple of pictures of N95 masks and gowns, and they were off.
Is there a typical profile of a cybercriminal?
Not anymore. It used to be that the average hacker was around 17 or 18, while the average participant in organized crime was in their 30s or 40s. But now you’re seeing people who were previously involved in weapons or drug trafficking getting into higher-level cybercrime. While I can’t speak to any specific country, there are a number of countries with populations that are highly technically skilled and suffering a significant economic decline. If you have the skill set and no income, this certainly opens the door to exploitation and criminality.
Are there other, non-PPE-related forms of cybercrime on the rise?
The biggest one is the proliferation of child-sexual-abuse content. By the third quarter of last year, the tech sector was reporting vastly higher amounts of this kind of material appearing online — a very large increase from the previous year. Victims can be anywhere on Earth. However, Southeast Asia, sadly, remains the region where children are most heavily targeted. But when you look at where much of this content is hosted, it’s actually in the E.U., due in part to its exceptionally strong privacy laws. So the surge in child-abuse content isn’t just a developing-world problem, it’s a global one. And unfortunately, because of the pandemic, it’s growing.
I think there’s a really important discussion to be had about how states are able to seek assistance from the countries in which cybercriminals and groups are based. Successful criminals tend to be located in places where law enforcement is limited in its ability to gather evidence. For instance, if somebody is going after victims in the U.S., they might try and live in a country where there’s no extradition treaty with Washington, D.C., or where it’s difficult for American law enforcement officials to operate.
“If you put real evidence of cybercrime out in the public domain, it’s easier to find clarity on all sides.”
These questions get even more complicated when it comes to hackers working on behalf of governments. If a cyberattack happens, country A might come out and say, “Country B did it.” Country B will deny it, and country A won’t produce the evidence. In these cases, it’s best to take a policing approach, which is simply to follow the clues and allow that to guide the analysis. That’s when you can actually start to ask detailed questions. Is there a smoking gun? Do I trust how the data was collected? Can I challenge the conclusions, inferences, and premises of the available materials? If you put real evidence of cybercrime out in the public domain, it’s easier to find clarity on all sides.
So what’s preventing this kind of cyberpolicing from happening?
When it comes to the United Nations, the logistics are challenging. Countries often vote along political lines and are unable to agree on basic approaches. What worries me about this is that, when diplomats and policymakers can’t engage in constructive dialogue, the only people who win are criminals. When I speak to our partners in the U.S., Russia, China, or really anywhere, they will describe the threat of cybercrime in broadly similar terms, and they will agree that we need to do much more capacity building with regard to law enforcement and public awareness. But then only a few countries will actually invest.
Do you think some of the cybercrime strategies we’ve seen over the past year will continue to be pursued post-pandemic?
My instinct is that, if a new criminal business model is working, it’s not going to change until it no longer works. So I think some of the current schemes are here to stay, and they will probably grow and evolve. For instance, we’ve seen vaccine-development labs and public health organizations targeted and held for ransom by hackers. But at the same time, there have also been positive developments. Cybersecurity companies around the world have stepped up to offer free help to anybody working on Covid-19 who has suffered from hacking attacks.
I should add that I’m curious to see how cybercrime will change in the next six months, as vaccines become more available.
