For quite some time now, as Chief Security Advisor, I have been working to support Law Enforcement. We supply training, give technical support as needed, and stay in close contact, especially once we decide to file a criminal complaint. This happens particularly when we (we being Hotmail) are phished or some other criminal activity is directed at Microsoft or our customers.
This led me to the point where I started to ask myself whether the work I am doing in this area is actually targeted enough (meaning: do we actually make the Internet a safer place?) or whether it is just "operational hectic", with me simply helping whoever shouts the loudest.
Let's take a moment and think about it:
There is an old 10:80:10 model (no, not the 80:20 rule):
- 10% of the population would never commit a crime, no matter what.
- 80% of the population is opportunistic, meaning that if the value behind the crime is high enough and the risk of being caught is low, they would commit a crime. That said, it is completely clear that value and risk are subjective and often differ from person to person.
- 10% of the population would always commit crime, no matter what.
I leave it up to you to decide which group you belong to, but based on statistics I would assume that most of us are in the middle tier, depending on the stakes at risk.
Now, I said that the middle group weighs value against risk, so let's look at this a little more closely. I recently discovered a formula on this subject:
Mb + Pb > Ocp + Ocm × Pa × Pc
- Mb: Monetary benefit for the attacker
- Pb: Psychological benefit for the attacker
- Ocp: Cost of committing the crime
- Ocm: Monetary cost of conviction for the attacker
- Pa: Probability of being apprehended and arrested
- Pc: Probability of conviction for the attacker
This formula was published in 1995 by Clark and Davies and, in my opinion, has not lost its significance in the age of the Internet.
Thinking about this, it probably helps us understand how we can work with the middle 80% to keep them away from crime and, additionally, how to make it harder for the last 10% to commit crime. This leads back to my question above: Am I doing the right thing? Or better, what can I actually do efficiently? To answer these questions, let's look at the individual parameters of the equation:
- Mb: From a Microsoft perspective, I probably cannot change the monetary benefit for the attacker. Can you (depending on which segment you are working in)? I doubt it. Today's systems store business-critical data and have to store business-critical data. This will not change.
- Pb: Do we have an influence on the psychological benefit for the attacker? I doubt it as well, since this is a personal feeling, and the feeling of being "the one that hacked company A" will never go away. However, we could work on the right-hand side of the equation to make it harder to brag about a success, and with this measure lower the psychological benefit as well. Remember the guy who wrote Sasser: he went to school bragging about having written Sasser, and a "colleague" of his then actually blew the whistle on him.
- Ocp: The cost of committing the crime is probably the area where we can have the single biggest direct impact, but not by working with Law Enforcement. It can be influenced by the different activities through which we make products harder to attack, such as the Security Development Lifecycle, Defense in Depth and many others. Additionally, we can work with you, our customers, to further improve architecture and processes so that networks become more resilient against attacks.
- Ocm, Pa, Pc: The final part is all about Law Enforcement: how probable is it that I get caught, and what are the consequences? It drives me crazy to see that people who commit crimes on the Internet sometimes even get well-paid jobs in the security industry after being convicted. So we all fight against the criminals, and in the end they even get rewarded. This is one side. On the other side, working with Law Enforcement to increase their ability to get the bad guys is probably what we have to do. Do not get me wrong: there are a lot of excellent people out there working for Law Enforcement. But helping all the officers understand the latest technology, and helping them increase the probability of catching the bad guys, is what we should do. Finally, I think we all have to work with policy makers to help drive laws, where needed, that make activities which are illegal in the real world illegal in the cyberworld as well. The Council of Europe made a first significant step in trying to lay down a framework for such laws, but this has to be implemented across the globe. There you can help and drive Pc and Pa.
This is the first time ever I have a call to action for you:
Whenever you are attacked, involve Law Enforcement and make sure that they start an investigation. This is the only way to make it riskier for the criminals to commit crime. If we just fight the attackers and close vulnerabilities, what is the risk for the middle 80% in relation to the value? We have to change this equation, and we have to do it together.
In conclusion, I will continue my work with Law Enforcement to support their fight against the criminals. I hope you join in.