Ethical Hacking

Introduction

With the proliferation of new technical bugs, computer viruses and ransomware, the demand for comprehensive security plans to protect businesses and individuals has never been greater. Though testing tools such as security scans help protect organizations from cybersecurity threats, they are often inadequate, so hiring hackers to test corporations’ platforms instead proves beneficial. The role of hackers has also evolved drastically, with hackers now being viewed as technological tools. With cybercrime being very lucrative, it is critical to understand how cybercriminals are incentivized to commit crimes given the legal complications that could follow.

Ethical Hacking

Ethical hackers try to hack into systems, breach their security and exploit company weaknesses to show possible vulnerabilities in a legal setting. There are two main kinds of hackers: black-hat and white-hat hackers. Black-hat hackers gain unauthorized access to systems to steal data or commit other illegal acts, whereas white-hat hackers (or ethical hackers) use their hacking skills to find security loopholes so that they can be patched before they are exploited for malicious purposes. Currently, ethical hacking is an integral element of a comprehensive security plan because it provides a method to test a computer system or a network to identify and address vulnerabilities.

Significance

As an increasing number of businesses leverage ethical hacking, it is being used in conjunction with several tools and strategic plans. These include, but are not limited to, security assessments, penetration testing and risk analysis in several business processes to maximize cybersecurity. Companies are also exploring the possibility of red teaming, where companies rigorously challenge plans, policies and systems by adopting an adversarial approach. According to a Norton cybersecurity analysis from 2017, 978 million people were victims of cybercrime in the same year, resulting in $172 billion in losses worldwide. Ethical hackers protect against data breaches, prevent security breaches, defend national security and gain customer trust by ensuring the safety of their data.

Economics of Hacking

The economic model of hacking reveals the different incentives for cybercriminals to influence business decisions, exploit bureaucratic pitfalls and alert citizens and businesses to their lack of cybersecurity awareness. Businesses can assess whether and how much hackers "supply" hacking by evaluating the return on hacking over other opportunities. This can be illustrated and understood through the economic model of hacker behaviour. The law of supply and demand is a theory that explains the relationship between sellers and buyers, in this case hackers and businesses, respectively. The theory describes the relationship between a product's price and people's willingness to buy or sell it. For the hacking market analysis, the model in Figure 1 will be used.

Opportunity cost is the cost of the next best alternative, which, in this case, would be the businesses’ indirect demand for hackers. Since prevention is costly, businesses typically tolerate some degree of hacking risk, and so this sensitivity can be perceived as an implicit "demand" for hacking. With the x-axis representing the number of cybercrimes (using an arbitrary quantity unit) and the y-axis representing the average amount gained from cybercrimes (again using an arbitrary price unit), the equilibrium occurs where the supply and demand curves intersect, representing the ideal hacking conditions because cybercrimes are inevitable. Pragmatically speaking, vulnerabilities, attacks, breaches, and malware are all part of the natural and expected order of things in information technology hacking. Because cybercrimes cannot be completely eradicated, the onus is on businesses and organizations to employ both offensive and defensive tactics to protect their data.

Depending on how firms execute the defensive strategies in their security plans, factors such as law enforcement and financial advantages to hackers shift the supply right, legal alternatives shift the supply left, and private defensive measures impact the demand curve, similar to how they do in a regular supply and demand model. When the demand shifts right, it means that there are several security vulnerabilities within the organization that incentivize cybercriminals. Thus, businesses expose their systems to cyber threats through several vulnerabilities in their systems. On the other hand, there are several factors that shift the demand curve, including the defence model used by companies to avoid cyber threats. Their models must follow the COBIT (Control Objectives for Information and Related Technology) principles in some form, which state that businesses should be meeting stakeholders’ needs, covering the enterprise end to end, applying a single integrated framework, enabling a holistic approach and separating governance from management. Depending on how businesses implement their security systems, this could create inefficiencies such as spillovers, misaligned incentives, and information asymmetry. This results in more or fewer cybercrimes than the equilibrium quantity.

If the supply shifts right, it means that the quantity of cybercrimes increases but there is less black money and intellectual information gained from illegal hacking, as there are relatively more hackers and the amount gained is spread amongst a larger group. As the law cannot be adequately enforced in cyberspace and the dark web, where all hacker interaction occurs, hackers could strategically escape punishment. Cybercrime is a relatively new phenomenon that is becoming increasingly complex, so responses from legislators and law enforcement agencies are still being established at all levels of government. In the US, there are 50+ federal statutes that address different aspects of cybersecurity and cybercrime, but there is no single comprehensive U.S. legislation that encompasses all aspects of cyber-related crime and accounts for the entire chain of events that occur in massive hacking activities such as ransom attacks, where the attacker illegally gains access to company files and then demands a ransom from the victim to restore access to the data upon payment. Some examples include the ransom attack on JBS by the Russia-linked cyber-criminal gang REvil, breaches of the computer systems of the Australian National University in 2018 and the 2015 malware attack on the Bureau of Meteorology, whose perpetrators were never caught.

Importance in Business

Additionally, hackers can carry out an Advanced Persistent Threat, which is a prolonged and targeted cyberattack where the intruder gains access to a network and remains undetected for an extended period of time for illegal purposes without the victim’s knowledge. These attacks are becoming increasingly common, thus evading law enforcement for prolonged periods. Furthermore, mass cyberattacks exhibit high economies of scale, meaning that even with few cyberattacks, a lot of damage can be done to a company’s properties.

This was especially evident when the COVID-19 pandemic hit and businesses were forced to migrate online rapidly. Some or most aspects of the migrations were not secure, resulting in high damages and shifting the supply curve rightward. Since the outbreak, over two-thirds of member countries that responded to the worldwide cybercrime survey said they have seen a significant number of COVID-19 themes used for phishing and online fraud. The most prevalent are online scams and phishing, where threat actors deployed COVID-19 themed phishing emails, often impersonating government and health authorities, to entice victims into providing their personal data and downloading malicious content. Furthermore, there has been a significant increase in cybercriminals registering domain names containing keywords such as “coronavirus” or “COVID” to underpin a wide variety of malicious activities. From February to March 2020, a 569% growth in malicious registrations and a 788% growth in high-risk registrations were detected. As well, many hackers have call centers where they conduct phone scams, claiming to be professionals and asking for access so that they can hack into victims’ systems.

If, however, the supply shifts left, the quantity of cybercrimes decreases. This can happen when hackers are given other alternatives. Factors that shift supply left include legal alternatives, such as increasing the attractiveness of IT ethical hacking jobs, which shift the supply curve more than marginal jobs or non-IT jobs and tend to decrease the equilibrium quantity of cybercrimes. With many white-hat (ethical hacking) jobs available as opposed to black-hat hacking (with illegal intentions), modern hackers are categorized not only according to their expertise but also according to the values they adhere to. Although hiring ethical hackers has several associated risks, such as the chance of corrupting the files or data of an organization, massive security breaches and cybercrimes, if hired correctly they can prove to be very useful. Ethical hackers help fight cybercrime by giving businesses new perspectives through testing methods such as penetration testing, which identify potential vulnerabilities in order to defend customer data and information present in business exchanges, and by following strict policies such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

Even with a few automation tools and vulnerability analysis available, there is a high chance that reports will be misinterpreted or will miss key components that should be tested, and that new undetected threats will emerge after the scans are done, such as those in Advanced Persistent Threats as mentioned earlier. As well, these tools lack the ability to reduce the overall threat, as they do not check all attack vectors, such as physical and social engineering, and may miss what a reconnaissance exercise would show. Thus, businesses need to invest in ethical hackers, as they provide the best defensive strategy with an offensive approach, handle sophisticated attacks (it is difficult to detect the malicious activities of a hacker in the absence of an intelligent intrusion detection system) and reduce losses. Previously, an ethical hacker informed Homebrew, a popular, free and open-source software package management system, of its flaws. He accessed their GitHub repository in under 30 minutes to prove that if he were a malicious actor, he could easily make a small unnoticed change to the code to place an application on any machine that installed it and victimize the users. Furthermore, a security researcher revealed a vulnerability in a WordPress plugin that leaked the Twitter account information of users. Elliot, the ethical hacker, informed Twitter of this vulnerability on December 1, 2018, prompting Twitter to make the accounts safe again from the security lapse.

Government Involvement

Moreover, hacking is very prevalent among the general public and in politics as well. Several whistleblowers violated privacy policies to save citizens from their own government, and their actions influenced how organizations understand privacy. For instance, the British Columbia Civil Liberties Association recently used illegal methods to prove illegal domestic surveillance and sue the Canadian government over it. The group said Canada’s intelligence agency, known as Communications Security Establishment Canada (CSEC), is collecting personal information on its citizens. In addition, in Edward Snowden's case, wherein he fraudulently hacked US government networks to establish that the government was monitoring its citizens, there was widespread public awareness of and opposition to government mass surveillance, leading to judges declaring parts of these programmes illegal. Before December 2014, the legal authority that regulates the secret services in the United Kingdom considered portions of the sharing of intercepted communications between the United States and the United Kingdom to be unlawful. Furthermore, in May 2015, a court of appeals in the United States found that the mass collection of US phone records was illegal.

Furthermore, a new examination of documents detailing the US National Security Agency's SKYNET programme shows that SKYNET carries out mass surveillance of Pakistan's mobile phone network and then uses a machine-learning algorithm to score each of its 55 million users to rate their likelihood of being a terrorist. Most of the 2,500 to 4,000 people killed by drone strikes since 2004 have been classified as "extremists" by the US government, but as the victims’ names are being identified by sources such as the Bureau’s researchers in Pakistan and other organizations, including Amnesty International, Reprieve and the Centre for Civilians in Conflict, most of them may have been innocent. As well, in 2017, a website run by the Jharkhand Directorate of Social Security leaked the personal details of over 1 million Aadhaar subscribers, and cybersecurity agencies and the Supreme Court have expressed concerns over its security, especially in view of the government's plans to link it to every aspect of citizens' lives. In India, Aadhaar is a 12-digit individual identification number issued by the Unique Identification Authority of India on behalf of the Government of India, and it thus holds significant value in storing private data. The number serves as proof of identity and address anywhere in India.

While insurers are attempting to manage their risks by requiring clients to adhere to cyber policies (such as HIPAA and PCI DSS) in order for their claims to be approved, they can only do so if businesses believe their services are feasible. With insurance rates increasing, smaller firms with low budgets may feel that the coverage is not worth the cost if insurers increase rates too much, making them more vulnerable to cybercrime. As a result, government officials seeking to improve organizations’ cyber postures may need to either mandate certain best practices, rather than relying on the promise of insurance coverage to incentivize voluntary compliance, or intervene to help insurers provide affordable, more financially attractive coverage.

Conclusion

As a result of these security breaches, technology corporations and software developers are building privacy into their products, and businesses are standing up to governments. The world’s largest tech companies, including Apple, Facebook, Google, Microsoft, Twitter and Yahoo, have launched a campaign calling for an end to the bulk collection of personal data. For instance, Microsoft rolled out Microsoft AccountGuard and the Defending Democracy Program, aimed at protecting “organizations that underpin democracy” from hacking and disinformation campaigns. Furthermore, Google launched Project Strobe and the Advanced Protection Program, created for high-risk users including “journalists, activists, business leaders, and political campaign teams” to ensure their systems are secure and can defend against any potential threats.

Apple, as well, announced a partnership in 2018 with Cisco, Aon, and Allianz to enhance and work in conjunction with their networking, ransomware, and security capabilities to avoid any malicious attacks that could expose tons of public data.

The hacking economic model reveals the various objectives for cybercriminals to influence businesses’ decisions, exploit administrative flaws, and alert citizens and businesses about cybersecurity illiteracy. Companies require ethical hackers even with certain testing tools, and recent political events highlight the need for privacy and provide an incentive for businesses to hire ethical hackers. While the application of economic theory does a good job explaining why hackers respond the way they do, it neglects certain assumptions and driving forces, such as psychological motives and economies of scale in offences that are less common in traditional (offline) criminal behaviours but tend to underscore hacking in cyberspace.