It’s not just the frequency of new cyberattacks or the persistent, morphous nature of the attack vectors themselves that is astonishing. We are now beginning to see the way in which cyber technology is transforming our entire lawless ecosystem into a new, fascinating and frightening display of criminal behavior — not hiding within the shadowy confines of the dark web, but rather right out front, in broad daylight.
One stunning example is the way that e-commerce is being used to launder stolen capital. As Internet innovation has become a global reality, criminals have elected to simply use the web as a front for every form of online fraud, such as illegal internet gambling payments, illegal drug transactions, and terrorist funding.
So not only are we faced with an onslaught of asymmetrical cybersecurity battles, but the benefit distribution system on the back end has re-engineered its entire payment process through online portals whose legitimacy is impossible to determine. This technological evolution has rendered the entire global effort to set up and maintain anti-money-laundering entities almost completely useless.
Just over a month ago, an investigation uncovered an international network of seven online dummy stores that were pretending to sell household goods, but were instead being used as a multinational front to conceal illegal internet gambling payments. Another investigation late last year revealed a small town in England that had become the international hub for online porn and poker companies, with transactions in the tens of millions of dollars virtually hiding in plain sight.
That site, like all of the other money-laundering sites, was beautifully designed and was developed by a popular website-design-as-a-service operating freely on the dark web. It openly advertises itself as a “gorgeous free highway for online money laundering.” Any micro-merchant on the planet can now set up a website that purports to sell, say, home decorating accessories while in reality only manages electronic cash transactions in and out of online merchant banks. Activity that would be highly regulated in the physical and even the electronic world becomes fully unregulatable in the cyber universe.
Combined with the growth of the fintech industry, we now have hundreds of online financial services companies that aggregate payments for these small retailers, creating a complex and opaque system that completely obscures visibility into the actual identity of the underlying merchant by the larger banking entity. And the traditional banking sector further exacerbates the problem by determining the country of origin for a merchant’s operation through a look only at where the company is registered, rather than also determining where the firm’s website resides.
The resulting smokescreen enables online criminals to proceed with their business entirely undetected.
Some of the worst cases relate to terrorism financing. The Charlie Hebdo attack in Paris was funded by $50,000 obtained through the sale of fake Nike running shoes that never existed.
Mexican drug lord El Chapo’s drug distribution process relied on, and still does, on prepaid debit cards that are loaded and then used to make fake purchases at fake Mexican online sites selling fake power equipment. El Chapo understands that if you want to sell to a large audience, you want to enable them to use the most convenient payment methods. El Chapo’s message was simple: If you want to buy this drug, you need to buy the lawn machine.
And of course, not unlike our response in the cybersecurity domain, there are several companies working hard to combat this threat by employing the latest big data, artificial intelligence, and machine learning technologies with the goal of uncovering this class of fraudulent merchants.
So far, it’s fraudulent merchants, one — technology combat companies, zero.
Because it is almost impossible to identify the source of these pipelines in a way that is similar to the problems in identifying attribution for a cyberattack, this phenomenon will transform the entire way that merchant banking is conducted, and it won’t be pretty. Updating banking controls and regulations to accommodate the data required to mitigate some of this activity will impact the speed and agility of merchants to conduct business internationally. Soon, our banking system will look a lot like the TSA-controlled airline boarding process. It probably won’t stop the bad guys either.
It was 9/11 that transformed the travel industry. Cybercrime is transforming the banking industry. China’s adoption of quantum computing will soon transform the Internet. What’s next? And why does it seem that we are always surprised? The U.S. Congress and the Trump administration have done nothing to address either the problems of an asymmetrical cyberwar that is quickly spinning out of control or the internet-fueled cybercrime processes that support illegal online operations.
In the 1920s young men in search of quick and easy fortune flocked to organized crime as an obvious way to amass startup funding. The requisite skills were rapid reflexes, muscle, and moxie. The illegal ecosystem was physical and geographical, and law enforcement was ultimately able to prevail based on roadblocks, informants, and lots of bullets.
Today’s Internet-based form enables a much different set of skills, yet depends on the same human nature to engage. Law enforcement, handcuffed by a politically sensitive set of engagement rules and forced to operate with limited battle space intelligence, cannot compete. Increasingly, the current state of cybersecurity is looking more and more like an event horizon.
As technological innovation continues to race ahead undaunted by the now proven facts of cybersecurity risk, it seems we stand on the edge of the earth’s biggest fault line. And instead of gazing in awe at the impending disaster, we decide to start building our next home on the exact spot where we presently stand.
Steve King is the COO of Netswitch Technology Management.