Is it time to hold the Russian government responsible for the rise in sophisticated cybercrime attacks on the U.S. economy?
As Congress recently held hearings on the Target data breach to discuss new ways to protect consumer information and prevent future data breaches, one key issue that should be on the table is how to clamp down on the foreign source of these attacks. The Target breach -- possibly the largest hack in U.S. history, affecting over 110 million consumer accounts -- used Russian-made malware to pull it off. That should come as no surprise to anyone. After all, some of the most notorious malware that's targeted U.S. consumers, banks and retailers over the past few years has originated from Russia or former Soviet states: ZeuS, Citadel, SpyEye, CryptoLocker, to name just a few. In fact, roughly 70 percent of "exploit kits" released in the fourth quarter of 2012 came from Russia, according to a study by Solutionary.
Until we tackle the Russia problem, we won't make any real progress against cybercrime. In order to stop a leaky boat from sinking, you have to do more than just bail water -- you have to plug the actual leak.
The U.S. has already taken an aggressive stance against the Chinese government for its ongoing cyber-espionage attacks against the private sector. It needs to do the same with Russia. While the Russian government does not appear to be directly behind these cybercrime activities, neither is it doing much to stop them. A report by the Russian cybercrime intelligence firm Group-IB cited a number of reasons for Russia's failure to thwart the proliferation of this activity inside the country: inadequate laws, weak penalties and legal loopholes for those convicted; a need for more advanced investigative capabilities and better law enforcement training; and improved coordination with other countries. In its defense, Russian authorities did arrest the creator of the BlackHole exploit kit. But they've failed to stop the vast majority of high-profile crimeware rings -- from ZeuS to CryptoLocker.
Russia also has another problem: "bulletproof hosting." What is that? Bulletproof hosting refers to the practice of protecting malware-infected websites from being shut down by their service providers. In the U.S., for instance, when a website is found to contain malware, there are legal recourses to take the site offline and prevent it from being used to infect other websites. That is not always the case in Russia -- these infected websites are sometimes protected from takedowns, allowing cybercriminals to thrive by having a safe platform to host their malware for infecting U.S. consumers and businesses.
It's estimated that cybercrime (most of it appearing to come out of Russia) costs the global economy $113 billion each year, according to Symantec. Unlike the estimated costs of Chinese cyber-espionage (which are speculative figures based on projected future values), cybercrime is stealing real money from companies and consumers every day.
Russia's failure to act against the cybercrime industry operating within its borders poses an advanced persistent threat to the U.S. economy. Our government officials can no longer ignore the consequences of Russia's inability or unwillingness to act. If we're going to hold China responsible for the cyber-espionage attacks emanating from its IP addresses, isn't it time we confront Russia for harboring the vast majority of the world's cybercrime industry?