Do Dark Markets Drive Data Breaches?
Deputy Attorney General Rod Rosenstein claims that dark markets drive breaches. It’s an interesting idea - but also a dangerous one, and wrong.
Does the existence of cyber criminal marketplaces encourage hacks against large corporations like Equifax, Target, Anthem and Yahoo!, or is it the availability of stolen data that spawns marketplaces for trading such information?
The answer could have a profound impact on how our government responds to companies that lose track of sensitive customer data. In fact, there’s evidence that some of the nation’s top cops have a “market first” understanding of breaches.
In a speech this week in Boston, Deputy Attorney General Rod Rosenstein laid out the argument that cyber criminal markets are a big part of why breaches like those at Equifax have become so common and persistent.
Addressing an audience at the Edward M. Kennedy Institute for the United States Senate, Rosenstein trumpeted the Justice Department’s accomplishments, including the take-down of the AlphaBay dark market, which was a major hub of online, illicit commerce in everything from stolen data and identities to drugs.
Rosenstein said that the growth of dark markets like AlphaBay was a “disturbing trend that helps explain why data breaches continue to occur.” The markets facilitate crimes of all kinds, Rosenstein said, and enable even “unskilled hackers” to purchase the tools needed to carry out attacks like data theft. After the crime, “dark markets continue to support the sale of data after being stolen by others and use it to perpetrate fraud. Criminals then are able to launder their ill-gotten gains through networks available on those same dark markets,” Rosenstein added. “We have to do more to stop dark markets if we want to disrupt the sophisticated underground economy that supports transnational organized crime.”
All of that is undoubtedly true, but on the question of whether the markets create the crime or are a byproduct of it, I think that Rosenstein has things backwards. In short (and to paraphrase James Carville), “It’s the supply, stupid.” Markets like AlphaBay obviously do make the sale of stolen data more efficient, and the development of ancillary market functions (like the sale of drugs, firearms or hacking tools) is just classic market behavior. Put simply: once you have a buyer at your door, markets evolve to find as many ways as possible to sell to that buyer and get them to part with their money. AlphaBay, Hansa and other dark markets just do what any smart storefront does: they diversify.
However, it is wrong to assume that by cracking down on dark markets, you’ll make any appreciable dent in the data breach problem. Hackers will almost certainly continue to target companies and steal their data and intellectual property. If a marketplace like AlphaBay isn’t available, they’ll find another - or invent their own - in order to make a return on their goods. Markets are created to facilitate the exchange of goods, not the other way around.
Rosenstein’s “markets drive breaches” logic is also flawed because it links breaches only to market forces, when it is abundantly clear that not all the actors taking part in sophisticated hacks like those at Anthem and Equifax are profit-driven cyber criminals.
In fact, as Bloomberg reported earlier this week, the Equifax breach has all the hallmarks of a state-sponsored hacking operation. State actors like China, North Korea, Russia and Iran likely have no interest in fencing their ill-gotten data on AlphaBay or other dark markets. Their objectives are (geo)political and strategic - not financial. Nor do state actors have any need for the hacking tools, botnets and other wares on offer there. To the extent that APT groups from Russia, China or North Korea would use a market like AlphaBay or Hansa, it would not be to achieve their objective, but to cover their tracks or sow doubt about their identity and motives.
The final problem with Rosenstein’s formulation that dark markets drive breach activity is that it neatly absolves companies of much of their responsibility for preventing or, at least, noticing and responding to breaches to limit their damage. Equifax, for example, may have been breached for weeks or longer before staff noted the intrusion. The same goes for Deloitte. In his speech, Rosenstein urged companies to develop a program for identifying and patching software vulnerabilities. That’s the kind of basic blocking and tackling that all companies should do as a matter of course. He might as well have reminded them that they can prevent theft by locking the lobby doors before leaving for the evening.
Dark markets or no, private and public sector organizations are in the best position to prevent breaches and attacks on their own networks. Laying the blame on criminal groups and their dark markets might feel good, but it does little to encourage business owners to better their own security, defense and response. That was an opportunity missed.