President Trump’s executive order (EO) on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” is a commendable first step in bolstering the nation’s federal defenses against large-scale cyber attacks and state-sponsored cyber adversaries. The need to combat these types of threats and threat actors has only become more pressing following the recent WannaCry and Petya ransomware attacks — both of which wreaked havoc worldwide within weeks of the EO’s May 11, 2017 debut. Indeed, it’s exactly these sorts of attacks — high-profile, allegedly linked to foreign governments, and with widespread damages that spill over into the physical world — that tend to spark change and mobilize leaders and decision-makers to take action.
The challenge is high-profile cyber attacks and state-sponsored cyber adversaries represent a relatively small portion of the cyber threats and threat actors infringing upon the collective well-being and security of the nation and its constituents. In order to lay the groundwork for a more secure, informed, and resilient nation, the Trump administration should consider supplementing the existing EO with plans to address another type of threat: cybercrime.
Cyber threats need not be sophisticated to be damaging
Since the cybersecurity EO focuses primarily on nation-state cyber threats, it does little to address the rising threat and capabilities of cybercriminals. The reason for this likely stems in part from the fact that unlike the disastrous and in many ways unprecedented attacks like Mirai and WannaCry, most instances of cybercrime — though extremely frequent and familiar — are fueled by less-sophisticated tactics, driven by cybercriminals’ desire for financial (rather than political) gain, and are, quite frankly, less newsworthy.
Despite these characteristics, cybercrime in its many forms does pose a substantial threat to the nation’s financial stability. One case in point is the mounting yet oft-overlooked threat of business email compromise (BEC). These types of scams occur when a cybercriminal uses social engineering or intrusion tactics to compromise a business email account and convince an unsuspecting victim to conduct an unauthorized wire transfer. Though unsophisticated, BEC scams are estimated to have caused over $3.1 billion in U.S. damages in the last three years alone.
In fact, the FBI’s recently-published 2016 Internet Crime Report lists BEC scams as the costliest type of cybercrime; there were 12,005 reported incidents in 2016 with losses exceeding $360 million. Ransomware, by comparison, was less common and less costly; the FBI received 2,673 ransomware complaints totalling just over $2.4 million in losses in 2016. In other words, combating BEC and other cybercrimes will help the Trump administration protect the financial well-being of the nation and its constituents.
The challenging role of state and local law enforcement
Cybercriminal communities continue to grow more connected, disparate, and thriving than ever before, often operating far afield from their targets. As such, cybercrime presents many challenges for particularly state and local law enforcement officials. While President Trump’s EO seeks to equip Federal law enforcement and intelligence agencies with the resources needed to address large-scale and/or state-sponsored cyber threats, it doesn’t appear to address the role of state and local law enforcement — many of which may be limited by jurisdiction and lack the advanced capabilities and substantial resources required to tackle cybercrime.
Given that many cybercriminals operate and develop and their malicious schemes within the confines of the Deep & Dark Web, law enforcement officials (at any level) without visibility into these online regions will likely be unable to detect and address these threats proactively. Unfortunately for individuals and organizations victimized by cybercrime, this means that cybercriminals rarely face recourse, and losses are rarely recouped. To make matters worse, many state and local law enforcement officials have not received proper guidance on how or when to report cybercrimes to federal agencies. And even though many cybercrimes are considered substantial and impactful enough to warrant federal investigation, many do not and are rarely addressed. As such, it’s crucial for the Trump administration to recognize and address these challenges to ensure that all law enforcement officials are better equipped to combat cybercrime.
Although President Trump’s EO has laid an impressive and hopeful foundation for a more secure nation, its focus on bolstering federal defenses against large-scale cyber attacks and nation-state cyber threats is still too narrow. In order to effectively protect the U.S. and its constituents from the ever-increasing complexities of the today’s cyber threat landscape, the Trump Administration must also address cybercrime, the substantial financial losses it continues to cause, and the mounting challenges it presents to local and state law enforcement officials.