The House Subcommittee on Terrorism and Illicit Finance held a hearing this week to examine the monetization and illicit use of stolen data after a hack.
“Cybertheft is particularly damaging because the sensitive information being stolen, including Social Security Numbers, is difficult or sometimes impossible to change,” Subcommittee Chairman Steve Pearce (R-NM) said.
Pearce added that the victim’s data can be used repeatedly to apply for credit cards, mortgages, and other financial products over and over again.
“Unfortunately, this activity is only becoming more widespread as criminal organizations realize the low cost of entry, the ease of using hacking tools, and the difficulty law enforcement faces trying to apprehend hackers,” Pearce said. “I thank the witnesses and my colleagues for discussing how we can combat these cyber-attacks and protect Americans’ sensitive information. I look forward to continuing this work so we can strengthen our financial system to better predict and prevent future breaches.”
Experts testified that nations that offer sanctuary to cybercriminals or conduct cybercrimes must come under greater pressure from the United States and the international community.
“Finding ways of tarnishing the reputations of the markets, by wasting a criminal’s time or making an exploit tool purchased on the black market ineffective, can help to prevent the loss of information and cut the value chain early in the attack cycle,” Lillian Ablon, an information scientist at RAND Corporation, said. “Solutions might include spreading misinformation or injecting false products into the markets to breed distrust among the actors and increase the number and quality of arrests.”
Joe Bernik, chief strategist at McAfee, said policymakers need to modernize the Social Security Number system.
“A good start is to determine what digital technologies offer strong security to create renewed confidence in the Social Security credential. A private sector eco-system of trusted identity management could then be built upon the new foundation of a modern, digitally secure SSN,” Bernik said.
It is difficult to estimate the cost of cybercrime because criminals aren’t often able to monetizing the results of their theft.
“Even if we know the value of what was taken, in many cases criminals cannot gain the full value, particularly for personally identifiable information (PII) or intellectual property (IP),” James Lewis, senior vice president at Center for Strategic and International Studies, said. “It is harder (in some cases, much harder) to monetize the result of a successful hack than it is to hack itself. One reason we believe that cybercrime continues to increase is that criminals have become better at monetization, in part because of the availability of cryptocurrencies like Bitcoin.”