G20 Foundation Publications China 2016 | Page 109

Figure 1. Representative Timeline for a Phishing Attack
crime-enabling infrastructure by combining hundreds, thousands or even millions of infected computer systems in multiple jurisdictions into a botnet. These criminal actors then lease this infrastructure through an underground marketplace to other criminal actors who use the botnet to conduct phishing, distributed denials of service (DDoS) or other criminal attacks. These figures illustrate that criminal activities – in particular, those that operate on crime-enabling botnet infrastructures – proceed seemingly unabated. Harm or loss from botnets often exhibits what data analysts call a long tail: a large portion of the harm or loss associated with a crime occurs near the onset of the criminal attack, but the damage can continue for weeks, months or even years.

These timelines give us an opportunity to dispel several misconceptions regarding cybercrime. Cyberattacks aren’t always sophisticated; often, it is not skilled but unskilled criminal actors who lease facilities and who download or purchase attack software such as phishing kits or denial-of-service clients (e.g., LOIC). Likewise, cyberattacks are not launched from superior technology; the technology advantage that cyberattackers have is not that they have superior technology but that they are able to build criminal infrastructures at low or no cost by exploiting systems they have no authorization to use. Lastly, cyberattackers aren’t all comic book supervillains; what is popularly perceived as sophistication is actually “a direct result of the vast number of attack methodologies at their disposal.”

Private sector and law enforcement investigators can match or surpass the tactics of criminal actors. They have access to comparable technology, including sophisticated detection or mitigation software. As Figures 1 and 2 illustrate, they are technologically able to mitigate or contain attacks in Internet time.
However, the ability to collect and share sufficient evidence to identify, apprehend and prosecute criminal actors is a decidedly different story. We conclude from these timelines that:
A framework that strips criminals of the advantages they currently enjoy should exhibit the following characteristics: rapid response, effective action and an accelerated process that weathers public scrutiny.
Private Sector Frameworks Accelerate Response to Online Criminal Activity

Today, private sector investigators collect and share information that they can reliably associate with criminal activity through ad hoc trust networks or vetted, trust-based communities. When they cannot obtain court orders, they use the shared or accumulated information to identify acceptable use policy, trademark or copyright infringement, or other policy violations. Identifying such violations gives a service provider the justification to disrupt criminal activity by removing content, suspending website operation, or terminating name resolution of domain names associated with online criminal activity. Similarly, domain name registrar or registry operators may voluntarily suspend an Internet domain name when investigators present evidence that the name(s) have been used to lure victims to sites hosting illicit content or to support criminal botnet infrastructures. The operative word here is voluntary. The operator will act after reviewing the evidence that an investigator presents, and after considering any business risk (liability) that the operator has determined it would assume by removing content or suspending an Internet domain name