Brookings Report Tackles Cybercrime

The Brookings Institution released a report this week written by Noah Shachtman entitled, "Pirates of the ISP: Tactics for Turning Online Crooks into International Pariahs."

It tackles what to do about cybercrime and those who perpetrate it. Specifically, Shachtman suggests thirteen steps that must be taken to combat cybercrime:

  1. Begin U.S.-China talks focused on cybercrime.
  2. Draw China into the larger community of ISPs and network carriers.
  3. Avoid national retaliation as a cybercrime solution.
  4. Lean on the criminal support networks.
  5. Motivate ISPs to pressure the criminal ecosystem.
  6. Hold the worst hosting companies liable for their criminal clients and the worst ISPs liable for their criminal hosts.
  7. Encourage ISPs to notify customers of infections.
  8. Amend the laws to allow ISPs to share attack data.
  9. Push companies to expand reporting of network breaches.
  10. Require government contractors to have cybersecurity insurance.
  11. Expand and improve training for cybercrime specialists in law enforcement.
  12. Pursue civil strategies to disrupt criminal networks.
  13. Avoid schemes to strip away Internet anonymity; continue to promote freedom of online expression.

There are some interesting takeaways from the recommendations and the report more generally.

Shachtman juxtaposes U.S. and Chinese policy on Internet regulation (private sector-led vs. state controlled, respectively) as a reason for the two countries to work together through bilateral and cooperative efforts. Both countries, he notes, care about cybercrime and want to address the issue. The problem, he admits, with working together is the possible leakage from cybercrime investigations to state-sponsored cyber efforts. His approach, as evidenced by his second recommendation, is to engage China, bringing the country into the circle, which potentially could lead to transparency and more collaborative efforts to combat cybercrime.

Some of the other recommendations are common sense, while others, if ever even considered to be implemented, would likely cause much controversy. Specifically, Shachtman pushes for ISPs to be held responsible for criminal behavior perpetrated through their networks in certain instances. He calls for a blacklist, if you will, of bad hosting companies who should be held liable for their connections to criminal activity. He calls on ISPs to do a better job of policing their networks. As one of the headers of the report suggests, "It is Up to the ISPs." The call for ISP responsibility, liability, and incentivization is not that different than the piracy/IP debates on Capitol Hill right now.

The Brookings report is worth reading. At a time when much of the chatter on cyber is focused on security and data breaches, Shachtman reminds us that all might be lost if we do not focus on bringing down the criminals and their enterprises attacking the net.