Saturday, December 17, 2022

Digital Baitballs and Shrinkage: a cybersecurity lesson from 2022

A school of fish forming a baitball to minimize predation
A school of baitfish forming a ball to reduce predation (Shutterstock) 

If 2022 has taught us anything about cybersecurity, it is this: our combined efforts to protect the world's digital systems and the vital data that they process are capable of thwarting very high levels of sustained criminal activity, where "thwart" means preventing the complete collapse of trust in digital technology and limiting casualties to levels that appear to be survivable, if not acceptable.  

In other words, despite all the efforts of bad actors, from local scammers to nation states, abusing all manner of digital technologies, to commit everything from petty crimes to war crimes, humans are surviving, and we are continuing to expand our reliance on said technologies.

Of course, this lesson would appear to offer little comfort to the victims of digital crime in 2022, the countless companies, consumers, non-profit organizations, and government entities that lost money and peace of mind to the hordes of ethically challenged and maliciously motivated perpetrators of cyber-badness.*

Is survival enough?

Swordfish checking out a baitball
Baitball and a swordfish (Shutterstock)
You could argue that humans are in deep trouble if the best we can say about the struggle between cybersecurity and cybercrime at the end of 2022 is: "most of us survived." However, other species on our planet have endured for millions of years by embracing "most of us survive" as the goal of their defensive strategy. 

For example, small fish that spend most of their lives in the open ocean form a tight group when predators approach; then they swirl around in a ball to make it harder for predators to select targets. I wrote about this phenomenon—the baitball—in a recent article on LinkedIn.

So, the good news for 2022 is that we can head into 2023 knowing that the world can survive a large amount of ongoing cyberbadness. We have seen that levels of criminal abuse of digital technology can rise quite high without resulting in the breakdown of society. 

(You could even argue that cybercrime is falling in relation to the growing number of criminal opportunities created by the ongoing deployment of new digital technologies and devices, but that's for a different article.)

The bad news is that surviving is not as enjoyable and fulfilling as thriving. Living just this side of the breakdown of society means the other side is a looming presence, a constant stress factor, as is the knowledge that any one of us could be the next cybercrime victim.


So what will it take to get from surviving to thriving, to a state in which cybercrime is either eliminated or reduced to a manageable level? Unfortunately, the short answer is: it will take a lot. The countries of the world need to agree to, and enforce, norms of ethical behaviour in the digital realm. If that sounds almost impossible given the current state of the world, then you have a measure of how much effort it is going to take to eliminate cybercrime or reduce it to a manageable level. However, it should be noted that the idea of reducing crime to a manageable level is not unprecedented. 

Shopkeepers learned long ago that it is almost impossible to stop their stock from shrinking. Some employees will swipe stock from the stockroom. Some customers will shoplift. Furthermore, some vendors will over-charge and under-deliver. Taken together, these money-losing phenomena are known as shrinkage. 

Despite efforts to reduce shrinkage, including the use of technology, it still cuts into retail revenue in America to the tune of 1.5% per year on average, equating to losses in the order of $100 billion in 2021. Nevertheless, despite shrinkage, the retail sector keeps going. Retailers don't expect to eliminate shrinkage, but they will spend time and money on measures to keep it to a relatively low percentage.

So what are the prospects for reducing the impact of cybercrime to a very low level, perhaps a very small percentage of GDP? I honestly don't know. We are still a long way from getting a full picture of cybercrime's impact; this is particularly true of the psychological and health impacts. There are hidden social and economic costs as well, given the not insignificant percentage of people who don't go online due to fear of cybercrime.

Some would argue that the term cybercrime is becoming problematic in discussions like this, given that most predatory crime today has "cyber" aspects. Fortunately, there is plenty of evidence that people who commit predatory crime can stop, and many do so as they get older, start families, get a "proper" job. In criminology this is known as desistance and may actually be easier for people with digital skills to desist.

In the broad scheme of things, the most intractable obstacle to reducing cyberbadness may not be predatory criminals clinging to a crooked lifestyle; it could well be humans who are prepared to use digital technologies like social media to spread disinformation, undermine truth, and foster hatred in furtherance of selfish agendas.

To the best of my knowledge, the term cyber-badness was first coined by Cameron Camp, my friend and colleague at ESET.