It's almost humorous to remember now how terrified everyone seemed to be in the early 1990s of the mostly harmless 'dark-side hackers' of the era. The most famous of these was undoubtedly Kevin Mitnick, whose 1995 capture formed the basis of no less than three books. But other than stealing airtime to get and stay online, Mitnick didn't profit from any of his exploits.
Cut to 2003 and the beginning of Fatal System Error, when 25-year-old Barrett Lyon is getting ready to meet the owners of the onling gambling operation BetCRIS. By then, the world of online crime had moved on: the computer addicts and teenaged joyriders had been superseded as threats by real criminals with very different interests.
Lyon, through his company Prolexic, was in the business of rescuing companies from distributed denial-of-service (DDoS) attacks. Essentially, he was dealing with an online version of the old protection rackets: pay up or we'll send your company offline. Threats like these were particularly serious for betting companies, who rely on timing to make their money. By the end of the book, somewhere around 2005, even these attacks seemed small beer. By then, the criminal underground had moved on to targeting consumers: our bank accounts, credit cards, and identities. By the end of Fatal System Error it seems logical to take your financial data back to paper.
It is the contention of Joseph Menn, cybercrime reporter for the Financial Times, that between the beginning and end of his book there was a window in which law enforcement could have taken control of the internet by arresting and punishing the worst criminal offenders. He has a point: in interviews, law enforcement officers say that even experienced and successful physical-world criminals are moving online because the job itself is physically safer and entails a much lower risk of getting caught or prosecuted. Why rob a bank when you can stay home, steal just as much money, and not get shot at?
Often, of course, even law enforcement officers who would like to pursue cybercriminals can't do much. Who can get the resources to pursue a crook in a remote location who has stolen relatively small amounts from any one individual, even if in aggregate he's profited by millions?
This was Lyon's problem in 2004 to 2006. By monitoring IRC channels and other online forums he had managed to identify some of the minds behind the DDoS attacks, but couldn't get the FBI to follow through. The UK's National High-Tech Crime Unit (NHTCU), however, was a different story, and Menn follows Welsh policeman Andy Crocker as he takes up Lyon's information and traces the perpetrators to their home in the Russian underground. It took years of effort, but Crocker's investigation eventually resulted in convictions. The bad news: by the time Crocker returned to the UK, the NHTCU had been swallowed up by the Serious Organised Crime Agency (SOCA) and interest in cybercrime investigations had waned.
Menn winds up by recommending changes: increase software publishers' liability; teach consumers to be more careful; pass new laws requiring banks and online merchants to authenticate customer identity more thoroughly; get governments to take these threats more seriously. And finally, get the technical community to secure the internet.
Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet By Joseph Menn Public Affairs Books 286pp ISBN: 978-1-58648-748-5 £15.99