By Sir David Omand
First published in the World Policy Journal Winter 2015/2016
LONDON—In 1910, one of the last remaining bands of outlaws of America’s Wild West emerged from their hideout in the Sierra Ladrones Mountains in New Mexico and heisted a Wells Fargo shipment. The Sierra Ladrones (literally, in Spanish, Robbers’ Mountains) are only 45 miles as the crow flies from Albuquerque, but in 1910 there were an un-policed wilderness. The gang retreated with their booty and hid in the canyons. It took two years for the bounty hunters employed by Wells Fargo to track them down, ending inevitably in a final fatal shootout.
Today’s robbers hit banks with cyber attacks, not shotguns, and have no need to dynamite safes to get access to far greater sums of cash than the treasure boxes of Wells Fargo. They can conduct their raids from anywhere—the other side of the world or down the street. They can hide in plain sight, not skulk in caves of the badlands with names such as Rustler Park, Blackjack Canyon, and Robbers Roost. Physically, of course, criminals still have to have a place to live. But today’s criminals might be living openly next door flaunting their wealth in jurisdictions that cannot, or will not, cooperate in hunting them down. We are all just coming to terms with the fundamental change in criminality that has come from the Internet and, in particular, access to that small part of it known as the Dark Net.
BANISHING SPACE & TIME
The Internet has abolished most of the constraints of space and time with a few clicks of the mouse. An attempt at cyber fraud can be committed on a colossal scale against thousands of households or individuals in many different countries simultaneously. Attacks against American and Western banks and other financial institutions can come from countries on the other side of the world where the criminals are confident they will be free to continue their activity unmolested. There, judicial warrants will not be respected, and overseas law enforcement will be slow to respond if at all. Earlier this year the FBI announced a reward of $3 million for information on their most wanted cybercriminal, Evgeniy Bogachev, believed to be living in Russia and responsible for the massive Gameover Zeus botnet, which launched sophisticated malware attacks that infected upward of half a million PCs around the world, stealing banking credentials and responsible for losses more than $100 million.
On the Internet, cybercriminals can get to know each other, gather necessary skills for an attack, access insider information, and buy the malware. All that and more is readily available in cyberspace without ever having to meet physically in the canyons of New Mexico. After their heist, they can use criminal cyber networks to launder the proceeds of their crime so they can continue to live superficially respectable lives. All of this is quite different from the criminal underworld of old.
GOING DARK
The so-called Dark Net is where much of the online criminal activity takes place, largely beyond the reach of law enforcement. On the Dark Net anonymity is the rule, and identities and locations of the participants can be concealed from even the most persistent gaze of police and intelligence agencies.
The Dark Net operates according to different rules than the rest of the Internet. Normally we open our browsers and use a search engine such as Google, which provides us with a web address. A mouse click and the browser then effortlessly and instantaneously displays the very site we are seeking. We can do this because the content of the visible or surface Web has been carefully indexed and kept up to date by automated web-crawler programs, sometimes known as spider programs, operated by the search engine companies that crawl the Internet collecting and sorting information. What we also do not see since it operates behind the scenes is the global Domain Name System service that translates the easy to use and remember web address into the unique 32-bit (or nowadays increasingly a 128-bit) digital labeling number (the Internet Protocol, or IP address) that allows servers to know exactly where to address a request for access to the site.
But this surface Web is only a small part of the Internet—some would estimate 1/500th of it. The remainder, the so-called deep Web, is hidden from normal view, for largely legitimate reasons since it is not intended for casual access by an average user. An analogy would be the many commercial buildings, research laboratories, and government facilities in any city that the average citizen has no need to access but when necessary can be entered by the right person with the proper pass. The Dark Net, to develop that cityscape analogy, can be thought of like the red light district in a city with a small number of buildings (sometimes very hard to find), where access is controlled because the operators want what is going on inside to remain private. At one time, these would have been speakeasies, illegal gambling clubs, flophouses, and brothels, but also the meeting places of impoverished young artists and writers, political radicals, and dissidents.
The Dark Net is therefore best thought of as a collection of websites that can be visible to a public that knows where to look, and can actually be visited but only under the right conditions to protect the security of operators of sites and their users. Strong encryption and anonymity protocols ensure that the IP addresses of the servers that run these sites remain hidden and that the authorities cannot work out who is visiting them, even if they did locate the sites and place them under surveillance.
The Dark Net is thus a largely unpoliced part of the Internet. On the Dark Net, anonymity must be demonstrated before access is granted, the cyber equivalent of reassuring the gang that you have the minimum tradecraft to provide confidence that you have not been followed to their lair.
TOOLS OF THE TRADE
One of the enablers driving the rapid rise in cybercrime is the ready availability of hacking and cyber tools. The digital criminal does not need to be a master hacker since cyber exploits can themselves be bought through hidden websites on the Dark Net. The increasing commoditization of computer malware such as viruses and worms makes it likely that in the future we will see more use of such digital weapons for terrorism and political purposes, a trend already evident, for example, with the Syrian Electronic Army operating in support of President Bashar al-Assad and the self-described Hacking Division of the Islamic State.
Nor do cybercriminals face the traditional difficulties of getting rid of their booty without drawing attention to themselves. In the Dark Net, criminals can make introductions to each other, acquire experts for the financial and commercial transactions involved, and begin the process of laundering the proceeds. Cyber-crime threatens public confidence in the everyday use of the Internet for financial and commercial transactions. The harm from today’s cyber attacks, however, is not just financial. The purloined data on government employees heisted during an attack on the U.S. Office of Personnel Management may well have been to the advantage of a hostile intelligence service. The malicious Ashley Madison hack has exposed tens of thousands of would-be adulterers and has reportedly led to more than one suicide as a result. The prospect of cyber attacks on critical infrastructure threatens future national security around the world.
It is in everyone’s interests, therefore, that governments should promote good cyber security including strong encryption for financial and commercial transactions. Our economic future is inextricably bound up with the level of confidence in the Internet as a secure medium for transacting business and for supporting innovation. On another front, the United Nations Special Rapporteur on Freedom of Speech, David Kaye, a respected former State Department lawyer, recently called on nations to ensure that individuals andcompanies are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online, empowering them to browse, read, develop, and share opinions and information without interference. Journalists, civil society organizations, members of ethnic or religious groups, and those persecuted because of their sexual orientation or gender identity, activists, scholars, artists, and others need to be able to exercise their rights to freedom of opinion and expression.
The wilderness has, in the right context, social value worth preserving. The bandit hideout in New Mexico’s Sierra Ladrones is now a national wildlife refuge. The very characteristics of the Dark Net valued by criminals also make it a refuge with social value for those who seek to evade censorship and the persecutions of despotic and undemocratic governments.
THE ONION ROUTE
And here rests the fundamental paradox that has always been at the heart of the Dark Net, reflecting its long and complicated history. The most popular anonymizing software, Tor, that makes it possible for criminals to operate Dark Net websites was first developed by the U.S. Naval Research Laboratory to provide a means for military units and field agents to communicate online without being identified and tracked. The resulting Tor network (the initials of its original description as The Onion Router project) can only be accessed with the special Tor browser. A user with the Tor browser, free to download, is able to send communications over the Internet, including requests for access to Dark Net services, that are automatically wrapped in multiple layers of encryption and directed through a random path in a worldwide volunteer network of some 6,000 servers. At each hop, the onion router is able to strip off the next layer of encryption and discover to which router to direct the message next but with no knowledge of the path taken, and only at the very end will the final destination be seen by the last server in the network. Even a hidden watcher cannot track back to find the originating IP address, and thus potentially find clues to the identity of the user. Tor is the most popular of the Dark Net browsers, but there are alternatives, and new programs to achieve the same end are bound to appear.
The State Department promoted Tor as the ideal tool to help protect those advocating human rights, democracy, and reform in oppressive regimes overseas. Just as quickly, Tor was identified by criminals as the best means to protect their virtual meeting places online. Entrepreneurial criminals then saw the potential for distributing pirated copies of Hollywood blockbusters and new music videos, and that Tor would make it possible to run Dark Net marketplaces, attracting vendors selling everything that is illegal and profitable: drugs and other controlled substances, sex and pornography, weapons, computer malware and viruses, stolen credit card details, and money-laundering services. This illegal sale of firearms (and, in a recent case, the poison ricin) has increased concerns over lone wolf terrorist attacks. The Tor browser, with the anonymity it brings, today gives access to an index of such illegal sites, known as the Hidden Wiki, that enables searches of dark markets for the desired product or service. The advantages are not lost on terrorist groups, who use the Dark Net for propaganda websites for their supporters, such as the jihadist sites that show beheadings and other atrocities and provide guides to bomb making and counter surveillance techniques.
The most notorious of the many online marketplaces was Silk Road, a website that specialized in contraband drugs, narcotics, and weapons from a large number of competing vendors. Its owner masqueraded under the pseudonym Dread Pirate Roberts. In 2013, the FBI succeeded in arresting some of those they believed responsible, subsequently shutting down the website so that Tor visitors accessing the site simply saw the FBI logo and a formal notice saying the marketplace had been closed by law enforcement. Earlier this year, a Manhattan jury finally found an American, Ross Ulbricht, guilty of running the criminal enterprise as Dread Pirate Roberts and guilty of narcotics trafficking, money laundering, and computer hacking. He was given five concurrent sentences including two for life imprisonment without the possibility of parole. Ulbricht’s defense that Dread Pirate Roberts was actually Mark Karpelès, a French citizen living in Japan with an online alias of MagicTux, was rejected by the jury. An appeal is pending.
The data on which the site depended seems quickly to have been duplicated on other servers, since within a month the site had resurrected itself as Silk Road 2.0. A lengthy and intensive law enforcement effort between the FBI, Europol, and national police authorities then succeeded in closing that site (by means they have been careful not to make public for obvious reasons). According to the FBI, by July 2013, Silk Road had processed over $1.2 billion worth of sales with some 4,000 anonymous vendors based around the world, selling products to over 150,000 anonymous customers globally, making it the most sophisticated drug market ever seen. On good capitalist principles, the fierce competition for customer loyalty and repeat purchases drove out fraudulent dealers and ensured generally high standards of quality for the illegal substances being sold, certainly by comparison with that of the traditional street corner dealers.
According to British researcher Jamie Bartlett, who has explored the Dark Net from the inside, although Silk Road 2.0 may no longer exist, dark markets continue to spring up, with more than 50 sites now operating in several languages conducting more illegal business than ever before. He was easily able to buy marijuana from a site called Drugsheaven. It arrived by post in an innocuous white package five days later. He then interviewed women performing sex acts for a global audience from a Northern England bedroom and met neo-Nazis and other political extremists who thrive at the margins of the Web in a variety of disturbing sub-cultures.
Detectives have a saying—“follow the money”—in the hope, borne out of experience, that a payment trail, once uncovered, can eventually lead back to the identification of the higher-level criminals behind an operation. Along with Tor anonymity, however, the Dark Net also makes payments dismayingly hard to trace by insisting that the illegal substances, whether drugs, weapons, or pornography, are paid for in the anonymous currency Bitcoin. Once an order has been placed, the buyer transfers the correct amount of Bitcoins to an escrow account, an electronic wallet controlled by the administrator of the Web market. When the buyer receives the product through a commercial mail service, the buyer then notifies the administrator who can release the money to the vendor.
Even more disturbing is the use of the Dark Net for the sharing of indecent images of children between offenders who may have never met and who may be on separate continents. Access to these sharing networks on the Dark Net is often only granted to those who can themselves provide fresh indecent images to add to the vast stock that are being exchanged. Now there is also live streaming of child abuse. The U.K. law enforcement partner of the FBI, the National Crime Agency, has a specialist Child Exploitation and Online Protection Centre (CEOP) that found more than 2 million child abuse images in a single offender’s collection. In 2011, U.S. law enforcement handed over 22 million such images and videos to the National Center for Missing and Exploited Children. The Internet, and the anonymity that is integral to the Dark Net in particular, has made such deeply criminal and anti-social activity easy for the offenders and hard for law enforcement.
TAMING THE WEST
We should remember that it took decades of effort, but eventually the Wild West was tamed. Better protection and security awareness made robberies and rustling harder. Ever more frequent raids into the badlands eventually disrupted the outlaws’ hideouts and undermined their sense of security. The Dark Net, too, needs to have the worst excesses of criminal behavior policed. We can see the FBI and its international partners have that objective today. The major takedown of the Silk Road illegal marketplaces by the FBI and European partner agencies was an example with significant value in demonstrating that the Dark Net need not be a totally lawless zone. The message that this is not a risk-free way of making a lot of money has to be felt by the criminals—the more successful criminals become, the more likely they should be to end up behind bars. We need more successful international cooperation like the extradition and conviction this year of Deniss Calovskis, a Latvian national who pleaded guilty in an American court this year to conspiring to commit computer intrusion. He was one of three men arrested in connection to the creation and maintenance of the Gozi virus, a suite of malware designed to target financial institutions that is reported to have infected more than a million computers worldwide, resulting in millions of dollars in losses. Calovskis’ co-accused included Nikita Kuzmin, a Russian arrested in California in 2010, and Mihai Ionut Paunescu, a Romanian arrested in Romania in 2013, illustrating the global nature of the problem.
The deterrent message would be even more powerful if there were more effective ways of tracking online the financial transactions involved and lawfully seizing the ill-gotten gains. That would be a useful additional deterrent to the risk of prison, since unlike the criminals of old, who had to often resort to extreme violence, today’s cybercriminals are regarded as committing white-collar crime, attracting relatively shorter sentences since their victims rarely sustain any physical injury.
As the ballad of Billy the Kid goes, in old Silver City a man’s best friend was his Colt .44 since it was up to the individual to protect himself. The equivalent today for the cyber punk is the claim to an absolute right to strong encryption and Internet anonymity—an argument that is so frustrating to law enforcement and intelligence agencies. Stimulated by the wide publicity given to the allegations stemming from the documents stolen by Edward Snowden from America’s National Security Agency and its U.K. counterpart, Government Communications Headquarters, more Internet users have become concerned about issues over their personal privacy. This extends beyond government surveillance to greater recognition of the implications of the business model of the Internet that provides each user useful services free at the point of use but which is actually paid for by the monetization of their personal data for marketing or other commercial purposes. Hence, there is an increasing interest in data protection legislation, end-to-end encryption, anonymizing networks and software, virtual private networks (VPNs), proxy services, and peer-to-peer networks (for example, for music and video file sharing). Facebook has even created a version of its site accessible on the Dark Net for those who wish added privacy protection.
It is, of course, in everyone’s interest that governments should encourage good personal cyber security and promote strong encryption for financial and commercial transactions.
An essential tactic in catching outlaws was and still is to improve intelligence gathering, including recruiting informers inside the gangs, thus sowing suspicion and disrupting their operations. In the old days, sting operations could lure robbers to attack heavily guarded bullion trains. There are digital equivalents today that need to be legally available to the authorities to tackle cybercriminals, along with sensitive digital intelligence interception and computer exploitation techniques.
VITAL RULE OF LAW
Some will continue to argue the social advantages of anonymity and privacy will always outweigh the harms that can be caused under their cloak. But the rule of law in a democratic society does not mean we should accept spaces, real or virtual, where authorities cannot go to try and uphold the law. There must be no virtual badlands. That means law enforcement and the nationalintelligence agencies working in their support must have the legal authority to gather digital intelligence to uncover plots, whether terrorist or criminal, and to gather evidence on their suspects.
This does not mean Internet activity can always be made transparent on demand to intelligence and law enforcement or that every investigation will succeed in uncovering the evidence to bring offenders before justice. That task is getting harder than ever but, it should be added, that is not a sufficient argument for legislation mandating back doors for the authorities to be built into otherwise secure communications. It is, however, an argument for ensuring law enforcement retains the right to seek evidence when justified and, for example, that Internet companies must respond to lawful warrants to the best of their ability. The authorities are also entitled to the moral support of law-abiding citizens as they search for new and innovative ways of keeping us safe and secure.
If we allow the authorities, as I believe we must in the Internet age, to operate powerful digital intelligence tools, then we also need strong assurances that such powers cannot be misused and will only be deployed when lawful, necessary, and proportionate to do so, and that the police and intelligence officers involved will act with restraint and always with respect for the privacy of the individual. So clear legislation and robust judicial and political oversight will be needed more than ever. To borrow from the title of a recent report to the British prime minister on privacy and surveillance, what is needed is that these safeguards be built into a new democratic license for the law enforcement and intelligence agencies on whose work our safety and security so fundamentally depend.
*****
Sir David Omand, a professor at King’s College London, served as the U.K. intelligence and security coordinator and director of the Government Communications Headquarters.