Cybercrime is increasingly run like a business with product research, help desks, sales targets and even money-back guarantees. Teiss guest blogger, Andrew Wajs, CTO at digital platform security provider Irdeto, considers how legitimate businesses will need to fight back.
Many businesses have a distorted profile of pirates, imagining them to be individuals locked away working in isolation. However, today’s criminal has a very different profile. Cybercrime is a complex network of people functioning in roles familiar to enterprise organizations. Many are well-educated, well-funded computer scientists who have the same resources as enterprise businesses at their disposal. They invest in product research and development, and produce and distribute their products and services. Today’s cybercriminal has customers to satisfy, money to be made and must consider their ROI just like any other business.
Unfortunately, many organizations still do not recognize cybercrime as it truly is – a competing business entity that continues to grow its illegal offerings. Once organizations and the content production market have made this mind-shift, the more effective the industry will be at recognizing and combatting piracy.
Disrupting the business model
Picture an average consumer watching a live sporting event via a pirate streaming website. Ten minutes into the live broadcast, they lose all access and the screen goes blank. This example of effectively disrupting cybercrime ruins the user experience for this pirated service, creating frustration with the illegal offering. The more times a user unexpectedly loses access to their content, the more likely it is that they will seek legitimate ways to view programs – even if those services have a cost.
Recognizing the need to disrupt piracy business models has become crucial. The “cybercrime as a business” perspective raises the potential for new approaches. Content owners must ask themselves new questions in the face of constantly advancing piracy business models: “How can the pirates’ R&D costs be increased?” “How can we make cybercriminals’ operations more expensive and significantly lower their ROI?” “How can we, as corporations, make it difficult for cybercrime syndicates to scale their operations?” These are pertinent questions and, when considered carefully, aid in implementing effective counter-hacking strategies.
Protecting the code
To answer these questions, organizations must implement technology strategies to complicate piracy business models and make pirates’ efforts less worthwhile. Code diversity is one effective way to do this. By creating many versions of the same code, the payoff for the hacker on each target is less. Similarly, implementing a whitebox cryptography strategy can pay dividends when driving up pirates’ costs. This technique involves hiding code secrets in plain sight, and results in much more effort being required to infiltrate the software. By making it extremely difficult for hackers to gain insights into code and software, it becomes much harder for attackers to scale their operations and make them cost-effective.
Ensuring that hackers are not able to sell or distribute their stolen content will result in poor ROI for the criminals. Content providers can partner with ecommerce sites and payment parties to block distribution and transactions for illegal offerings. This strategy creates a trusted block of code that neutralizes attempts at code tampering and siphoning.
Preventing the money flow to hackers is, of course, the most effective way to drive up their ROI and make piracy redundant. Content providers can educate consumers about the illegality of buying and watching stolen content, thus dis-incentivizing it. Working within the law to prosecute misdemeanors will also deter people from purchasing stolen content. Service providers can also work closely with networks to make pirate services unusable. Disrupting an illegal show halfway through due to poor quality or connection will result in a service that consumers will not tolerate. As content will consequently be harder to get hold of, and low quality connections will make services unwatchable, pirate services will become obsolete.
A change of strategy
It is easy for security companies and technologists to focus on making their software and products more secure. Yet, the focal point should include strategies to make pirates’ business models uneconomic. As hackers become more aware of anti-piracy security measures, content providers must establish new strategies to meet this growing criminal intelligence. Diversifying code and making pirate services unusable will force hackers to reassess their illegal businesses due to increased costs. Additionally, prosecuting criminals and educating consumers on the impact of the crime will make piracy less appealing, and result in piracy becoming uneconomic and unsustainable. Focusing purely on making things more secure is no longer enough. Disrupting pirates’ business models needs to be a priority.
POC is: Irdeto@ruderfinn.co.uk
Follow Irdeto on Twitter at: @irdeto
Andrew Wajs is Chief Technology Officer of Irdeto. As CTO of Irdeto, Andrew leads the development of innovative security to protect digital platforms and assets across multiple industries, such as media & entertainment, payments & banking, and automotive. Since joining Irdeto in 1992, Andrew has been the senior systems architect, a key innovator and patent author, as well as holding a range of positions ranging from engineering, system engineering and VP Product Line Management. Subsequent to this he has been the force behind many start-up projects within Irdeto and is now responsible for security innovations in mobile payments and banking, providing a critical layer of security for today’s anytime/anywhere e-commerce and payment environments. As CTO, he is also responsible for IoT (internet of things) security.
Before Irdeto, Andrew managed the Advanced Products Group in Mindport during 1998-99. Prior to that, he held a similar position at Altech Public Networks. He has a Master's degree in Electrical Engineering from the University of the Witwatersrand in South Africa.