Traditional theft is risky business. If your target was a Maserati sitting in a parking lot, first you'd have to check your surroundings, check for witnesses, cameras, then you have to spend time breaking into the car without tripping an alarm, turning on the ignition, then as you drive off, you'd have to constantly check your rearview for the owner or police, find someplace to hide the car, and then finally spend time finding a trustworthy buyer willing to take the risk of buying stolen property. As you can imagine, a mistake at any one of those steps would lead to jail time or worse.
All that time. All that stress. All that risk. The act of stealing physical goods is increasingly becoming less practical with each passing year.
But while rates of traditional theft are stagnating, online theft is booming.
In fact, the next decade will be a gold rush for criminal hackers. Why? Because the excess time, stress, and risk associated with common street theft just doesn’t yet exist in the world of online fraud.
Today, cybercriminals can steal from hundreds, thousands, millions of people at once; their targets (people's financial information) are far more valuable than physical goods; their cyber heists can remain undetected for days to weeks; they can avoid most domestic anti-cybercrime laws by hacking targets in other countries; and best of all, the cyber police tasked with stopping them are usually woefully underskilled and underfunded.
Moreover, the amount of money cybercrime generates is already larger than the markets of any single form of illicit drug, from marijuana to cocaine, meth and more. Cybercrime costs the United States economy $110 billion annually and according to the FBI’s Internet Crime Complaint Center (IC3), 2015 saw a record-breaking loss of $1 billion reported by 288,000 consumers—keep in mind the IC3 estimates that only 15 percent of cyber fraud victims report their crimes.
Given the growing scale of cybercrime, let’s take a closer look at why it’s so hard for authorities to crack down on it.
The dark web: Where cybercriminals reign supreme
In October 2013, the FBI shut down the Silkroad, a once thriving, online black market where individuals could purchase drugs, pharmaceuticals, and other illegal/restricted products in much the same fashion as they would buy a cheap, Bluetooth shower speaker off of Amazon. At the time, this successful FBI operation was promoted as a devastating blow to the burgeoning cyber black market community … that is until Silkroad 2.0 launched to replace it shortly thereafter.
Silkroad 2.0 was itself shut down in November 2014, but within months was again replaced by dozens of competitor online black markets, with well over 50,000 drug listings collectively. Like cutting off a head off a hydra, the FBI found its battle against these online criminal networks to be far more complex than originally expected.
One big reason for the resilience of these networks revolves around where they are located.
You see, the Silkroad and all of its successors hide away in a part of the Internet called the dark web or darknet. ‘What is this cyber realm?’ you ask.
Put simply: The everyday person's experience online involves their interaction with website content they can access by typing in a traditional URL into a browser—it's content that's accessible from a Google search engine query. However, this content only represents a tiny percentage of the content accessible online, the peak of a giant iceberg. What's hidden (i.e. the ‘dark' part of the web) is all the databases that power the Internet, the world's digitally stored content, as well as password-protected private networks.
And it's that third part where criminals (as well as a range of well-meaning activists and journalists) roam. They use a variety of technologies, especially Tor (an anonymity network that protects its users’ identities), to securely communicate and do business online.
Over the next decade, darknet usage will grow dramatically in response to the public’s rising fears about their government’s domestic online surveillance, especially among those living under authoritarian regimes. The Snowden leaks, as well as similar future leaks, will encourage the development of ever more powerful and user-friendly darknet tools that will allow even the average Internet user to access the darknet and communicate anonymously. (Read more in our Future of Privacy series.) But as you might expect, these future tools will also find their way into the toolkit of criminals.
Cybercrime’s bread and butter
Behind the dark web veil, cybercriminals plot their next heists. The following overview lists the common and emerging forms of cybercrime that make this field so lucrative.
Scams. When it comes to cybercrime, among the most recognizable forms involve scams. These are crimes that depend more on tricking human common sense than using sophisticated hacking. More specifically, these are crimes that involve spam, fake websites and free downloads designed to get you to freely enter your sensitive passwords, social security number and other vital information that fraudsters can use to access your bank account and other sensitive records.
Modern email spam filters and virus security software are making these more basic cybercrimes harder to pull off. Unfortunately, the prevalence of these crimes will likely continue for at least another decade. Why? Because within 15 years, approximately three billion people in the developing world will gain access to the web for the first time—these future novice (noob) Internet users represent a future payday for online scammers.
Stealing credit card information. Historically, stealing credit card information was one of the most lucrative forms of cybercrime. This was because, oftentimes, people never knew that their credit card was compromised. Worse, many people who did spot an unusual online purchase on their credit card statement (often of a modest amount) tended to ignore it, deciding instead that it wasn't worth the time and hassle of reporting the loss. It's only after said unusual purchases racked up that people sought help, but by then the damage was done.
Thankfully, the supercomputers credit card companies use today have become more efficient at catching these fraudulent purchases, often well before the owners themselves realize they've been compromised. As a result, the worth of a stolen credit card has plunged from $26 per card to $6 in 2016.
Where once fraudsters made millions by stealing millions of credit card records from all types of e-commerce companies, now they are being squeezed to sell their digital bounty in bulk for pennies on the dollar to the handful of fraudsters who can still manage to milk those credit cards before the credit card supercomputers catch on. Over time, this form of cyber theft will become less common as the expense and risk involved with securing these credit cards, finding a buyer for them within one to three days, and hiding the profits from authorities becomes too much of a hassle.
Cyber ransom. With mass credit card theft becoming less and less profitable, cybercriminals are shifting their tactics. Instead of targeting millions of low net worth individuals, they are beginning to target influential or high net worth individuals. By hacking into their computers and personal online accounts, these hackers can steal incriminating, embarrassing, expensive or classified files that they can then sell back to their owner—a cyber ransom, if you will.
And it's not just individuals, corporations are also being targeted. As mentioned previously, it can be very damaging to a company's reputation when the public learns that it allowed a hack into its customers' credit card database. That's why some companies are paying these hackers for the credit card information they stole, just to avoid the news going public.
And at the lowest level, similar to the scamming section above, many hackers are releasing ‘ransomware’—this is a form of malicious software that users are tricked into downloading that then locks them out of their computer until a payment is made to the hacker.
Overall, due to the ease of this form of cyber theft, ransoms are set to become the second most common form of cybercrime after traditional online scams over the coming years.
Zero-day exploits. Probably the most profitable form of cybercrime is the sale of ‘zero-day' vulnerabilities—these are software bugs that have yet to be discovered by the company that produced the software. You hear about these cases in the news from time to time whenever a bug is discovered that allows hackers to gain access to any Windows computer, spy on any iPhone, or steal data from any government agency.
These bugs represent massive security vulnerabilities that are themselves hugely valuable so long as they remain undetected. This is because these hackers can then sell these undetected bugs for many millions to international criminal organizations, spy agencies, and enemy states to allow them easy and repeated access to high-value user accounts or restricted networks.
While valuable, this form of cybercrime will also become less commonplace by the end of the 2020s. The next few years will see the introduction of new security artificial intelligence (AI) systems that will automatically review every line of human written code to sniff out vulnerabilities that human software developers might not catch. As these security AI systems become more advanced, the public can expect that future software releases will become nearly bulletproof against future hackers.
Cybercrime as a service
Cybercrime is among the world’s fastest growing forms of crime, both in terms of sophistication and the scale of its impact. But cybercriminals aren’t simply committing these cyber crimes on their own. In a large majority of cases, these hackers are offering their specialized skills to the highest bidder, operating as cyber mercenaries for larger criminal organizations and enemy states. Top end cybercriminal syndicates make millions through their involvement in a range of crime for hire operations. The most common forms of this new ‘crime-as-a-service’ business model includes:
Cybercrime training manuals. The average person trying to better their skills and education signs up for online courses at e-learning sites like Coursera or buys access to online self-help seminars from Tony Robbins. The not-so-average person shops around the dark web, comparing reviews to find the best cybercrime training manuals, videos, and software they can use to jump into the cybercrime gold rush. These training manuals are among the simplest revenue streams cybercriminals benefit from, but at a higher level, their proliferation is also lowering cybercrime's barriers to entry and contributing to its rapid growth and evolution.
Espionage and theft. Among the more high-profile forms of mercenary cybercrime is its use in corporate espionage and theft. These crimes may arise in the form of a corporation (or government acting on a corporation's behalf) indirectly contracting a hacker or hacker team to gain access to a competitor's online database to steal proprietary information, like secret formulas or designs for soon-to-be-patented inventions. Alternatively, these hackers might be asked to make public a competitor's database to ruin their reputation among their customers—something we often see in the media whenever a company announces that their customers' credit card information has been compromised.
Remote destruction of property. The more serious form of mercenary cybercrime involves the destruction of online and offline property. These crimes may involve something as benign as defacing a competitor’s website, but can escalate to hacking a competitor’s building and factory controls to disable or destroy valuable equipment/assets. This level of hacking also enters into cyberwarfare territory, a subject we cover in greater detail our upcoming Future of the Military series.
Future targets of cybercrime
Thus far, we've discussed modern-day cybercrimes and their potential evolution over the coming decade. What we haven't discussed are the new types of cybercrime that may arise in the future and their new targets.
Hacking the Internet of Things. One future type of cybercrime analysts are concerned about for the 2020s is the hacking of the Internet of Things (IoT). Discussed in our Future of the Internet series, IoT works by placing miniature-to-microscopic electronic sensors onto or into every manufactured product, into the machines that make these manufactured products, and (in some cases) even into the raw materials that feed into the machines that make these manufactured products.
Eventually, everything you own will have a sensor or computer built into them, from your shoes to your coffee mug. The sensors will connect to the web wirelessly, and in time, they will monitor and control everything you own. As you might imagine, this much connectivity can become a playground for future hackers.
Depending on their motives, hackers could use IoT to spy on you and learn your secrets. They can use IoT to disable every item you own unless you pay a ransom. If they gain access to your home's oven or the electrical system, they can remotely start a fire to murder you remotely. (I promise I'm not always this paranoid.)
Hacking self-driving cars. Another big target may be autonomous vehicles (AV) once they become fully legalized by the mid-2020s. Whether it's a remote attack like hacking the mapping service cars use to chart their course or a physical hack where the hacker breaks into the car and manually tampers with its electronics, all automated vehicles will never be fully immune to being hacked. Worst case scenarios can range from simply stealing the goods being transported inside automated trucks, remotely kidnapping someone riding inside an AV, remotely directing AVs to hit other cars or ram them into public infrastructure and buildings in an act of domestic terrorism.
However, to be fair to the companies designing these automated vehicles, by the time they are approved for use on public roads, they will be much safer than human-driven vehicles. Fail-safes will be installed into these cars so they deactivate when a hack or anomaly is detected. Moreover, most autonomous cars will be tracked by a central command center, like an air traffic control, to remotely deactivate cars that are behaving suspiciously.
Hacking your digital avatar. Further into the future, cybercrime will shift to targeting people's online identity. As explained in the previous Future of Theft chapter, the next two decades will see a transition from an economy based on ownership to one based on access. By the late 2030s, robots and AI will make physical items so cheap that petty theft will become a thing of the past. However, what will retain and grow in value is a person's online identity. Access to every service needed to manage your life and social connections will be facilitated digitally, making identity fraud, identity ransom, and online reputation smearing among the most profitable forms of cybercrime future criminals will pursue.
Inception. And then even deeper into the future, around the late-2040s, when humans will connect their minds to the Internet (similar to the Matrix films), hackers may try to steal secrets directly from your mind (similar to the film, Inception). Again, we cover this tech further in our Future of the Internet series linked to above.
Of course, there are other forms of cybercrime that will emerge in the future, both those fall under the cyberwarfare category that we will discuss elsewhere.
Cybercrime policing takes center stage
For both governments and corporations, as more of their assets become controlled centrally and as more of their services are offered online, the scale of damage a web-based attack could wreak will become far too extreme a liability. In response, by 2025, governments (with lobbying pressure from and cooperation with the private sector) will invest substantial sums into expanding the manpower and hardware needed to defend against cyber threats.
New state and city-level cybercrime offices will work directly with small-to-medium sized businesses to help them defend against cyber attacks and provide grants to improve their cybersecurity infrastructure. These offices will also coordinate with their national counterparts to protect public utilities and other infrastructure, as well as consumer data held by massive corporations. Governments will also employ this increased funding to infiltrate, disrupt and bring to justice individual hacker mercenaries and cybercrime syndicates globally.
By this point, some of you may wonder why 2025 is the year we forecast governments will get their act together on this chronically underfunded issue. Well, by 2025, a new technology will mature that’s set to change everything.
Quantum computing: The global zero-day vulnerability
At the turn of the millennium, computer experts warned about the digital apocalypse known as Y2K. Computer scientists feared that because the four-digit year was at the time only represented by its final two digits in most computer systems, that all manner technical meltdowns would occur when 1999's clock struck midnight for the very last time. Luckily, a solid effort by the public and private sectors headed off that threat through a fair amount of tedious reprogramming.
Unfortunately, computer scientists now fear a similar digital apocalypse will occur by the mid to late 2020s due to a single invention: the quantum computer. We cover quantum computing in our Future of Computer series, but for the sake of time, we recommend watching this short video below by the team at Kurzgesagt who explain this complex innovation quite well:
To summarize, a quantum computer will soon become the most powerful computational device ever created. It will calculate in seconds problems that today's top supercomputers would need years to solve. This is great news for calculation intensive fields such as physics, logistics, and medicine, but it would also be hell for the digital security industry. Why? Because a quantum computer would crack almost every form of encryption currently in use and it would do so in seconds. Without dependable encryption, all forms of digital payments and communication will no longer function.
As you can imagine, criminals and enemy states could do some serious damage should this tech ever fall into their hands. This is why quantum computers represent a future wildcard that’s hard to forecast. It’s also why governments will likely restrict access to quantum computers until scientists invent quantum-based encryption that can defend against these future computers.
AI-powered cyber computing
For all the advantages modern hackers enjoy against outdated government and corporate IT systems, there is an emerging tech that should shift the balance back towards the good guys: AI.
We hinted at this earlier, but thanks to recent advances in AI and deep learning technology, scientists are now able to build a digital security AI that operates as a kind of cyber immune system. It works by modeling every network, device, and user within the organization, collaborates with human IT security administrators to understand said model's normal/peak operating nature, then proceeds to monitor the system 24/7. Should it detect an event that does not conform to the predefined model of how the organization's IT network should function, it will take steps to quarantine the issue (similar to your body's white blood cells) until the organization's human IT security administrator can review the matter further.
An experiment at MIT found his human-AI partnership was able to identify an impressive 86 percent of attacks. These results stem from the strengths of both parties: volume-wise, the AI can analyze far more lines of code than a human can; whereas an AI may misinterpret every abnormality as hack, when in reality it could have been a harmless internal user error.
Bigger organizations will own their security AI, whereas smaller ones will subscribe to a security AI service, much like you would a subscription to a basic anti-virus software today. For example, IBM’s Watson, previously a Jeopardy champion, is now being trained for work in cybersecurity. Once available to the public, the Watson cybersecurity AI will analyze an organization’s network and trove of unstructured data to automatically detect vulnerabilities that hackers can exploit.
The other benefit of these security AIs is that once they detect security vulnerabilities within the organizations they are assigned to, they can suggest software patches or coding fixes to close those vulnerabilities. Given enough time, these security AIs will make attacks by human hackers next to impossible.
And bringing future police cybercrime departments back into the discussion, should a security AI detect an attack against an organization under its care, it will automatically alert these local cybercrime police and work with their police AI to track the hacker's location or sniff out other useful identification clues. This level of automated security coordination will deter most hackers from attacking high-value targets (e.g. banks, e-commerce sites), and over time will result in far less major hacks reported in the media … unless quantum computers don't muck everything up.
Cybercrime’s days are numbered
By the mid-2030s, specialized software development AI will assist future software engineers to produce software and operating systems that are free (or close to free) of human errors and major hackable vulnerabilities. On top of this, cybersecurity AI will make life online equally as safe by blocking sophisticated attacks against government and financial organizations, as well as protecting novice internet users from basic viruses and online scams. Moreover, the supercomputers powering these future AI systems (that will likely be controlled by governments and a handful of influential tech companies) will become so powerful that they will withstand any cyber attack thrown at them by individual criminal hackers.
Of course, this isn't to say that hackers will go completely extinct in the next one to two decades, it just means the costs and time associated with criminal hacking will go up. This will force career hackers into ever more niche online crimes or force them to work for their governments or spy agencies where they will gain access to the computing power needed to attack the computer systems of tomorrow. But on the whole, it's safe to say that most forms of cybercrime that exist today will become extinct by the mid-2030s.