BLOG: COVID’s Metamorphoses part III: Cybercrime during the “Great Lockdown” recession

By Orpheus Analysts

The third part of our series on COVID-19 and the future of the threat landscape examines the effect of a potential global recession on cybercrime. You can read the series’ previous posts on the impact of geopolitical tensions resulting from Covid-19 on nation-state activity here and here.

Introduction

COVID-19 has and will continue to have significant consequences for health, societies, politics and, perhaps most significantly, the global economy. The pandemic has caused a recession dubbed the “Great Lockdown” by the International Monetary Fund (IMF). Most analysts believe the downturn will surpass the 2008-09 financial crisis and rival the Great Depression of the 1930s.[1] Businesses, employees and consumers face a long period of declining revenues, bankruptcies, climbing borrowing costs, rising unemployment figures and a persistent sense of uncertainty – particularly in sectors most affected by the lockdown.[2]

In this blog post, we unpack what the prospects of the “Great Lockdown” mean for the evolution of the cyber threat landscape. Put simply: will a recession in and of itself increase the potency and frequency of cybercriminal threats? Will there be an overall increase in the number of individuals turning to cybercrime?

The short answer, perhaps counterintuitively, is no. Although we predict there will be a small increase in cybercriminal activity as a result of the recession, we do not expect a significant number of unemployed people to become cybercriminals nor sophisticated cybercriminal groups to suddenly be able to significantly increase their revenues or radically change their targeting and tactics.

Instead, the threats posed by cybercrime will exacerbate trends that existed before the pandemic. Technological changes, such as increased working from home, will likely have more of an impact on the threat landscape than changing economic factors or a small increase in unsophisticated cybercriminal activity.

More cybercriminals?

Conventional wisdom suggests that economic downturns result in more cybercrime.[3] It makes sense to assume that, as employment opportunities disappear, technically-skilled professionals are made redundant, resulting in an increase in the number of individuals engaging in financially-motivated cybercrime,[4] on the basis that economic necessity is the primary driver of cybercriminal activity.

Contested Lessons from the 2008-09 financial crisis 

The data on this subject, however, is far from conclusive. Despite somewhat sensationalised media reporting about the rise of cybercrime during the lockdown, there is little evidence overall cybercrime has risen due to the pandemic so far. The UK’s National Cyber Security Centre (NCSC), for instance, has suggested that it has not seen an increase in cybercrime, but rather that the targeting and tactics of cybercriminals have shifted to exploit the fear and new working arrangements driven by COVID-19.[5] Will this change as a recession starts to bite more deeply?

One way in which we can answer this question is to look at cybercrime statistics after the last major recession in 2008. During the financial crisis, media reporting on the links between recessions and cybercrime bore a remarkable resemblance to some of the claims we are currently seeing.

Yet the statistics on cybercrime in the years immediately following the recession are inconclusive.[6] A Home Office study from 2013, for instance, concluded that many forms of cybercrime saw a de-crease rather than increase after the financial crisis of 2008.[7] However, the FBI, for instance, recorded a significant increase in the amount of monetary damage caused by cybercrime in 2009 compared to 2008 (see graph below). However, even this statistic is more complicated than it appears. In general, the figure does not put it outside of the overall trend depicted in the data, which points to mostly year-on-year growth in the amount of monetary damage caused by cybercrime. It is also worth noting that although 2003, 2005 and 2018 saw significant increases in the amount of monetary damage caused by reported cybercrime, they were years of considerable economic growth rather than downturn in the US.[8]

Lower barriers to entry?

Despite this lack of correlation, potential cybercriminals face much lower barriers to entry than they might have done in 2008. The commodity malware market has grown significantly over the past decade, reducing the level of technical acumen required to conduct a cybercriminal operation.[10] While markets mostly offered single-sales of malware code in 2008-09 – which required customisation and administration by the customer – today’s market is dominated by subscription offers that include 24/7 support as well as hosting services.

Ransomware and botnets used for cryptocurrency mining or spreading banking trojans remain the most prolific threats and are also all malware variants that can be easily purchased as packages together with instructions on cybercriminal marketplaces.[11] However, cyber security-mature organisations are also better equipped to mitigate these more mundane techniques.

It is important to note that economic factors and access to malicious tools are only two factors that may drive participation in cybercrime. Other factors, such as ethical considerations (which are consistently underestimated), pre-existing levels of financial security and fear of law enforcement may act as more significant barriers in many cases.[12]

At the same time, we asses that it is unlikely that a recession caused by COVID-19 will have a significant impact on individuals turning to the kind of cybercrime that requires technical sophistication, discipline and sophisticated organisational structures. This is not to say that more sophisticated cybercriminal activity will not be shaped by the consequences of COVID-19, but instead to emphasise that experienced programmers will not suddenly commit themselves to a life of cybercrime.  Due to the ongoing skills shortage, skilled IT professionals based in comparatively wealthy industrialised nations are unlikely to face mass layoffs. The current effects of the COVID-19 lockdown indicate that a recession will likely disproportionately affect those with jobs requiring a physical presence or working within industries like tourism and retail far more than it will impact the majority of office workers, while ongoing complications resulting from the shift to remote-working is also likely to require retention of IT staff.[13]

Conclusion

In summary, the correlation between economic downturns and increased levels of cybercrime is much less clear cut than many commentators have made out. While we expect to see some small increases in individuals engaging in less sophisticated cybercriminal activity than we did in 2008-09 due to the proliferation of commodity and as-a-service tools, organised groups and sophisticated cybercriminals are unlikely to change tack or increase their activities simply because of a recession. Instead, their activity and overall levels of cybercrime are likely to be shaped by existing trends in the threat landscape and technological changes brought about by the pandemic.

However, as discuss in our next blog post in the series, we assess that there will be two exceptions to this general trend. The first is that we predict increased incidents of malicious insiders motivated by lay-offs and the opportunities presented by remote working environments. In addition, we anticipate some nation-state units or contractors turning to cybercriminal activity to raise state revenues. Check back for the next blog post to find out more.

[1] https://www.imf.org/en/Publications/WEO/Issues/2020/04/14/weo-april-2020 ; https://www.worldbank.org/en/news/feature/2020/06/08/the-global-economic-outlook-during-the-covid-19-pandemic-a-changed-world ; https://blogs.imf.org/2020/04/14/the-great-lockdown-worst-economic-downturn-since-the-great-depression/

[2] https://www.weforum.org/agenda/2020/05/coronavirus-unemployment-jobs-work-impact-g7-pandemic/ ; https://www.bbc.co.uk/news/business-52566030 ; https://www.ilo.org/global/about-the-ilo/newsroom/news/WCMS_743036/lang–en/index.htm

[3] See, for example: https://medium.com/@hackenAI/cybercrime-will-surge-at-least-150-in-2020-due-to-covid-19-f8b2c81c509f and https://www.csoonline.com/article/3541724/cybercrime-in-a-recession-10-things-every-ciso-needs-to-know.html

[4] https://www.forbes.com/2008/11/18/cybercrime-boom-fraud-tech-security-cx_ag_1119crime.html ; https://www.portsmouth.co.uk/health/coronavirus/lockdown-could-lead-highest-ever-levels-fraud-and-cybercrime-portsmouth-professor-warns-2542584 ; https://www.riskbasedsecurity.com/2020/03/30/when-the-going-gets-tough-cybercrime-gets-going/

[5] https://www.ncsc.gov.uk/files/Joint%20Advisory%20COVID-19%20exploited%20by%20malicious%20cyber%20actors%20V1.pdf

[6] https://blog.malwarebytes.com/cybercrime/2020/04/cybersecurity-and-the-economy-when-recession-strikes/

[7] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/246749/horr75-summary.pdf

[8] https://data.worldbank.org/indicator/NY.GDP.MKTP.KD.ZG?locations=US

[9] Data taken from reports archived at https://www.ic3.gov/default.aspx

[10] https://www.av-test.org/fileadmin/pdf/security_report/AV-TEST_Security_Report_2018-2019.pdf

[11] https://documents.trendmicro.com/assets/white_papers/wp-shifts-in-the-underground.pdf

[12] https://blog.malwarebytes.com/cybercrime/2018/08/under-the-hoodie-why-money-power-and-ego-drive-hackers-to-cybercrime/

[13] In fact, recent evidence in the UK suggests that there’s actually been a rise in demand for qualified IT staff as a result of COVID-19: https://www.bbc.co.uk/news/business-53438262