Cybercrime Is (often) Boring

I read a paper titled Cybercrime is (often) boring: maintaining the infrastructure of cybercrime economies.

It’s from the 2020 Workshop on the Economics of Information Security, held in Brussels, December 14-15, 2020. That was the pandemic year, it looks like it was also mostly virtual.

The authors are Ben Collier, Richard Clayton, Alice Hutchings (University of Cambridge), Daniel Thomas (University of Strathclyde).

This seems like a touchy-feely paper to me. The Methods section admits that they interviewed some people they found on various hacking forums, and basically read a whole lot of hacking forum posts. No numerical data, just qualitative.

Nevertheless, an interesting paper. It’s terrifically well referenced, it has a 4.5 page bibliography. One of the references this paper leans on heavily is The Ethnography of Infrastructure, by S.L. Star.

The authors of this paper use Star’s definition of “infrastructure” extensively. If I might be allowed to partially quote Star’s paper:

  1. Embeddedness. Infrastructure is sunk into and inside of other structures, social arrangements, and technologies.
  2. Transparency. Infrastructure is transparent to use, in the sense that it does not have to be reinvented each time or assembled for each task
  3. Reach or scope. This may be either spatial or temporal—infrastructure has reach beyond a single event or one-site practice.
  4. Learned as part of membership.
  5. Embodiment of standards.
  6. Built on an installed base. Infrastructure does not grow de novo; it wrestles with the inertia of the installed base and inherits strengths and limitations from that base.
  7. Becomes visible upon breakdown.
  8. Is fixed in modular increments, not all at once or globally. Because infrastructure is big, layered, and complex, and because it means different things locally, it is never changed from above.

That’s an interesting set of attributes to mull over. How much of what we commonly call “infrastructure” fits this?

Collier, Clayton, Hutchings and Thomas changed that 8-point enumeration of infrastructure characteristics a little bit. Their cybercrime infrastructure has these traits:

  1. Supportive of broader illegal action
  2. Concerned with maintaining and managing stability and transparency (or usability)
  3. Naturally tends towards centralisation
  4. Has low hacker cultural capital
  5. Involves creatively defending against law enforcement
  6. Necessitates managing and enforcing norms around use and abuse
  7. Promotes the diffusion of risk and culpability
  8. Ultimately underpinned by boredom rather than excitement

That’s actually quite a bit different, although clearly inspired by Star’s list.

They do support their list with fragments of interviews with some kind of low-level cybercriminals/lowlifes, folks who run “booter” services, DDoS on demand using botnets of other people’s computers.

Section 7.1 of the paper discusses how “the tedium of work or of unemployment is a fundamental characteristic of of the experience of life in industrial capitalistic societies”. Carl Marx has entered the chat.

Ultimately, this is a criminology paper, the authors try to figure out if there are unique and novel ways to prevent people from living a cyberpunk life of cybercrime.