British author Misha Glenny has spent years conducting prison-cell interviews with convicts from the Ukraine, Turkey and Nigeria, all in hopes of putting a human face on the growing threat posed by today's cyber criminals.
In looking at how nebulous networks of hackers and identity thieves team up to steal billions, he discovered many Canadian threads run through this rich global tapestry of wrongdoing. Some of the world's most savvy hackers reside in this country – and yet Canadian security agencies are openly mocked for being ill-equipped to deal with cyber-security problems.
Best known as the author of McMafia, Mr. Glenny spoke to The Globe and Mail Monday about his new book, Darkmarket: Cybercrime, Cybercops and You. What follows is an edited transcript.
Who is the most important Canadian cybercriminal you profile?
His nickname was Dron – about 24, he was a gifted, self-taught engineer. He built [credit-card]skimming machines from scratch. He sold them for $5,000 a shot, and he got very good ratings on criminal websites for his product – and for his after-sale care and service. It's true. He was out after about two years in jail. It was discounted like all sentences are discounted. They'll be clocking him quite closely.
Do police lack sophistication?
It's usually the reluctance of police superiors to devote resources to this. Because the question they ask is, "Where are the victims? Why am I wasting resources to catch a criminal who's not committing crimes in my jurisdiction?" The criminals tend to look down their noses at law enforcement. The more sophisticated ones have their own counterintelligence capacity – they claim to be monitoring the FBI as much as the FBI is monitoring them.
You mention there are some criminals who will not steal American credit cards, only Canadian and European ones.
His name in the book is "Recka." He told me directly, "Are you kidding, I would never touch an American card." He does touch Canadian cards. That's because the Americans have this huge FBI and Secret Service network around the world. There's no long arm of Canadian law. Canada has been skimmed dry, basically.
Last year there was a major hacking breach of federal computer systems in Ottawa, including the Finance Ministry.
It was a big deal. I heard heads rolled. It speaks to an interesting point: Who is responsible for cyber when you get to big issues like critical national infrastructure? You somehow have to find a mechanism that could respond to problems across departments.
Can governments even address this issue?
They are a bureaucracy and they operate fearfully slowly. One of the aspects of this whole issue is the speed with which innovations happen.
Do you have a call to action?
We're locked into a mini-arms race, with police and the security industry coming up with a certain solution, and the hackers getting around it. It's such big business now, it's no longer sufficient to regard this as a technical problem. We have to look at the problem in a much more rounded sense. It's happening with thing like Citizen Lab here [at the University of Toronto's Munk School]
What's the role of business?
Critical national infrastructure is largely owned by the private sector. It's axiomatic that you need to co-operate with the private sector if you need to protect yourself. So what then happens for Britain, for example, when British Telecom – which provided the backbone for the telecom system – signs up Huawei from China to upgrade the system? It's going to be a Chinese-owned company in the heart of the key critical infrastructure.
You mean China will control the pipes for the British Isles? That should set off alarm bells.
There has been reaction among the security people, but the public reaction has been nothing. One of the things that has been raised was, "Why does this not create waves?" A very good guy from the National Intelligence Council in Washington says that in 10 years there will be only two providers [in this industry]and they'll both be Chinese.