Daniel Clemens, Founder & CEO, ShadowDragon
Is climate change the cause of higher energy prices? Likely not. That being said, there is common confusion surrounding energy policy and basic economics. The Consumer Energy Alliance said it well: “Higher energy prices are largely due to a lack of supply caused by policy decisions that have discouraged investment in American energy development and increased the cost of producing and delivering the energy we all need.”
As the cost of living fluctuates, people are left to figure out where they are going to cut costs, or in a lot of cases, where they are going to be able to supplement their income.
Recently, House Republicans pitched legislation that would accelerate the permitting process under the National Environmental Policy Act, require more oil and gas lease sales, eliminate climate programs at the EPA, and speed approval of liquefied natural gas, or LNG, exports, among other provisions (Roll Call article).
What is “bad energy policy”? To me, it looks like price caps, export bans, and tapping strategic reserves (that have hardly proven successful). These approaches generate tailwinds of unpredictability in the U.S. and Europe. And where there is a decrease in economic activity, we can expect to see an increase in crime. Cybercrime in particular will only continue to grow, and organizations are simply not prepared to defend themselves.
In short, I am suggesting that the existing bad energy policy plays a role in economic downturn; and when we face economic downturn, the risks of cybercrime are increased. Let’s examine the cybercrime issue a little closer.
Is there a correlation between bad energy policy and increase in crime?
Research suggests that young people exiting school during recessions are significantly more likely to become involved in crime than those who finish school when markets are more stable. If we look around, “recession” is a very possible and looming reality in the U.S. right now.
The ransomware space for example has grown exponentially each year which is completely understandable. There are three key reasons for the increase of ransomware: it is a crime that has proven to be a legitimate avenue to make a profit; organizations across the board continue to have bad security; and there is an influx of cash that pays for that bad security (i.e. insurance payments).
As observable through open source intelligence, many ransomware groups are based in countries with increasingly worsening economic conditions. Due to these economic conditions, the underground economy for ransomware is alive and thriving. Additionally, a criminal can easily buy ready to deploy ransomware, pay the people who break into networks, purchase money laundering services, etc. They barely have to lift a finger. Regardless of the task, there’s a workforce ready to fill the void in every component of the cybercrime life cycle.
Let us not forget for an attacker, the world is flat. If the attacker is experiencing a financial crisis within their world, they can easily interact with your world to ease the pain in their existing reality.
There is often a disconnect within the business and the implementation of true security, and that’s where cyber threats, like ransomware, come in. Businesses face exploitation for a few reasons, including but not limited to: lack of authentication, specifically two-factor authentication; lack of network segmentation; lack of network security; and predictable environments.
Take the 2021 ransomware attack on the Colonial Pipeline, for example. The hacker group identified as DarkSide accessed the Colonial Pipeline network, stole 100 gigabytes of data within a two-hour window, and infected the IT network with ransomware, forcing the pipeline to shut down operations for five days. In this instance, a simple username and password were exposed to the internet, and once the hackers got in, the network wasn’t even being monitored. If they had two-factor authentication and some network segmentation implemented, perhaps this wouldn’t have been yet another news headline.
Anywhere you see a successful instance of ransomware, it’s safe to bet that there was a certain amount of negligence involved to get to that point. After all, there are a lot of hurdles that a criminal needs to make before an unsuspecting user clicks that malicious link.
As criminals are motivated by financial gain during economic downturns, organizations will need to focus on security fundamentals at a minimum for survival.
Focusing on mitigating cyber risk, especially during economic downturns
Even the largest organizations today struggle to procure the budget and resources needed to secure their business. Looking ahead, I expect organizations with a lower security posture to be taken advantage of - much like they always have been - by a spike in criminal activity such as increased ransomware attacks due to increased crime.
As water is to gravity, the attacker will always take the path of least resistance. Implementing security precautions, like multi-factor authentication, password phrases, or even something as simple as limiting your network’s exposure to the internet, can significantly decrease an organization’s risk of attack.
Implementing better energy policy aside, something the U.S. government could do to push the envelope and improve security across the board would be to offer tax incentives to businesses that implement security protocols, such as multi-factor authentication. Similarly, tax credits could be earned for network segmentation. Not only would that organization’s taxes be lowered slightly, but more importantly, the regulatory costs, insurance deductibles, and overall cost of government response to a cyber incident would be lowered as well.
Bringing it all back together… bad energy policy = more cybercrime?
There are states and countries with good energy policies based on individualism or energy independence. For example, “good energy policy” pursues cheap, energy solutions with the maximum possible output. When a state or city has an energy policy that does not require them to depend on another state or city, they will have an easier time keeping the energy they have, while also keeping prices down.
After all, more energy at a cheaper rate enables more technological innovation, because when we aren’t focused on survival, communities can focus on advancement. When we can focus on advancement, companies can better secure their business from cyber criminals.
With extensive experience in defensive and offensive security, Daniel has been a quiet trailblazer in digital intel-gathering long before cyber intelligence became a discipline. More than a decade ago he was inventing and applying his own intelligence tools in support of companies and governments around the world facing urgent threats. Using this deep understanding of web technologies and the behaviors of cybercriminals, he has enhanced, updated and packaged these tools under ShadowDragon.
Daniel is a member of the Odonata Holdings, Inc.