In Industry of Anonymity: Inside the Business of Cybercrime, Jonathan Lusthaus deftly unveils how the industrialisation of cybercrime has occurred despite some of the challenges of functioning behind a shield of anonymity for cybercriminals. This is an appealingly non-technical work that will inspire readers to rethink some of their assumptions about the operations of cybercriminals and will be of interest to anyone working in the fields of organised crime, illicit markets and policing, writes Jessica Jahn.
Industry of Anonymity: Inside the Business of Cybercrime. Jonathan Lusthaus. Harvard University Press. 2018.
In aiming to dispel the fictitious image of cybercriminals as tech-savvy teenagers in their family basement, Jonathan Lusthaus deftly unveils how the industrialisation of cybercrime has occurred despite the challenges experienced by cybercriminals functioning anonymously. His new book, Industry of Anonymity: Inside the Business of Cybercrime, explores the business operations of contemporary cybercriminals who must demonstrate their trustworthiness in order to govern and cooperate with others in delivering a range of profit-driven hacking services. Appealingly non-technical, his fluency with the human and social elements of cybercrime should come as no surprise: Lusthaus is a sociologist by training.
What resonates sharply throughout the book is the offline element, including the ways in which geographic factors influence why and how people commit illicit cyber activity. In particular, geography seems to influence the likelihood of cybercriminals collaborating in-person, whereby people operating in the West are somewhat less likely to meet offline. Whereas, perhaps intuitively, physical meetings and conferences are more likely to occur in countries where law enforcement capacity is limited and corruption may be accepted.
Regardless of the location, Lusthaus finds that the cybercrime industry generally relies on social networks: firms that operate with a clear division of power and a level of professionalisation and markets of exchange between buyers and sellers with a certain degree of demand. Since this is how most legitimate and illegitimate businesses operate, you might be forgiven for wondering what is unique about cybercrime. At the end of the book, Lusthaus concedes that ‘there does not appear to be that much that is new about cybercrime’, adding that ‘the definitions of cybercrime we use should probably reflect this […] there is little to justify the development of new theoretical frameworks around this type of crime’ (194). And therein lies part of the value of this book. Even though the ever-advancing nature of technology might understandably create the illusion of cybercriminal activity as novel, there is seemingly little about such crimes that renders them incompatible with established theories and accumulated knowledge. Certainly, Lusthaus’s honesty is to be commended, but perhaps this important finding is deserving of fuller explanation and could have found a more prominent place earlier in the book (rather than being briefly admitted ten pages from the end).
Image Credit: (Blogtrepreneur CC BY 2.0 howtostartablogonline.net)
With that said, what is perhaps unique about cybercrime, as Lusthaus makes clear, is the anonymity that virtual spaces offer. Indeed, the argument that he advances is that cybercriminals have an added challenge of navigating the risks of doing business with anonymous fraudsters and extortionists, who might very well be undercover officers, while also lacking the possibility of recourse for agreements to be enforced. With the shield of anonymity, which in many instances has enabled the cybercrime industry to expand by allowing people who might not otherwise commit illegal acts to engage in faceless crime, how do cybercriminals develop much-needed reputation and cooperation?
Building on a prior discussion of nicknames and identity, Lusthaus takes up that question in the fifth chapter, stating that ‘within this distrustful world, trustworthiness, enforcement, institutions, and governance all play key roles in driving cooperation’ (140). As a precondition for cooperation, trustworthiness is distilled here into three components, including appearance, performance and reputation. Among the indicators used to assess trustworthiness by cybercriminals are writing style, language fluency, time spent online, the publication of e-books to demonstrate expertise, repeated interaction and the use of referrals and background checks. Undoubtedly, trustworthiness is also closely tied to one’s reputation, which itself is linked to broader manifestations of enforcement: ‘punishment in the form of exclusion from a forum or other grouping means the loss of a nickname’s reputation’ (144). In practice, virtual enforcement is akin to private governance rather than self-governance, in part because forum officers are responsible for developing regulations and performing policing-type functions on a given forum. This virtual private governance and enforcement, however, is relatively weak. For that and other reasons, Lusthaus reports that cybercriminals, just like other law-breakers, sometimes choose to cooperate both online and offline.
Returning to the key theme of the offline dimension of cybercrime, Lusthaus finds that, similar to other forms of organised crime, cybercrime is often centralised in local settings and orchestrated by high-ranking individuals, who in many cases enjoy in-person interactions with each other. To demonstrate his point, Lusthaus draws from the somewhat high-profile cybercrime investigations of Max Butler and Chris Aragon, Albert Gonzalez and his team of affiliates and companies like Liberty Reserve that offer both legitimate tech support and illegitimate hacking services. Of importance here, however, is that there is no typical way in which cybercriminals operate and cooperate. Some work almost exclusively with familiar associates; some work almost exclusively with distant electronic strangers. Both options involve risks and benefits. Indeed, this book is also of value for its ability to capture these.
In the conclusion, Lusthaus offers his recommendations for future research on cybercrime, including the efficacy of law enforcement approaches, the role that the state plays in addressing cybercrime and evaluations of prevention and intervention programmes. Based on his data, he suggests that the majority of cybercriminals would rather perform legitimate technological services if they were presented with such opportunities. As such, job markets, educational opportunities and strategies to encourage potential or active cybercriminals to join the licit industry are promising ways forward.
In its entirety, Industry of Anonymity reads much like a well-informed conversation, rather than a traditional academic text. It is accessible, honest and interesting. More importantly, it inspires readers to rethink some of their assumptions about the operations of cybercriminals. In all, the book is recommended to everyone interested in organised crime, illicit markets and policing. Although Industry of Anonymity is framed as being specifically concerned with cybercrime, much of the content extends broadly to the business structures of other forms of illicit (and indeed licit) activity. I look forward to reading Lusthaus’s future work.
Jessica Jahn (@JessicaJahn) is a MSc student studying criminal justice policy at LSE. Her primary research interests include juvenile justice, technology misuses, counter-terrorism, access to justice and human trafficking.
Note: This review gives the views of the author, and not the position of the LSE Review of Books blog, or of the London School of Economics.