Covid-19, Cybercrime, and Capitol Hill
June 25, 2020
By Benjamin Shaver
Recently, Congress has turned its attention to cybercrime in the time of Covid. The Senate Judiciary Committee held a hearing on June 9th on “COVID-19 Fraud: Law Enforcement’s Response to Those Exploiting the Pandemic” with representatives from the Department of Justice (DoJ), the Federal Bureau of Investigation (FBI), and the Secret Service. On June 16th, the House Financial Services Committee held a similar session, "Cybercriminals and Fraudsters: How Bad Actors Are Exploiting the Financial System During the COVID-19 Pandemic", with witnesses from the private sector, industry groups, and academia. The two hearings provide a snapshot of how cybercriminals have evolved to take advantage of the crisis, what law enforcement is doing to counter them, and the staggering scale of the problem.
In her written statement for the Senate Judiciary Committee for the June 9th event, Senator Feinstein noted that, as of two days prior, the Federal Trade Commission reported that consumers had lost nearly $48 million to coronavirus related fraud. As of June 23rd, losses have increased to almost $70 million. However, this may be only the tip of the iceberg, as schemes directly targeting consumers could be dwarfed by those targeting the federal funding that was created by the CARES Act. Michael D’Ambrosio, Assistant Director of the Office of Investigations of the Secret Service, emphasized the point with a dramatic estimate of the potential losses from the $3 trillion CARES Act stimulus package “Even if we assume a very low rate of fraud, of just 1%, we should still expect more than $30 billion will end up in the hands of criminals. And that is likely an underestimation of the risk, and just one portion of the full range of risks at play.” Senator Whitehouse added during the hearing, “I think we are dealing with what may prove to be the crime of the decade, if not the crime of the century, in terms of the amount of money that was stolen through a common scheme, very likely run by foreign crooks.”
But what do these crimes actually look like? In the Senate Hearing, Sen. Feinstein was particularly interested in the “Scattered Canary” Nigerian cybercriminal network that targeted hundreds of millions of dollars in unemployment funds in the State of Washington, using stolen Personally Identifiable Information (PII) to apply for and receive benefits through online portals. Other scammers have gone after PII through phishing campaigns in which they pose as government agencies offering pandemic relief. Most recently, a cybersecurity company reported that North Korea has begun applying these tactics in a global phishing campaign targeting a range of countries, including the United States.
Law Enforcement agencies are responding, but the volume is a challenge. Calvin Shivers, the Assistant Director of the FBI’s Criminal Investigative Division, reported that the Bureau has established a Covid-19 Working Group with a staff of 500, including agents from all 56 FBI Field Offices agents working with DoJ representatives. He also noted that by the end of May, the Internet Crime Complaint Center (IC3) had already received nearly as many complaints as it had throughout the entirety of 2019. Similarly, Tom Kellerman, head of cybersecurity strategy for VMware, noted that, “During the first five months of 2020 alone, cyberattacks against the financial sector increased by 238 percent.” William Hughes and Craig Carpenito of the DoJ listed a handful of criminal cases involving Paycheck Protection Program schemes and injunctions against businesses selling fraudulent medical treatments. However, lawmakers appeared frustrated by their reticence to discuss ongoing investigations and by the limited number of prosecutions.
There is nothing new about North Korean and Nigerian phishing schemes, and Microsoft has reported that pandemic enabled cybercrime is more of an adaptation of existing schemes than a radical departure. However, if these schemes really do result in $30 billion in lost government funds, that could represent a significant increase in cybercrime’s cost to the US economy as a whole, which we estimated at roughly $100 billion in 2018. The attention this has drawn from the federal government could also have a real impact as lawmakers in both sessions discussed various reforms that could help law enforcement, including a recent bill sponsored by Sen. Graham and Sen. Feinstein that would return the Secret Service to the Department of the Treasury, as discussed at a recent CSIS event, where their cybercrime fighting functions would be aided by closer integration with the financial system. The Covid-19 crisis may give these arguments added weight and could be a catalyst for real change.
Benjamin Shaver is a research intern with the Technology Policy Program at the Center for Strategic and International Studies in Washington, DC.
The Technology Policy Blog is produced by the Technology Policy Program at the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).