In early 2023, the World Economic Forum (WEF) launched Cybercrime Atlas, with the intent to map the cybercriminal ecosystem by facilitating collaboration between private and public organizations.
What does this collaboration look like in practice? We’ve asked Sean Doyle, the Cybercrime Atlas Initiative’s lead, to tell us more about it.
(Sean Doyle’s answers have been edited for length and clarity.)
How does the Cybercrime Atlas initiative work?
The core of the collaboration is joint research undertaken by cybercrime investigators from more than 20 companies spread across technology providers, cybersecurity, banking, payments and cryptocurrencies.
On top of this, we are lucky to have support from the Atlas community with the development of the Atlas’ governance, procedures and platforms. This is led by our partners at Fortinet, Microsoft, PayPal and Santander, but is increasingly a whole of community effort.
We have been grateful for the support of public sector partners such as INTERPOL. These partnerships allow us to test, iterate and improve the utility of the final research packages.
Joint research serves several purposes: it brings diverse skill sets together to create new insights into the cybercriminal ecosystem; it helps participating organizations understand who can play what role when it comes to disruption; and it builds the working relationships and trust between experts and organizations that are needed to make collaboration on disruption effective.
Atlas community members will be testing different forms of collaborative disruption of cybercriminal activities and criminal infrastructure.
Hosting the Cybercrime Atlas in the World Economic Forum creates the space to experiment with how we enable disruption collaborations – giving the Cybercrime Atlas participants access to the expertise and ideas of the Forum’s Partnership Against Cybercrime community.
What milestones has the initiative reached since then? And what specific problems have you encountered?
One of the milestones to celebrate has been the completion and use of the Atlas’ first intelligence packages in the second half of 2023 and early 2024. This was a turning point as it answered one of the first questions posed by the Cybercrime Atlas community: can we create new and actionable intelligence relying on open-source information and, by working collectively, can we build insights that match or exceed those created by the community members working in isolation? The answer to both of these questions is a resounding “yes”.
The challenges encountered are linked to scaling and integrating additional forms of expertise as the Atlas grows. The Cybercrime Atlas is testing collaboration between organizations with different skill sets and approaches to research. This means creating effective ways of managing shared work that are acceptable to all participants and get the best from their skill sets. This is something that is worked out over time and requires continuous adaptation as the Cybercrime Atlas community grows.
Who can join the Cybercrime Atlas and what obligations do contributors take on? What does the current membership look like?
The Cybercrime Atlas community draws on expertise from companies ranging in size from boutique to global.
Contributors come from organizations that have a role in the systematic disruption of cybercrime. So, we have technology infrastructure providers, threat intelligence expertise, investigative expertise and firms in banking, payments and crypto that can understand how to trace the proceeds of cybercrime.
Contributions come in a variety of forms. Many organizations provide staff to support the Cybercrime Atlas research. Others provide expertise in platform development, investigations governance, data management, and so on.
Are there or have there been similar initiatives by other organizations and, if yes, what do you feel is WEF Cybercrime Atlas’ advantage over them?
The Cybercrime Atlas is not in competition with existing collaborations. We aim to enhance and support collaborations that are already out there.
One of the reasons for optimism in counter-cybercrime is that the ecosystem is getting better at sharing lessons learned and strategies to enhance the impact of cyber defenders. We’re grateful for early support from groups like the Cyber Threat Alliance, who provided high quality input to the thought process behind the Atlas.
We’ve also been able to learn from lessons shared by the Institute for Security and Technology, which runs the Ransomware Taskforce, as well as the Cyber Defence Alliance, both of whom are participants in the World Economic Forum’s Partnership Against Cybercrime.
Hosting the Cybercrime Atlas in the World Economic Forum allows it to gain from the Forum’s partnerships across the public sector, private sector, academia and civil society. It also ensures impartiality in the management of the initiative and, as noted earlier, creates the space for the Atlas community to test and experiment with new approaches as the community grows.
Since this is a research initiative, are you compiling a centralized repository of information and insights? If yes, how do you secure access to the data in it and limit its dissemination?
As the body of research created by the Cybercrime Atlas community grows, it is expected to act as a utility that accelerates joint research and responses to cybercrime. Access will be limited to members of the Cybercrime Atlas community and its partners.
Cybercriminals (and generally cyber attackers) are known for their attempts to misdirect law enforcement. How do you vet the data to be included in the Cybercrime Atlas? And how do you vet organizations that want to participate?
The Cybercrime Atlas community is drawn from a diverse group of some of the most experienced investigators in the world. Currently, the research products are vetted by humans (i.e., the Atlas expert community).
Collaboration when it comes to sharing information is one thing. Are there plans for supporting operational cooperation between the private and public sector and between law enforcement agencies from different countries?
In principle, the Forum is not directly engaged in operational and law enforcement activities. The Forum’s Partnership Against Cybercrime community has been working to promote stronger public-private cooperation in the fight against cybercrime and exploring optimal approaches for facilitating such collaboration.
The Cybercrime Atlas demonstrates how companies can come together with a common purpose to combat cybercrime. The aspiration is to catalyze these collaborations, empowering the Atlas’ partners, both private and public, to take decisive action as needed.
Has the initiative been involved – in any capacity – with the recent attempted disruptions of high-profile ransomware-as-a-service groups (Lockbit, BlackCat)?
The initiative has focused its research on areas where it can create new insights and impact. To date, we have not concentrated on well-known ransomware groups because there is already a high level of private sector and law enforcement time, thinking and resources going into these.