Shostack + Friends Blog Archive


Pirates, Inc.

I found this short documentary about piracy around the Straits of Malacca, an interesting view of the reality of pirate life as a last refuge of the unemployed fisherman, to be an interesting counterpoint to the NPR story, “Behind the Business Plan of Pirates, Inc.” which provides an altogether different view of the economics of Somali piracy.

But the issues of criminality and the potential for violence aside, a closer look at the “business model” of piracy reveals that the plan makes economic sense.

A piracy operation begins, as with any other start-up business, with venture capital.

J. Peter Pham at James Madison University says piracy financiers are usually ethnic Somali businessmen who live outside the country and who typically call a relative in Somalia and suggest they launch a piracy business. The investor will offer $250,000 or more in seed money, while the relative goes shopping.

“You’ll need some speedboats; you’ll need some weapons; you also need some intelligence because you can’t troll the Indian Ocean, a million square miles, looking for merchant vessels,” says Pham, adding that the pirates also need food for the voyage — “a caterer.”

Yes, a caterer.

“Think of it as everything you would need to go into the cruise ship business,” Pham says. “Everything that you would need to run a cruise ship line, short of the entertainment, you need to run a piracy operation.”

The article goes on to describe all of the other ways in which modern-day piracy is like pretty much any other business–everything from timesheets to charts of accounts to contracts and professional negotiators/lawyers.

These two stories, in turn, highlight something that is consistently overlooked in discussions of “what to do about Criminal Enterprise X”: the fundamental economic drivers of crime, whether it is a physical and relatively universally agreed crime such as piracy on the high seas or something much more abstract and disputed, such as electronic fraud or software, movie and music “piracy” on the Internet.

Quite simply, the reason that cybercrime exists, like piracy on the high seas, is because the economics make sense to the participants.  Money focuses the other resources, and its availability indicates that investors think the risks, both personal and financial, are worth taking.

For example, $250k USD in Somalia gets you all the necessities:  A safe base on land (local security and bribes to the appropriate warlords), skilled labor (seamanship is a skill, even powerboating.  Same goes for weapons handling, climbing onto ships, and even catering), weapons, boats, fuel, GPS, intelligence, etc., and finally access to ships to hijack.  The lack of available labor, unprotected areas of operations, or a safe base on land are a big part of why I don’t have to worry about piracy on Lake Michigan, for example.

In cybercrime, the raw inputs vary a little bit: the start-up capital is probably less, at least for entry-level fraud.  You still need a safe base, which in this case is accomplished through legal arbitrage (base yourself somewhere cybercrime isn’t illegal) rather than lack of a functioning government, as well as varying types and levels of skilled labor, computer hardware (servers and, probably, ‘bots), connectivity & bandwidth, information, accounting, etc., but these are still basically a combination of labor, capital, and domain-specific resources.  The Internet’s removal of the requirement for geographic proximity is why I do have to worry about cybercrime here in downtown Chicago.  The inability of the police to deal with electronic fraud effectively, even domestically, doesn’t help either.

Thus far, most of the public thinking about these types of problems seems to treat them as similar to fighting a fire, a simplistic and wrong assumption.  All you need to do in order to put out a fire–to “win”–is remove one of three crucial elements:  fuel, oxygen, or heat.  Without all three, a fire goes out.

Unfortunately, this won’t work for complex systems such as crime for a number of reasons.

First, they’re more resilient than that.  You have to remove more than one element, and you’ll probably find that those key elements are either being produced more rapidly than you can destroy them or are so distributed as to be impractical to target.  All you’re probably going to accomplish by attempting to remove one element is drive innovation by your opponent, which may leave you even worse off than when you started.  Thus, strategies based on interdiction of some key element are destined to fail.

Second, as in the case of cybercrime, you’ll rapidly discover that your business shares the same set of inputs as cybercrime.  Again, this means that attempts to deny the attackers a resource will probably have a similar impact on your own operations.  Don’t believe me?  Try running your business without network or Internet connectivity for a few days.

So what’s left?  Defending a static business model in a globalized, connected world is basically impossible, even if perhaps fundamentally unfair.  Lobbying to either enact barriers to entry or create a legislative monopoly can only work if the business is inherently local to a single jurisdiction–which rules out anything involving International Waters or the Internet, which in turn rules out pretty much anything other than a local services company any more.

Instead, you have to innovate, too.  Find the portion of your value proposition that can’t be disrupted or intercepted and focus on that.  I can’t tell you how to do that, since it’s specific to whatever business you’re in, but I will suggest that Seth Godin frequently has some good ideas on this subject.