Here's the full article:
Why Success Makes You a Target
There is a pattern in global cybercrime that does not get discussed as plainly as it should. The countries that produce the most cybercriminal activity are largely the same countries that suffer the most from it. The United States, China, Germany, France, the United Kingdom, Russia, Japan, Canada, the Netherlands, Australia. These are not developing nations struggling with digital infrastructure. They are the most economically powerful, most digitally connected, most technologically advanced countries on earth. And they are both the primary sources of cyberattacks and the primary victims of them.
This is not a coincidence. It is a structural consequence of what economic development actually looks like in the digital age.
More Development Means More Attack Surface
A peer-reviewed study published in the Journal of International Studies, analyzing global cybercrime trends across multiple countries, confirmed two things. that are individually intuitive but striking when placed together. First, the most powerful countries in global cyberspace are attacked more than less influential ones. Second, the level of socio-economic development of a country is itself an indirect motivation for cybercriminals to launch attacks against it.
The reasoning is straightforward once stated. Economically developed countries have more of everything that cybercriminals want. More digitized financial systems. More valuable intellectual property. More interconnected critical infrastructure. More data. More organizations with the resources to pay a ransom, and more reputational pressure to do so quietly rather than publicly. The more a country's economy depends on digital systems, the larger the attack surface available to anyone willing to attack it.
This is not a problem that resolves itself as countries become more technologically mature. It scales with development. The more sophisticated the digital economy, the more valuable and the more exposed it becomes.
Digitalization Creates Wealth and Vulnerability Simultaneously
The Fourth Industrial Revolution digitized almost every meaningful aspect of economic and social life. Smart manufacturing, cloud infrastructure, IoT-connected supply chains, digital financial systems, government services running on networked platforms. Each of these developments created genuine economic value. Each of them also created new categories of vulnerability that did not exist before.
The countries that led this digitalization did not do so recklessly. They built significant cybersecurity infrastructure alongside it. But the pace of digitalization consistently outran the pace of securing it. Legacy systems that were not designed for a networked threat environment became embedded in critical operations. The attack surface grew faster than the defenses could cover it. And the value of what sat behind those defenses grew accordingly, which meant attackers had more reason to try harder.
The same research found that vulnerabilities in information systems were so highly correlated with other socio-economic development indicators that they could not be treated as independent variables. In practical terms: the more developed the country, the more interconnected its systems, and the more interconnected its systems, the more pathways exist for an attacker to move through them.
Wealth Concentrates Targets
Cybercriminals, like most rational actors, allocate their effort toward the highest expected return. A ransomware group targeting a hospital network in a high-income country is not making a random choice. They are selecting a target that is likely to have resources to pay, legal and reputational pressure to resolve the incident quickly, and operational dependencies on the affected systems that make extended downtime unacceptable.
The same logic applies at the national level. Countries with large, liquid financial systems are more attractive targets for financial cybercrime. Countries with significant intellectual property concentrations, pharmaceutical research, defense technology, semiconductor design, are more attractive targets for espionage. Countries with critical infrastructure that the global economy depends on are more attractive targets for politically motivated disruption. Wealth and influence create the conditions that make attacks worthwhile.
This is why the United States consistently records the highest data breach costs in the world. According to IBM's 2025 Cost of a Data Breach Report, the average cost of a data breach for US companies reached an all-time high of $10.22 million, even as the global average fell to $4.44 million. US organizations now pay more than double what companies in most other countries pay to recover from a breach.
The Same Countries Are Also the Source
The more uncomfortable part of the picture is that economic development does not only make countries better targets. It also produces the technical talent, infrastructure, and institutional complexity that enables sophisticated offensive cyber operations.
The most capable cybercriminal organizations and state-sponsored hacking groups are, with few exceptions, concentrated in economically developed or rapidly developing countries. Not because wealth creates criminal motivation, but because sophisticated cyberattacks require sophisticated capabilities. They require programming expertise, access to enterprise software and vulnerability research, organizational infrastructure for coordinating operations, and financial systems for laundering proceeds. These things exist in developed economies in ways they do not in less digitized ones.
The same research confirms that countries with the most global influence are both the primary initiators and primary victims of cyberattacks. The NotPetya malware released in 2017 is an illustration of this dynamic. Originating as an attack on Ukrainian infrastructure, it spread globally and caused billions of dollars in damage to some of the world's largest corporations: a US pharmaceutical company, a Danish shipping firm, a German logistics provider, the UK's National Health Service. The attack did not discriminate between intended targets and collateral damage. The most connected organizations in the most developed economies absorbed the most harm.
Why Prosecution Is Not a Realistic Deterrent
One reason the threat environment described above persists is that cybercrime operates across jurisdictions in ways that traditional law enforcement cannot effectively follow. There is no global legal framework governing cybercrime. The Budapest Convention on Cybercrime, the closest thing to an international standard, has now been ratified by 81 states. But notably absent are China, Russia, and India, three of the most significant sources of cybercriminal activity in the world. Russia explicitly opposes the convention on sovereignty grounds and routinely refuses to cooperate in law enforcement investigations. India has declined to adopt it on the basis that it was not involved in drafting it.
When an attacker operating from a country that has not signed or does not enforce mutual legal assistance treaties targets an organization in the United States or Western Europe, the practical likelihood of prosecution is close to zero. Even when attribution is clear, extradition is rare. Indictments are issued, charges are filed, and the individuals named continue operating. The 2021 indictment of four members of the Chinese state-sponsored hacking group APT40 by the US Department of Justice, charged with hacking government entities, universities, and companies across multiple countries, is a clear illustration of this dynamic. The indictment exists, the individuals remain in China, and the attacks continue.
This jurisdictional gap is not a temporary problem awaiting a political solution. It reflects a fundamental structural reality: the internet was designed to cross borders, but law enforcement authority does not. Cybercriminals who understand this, and most sophisticated ones do, deliberately base their operations in jurisdictions where they face no meaningful legal risk.
The implication is uncomfortable but important. For most organizations, the probability that a successful attacker will face legal consequences is low enough that it should not factor into how security is designed. Deterrence through prosecution is not a reliable defense. Prevention is.
What This Means for Organizations Operating in High-Income Environments
The implication for any organization operating in a developed economy is not that the situation is hopeless. It is that the threat environment is not random. Being located in or serving customers in the US, Western Europe, Japan, Australia, or any other high-income, highly digitized economy means operating in an environment that attackers specifically target because of its economic characteristics.
That context should shape how security is approached. The question is not only "are we protected against the average attacker?" It is "are we protected in an environment where the concentration of valuable targets around us means the average attacker is considerably more capable and motivated than they would be elsewhere?"
The answer to that question requires more than baseline security hygiene. It requires encrypted file transfer that does not create exploitable cleartext in transit or at rest. Granular access controls that limit what any single compromised account can reach. Active threat detection that does not wait for a known attack signature to trigger an alert. Audit infrastructure that makes it possible to reconstruct exactly what happened when something goes wrong. High availability architecture that keeps operations running when an attack succeeds in disrupting one component.
These are not exotic requirements. They are the baseline for operating responsibly in an environment where economic success has made you, structurally, a more attractive target than organizations in less developed markets. The wealth that makes a country or organization worth attacking is the same wealth that funds the defenses. The question is whether those defenses are actually being built.
