© Marvin Waschke 2017

Marvin Waschke, Personal Cybersecurity, 10.1007/978-1-4842-2430-4_7

7. Why Doesn’t Somebody Stop It?

Where Are the Authorities?

Marvin Waschke

(1) Bellingham, Washington, USA

When we read or hear about cybercrime, crimes such as hospital records held for ransom, fraudulent sports ticket sales, theft of millions of payment cards, stolen trade secrets, or outing personal documents, we inevitably wonder what the authorities are doing about it. Crime rates in general have been going down dramatically for the last decade, but cybercrime is rampant.1 Why can’t the law enforcement resources that have been effective against conventional crime also take down cybercriminals? If law enforcement has to change, how should it change?

The answers are not simple. The reasons for the decline in conventional crime rates are not clear. Shifting age distributions may be as significant as cultural changes and policing techniques. Cybercrime, compared to conventional theft, fraud, and violence, is a new thing for law enforcement. It presents new challenges and requires new tactics. Not all agencies are prepared and in many cases the new tactics don’t yet exist. In some cases, what many people think ought to be criminal is legal under current laws. In areas such as privacy, factions contend over what should be illegal. The obstacles to cybercrime enforcement are many.

The Problem Is New

The problem is new and not so new. In the 1960s, stories of cybercrime already circulated but they differed from what we usually think of as cybercrime today.

Mainframe computers were only accessible to a small group of scientists and engineers. Most mainframes connected with their peripherals but not with other computers. There was no Internet; networks were a vision and hope, not a reality. Therefore, cybercrimes were almost always the action of an insider, typically an employee, who used the computer to commit some form of theft, embezzlement, or fraud. Most of these crimes were schemes that took advantage of lack of understanding of computing among the public and the management responsible for the computer system.2

Insider computer embezzlement still goes on but an interconnected, ubiquitous network provides many more opportunities for cybercrimes. New mechanisms for cybercrime are invented continuously. The most prominent cybercrimes today are invasions. An outside criminal invades a computer system and steals its resources or subverts its processes to the criminal’s advantage.

Network and the Internet

Today, isolated computers are rare and verging on non-existent. Almost any computer can connect with any other computer on the planet. Only computer security prevents me sitting in my office from connecting to computers in the Pentagon in Washington D.C., the Kremlin in Moscow, or the Chinese Military Commission in Beijing. The physical connectivity is labyrinthine, but it exists. If you know how to navigate around and through the security, you can access any computer on the planet. The security is tough, much tougher than it looks in the movies, but the underlying connectivity exists, and patient and persistent researchers and criminals have repeatedly shown that the connectivity can be used illicitly.

All computers are affected by this connectivity. Even systems that appear to be completely isolated are actually susceptible to unauthorized access over the network. A personal desktop without wireless and without a wired network connection, or an isolated military network that has no external connections to the Internet or any other network are both still vulnerable. These are so-called air-gapped systems. Air-gapping is possibly the ultimate protection, but even air-gapped systems can be invaded (see the sidebar).

Before the Internet began to reach everywhere, the world of computing was a patchwork of semi-hostile walled communities. Each company, institution, or person had their walled community. Travel to and from the communities was difficult. Crime was confined within walls and law enforcement was a local affair that seldom involved reaching outside the local community.

The Internet has replaced the physical walls with arbitrary lines painted on the ground. The lines are not difficult to cross but crossing them breaks rules and laws. Even moderately savvy users can jump on a jet-powered motorcycle to race over the lines. And, most of the time, the cops have to get permission to follow. This is the architecture of Internet crime and law enforcement.

New Opportunities for Crime

Opportunities for cybercrime are on the rise for a combination of reasons. Computers are used more often and for more purposes each year. The spread of the smartphone is one cause. People walk around today with computers in their hands that are far more powerful than the mainframe installations that directed the moon missions of the mid-twentieth century. A decade ago, around 200 million personal computers were shipped per year.4 The first iPhone was not sold until 2007. The number of smartphones in use worldwide is expected soon to be over 2 billion.5 That is 10 times the number of personal computers 10 years ago. Each one of these smartphones, in addition to the servers, desktops, laptops, and tablets that fill our lives, is as much a target for cybercrime as a desktop or laptop.

The smartphone explosion is not the only source of new cybercrime opportunities. We are at the beginning of the Internet of Things (IoT) that is extending the reach of cybercrime in startling new directions. Smartphones, tablets, laptops, and desktops are all variations on a pattern: processing capacity, storage, network connections, and human interfaces. These devices come in many shapes and sizes, and their human interfaces vary from keyboards to microphones and back-lit screens to speakers and printers, all designed to interact with different human senses.

With the advent of the IoT, computers attached to the Internet are no longer limited to this basic pattern. Many elements of the IoT are not intended to interact directly with humans. They have other tricks. Industry uses devices in the IoT to monitor and control equipment and processes that vary from nuclear reactors to sewing machines. Fitness monitors track our steps, our global position, and our heart rate and communicate directly with our computers. More sophisticated medical monitors track blood pressure and blood glucose. Smart thermostats in our living rooms are attached to the Internet and can transmit the temperature in our houses to smartphones or tablets on the other side of the globe. The phone or tablet issues commands to adjust the temperature up or down. The elements of the IoT greatly increase the number of points on the network ready to be invaded by enterprising hackers. These elements of the IoT cluster around us. Sometimes we are aware of them and interact with them; other times we are unaware.

In 2016, at any given time, there are estimated to be 3.5 billion Internet connected users.6 Each of these users is a candidate victim of cybercrime. Some estimates place the number of IoT devices connected to the Internet at 50 billion in 2020.7 These statistics are related, but users are not the same as devices. Currently a single Internet user is likely to have several IoT devices in use. In the future, this number will certainly rise. Some IoT devices may not be assignable to a specific user, but many devices will be.

Owning a laptop and a smartphone offers criminals two routes into your electronic domain. A fitness monitor, a home security system, and a front door you can unlock from your phone offer three additional opportunities for a creative criminal. Your automobile may already be attached to the Internet. The electric utility that supplies electrical power to your house may be planning or already has IoT sensors that monitor your electricity usage.

As we are all caught up in the trend to attach more and more of our personal infrastructure to the Internet, we offer more opportunities for criminals to attempt to use the Internet to victimize us. The IoT promises to make lives better. An intelligent power grid combined with alternative energy sources is designed to reduce the cost of electricity and dependence on foreign energy sources while decreasing the total energy used by each individual. The control and instrumentation offered by the IoT network increases the comfort and ease of our lives.

But the benefits come with a cost. Complex systems take time to perfect and they increase vulnerability to both technical flaws and criminal exploitation.

Not only have we increased the ways that criminals can attack us, we have made attacks more lucrative with the activities we increasingly perform on our highly portable computers. Much of our business-to-customer and business-to-business commerce now takes place online. Not only are we expanding our attack surface by increasing the ways we are attached to the network, we are making the attachments more attractive by offering more things to steal. We shop more online for a wider and more diverse range of goods and services. More of our banking and other financial transactions are over wires. We use electronic notifications and documents instead of paper, and our primary message delivery service is the Internet, not the post office. Much of the technology is decades old, but the technology has become more accessible and used more often. Instead of robbing the till, shoplifting, and breaking and entering, cybercriminals steal payment card information, purchase goods with stolen credentials, and hack into home security cameras. Data is intercepted to be used against us and there is more of it to intercept.

The entire economy is increasingly run on a digital infrastructure. Some countries are already planning a transition to an all-electronic economy that does not use physical money. The smart electric grid mentioned earlier increases national dependence on computer networks. Increasingly, industrial supervisory control and data acquisition puts the lifeblood of our transportation and manufacturing onto the Internet.

A few years ago, for the first time, the majority of adults in the US were banking online.8 Most people now bank using payment cards and direct funds transfer, and manage their financial accounts online. Hackers rob banks by hacking into servers and financial communication systems, and come away with millions of dollars. Gun-toting bank robbers are left with slim pickings at bank branches holding little cash in their vaults. The days of Willie Sutton packing a gun and robbing banks “because that’s where the money is” are over.9

With both the number of computers and the uses of computers rising rapidly, the opportunities for cybercrime have increased, and with the rise in opportunity for crime, the number of crimes has risen.

New Kind of Criminal

Cybercriminals are not beetle-browed thugs lurking in dark alleys; in other words, they are not stereotypical criminals. Even the stereotype of the disgruntled and wild-eyed hacker surrounded by greasy take-out wrappers and hunched over a glowing screen is not accurate. The attendees at hacker conventions, such as Def Con or Black Hat, are hard to distinguish from the attendees at any other engineering conference. Certainly, these convention attendees are there as computer security professionals, but realistically, the criminal engineering elite have the same interests as the white hat professionals and are likely to be there to join in the conversation.

Top tier cybercriminals must have expertise and knowledge of computer engineering including software and hardware and in-depth understanding of business practices. Without technical knowledge of computers and networks, criminals can’t gain access. Without knowledge of business practices and systems, the criminals do not know what to do when they get access, where the money is, or how to extract it. A successful large scale exploit is likely to require knowledge of several software systems, networking, hardware vulnerabilities, and detailed knowledge of the business transacted on the system. Acquiring this knowledge and skill is not easy. It requires intelligence, discipline, training, and practical experience. Often, advanced academic training and insider experience are also necessary. These skills are all in demand both for legitimate employment and crime. One consequence is that cybercriminals are able to switch from one side of the law to the other with relative ease. Expert cybercriminals are probably indistinguishable from other technical workers.

Cybercriminal: Dread Pirate Roberts

Ross Ulbricht, who called himself “Dread Pirate Roberts,” was the owner of the Silk Road anonymous trading site. He is an example of a cybercriminal with a high order of expertise. The Silk Road site was taken down by the FBI in 2013. Ulbricht is now serving two life sentences and several other sentences for charges including narcotics trafficking, money laundering, murder-for-hire, and computer hacking.10 With the exception of hacking, Ulbricht’s charges sound like the charges levelled at a traditional organized crime boss.

But Ulbricht was far from a traditional criminal. He had no criminal record, no history of advancement from minor offenses to misdemeanors to felonies. He had no known criminal associates. His friends, relatives, and the people he lived with did not suspect he was involved in illegal activity.

Ulbricht was a solar energy researcher and co-author of scientific papers, but at some point he abandoned research and began building an anonymous merchandise exchange that encouraged illegal trade. He has said that he built the exchange to support libertarian economic principles.

While operating Silk Road he acquired tens of millions of dollars in the form of bitcoins from commissions on the Silk Road site, but, unlike typical drug dealers, he apparently was not motivated by greed and showed no interest in spending on luxuries.

His lifestyle was remarkably low key. He sublet a single room in a house and lived quietly, spending most of his time in solitude, working on his laptop computer. He spent little money, travelled seldom, and did little that would have drawn the attention of a typical criminal investigation.11 Eventually, he was captured while using his laptop in the science fiction section of a public library through a combination of painstaking online research and sophisticated cyberforensics.12

Ulbricht’s case highlights the challenge in finding cybercrooks who do not act like traditional criminals. Investigations of drug traffickers and users of murder for hire services are usually quite different from the Silk Road takedown. More and more investigators are being trained to capture the next Dread Pirate Roberts, but it is still a new direction for law enforcement, and the methods used by the criminals to evade detection are also improving rapidly.13

Cybercriminals and Law Enforcement

The traditional tools of law enforcement are not well-suited to catching cybercriminals. A traditional crime investigation is usually performed by a coordinated team. The police are the first to a crime scene. Their job is to come to the rescue of victims, catch criminals still on the scene, do an initial assessment of the nature and gravity of the crime, and secure the scene. Crime scene investigators collect and evaluate evidence; detectives interview suspects and witnesses; representatives of the district attorney advise on the legal intricacies, such as applicable laws, required evidence, and warrants.

Almost none of these roles apply to investigation of cybercriminals, and when they do apply, the expertise needed to execute the roles is far from traditional. The local computer crime scene is seldom a tangible building or a plot of ground to be cordoned off. There may be a device, like a hacked laptop or smartphone, but in many cases, the only evidence of the crime is the report of the crime and what is buried in records that are stored all over the Internet. Computer criminals do not leave footprints, fingerprints, or DNA samples. There are no blood spatters to analyze, no firearms or bullets to trace. The detectives have no witnesses to interview.

Criminals like Ross Ulbricht seldom have criminal records. They probably don’t have criminal associates, nor are they likely to have violent tendencies that cause them to brush periodically with law enforcement. They don’t have identifying fingerprints or DNA samples in law enforcement files. They are not likely to show up on security cameras. Because conventional methods and tools of law enforcement do not apply to cybercriminals, law enforcement has been forced to evolve new techniques for solving these crimes.

Although there are no footprints in the sand to photograph and preserve, cybercriminals do leave traces. The crime investigator may have nothing more than a few emails stored on an Internet service provider’s server, lines in the log from an anonymous chatroom, and some entries in the victim’s bank record, but these may well be all the clues an experienced cyberinvestigator needs to track down the perpetrator.

The successful capture of Dread Pirate Roberts was accomplished by careful and arduous undercover work, but not the kind of undercover work we usually see on television. The undercover agents may never have seen Dread Pirate Roberts or any of his lieutenants or customers. Instead, many hours were spent in chatrooms establishing trust among the criminal community, discovering rivalries and vulnerabilities. The undercover detective probably did his undercover work seated in a cubicle in a police lab, not hanging out in seedy nightclubs. From that cubicle, fragments of information were pieced together that could eventually be used to infer the pirate’s real identity and location. The final arrest was an undramatic anti-climax in the science fiction section of a public library.

New Kind of Crime

Cybercrime is technological crime. Traditional criminals rely on force and guile to extract gain from their victims. The traditional relationship between criminal and victim is usually direct and personal. Cybercriminals use their knowledge of computing technology to victimize remote victims whom they have never met or communicated with directly. The victim may be unaware of the crime until long after the act.

Cybercrimes Are Local, Cybercriminals Are Global

The locations of the victims of a cybercrime are seldom a clue to the location of the criminals who executed the cybercrimes. For example, an intrusion into banking systems in the third world that affected banks in the US was executed remotely. From October 2015 through February 2016, banks in Bangladesh, Vietnam, and the Philippines were attacked. The attacks were directed at a highly secure electronic funds transfer system referred to as SWIFT. The attacks were directed toward third world banks with vulnerable security practices. Reports say that attackers transferred $81 million from Federal Reserve Bank of New York accounts. Investigators traced the attacks to North Korea. Detecting and tracing the attacks is a formidable technical and investigative challenge, but resolving the case enters the realm of foreign relations, diplomacy, and military strategy—a situation that goes far beyond the limits of typical law enforcement.14

Finding the Perpetrator

A rapid search for a perpetrator in the vicinity of the crime is basic police procedure that is part of every police officer’s training. The equivalent search for a cybercriminal is tracing the network address and location of the cybercriminal’s computer. What is traced is actually both a location and a point in time, because cybercriminals change network addresses and move quickly, and physical location is not tightly tied to address. See the sidebar below for some of the complications involved in tracing perpetrators using network addresses.

Cybercriminals disguise their identity and location when they attack to make the search for a perpetrator as difficult as possible for police, much as a physical criminal dons a hoodie and dark glasses to rob a convenience store. The search for an evasive cybercriminal is a job for a trained specialist. Although this training is becoming more common, cybercrime specialists are still scarce and they must concentrate on the most significant crimes. Successfully finding a cybercriminal is not easy. The search may lead to a public wireless network like a coffee shop. When it leads to a residence or office, the criminal may have temporarily hijacked the Wi-Fi Internet connection and may have no permanent connection with the location (see the following sidebar). The search could lead through a Tor network, a way of using the Internet that is intentionally difficult to follow. They can disappear without a trace.

The obstacles to these searches do not mean that a search is pointless, but they are challenging. Cyberforensic specialists use combined methods. For instance, they can cross-reference network records with credit card records to generate a list of who was in a coffee shop while the suspect was using the coffee shop network address to access the Internet. Similar correlations can be made with security camera records. Cellular phone records are another source. The combination of information may narrow the suspects or target the criminal.

These techniques are powerful, but determined criminals can circumvent them. Criminals that use technologies designed for anonymous communication, such as the Tor browser, may be traceable, but tracing requires a concerted, planned, and prolonged effort with specialized expertise and equipment. Some organizations, such as the National Security Agency, have the resources to trace, decrypt, and otherwise track criminals who use advanced evasive technology, but most law enforcement agencies don’t have those resources (see the following sidebar).
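The cross-referencing of network records with credit card records described above can be sketched as a time-window match repeated over several visits. This is an added example, not material from the book; the session times, card tokens, the 20-minute lead window, and all function names are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data (not real records).
# Periods during which the suspect device used the coffee shop's
# network address, as an investigator might take them from router logs.
SUSPECT_SESSIONS = [
    ("2016-03-01 09:05", "2016-03-01 09:40"),
    ("2016-03-04 14:10", "2016-03-04 14:55"),
    ("2016-03-09 09:00", "2016-03-09 09:30"),
]

# Card purchases at the same shop: (timestamp, opaque cardholder token).
CARD_PURCHASES = [
    ("2016-03-01 08:58", "card-A"),
    ("2016-03-01 09:10", "card-B"),
    ("2016-03-01 09:20", "card-A"),  # second purchase during the same visit
    ("2016-03-01 09:35", "card-C"),
    ("2016-03-01 10:15", "card-D"),  # after the session ended
    ("2016-03-04 13:40", "card-F"),  # more than 20 minutes before the session
    ("2016-03-04 14:02", "card-A"),
    ("2016-03-04 14:30", "card-E"),
    ("2016-03-04 15:30", "card-B"),  # after the session ended
    ("2016-03-09 08:50", "card-A"),
    ("2016-03-09 09:10", "card-C"),
    ("2016-03-09 09:29", "card-G"),
]

DEFAULT_LEAD = timedelta(minutes=20)


def cards_present(session, purchases, lead=DEFAULT_LEAD):
    """Cards used between (session start - lead) and session end.

    The lead allows for a customer who pays first and connects afterwards.
    A set is returned so repeat purchases in one visit count only once.
    """
    start = datetime.strptime(session[0], FMT) - lead
    end = datetime.strptime(session[1], FMT)
    return {
        card
        for ts, card in purchases
        if start <= datetime.strptime(ts, FMT) <= end
    }


def rank_candidates(sessions, purchases, lead=DEFAULT_LEAD):
    """Count, per card, how many suspect sessions it coincides with."""
    counts = Counter()
    for session in sessions:
        counts.update(cards_present(session, purchases, lead))
    # Most coinciding sessions first; ties broken by token for stable output.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def narrow(sessions, purchases, min_sessions, lead=DEFAULT_LEAD):
    """Cards that coincide with at least min_sessions suspect sessions."""
    return [
        card
        for card, n in rank_candidates(sessions, purchases, lead)
        if n >= min_sessions
    ]


if __name__ == "__main__":
    for card, n in rank_candidates(SUSPECT_SESSIONS, CARD_PURCHASES):
        print(f"{card}: present in {n} of {len(SUSPECT_SESSIONS)} sessions")
    print("present every time:", narrow(SUSPECT_SESSIONS, CARD_PURCHASES, 3))
```

A single session matches several cardholders; only the repetition across visits narrows the list, and the result is a lead to check against camera or phone records, since a customer who pays cash never appears in it.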

Ironically, using evasive technologies is easy and cheap; catching a criminal who uses evasive technologies is difficult and expensive.

Extradition

After perpetrators are found, they must be apprehended and taken to court. Identifying the courts and enforcement agencies that govern a conventional crime or dispute is usually one of the easier parts of conventional law enforcement. Conventional crime is almost always local. The victim of the crime, the execution of the crime, and the perpetrator of the crime are all in the same geographic location and the courts and law enforcement agencies of the local area have jurisdiction over the crime. Choosing between a civil or criminal court or a more specialized court like a family court follows well-understood rules.

In contrast, even determining the location of a cybercrime can be challenging. The victim of a cybercrime may be located thousands of miles from the perpetrator. The execution of a cybercrime, such as a denial of service attack, can be launched from thousands of servers spread all over the globe. Which location has jurisdiction? The attacked site? The locations of the hacked servers that sent the attack messages? The locations of the command and control servers, of which there may be many? Or the coffee shop where the perpetrator sat for a few minutes while he started the attack? Without a specific locality, prosecution is perplexing. Resolving the perplexity is difficult and expensive.

If the jurisdictions can be determined and the perpetrator of a cybercrime can be found and a solid case established, the difficulties are not over when the perpetrator is not in the same jurisdiction as the victim. In that case, the perpetrator must be extradited to be prosecuted.

Extradition is a complex and expensive process. Extradition is necessary because a law enforcement authority can only prosecute a suspect within its jurisdiction. Although conventional criminals certainly flee across jurisdictional boundaries, most conventional crimes are performed in the same jurisdiction as their victims and don’t require extradition. A burglary victim complains to the local police. The police identify the criminals, apprehend them, and bring them to trial. If the criminals have fled the area, the criminals must be extradited. The victim’s jurisdiction must convey a request for an arrest to an authority with jurisdiction over the criminal and the criminal’s jurisdiction must agree to the request. After the agreement has been made, officers in the criminal’s jurisdiction perform the arrest. Then it is up to the victim’s jurisdiction to get the prisoner and transport him or her to the victim’s jurisdiction and bring the criminal to trial.

In most cases, extradition only occurs when the act is criminal in both the jurisdiction of the victim and the jurisdiction of the perpetrator. If not, a request for extradition is likely to be rejected. Extradition for cybercrimes tends to be more difficult than for conventional crime because conventional crime laws tend to be more consistent across jurisdictions than cybercrime laws. This is a problem within national boundaries, and an enormous problem when jurisdictions cross international boundaries.

The laws governing cybercrime are not always consistent across jurisdictional boundaries. In the U.S., for example, the CAN-SPAM Act of 2003 is U.S. federal anti-unsolicited commercial email legislation. Prior to CAN-SPAM, many states had some form of anti-spam legislation. The federal act preempts many, but not all, of these state laws. Consequently, some spam practices are illegal in some states but not others.

Washington State, for example, prohibits hiding the point of origin of commercial emails by disguising the email address. Other states do not.16 Spammers tried in Washington State courts can be convicted of cybercrimes that would be ignored in some other states. The question of jurisdiction in such a trial is important. The Washington law declares disguised addresses are illegal when either sent or received on Washington computers. Under Washington State law, a prosecutor could attempt to prosecute a spammer sending disguised addresses from a state where disguised addresses are legal. When that happens, the accused spammer would have to be extradited or voluntarily travel to Washington State to stand trial. However, since states are not obligated to extradite an accused person who has not committed a crime under their laws or federal law, the spammer could be immune to prosecution.17

The entire extradition process is slow, expensive, and somewhat risky. A long-distance investigation requires long-range inquiries into unfamiliar territory. If the investigation succeeds in finding a likely suspect, the remote jurisdiction may refuse to extradite the suspect. Also, there is little margin for error because extraditing the wrong suspect is an expensive and highly visible mistake.

Due to the expense and risk, local law enforcement may only have funds to pursue and extradite the most egregious cybercriminals. Less extreme crimes that involve smaller sums of money often have to be ignored. Crooks can take advantage of this weakness. For example, a ransomware ring might keep ransoms low enough to avoid extradition and prosecution. A fraudulent online sports ticket racket might keep its prices below the bar for extradition and only prey on out-of-state victims.

These problems become worse when the crime is international. Not all countries are equally distressed by cybercrime. Although it may not be a publicly declared policy, some nation states are tolerant of international cybercrime and make no effort to prosecute cybercriminals. In extreme cases, such as the North Korea example above, the criminal act appears to be an instrument of government policy. When cybercriminals hide behind practices like this, prosecuting the criminals requires foreign diplomacy in addition to police action. That means the prosecution not only has to make its case, it also has to contend for a place on a diplomatic agenda.

The prospects for local victims of remote cybercriminals are not good. Finding the criminal is difficult, requiring skills that may not be available, and expensive. Extraditing and prosecuting the criminals once they are found is also difficult and easily more expensive than finding the criminals. Local law enforcement budgets are never unlimited and often severely limited, meaning that expensive-to-solve, low-dollar, non-violent crimes will not be given high priority.

Realistically, a victim reporting a small cybercrime to the local authorities is likely to get sympathy, but little more. This is most unfortunate because it gives certain types of cybercrime a free pass. A ransomware operation that keeps ransoms low and avoids victimizing near jurisdictions is almost guaranteed to prey on its victims with impunity. Email fraud scams and many other cybercrimes that spread their illegal gains over many victims are similarly skipped over by prosecution.

For crimes that occur entirely within national boundaries, legislation could help by simplifying jurisdictional issues and streamlining the extradition process. Unfortunately, exactly how to simplify and streamline the process is a difficult problem in itself. For example, in the U.S., if criminals could be prosecuted in their home state for cyber fraud on victims in another state, the cost of prosecution may decrease, but what would motivate prosecutors to expend local resources on crimes that do not affect their local constituents?

More extensive federal cybercrime laws may be a solution, but federal officials are already consumed with big ticket crimes. In addition, without substantial changes in the federal legal infrastructure, running low-dollar-amount cybercrimes through the federal court system would be cumbersome and not likely to satisfy many victims.

The international arena is not better. The situation has improved with the establishment of international cybercrime treaties. The most prominent treaty is the Convention on Cybercrime, also known as the Budapest Convention, which was adopted by the Council of Europe in 2001. After 15 years, 49 nation states have ratified it, mostly in Europe, but non-European states such as the United States, Australia, Canada, Israel, and Japan have also ratified it. Signatories to the convention must agree to align local laws with the Convention’s policy on unauthorized computer access, data theft, child pornography trafficking, and several other areas. This greatly simplifies prosecution and extradition. Ratification has been wide, but not universal. Non-signatories protest that the convention intrudes on their national sovereignty. North and South Korea, Russia, China, and India are notable non-signatories.18

Despite the Convention, there are still locations that are relative safe havens for cybercriminals. In addition, cross-border extradition and prosecution are more expensive and difficult than extradition and prosecution within national boundaries. Consequently, international cybercriminals who keep the damage to each victim low enough can often get a free pass.

Somehow this knot must be untied or we will have to resign ourselves to high cybercrime rates.

Hidden and Under-reported

Although lack of privacy on computers is troubling, cybercrimes are often less public than conventional crimes . When a person is assaulted on the street, the event is public. Uninvolved witnesses may call 911 for the victim . If the police arrive on the scene soon enough, they may arrest and charge the perpetrator without the participation of the victim.

Cybercrimes seldom take place in public. A crime like pwning (illicitly seizing control of a computer) and turning the computer into a remotely controlled bot takes place inside the victimized computer and over the Internet. The effects of the pwning may be public, such as using the seized computer as part of a denial of service attack, but even the rightful owner of the computer may never be aware that the computer has been effectively stolen.

Other crimes such as identity theft are similar. The victims of the theft may go for years without realizing that their identities are being used by the criminals.

In other cases, such as cyberbullying or harassment, the victim knows they are victimized, but the damage is private. Schoolyard bullying is in sight of the teachers and other school authorities, but a cyberbully’s acts are invisible to others if the victim does not speak up.

If a crime is visible only to the victim, the victim must report the crime to someone, if only to a confidant who goes to the authorities. If the victim is unwilling to report the crime, or unaware of the crime, the crime is not reported.

Too often, victims do not report cybercrimes. There are a number of reasons for this.

The victims of cybercrime often feel they have brought the crime upon themselves and are unwilling to reveal their poor judgement. They might think they should have known not to open that suspicious email attachment or follow that clickbait link, and they don’t want to publicly admit to their mistake. A business may have been waiting for a profitable quarter to invest in upgraded security systems and training, and is ashamed to admit that its parsimonious strategy backfired.

A business may also hesitate to report that it has been hacked because it fears adverse publicity. Not only does it risk a reputation for backward practices, its customers and partners may be afraid to do business with it. Therefore, a hacked department store might prefer to quietly deal with stolen payment card data themselves rather than call in the FBI or other law enforcement and risk losing customers.

The indirect victims of crimes like payment card data theft have little incentive to report thefts because the bank or the credit card company is required by law to make good the loss. When the authorities are called in, finding the crooks is difficult and time consuming. In addition, prosecution is likely to be complicated by jurisdictional issues and extradition. By the time a conviction occurs, recoverable assets may have disappeared and there may be no compensation forthcoming. It is not surprising that companies that are hacked may see few advantages in reporting the crime to the authorities.

Similarly, an individual who falls for an Internet too-good-to-be-true used car scam that accepts his money and neglects to deliver the car may not be eager to make his humiliation public, and the local law enforcement agency may brush him off because the agency does not have the skills or the resources for an investigation and extradition. The likelihood that the individual will report the next crime sinks fast.

Reporting of traditional crime is often driven by insurance. When my laptop was stolen in an airport several years ago, I missed my flight because I went to the airport police and filled out a theft report. I did not expect the thief to be caught or the laptop to be returned. I was tempted to skip reporting and catch my flight, but I knew that if I did not fill out the report and submit a copy with my claim, my insurance company would not honor it. Many property crimes are reported to meet insurance requirements, rather than from civic duty or expectations that property will be returned. Cybercrimes seldom have this incentive for reporting because few individuals have cyber-risk insurance. However, cyber-risk insurance is becoming more common, as one would expect with rising cybercrime rates.19 Perhaps this trend will drive more extensive reporting of cybercrime.

Cybercrimes are sometimes a “death by a thousand cuts,” which is another reason they are not reported. Each crime may be insignificant, but may become significant when the crime is repeated many times. A single spam email is a criminal act, but the victim can delete it in an instant and the event is hardly worth the trouble to mention. If the criminal is perspicacious enough to send out their spam to a million victims, but only two pieces a month to each individual victim, they may never be reported. Although two spam emails a month from a single source is only a minor annoyance, most people get spam in their inbox from enough sources to make managing it a significant issue. In addition, some of that spam is likely to contain phishing malware that is downright dangerous. Nevertheless, a hundred spam emails in your inbox from a hundred different spammers is more hassle to report than most people are willing to undertake and the spammers slip by.

Reporting cybercrime is important because underreporting impedes accurate measurement of the impact of cybercrime and the criminals who perpetrate unreported crimes cannot be prosecuted. When the real impact is underreported, the resources assigned to address the problem will not be sufficient. Fortunately, the individual victim is not the only point to begin the attack on cybercrime. For example, many enterprises are built around online business and Internet activity. Internet retailers and Internet media providers are two examples among many. If consumers are driven away from online activity by cybercrime, these enterprises suffer, which is a powerful incentive to act against cybercrime. One action is to help authorities identify and prosecute under-reported crimes (see the following sidebar).

Cybercrime Law Enforcement Agencies

Progress is being made. In the US, on the national level, the Department of Justice, through the FBI, has taken the lead in establishing regional computer forensic centers and training programs for local law enforcement agencies. The FBI also actively investigates and enforces federal and international cybercrime. Some types of cybercrimes are investigated by the Bureau of Alcohol, Tobacco, and Firearms. The Department of Homeland Security investigates cyberterrorism through the Secret Service and provides additional training and support to state and local law enforcement.

The National White Collar Crime Center (NW3C) is a non-profit organization funded by its members and federal agencies, mainly the Department of Justice. The NW3C provides cybercrime training and support to state and local law enforcement.

The FBI established a national clearinghouse for reporting cybercrime. This clearinghouse, called the Internet Crime Complaint Center (IC3), accepts reports on all forms of cybercrime. The FBI pursues the subset of these reports that fall into its jurisdiction. The rest are dispatched to an agency with jurisdiction. Sometimes the appropriate agency is Homeland Security or the Secret Service, but more likely, the report will be referred to a state or local agency.

The IC3 can bundle together reports as well as dispatch them. Criminals who commit large numbers of small crimes that each fall below the practical bar for prosecution may rise above the bar when their crimes are bundled together. If victims consistently report crimes to the IC3, even small crimes, the chances of seeing some of these criminals prosecuted will increase and the number of cybercrimes will decrease. The IC3 encourages anyone to report cybercrimes without regard to the size of the crime or the jurisdiction.20

A central clearinghouse also raises the level of awareness of the need for regional and national task forces that bring together resources to deal with cybercrime. A task force can supply experts and equipment that individual agencies would not ordinarily be able to access. For example, tracing a distributed denial of service attack requires specialized software and hardware and the skill to use the resources. Most local enforcement groups do not have the resources to undertake such a project, but a task force combining the resources of several jurisdictions may be able to accumulate the resources and expertise needed to be successful. In addition, task forces provide for coordination and cooperation across jurisdictional boundaries that often impede investigation and prosecution of cybercrimes.

In the European Union, the European Police Office (Europol) pursues international crimes by coordinating the law enforcement authorities of the members of the EU. Europol opened the European Cybercrime Centre (EC3) as a center of technical expertise that provides coordination and support to member states’ anti-cybercrime operations and investigations.21

Interpol is distinct from Europol. Interpol was formed in the first half of the 20th century to facilitate international police cooperation. Although its headquarters are located in France, it is a global organization with only a few states that are not members, unlike Europol, which is limited to European Union membership. Interpol provides support and coordination to cybercrime law enforcement agencies on a global scale. Interpol opened a research and development center for cyber expertise in 2014.22

Where We Are Today

Today, cybercrime is affecting a growing number of institutions and individuals. The conventional crime rate has gone down substantially in the last decade for several reasons, including changing demographics and improving police techniques, but cybercrime has been soaring. The police techniques that have been effective in reducing crime are not effective against cybercrime. Local and state police are stymied. Their police academy training simply does not apply to a denial of service attack on a business, ransomware at a local hospital, or victims of Internet fraud.

The federal authorities are better prepared, but they concentrate on large cases involving many thousands of dollars and affecting hundreds and thousands of people, not five-hundred dollar fraudulent Internet sales of fake football tickets.

In fact, five-hundred dollar cases are properly the realm of local enforcement, but local enforcement seldom has the tools and skills to identify the fraudster, and if they could, the culprit is probably in another state or country. The cost of investigating, extraditing, and trying the distant criminal is probably much greater than the sum stolen and more than local budgets can bear. Cyberharassment crimes are often similar. The actions of local enforcement are restrained and the criminals can carry on with impunity. Consequently, the closure rate for local cybercrime cases is less than one in ten.

The situation is bad. Although those $500 frauds, $800 ransoms, and $1,000 car sales frauds are small when compared with the theft of millions of payment cards or millions of dollars stolen in attacks on bank wire transfers, for the persons who lost their money and did not get to go to the game, these are not trivial and the aggregated cost of these crimes is large.

Enforcement is improving. Federal programs are training local police in cyberforensic methods and local officers are trading on their own local pockets of expertise. Regional enforcement centers pool resources and apply them where they are most needed. Local enforcement is working with local private industry and universities to deepen their expertise. The FBI is acting as a central cybercrime reporting hub for the entire country and helping connect the dots to link together small frauds into large operations that justify national and international resources and will finance extradition to a jurisdiction where the crimes can be prosecuted.

International organizations are making it more difficult for international criminals to slip through the net.

Realistically, despite the advances, a victim of cybercrime is lucky to get anything more than sympathy from the authorities. Banks, payment card companies, and merchants are all likely to help the victims of the business’ compromised systems, but the cyber equivalent of car theft or home burglary is not likely to be treated as thoroughly or as competently as a physical theft or burglary. There are certainly exceptions, and the number of exceptions is likely to increase, but the prospects are not good.

Fortunately, there is another side to the problem. Law enforcement struggles to apprehend and convict cybercriminals, but avoiding becoming a cybercrime victim is getting somewhat easier. The computing industry is much more aware of cybercrime today than it was even 10 years ago and systems today are designed to be more crime resistant and have become more secure. Of course, the cybercrime business is booming, as criminals are busy devising new ways to steal and defraud using computers, but the vendors are also aware that their business depends on secure and reliable systems. In the next chapter, I look in more detail at what the industry has done and is doing to improve prevention and detection of cybercrimes.

Footnotes

1 For a look at the decline in conventional crime, see Neil Howe, “What’s Behind The Decline In Crime?” Forbes, May 28, 2015. www.forbes.com/sites/neilhowe/2015/05/28/whats-behind-the-decline-in-crime/#3a3a8eec7733 . Accessed August 2016. For the rise in digital crime, see Steve Morgan, “Cyber Crime Costs Projected To Reach $2 Trillion by 2019,” Forbes, January 17, 2016. www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#31b8dad13bb0 . Accessed August 2016.

2 The story of the programmer who wrote code to snatch the fraction of a cent discarded when dollar amounts are rounded down to the nearest cent has grown to an urban legend. Whether it actually ever occurred is open to question, although I have heard more than one loquacious old-timer deliver an eyewitness account of the crook being marched out in handcuffs. Real or not, there is a kernel of truth. An insider with access to code can modify complex systems to skim resources in ways that even a detailed audit could miss. This is always a danger.

3 See Kim Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” Wired, November 3, 2014. www.wired.com/2014/11/countdown-to-zero-day-stuxnet/ . Accessed August 2016.

4 “Total unit shipments of PCs worldwide from 2006 to 2015 (in million units),” Statista, 2016. www.statista.com/statistics/273495/global-shipments-of-personal-computers-since-2006/ . Accessed June 2016.

5 “Number of smartphone users worldwide from 2014 to 2019 (in millions),” Statista, 2016. www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/ . Accessed June 2016.

6 “Internet Users,” Internet Live Stats. www.internetlivestats.com/internet-users/ . Accessed June 2016.

7 Staff, “Fifty billion internet nodes predicted by 2020,” Electronics Weekly, January 8, 2013. www.electronicsweekly.com/news/business/information-technology/fifty-billion-internet-nodes-predicted-by-2020-2013-01/ . Accessed June 2016.

8 Susannah Fox, “51% of U.S. Adults Bank Online,” Pew Research Center, August 7, 2013. www.pewinternet.org/2013/08/07/51-of-u-s-adults-bank-online/ . Accessed June 2016.

9 Apparently, Willie Sutton did not say this, but he has often been quoted as saying it. For general background, see “Willie Sutton,” Wikipedia. https://en.wikipedia.org/wiki/Willie_Sutton . Accessed August 2016.

10 For details on his charges, see United States District Court, Southern District of New York, “United States v. Ross William Ulbricht, Indictment,” Department of Justice, February 4, 2014. www.justice.gov/sites/default/files/usao-sdny/legacy/2015/03/25/US%20v.%20Ross%20Ulbricht%20Indictment.pdf . Accessed June 2016.

11 Ryan Mac, “Living With Ross Ulbricht: Housemates Say They Saw No Clues Of Silk Road Or The Dread Pirate Roberts,” Forbes, October 9, 2013. www.forbes.com/sites/ryanmac/2013/10/09/living-with-ross-ulbricht-housemates-say-they-saw-no-clues-of-silk-road-or-the-dread-pirate-roberts/#344e84c764f2 . Accessed June 2016.

12 Nate Anderson and Cyrus Farivar, “How the feds took down the Dread Pirate Roberts,” Ars Technica, October 2, 2013. http://arstechnica.com/tech-policy/2013/10/how-the-feds-took-down-the-dread-pirate-roberts/2/ . Accessed June 2016.

13 Jim Edwards, “This Is The Physics Student And Used Book Seller Who Allegedly Ran The ‘Silk Road’ Market For Drugs And Assassins,” Business Insider, October 2, 2013. www.businessinsider.com/meet-ross-ulbricht-the-brilliant-alleged-mastermind-of-silk-road-2013-10 . Accessed June 2016.

14 Nicole Perlroth, Michael Corkery, “North Korea Linked to Digital Attacks on Global Banks,” New York Times, May 26, 2016. www.nytimes.com/2016/05/27/business/dealbook/north-korea-linked-to-digital-thefts-from-global-banks.html?_r=0 . Accessed June 2016.

15 This sidebar is not for network engineers! It is only a sketch of what goes on with IP and MAC addresses. I have intentionally simplified by leaving out some major complications, like network address translation, static addresses, and IP versions.

16 Cornell University Law School, “U.S. State Anti-Spam Laws: Introduction and Broader Framework,” LII, undated. www.law.cornell.edu/wex/inbox/state_anti-spam_laws . Accessed June 2016.

17 Fortunately, the spammer is not likely to get off. Spamming is illegal under federal law, and the spammer would probably be extradited for spamming, not the disguised address. Once the spammer arrives in Washington State, they are subject to local law and they can be nailed for the disguised address as well as spamming.

18 For the text of the convention, see “Convention on Cybercrime,” Council of Europe, November 23, 2001. www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/7_conv_budapest_/7_conv_budapest_en.pdf . Accessed August 2016.

For current status of convention ratification, see “Chart of signatures and ratifications of Treaty 185,” Council of Europe. www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures?p_auth=UQvnS5gj . Accessed August 2016.

19 See “Early NAIC Analysis Sheds Light On Cybersecurity Insurance Data,” National Association of Insurance Commissioners, June 30, 2016. www.naic.org/Releases/2016_docs/cybersecurity_insurance_data_analysis.htm . Accessed August 2014.

20 Lest anyone get sporty, filing a false or intentionally misleading report is a felony. See the sidebar, “Reporting Cybercrimes,” for more detail on reporting.

21 For more information on EC3, see “Combating Cybercrime in a Digital Age,” Europol. www.europol.europa.eu/ec3 . Accessed August 2016.

22 For more information on Interpol’s anti-cybercrime activities, see “Cybercrime,” Interpol. www.interpol.int/Crime-areas/Cybercrime/Cybercrime . Accessed August 2016.
