Cybercrime: there’s too much of it, and we need to do more to deter it. With the President of the United States now making frequent references to “doing more about cybercrime” now is a good time to look at what steps must be taken.

Cybercrime can be defined in many ways, but however you define it, I think we can all agree on two things about cybercrime: there is too much of it, and we need to do more to deter it. With the President of the United States now making frequent references to “doing more about cybercrime” now is a good time to look at what steps need to be taken. You can go directly to the steps but first I think a little context would be helpful.

For the definition of cybercrime I like this one: “crimes in which computer networks are the target or a substantial tool” (Koops, 2011). That neatly covers the long and growing list of high profile incidents that have come to light over the last 18 months, including the illegal hacking into, theft of data from, and/or denial of service attacks against: Target, Home Depot, JPMorgan Chase, Sony Pictures, Microsoft Xbox Live, Sony PSN, eBay, NSA, Adobe, Apple iCloud, and Community Health Systems.

Cybercrime prevention, deterrence, and cost

Note that this article is mainly about cybercrime deterrence, not cybercrime prevention. The latter encompasses the things that we do to protect our systems and data from criminals, things like strong authentication, encryption, and measures to detect and defeat malware. Crime deterrence is about making crime less appealing by: increasing the risk (of detection, identification, apprehension, prosecution and punishment); reducing the benefits (making it harder to profit from criminal activity); and deepening the social disdain and moral sanction that criminal activity should elicit. In terms of policy and strategy, the general idea is that combining crime prevention with crime deterrence results in crime reduction.

You might think that the reasons for seeking a reduction in cybercrime are obvious, but just to be clear: cybercrime harms companies and organizations, their customers and members, and the economy. Just ask any organization that has had to deal with a theft of personal data from its systems, or the people whose data was stolen and abused for identity theft and other crimes. There is more about the financial impact of cybercrime in Step 6 where I talk about our failure to measure the cybercrime problem.

Six steps to cybercrime deterrence

I am not under any illusions in laying out these steps. Taking them will be hard and not everyone will agree with them, particularly when moving from the general approach described here to the specifics of implementation. But I do believe now is the time to push this agenda, before the erosion of trust in networking technology undermines its effectiveness and we start to lose the benefits of its deployment. And so that we’re clear, when I say now is the time, I mean now is the time to actually do something instead of just talking about it. Let’s be honest, the right time has come and gone many times in the past without sufficient action being taken, but we can address that lack of commitment elsewhere. Here is what we need to do now:

1. Apply international pressure

Cybercrime should not be tolerated by any country. Any country that turns a blind eye to cybercrime should be sanctioned by the international community. Efforts to fight cybercrime should be encouraged with aid, but failure to cooperate with international efforts against cybercrime should be considered grounds for withholding or reducing aid in general.

Requests for aid should have cybercrime strings attached, for example, in March of 2014, two U.S. senators proposed a cybercrime amendment to the Ukrainian Aid bill. While this amendment did not pass, I think Senators Mark R. Warner (D-VA) and Mark Kirk (R-IL) were on the right track in pursuing U.S.-Ukraine bilateral talks on cybercrime cooperation and “the establishment of a standing senior-level working group” to:

conduct regular dialogue on cybercrime, explore opportunities to build-up the capacity of countries to combat cybercrime in cooperation with law enforcement agencies, and develop improved extradition procedures between them.

We should be pursuing similar relationships among more countries where they don’t currently exist. Why? Because cybercrime is notoriously location-independent. Perpetrators in Country A can victimize targets in Country B with relative impunity if Country A does not have both a strong anti-cybercrime program and a willingness to cooperate with Country B to bring perpetrators to justice.

2. Adjust national priorities

To set a good example, the United States and other countries should make the fight against cybercrime a priority, in reality and not just in public statements. More resources must be committed to identifying, apprehending, and prosecuting cyber criminals, whoever they are and wherever they are located (and just to be clear, too many of them are Americans, located in America).

Violent crime and crimes against property are at historic lows in America and the U.K. The abuse of network technology is at an all time high. Allocation of law enforcement resources should take this into account. On one end of the scale, it is simply unacceptable that the perpetrators of the 2013 Target breaches are still unidentified, unindicted, and at large. At the other end of the scale, it is just not right that law enforcement tells so many Americans that their experience of cybercrime is not damaging enough to be investigated.

At the same time that law enforcement efforts are stepped up, we need to discourage the prosecution of trivial “technical fouls” of the kind epitomized by the cases against Andrew Auernheimer and Aaron Swartz. Thankfully, the White House seems to understand this because it is talking about modernizing the Computer Fraud and Abuse Act “by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.”

Additionally, there are interersting proposals to “criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers.” While it would seem obvious that such activity is illegal, the more clearly it can be spelled out in law, the easier it will be to make the case to other countries if their citizens have engaged in that activity. Other presidential proposals that represent steps in the right direction include, and essentially I’m quoting from the above linked press release:

expanding federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, giving courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity, updating the Racketeering Influenced and Corrupt Organizations Act (RICO) so that it applies to cybercrimes, clarifying the penalties for computer crimes, and making sure these penalties are in line with other similar non-cyber crimes.

3. Catch more perpetrators faster

It might strike you as blindingly obvious that we need to catch more cybercrime perpetrators faster, but there is a reason I have called this out. The range of measures available to deter criminals includes increasing sentences for those convicted, increasing the probability of being convicted, and increasing the speed with which criminal acts are punished. In the academic study of crime, known as Criminology, there has been a lot of research into which of these measures are most effective in deterring criminal activity.

When interviewed, many criminals say that stiff sentences don’t enter into the equation when they think about committing a crime. Why? Because most criminals don’t think they will get caught. In part, that may due to the immaturity of many offenders, giving them that sense of invincibility that youth inflicts (see Step 4), but regardless of the reasons, there is strong, well-researched support for the following assertion:

“…there is little evidence that increases in the severity of punishment yield strong marginal deterrent effects….By contrast there is very substantial evidence that increases in the certainty of punishment produce substantial deterrent effects” (S. N. Durlauf and D. S. Nagin, 2011).

In other words, while it might be good to make sure that cyber crimes carry sentences which reflect the great harm they inflict on people and society, stiffer sentences alone won’t do much to deter criminals unless we catch more of them faster. And that requires not only better use of current resources, but also, in my opinion, additional resources dedicated to catching cyber criminals.

(Note: criminological research on deterrence has typically addressed physical crimes like burglary and robbery; if you know of any studies comparing the relative efficacy of cybercrime deterrence measures please let me know because I have yet to find any.)

4. Teach cyber-ethics

Teaching cyber-ethics is not the same as security awareness and education. While I am a keen advocate of security awareness and education as a way to prevent crime, I see cyber-ethics as an essential part of cybercrime deterrence. We need to be teaching children, starting at a very young age, to shun all forms of cybercrime, from making illegal copies of software to stealing user names and passwords and trespassing into systems that don’t belong to you. Adding cyber-ethics to the elementary school curriculum may seem like a long shot, but I suggest there are significant immediate as well as long term benefits:

Teachers and parents will gain a better understanding of the implications of their own cyber activities. Right now, many children see their parents behaving unethically in cyberspace, for example, ignoring the property rights of others. Children will enter their “at risk” years with a clearer understanding of right and wrong in cyberspace. Countless crime studies tell us that the teenage years are when children are at greatest risk of deviance, that is, engaging in illegal activities; but children with strong moral guidance from family and school are less likely to engage in deviance, or if they do, far more likely to abandon it relatively quickly. Society as a whole will be moved closer to a zero tolerance of cybercrime. We need to leave behind the notion that criminal hacking is harmless and somehow cool. We need to stop snickering when we hear that Johnny hacked the school network to change his grades; Johnny and his parents need to be severely sanctioned, something that cannot be done fairly if nobody ever explained to them why that is so wrong.

There have been initiatives in this space before, for example, my good friend Winn Schwartau put together an excellent computer ethics teaching aid; but that was more than a dozen years ago, a call to action that went unheeded because of America’s seemingly perpetual lack of commitment to address the problem of cybercrime. Hopefully, more people can now see that the problem will just get worse unless we step up and act.

5. Improve opportunities in developing countries

The old saying that idle hands are the devil’s playthings also applies to hacking skills. If more people have them than there are jobs in which to employ them, those “skillz” are apt to be misused. That was plain to see in Peter Kruse’s research on the Moroccan Phishing cluster, presented at Virus Bulletin 2013. And in the research of Brian Krebs for Spam Nation, where the employment opportunities for Russian programmers were seen to range from malware creation to legitimate software development based on a variety of factors.

What many policymakers have a hard time understanding is that there can be a shortage of qualified candidates for cybersecurity jobs in America (L. Ablon, M. Libicki, and A. Golay, 2014) at the same time that there is a surplus of people with hacking skills in developing countries. The main reason for this is that the Internet is a uniquely self-documenting phenomenon. A teenager with a cellphone in any country can learn basic Internet hacking skills from the Internet but is unlikely to be able to find a job where cyber skills can be put to positive use.

6. Measure the problem

As I have written elsewhere, one measure of commitment to solve a problem is the efforts made to measure the problem. Consistent efforts to objectively measure the problem of cybercrime are notable by their absence or inadequacy in the English-speaking world. I would argue that this seriously hampers policy-making and budget-setting. Making the case for more resources to fight cybercrime requires solid evidence of the scale and scope of the problem. Unfortunately, while the U.S. Department of Justice catalogs physical crimes in great detail, it has only produced one study of cybercrime in the last 10 years: Cybercrime against Businesses, 2005. That study was described as “the first report to provide data on monetary loss and system downtime resulting from cyber incidents.” Sadly, it was also the last.

In 2014, in response to my inquiries, the National Criminal Justice Reference Service stated: “At this time, we do not have any information about any additional reports on this topic becoming available in the future”. When asked for more recent data, the agency refers people to the following report: US Cybercrime: Rising Risks, Reduced Readiness Key Findings from the 2014 US State of Cybercrime Survey. That report was produced by PricewaterhouseCoopers LLP, a Delaware limited liability partnership, and while a for-profit company may be able to conduct an objective study of cybercrime despite being engaged in the marketing of cybersecurity services, relying on such studies to make public policy is fraught with problems. For example, arguments in favor of increased funding for cybercrime deterrence may be attacked if they are based on data supplied by parties who are vulnerable to accusations of inflating data to drum up business.

Several quasi-governmental cybercrime reports have appeared in the past, notably the CSI/FBI report, but its 15 year run ended in 2011. One report that has appeared annually since 2001 is the Internet Crime Report from IC3, the Internet Crime Complaint Center, which works with the FBI. Cataloging complaints reported by victims, the IC3 report has documented the rapid rise of fraud that has an online component (with reported losses totaling $782 million in 2013). Useful as this report is, its geographic boundaries are not entirely consistent, and it is certainly not a full accounting of cybercrime in the U.S. or the wider world. My best guess is that the global cost of cybercrime lies somewhere between the $225 billion estimated in 2010, with major caveats, by A. Anderson et al. in “Measuring the cost of cybercrime”, and the $400 billion cited in 2013 by the good folks at McAfee’s Center for Strategic and International Studies as their high end estimate of the economic impact of cybercrime and cyber-espionage.

What’s next?

Hopefully, there will now be a flurry of activity in D.C. and other world capitals as politicians and policymakers act on these suggested steps to reducing cybercrime. As we wait for the word to spread, the President’s State of the Union address this evening may offer more details about his plans for cybercrime deterrence. If so, we will post commentary here on We Live Security. After that, there will be the small matter of passing legislation, increasing budgets, and setting aside inter-agency rivalries so that we can all pull together to stamp out cybercrime. (I am aware that there are alternative scenarios, but frankly I don’t have the stomach to consider them right now.)

References:

Ablon, L., Libicki, M., and Golay, A. (2014) Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar, RAND Corporation, Santa Monica, California. Available: http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf