The Age of Cybercrime

Cybercrime is the soft underbelly of the information age.

Photo by Jp Valery on Unsplash

The 2017 WannaCry cyber-attack that impacted 150 countries, disrupted businesses from PetroChina to FedEx, and sent Britain’s National Health System into turmoil, was described as a wakeup call for organizations to strengthen their security. But in 2018 organizations spent more than ever before on cybersecurity — over $110 billion, and yet major undetected data breaches, massive loss of personal information, and financial theft continue. These figures and the Wannacry attack are a sign of a larger change: the same digital tools, services, software and networks disrupting every business from bookstores to taxis and every business process from financial services to supply chains are also transforming crime. We are rapidly approaching the point where the majority of all criminal activity will be cybercrime.

However, we continue to put cybercrime in its own category as a distinct and novel form of “computer-based crime.” Many still view it as the work of mischievous hackers or specialized government operators exploiting software flaws using malware. We measure its impact in terms of data breaches, stolen passwords, and network outages. We continue to be surprised when an attack occurs, often labeling it with an amusing name or outraged that a government (the Chinese, the Russians) would resort to such tactics. This is a mistake. Cybercrime is not an information technology problem distinct from other criminal activity. It is becoming the primary law enforcement challenge of our time with grave implications for our economic wellbeing, privacy, and safety.

There are two primary reasons for the rapid rise of cybercrime. The first is that cybercrime delivers much higher returns with much lower risks for the criminal. Why place yourself in danger of physical harm from the police or a security guard when you can gain the same or higher payout from behind a screen miles away? The second reason is that today’s ubiquitous software, systems and devices are designed, developed and tested by people, and will have the inevitable flaws, unintended errors, carelessness, and even outright sabotage that are part of human nature and our work. These openings can and will be targeted and exploited by criminals in the same way an unlocked door, unguarded safe or a wrong turn down a dark alley invites trouble.

Cybercrime is not easy to stop. Throughout history crime has been a stubbornly consistent part of the human experience. In response communities established a set of protections — laws, punishments, police services, and security measures — and people followed common sense advice: stay out of bad neighborhoods, lock your doors at night, don’t talk to strangers. Crime could not be stopped, but its effects could be mitigated.

The digital world of cybercrime has put these protective systems and structures under intense stress rendering many of them ineffective or useless.In addition, the very same attributes that are drawing more and more activities online are particularly compelling advantages for criminals.

• Borderless. Today’s highly complex, interconnected communications, commerce and control systems span a global map that is almost impossible to police. Cyber criminals can be based in Russia, Eastern Europe or North Korea, launch attacks into the United States, and store passwords, personal information or funds in China or the Middle East.
• Scalable. The same vulnerabilities often exist in multiple targets, allowing cyber crimes to be replicated around the world using the same tactics. A cyber criminal that infiltrates a social network, accesses an industrial device, or gains entry to sensitive databases has thousands or tens of thousands of victims in one place. In addition, the global audience available online means criminal services such as drug dealing or murder for hire can be marketed not neighborhood by neighborhood over time but globally in an instant.
• Anonymous. The original design of the Internet as a research and military communications system provided for anonymity. This feature has become an enormous advantage for criminals. With cybercrime, there is no need to wear a mask or to hide in the shadows. There are no security camera tapes. The cyber criminal can be anyone or anywhere he or she wants to be.
• Easy. Just as mobile devices, wifi and broadband enable anyone to work from home or the local coffee shop and leverage enormous computing resources, the Internet also enables criminals to work remotely. Yesterday’s bank robber, streetwalker or blackmailer now simply needs a good Internet connection to be in business. Likewise, the proliferation of applications for every activity extends to crime, with commercial “crime-ware” applications readily available for purchase on the dark web and dedicated web marketplaces for criminal activity.

The disruptive impact of cybercrime can be seen in one of the oldest professions: prostitution has shifted online. On the demand side, anyone with access to the Internet can make a “date” through online postings, websites of escort agencies, even applications dedicated to the trade, and reviews provided like a Zagat’s guide. While the available information is limited, it also appears that as prostitution has moved online providing access to more supply with less work, prostitution has expanded as reflected in increasing levels of human trafficking now estimated to be a $150 billion “industry” worldwide.

Compounding the cybercrime problem are the unique challenges it poses to law enforcement.

• Legal jurisdiction. Even within the US, jurisdictional issues complicate enforcement. The cyber crime’s classification — the branch it falls under (criminal, civil, and regulatory), the severity of the offense, and the appropriate punishments — differ across state lines. Differences in international laws and customs magnify the problem. An act considered illegal in one country may not be deemed such in another.
• Coordination. Global coordination among law enforcement is difficult. When cybercrime victims in one country fall prey to criminals on different continents, questions arise about venue, responsible government agencies, and appropriate punishments. In addition, language and cultural barriers may further hinder coordination.
• Inexperience. Digital technologies are constantly changing and the field of cybersecurity is still relatively new. Many law enforcement agencies are inexperienced with new technologies exploited by cybercriminals, and few have focused on recruiting engineering and software talent to train in crime prevention and investigation. Government agencies still rely primarily on third party experts to research breaches, lacking comparable in-house capabilities.

We are at the proverbial tip of the cybercrime iceberg. The advantages of cybercrime are too compelling to stop. While there will be no easy solutions, the first step is to recognize that we are at the tipping point where all crime will be cybercrime.