Policing Cybercrime: A 21st Century Challenge (Part II)
This blog was written to accompany a guest lecture for "Understanding Policing", a Criminology module at Swansea University. It is written in two parts: part 1 explains what cybercrime is (context); part 2 discusses the challenges of policing cybercrime (what students should focus on). This blog should not be construed in any way as legal advice!
Part 2 - Seven challenges of policing cybercrime
While there is a wide variety of cybercrime(s) as described in part 1 of this blog, some challenges are common to the policing of cyberspace more generally. Below I elaborate on some of the most pressing I have identified to date. These include 1) the volume of cybercrime, 2) the under-reporting of cybercrime, 3) its cross-jurisdictional nature, 4) the anonymity with which criminals can operate, 5) the pace of technological change, 5) the low risk and high reward associated with committing cybercrime, 6) the challenges of inter-agency work and 7) the impact of state actors.
Each of these will be explored in more detail below.
The large volume of cybercrime experienced by victims in the UK is evidenced by the results of the Crime Survey for England and Wales (CSEW). The CSEW indicates that the volume of fraud and computer misuse offences combined is roughly equivalent to all other crime combined (ONS 2017). More specifically, based on the CSEW survey results, the Office for National Statistics estimates that individuals experienced approximately 12 million crime incidents in the year ending September 2016 (Ibid.). Of these, 3.6 million were fraud (over half of which was committed online) and about 2.0 million were computer crimes (Ibid.). This large volume of cybercrime could lead to a demand for policing and victim services well beyond current capabilities. However, it is important to note that not every crime is the same: these big numbers hide qualitative differences between serious and petty crime, between crime that leads to considerable harm and crime that has little to no impact. If you remember from part 1 of this blog, “hacking” constitutes a broad offence and every phishing email you receive is technically an instance of fraud! As such, the greatest challenge for policing may be identifying the cases that represent serious and organised criminality, as well as those associated with victims who are especially vulnerable. Responding to cybercrime will therefore require effective prioritisation, recording and case selection.
Reporting of cybercrime has considerably improved with the introduction of the National Reporting Centre “Action Fraud”. In fact, as the implementation period for Action Fraud was completed (2010-2013), the number of annual reports rose from 72,314 in the year ending March 2009 to 521,918 in the year ending March 2014, an increase greater than sevenfold in the space of 5 years (ONS 2017a). However, the CSEW still demonstrates the degree to which cybercrime goes under-reported in comparison with other crime types. The most recent data indicates that only 6.2% of computer crimes and 17.8% of fraud were reported to the police via Action Fraud (ONS 2017b, Table E7, Experimental Statistics). In comparison, 50.2% of all theft was reported to the police in the same period (ONS 2017a, Tables A1 and A4). In addition, the Cyber Breaches Survey conducted by DCMS found that businesses tend not to report breaches to external organisations (private or public). Just over four in ten (43%) reported their most disruptive breach outside their organisation (Klahr et al. 2017). Most commonly, external reports were made only to an outsourced cyber security provider, e.g. to enable them to make repairs. Only a quarter (26%) of the most disruptive breaches were externally reported to anybody other than a cyber security provider (Ibid.). Among those, the most common places to report the breach were to a bank, building society or credit card company (28%), followed by the police (19%) (Ibid.). As such, we can confidently say that only a small proportion of cases are reported to the police by both individuals and business victims.
Time and space are said to be “compressed” in cyberspace. In this context, cybercrime is by its very nature cross-jurisdictional, with victims and perpetrators often located across the globe. The lack of jurisdictional boundaries causes issues 1) where different countries’ legislation is misaligned and 2) where law enforcement agencies need information/evidence to be shared from other jurisdictions.
One example of where different laws can create problems was the case of the “ILOVEYOU” virus, a computer worm that attacked tens of millions of Windows personal computers in the early 2000s. The virus spread as an email message which originated in the Philippines. Within five days, “one tenth of the world's mail servers were down” (Meek 2000) and the outbreak was later estimated to have caused between US$5.5–8.7 billion in damages worldwide (e.g. Ohlson 2000). The attack was traced back to two young Filipino computer programmers, one of whom was arrested and the other charged in absentia. However, as there were no laws in the Philippines against writing malware at the time, all charges against both men were dropped by state prosecutors. In addition, as they committed no crime in the Philippines, the “double criminality” principle meant they could not be extradited to face trial elsewhere.
At the same time, the sharing of information and evidence across national borders can be a lengthy and costly process. Most case studies of successful cybercrime investigations will highlight that sharing evidence across jurisdictions is key to the investigation / prosecution of cybercrime (and, increasingly, all crime, as digital evidence is often held on servers in foreign countries). Mutual Legal Assistance Treaties (MLATs) set out the processes by which this data can be accessed by the police, but these have been deemed to be too slow to be effective. For example, for data that Facebook stores on its Irish servers, Germany would have to rely on Irish authorities to request data from Facebook regarding an apprehended suspect. As digital evidence can be easily destroyed or tampered with - even where it is held within jurisdiction (e.g. a locked Gmail account hosted on US servers and belonging to a US suspect) - the time it takes to share evidence through MLATs can be a hindrance to investigations.
Governments and law enforcement agencies across the world have attempted to meet this challenge by developing international agreements to harmonise legislation (i.e. making sure certain online behaviour constitutes a criminal offence across jurisdictions). A key example of this is the Council of Europe’s (CoE) Convention on Cybercrime, also known as the Budapest Convention, as it was first signed there in 2001. To date, the convention has been ratified by 56 countries and signed by another 4 (where it is awaiting ratification by the respective national parliaments), and a further 11 countries have been invited to join (Seger 2018). Furthermore, over 20 countries have legislation largely in line with the convention and over 45 are presently developing cybercrime legislation by drawing on convention provisions (Ibid.). In addition, both the CoE and the European Commission are actively developing new legal instruments to enable the more effective sharing of digital evidence.
Where encryption technology is used and where crime is committed on or facilitated by the “Dark Web”, law enforcement will have to mobilise costly resources and expertise in order to investigate crime. A good example of this would be the recent case of Matthew Falder, the prolific sex offender who victimised children for 8 years before a 5-year international investigation was successful in identifying him as the perpetrator. His success at evading law enforcement efforts was in large part due to his use of encryption technology and the fact that much of his activity was on Dark Web forums. On the other hand, he was caught because he made mistakes - which arguably is how most criminals are caught.
Pace of tech change
Where law enforcement are successful in investigating cybercrime, it is likely that criminals will move on to other technologies (and learn from the mistakes of their predecessors, such as Matthew Falder above). In the latest episode of the Cyber Law & Security Podcast, my co-presenter Dr. Patrick Bishop pointed out that this has always been the case - after all, when fingerprinting technology became available, criminals started to use gloves. However, the pace of technological change and the growth of Information and Communications Technology (ICT) is such that it is likely to continue to create difficulties for law enforcement. Dark markets such as the infamous Silk Road and more recently Hansa and AlphaBay have been shut down as a result of international police operations. These cases illustrate that it is possible to investigate and successfully disrupt illegal activity online. However, researchers have argued that criminal organisations learn, and that the markets and the technology they depend on simply evolve to avoid detection (Horton-Eddison 2017).
Low risk, high reward? Easy to enter the world of cybercrime
Related to the above is the ease with which people can become cybercriminals. On the one hand, the availability of cheap computers and “off the shelf” malware (available for purchase from internet forums) means individuals need not be particularly gifted coders to become cybercriminals. On the other, the limited number of investigations and prosecutions means that the likelihood of being caught is limited. As such, the return on investment can be great for cybercriminals. In addition, cybercrime is a relatively low-risk activity in itself, when compared to other crime areas. In contrast to most other crime types, cybercriminals can operate from the safety of their own home, without being exposed to physical harm or social sanction. Altogether, this means that, at least for now, cybercrime pays, and pays well.
Inter-agency working & collaboration
The cross-jurisdictional or a-territorial nature of cybercrime, along with the pace of technological change previously mentioned, means that law enforcement have to coordinate with multiple organisations to investigate cybercrime: other police forces nationally, police forces in other countries and private sector organisations. Just in the two examples discussed in the lecture (Raphael Gray and Matthew Falder) I was able to identify the following organisations as having played a part in the investigation to some extent: FBI, Canada's Royal Mounted Police, Dyfed Powys Police, CPS, National Crime Agency, Europol, US Homeland Security, Microsoft, Gumtree and GCHQ. In addition, security goes much beyond traditional “public policing” and law enforcement has to rely on the data and expertise of the private sector, such as financial institutions, technology companies etc. However, these multi-agency partnerships will inevitably lead to tensions, conflicts of interest and competing priorities. As a result, police operations may be hindered (as well as helped) by the necessities and compromises required for partnership work. As criminologists, one of the important contributions we can make is to seek to understand how and whether these “security assemblages” (Schuilenburg 2017) work in the public interest.
The impact of state-actors?
Cybercriminals come in many shapes and forms, ranging from the so-called “script-kiddies” to organised crime enterprises and even state-sponsored attackers. The WannaCry virus, for example (which impacted on the UK National Health Service), has been hypothesised as a Russian attack on Ukraine. There has also been considerable conjecture that the infamous Stuxnet attack on Iranian power plants may have been carried out by Western state actors. However, given the difficulties of "attribution", i.e. identifying who is responsible for cyber attacks, the impact and capabilities of states to attack each other remain difficult to measure.
There can be no doubt that cybercrime presents new and developing challenges for policing. Some of these challenges were identified and discussed above. However, in understanding what they are, we can start to envisage ways in which we may tackle and overcome them. The table below summarises the challenges discussed above and suggests a few places where we may wish to start our quest for solutions.
Horton-Eddison, M. (2017). Updating Escrow: Demystifying the CDM multisig process.
Klahr, R., Shah, J. N., Sheriffs, P., Rossington, T., Pestell, G., Button, M., & Wang, V. (2017). Cyber security breaches survey 2017, Main report: Department for Culture Media and Sport (DCMS).
Meek, J. (2000, 5 May). Love bug virus creates worldwide chaos, The Guardian. Retrieved from https://www.theguardian.com/world/2000/may/05/jamesmeek
Ohlson, B. K. (2000, 9 May). 'Love' virus costs approaching $7B, research firm says, Computerworld. Retrieved from https://www.computerworld.com/article/2594882/it-management/-love--virus-costs-approaching--7b--research-firm-says.html
ONS (2017). Crime in England and Wales: year ending Sept 2016. Statistical Bulletin, Office for National Statistics. Retrieved from https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/yearendingsept2016
ONS (2017a). Crime in England & Wales, year ending September 2016 - Appendix tables.
ONS (2017b). Crime in England and Wales: Experimental tables.
Schuilenburg, M. (2017). The Securitization of Society: Crime, Risk, and Social Order (2nd ed.): NYU Press.
Seger, A. (2018). Strengthening the rule of law in cyberspace: The framework of the Budapest Convention on Cybercrime. Paper presented at the Joint Conference on Cybercrime, Eurojust, The Hague, Netherlands. https://www.coe.int/en/web/cybercrime/judicial-cooperation-in-cybercrime-matters-international-joint-conference