Cybersecurity and cybercrime are intimately connected, and increasingly serious issues. If the situation is to improve, the response of our government must improve. The harms of cyberattacks are already extreme, but will increase as our world becomes even more digitally connected, and as ever more data is collected, stored, and stolen.
If cybersecurity is a now personal and corporate responsibility, fighting cybercrime is mostly a government responsibility. Better cybersecurity will not be enough to protect us, so our government — at all levels — must do better at combatting cybercrime. Government plays an essential role in protecting its citizens and residents from criminal activity and malevolent nations. It would be nice if government could eradicate all crime, but that is not possible, just as it is impossible to eradicate all rats and cockroaches. Instead, we need more effective suppression of crime, reducing it to “manageable” levels to decrease the victimization. Government reduces crime mostly through law enforcement — with deterrence, apprehension, and enforcement. (Another function of our criminal justice system is rehabilitation, but this cannot occur without apprehension.) Currently, cybercrime prosecutions are too rare, allowing cybercriminals to attack incessantly, without fear of apprehension or punishment, until even the best cybersecurity succumbs.
Securing our homes and businesses
Imagine a society where law enforcement was unable to deter burglars. Suppose police stopped responding to burglaries in-progress, stopped trying to investigate them, and prosecutors stopped bringing offenders to court. Without effective law enforcement, criminals would soon realize how risk-free and lucrative this crime has become, and the burglary rate would skyrocket. Some companies and homeowners would invest in stronger doors and locks, video surveillance, and private security guards, but many could not afford to do so. Stronger doors and burglar alarms would not eliminate burglaries, but merely slow their commission. The burglar with an infinite amount of time knowing there will be no response or consequence will eventually break into the home or business.
Warfare throughout the centuries has provided us with similar lessons—obstacles will not to stop attackers indefinitely, but merely to slow them down. What defenders have built can be climbed or broken with sufficient time, attackers can defeat moats, walls, mines, and other obstacles. Thus, the purpose of an obstacle is merely to slow the attacker until an effective response can be launched.
In our imaginary world where burglary is not prosecuted, we would turn to government try fix the problem, to start identifying and prosecuting those responsible. We would be unhappy if government denied the root of the problem and simply suggested we needed to protect ourselves with stronger locks, thicker steel doors, or other security features.
Today, police solve just over ten percent of reported burglaries. It is a distressingly low ratio yet somehow enough to keep our homes and businesses relatively safe. As a state trooper, I investigated many burglaries—all too often unsuccessfully. As a prosecutor, I learned that it requires considerable effort to litigate and achieve a just result following the arrest. The criminal justice system is inefficient, the burglary solve percentage is low, yet pursuing burglars is essential to keep the crime at bay. This type of deterrence is lacking with cybercrime.
Cybercrime enforcement is not yet effective
We cannot expect better cybersecurity defenses to solve our problems. Unlimited cybercrime attacks, if unanswered and without consequences, cannot be withstood indefinitely. The solve rate for cybercrimes is minuscule, too close to zero. Cybercrime statistics are hard to find, those that exist are not accurate because many cybercrimes are not detected, and those detected are often not reported.
Because the cybercrime solve rate is so low, these criminals face almost no risk, and are free to commit such crimes all day, week, and year long, experimenting and innovating until they steal successfully. When they find a lucrative scheme, they continue unchecked. The cybercrime economy steals hundreds of billions of dollars annually from individuals and businesses in this country, and some elite cybercriminals earn millions of dollars, often without any effective response from our government. Unlike burglary, the criminal can victimize from a distance, across international boundaries.
In the face of the onslaught of international criminal victimization of us, only a handful of prosecutions occur each year, usually the result of dedicated investigators and prosecutors. I had the good fortune to help lead one such international cybercrime prosecution which lasted nearly a decade, beginning when I was a junior prosecutor. I learned many lessons about cybercrime and cybersecurity, including that successful cases can be brought, as difficult as they are.
The solution to our cybercrime problem is to bring more quality prosecutions. The relative dearth of prosecutions compared with the infinite nature of cybercrime means there is very little risk to perpetrators. Of course, this is not a call for mindlessly increasing the mere quantity of cybercrime prosecutions. To paraphrase the legendary Robert Morgenthau, arrests and convictions are not to be treated as notches on a gun, nor to achieve bragging rights, nor press releases. Instead, each prosecution calls for a fair and impartial application of justice. We need to change the cybercriminal’s risk analysis, to teach them that their crimes have consequences. Perhaps if caught in the earlier stages of their careers, they might choose a different path. Simply put, law enforcement needs to get better at apprehending the perpetrators and bringing more cases while still ensuring the prosecutions are just. It also means properly prosecuting identity theft—cybercrime’s partner.
Recently, I was dismayed to hear a prominent prosecutor seem to minimize the importance of apprehending and prosecuting cybercriminals, while stressing the importance of cybersecurity and prevention. Few would disagree that cybersecurity and prevention are important, but law enforcement must perform its traditional duties—deter crime, apprehend and bring perpetrators to appropriate justice. Law enforcement is the only entity that can do this. If law enforcement is currently unsuccessful in suppressing these crimes, they need to find ways to improve, not pretend that enforcement won’t help, nor that cybersecurity will save us. Building a higher and thicker wall doesn’t change the fact that barbarians are on the other side, doing everything they can to get in.
Better cybersecurity is essential but does not address the root cause. Consider the two hikers being stalked by a tiger. The first hiker laces up his boots and gets ready, not because he will try to outrun the tiger, but because he simply needs to outrun his hiking companion, upon whom the tiger will feast. It’s government’s job to protect us from the tigers. We can and should improve security and fraud resistance, but that will not reduce overall crime so much as shift who the victim will be. Government has the resources and tools to catch the attackers, the general public does not.
Sometimes there is a tendency to put the “best face” on a problem, for government to tell us that it is doing what it should, that it is addressing the issue effectively. Here that is denying the real problem, and government should acknowledge that it needs to do more.
Some have said that there needs to be harsher punishment for cybercrime, but that will not save us either. The punishment imposed for convicted cybercriminals seems to be appropriate and significant these days. We need to remember that punishment, however serious it might be, cannot deter crime if the risk of apprehension is nearly zero.
Of course, we should be thankful for the many fine men and women working on law enforcement’s front lines to investigate and prosecute cybercrime as analysts, detectives, investigators, special agents, and prosecutors. Many work tirelessly to build cases, catch criminals, and achieve justice. Great cases are being made. These public servants face an unrelenting tsunami of crime, receiving inadequate pay, resisting the more lucrative private sector, doing their best under difficult circumstances, and we owe them our thanks. Unfortunately, not everyone meets their obligations on cybercrime—perhaps through inadequate training, poor motivation, or inadequate resources.
The path forward
This problem does not lie solely at law enforcement’s feet. Many cybercrimes are committed outside our borders, making investigation and enforcement extremely difficult—though not impossible. While there are legal procedures to obtain evidence and defendants from other countries, this can be slow and problematic. Critically, some countries turn a blind eye to perpetrators within their borders, and ignore money laundered into and through them. Thus, our federal government must play a greater role to obtain cooperation of foreign governments to investigate and fight cybercrime and money laundering. This means putting diplomatic and financial pressure on countries.
Fighting cybercrime requires we understand the nature of the cybercrime economy, which is diverse, innovative, and capitalistic. It means following the money, investigating money launderers, and reducing the cybercrime profits that escape our country. Most of all, it means apprehending more perpetrators—the problem will not improve until government gets better at bringing more offenders to justice.
Of course, we still need to protect ourselves and those around us. Every individual and business needs to take control of their security and privacy, assess the threats, the risks, and take reasonable precautions. Reasonable cybersecurity for the individual and organization is the new responsibility, like locking your doors at night, or putting on your seatbelt while in the car. This starts in your home for you and your family, and then you bring your knowledge and skills to your workplace. My recent book can help you with this, it’s called Cybersecurity for the Home and Office, The Lawyer’s Guide to Taking Charge of Your Own Information Security.
The criminals attacking us will not stop voluntarily, and they will not give up just because we make our walls higher. They need deterrence, apprehension, and to have their criminal profits traced and choked off. Nations who are not cooperating sufficiently also need consequences. We need our government and our elected and appointed officials to do better, and we should encourage and pressure them to do so.