“We Can’t Arrest Our Way Out”

by Jonathan Lusthaus

Given the transnational nature of cybercrime, improving international cyberpolicing efforts is one major element for reducing the threat of cybercrime. But as one law enforcement agent told me, it’s not that simple: we “can’t arrest our way out” of this situation. Just as broader crime policy involves a range of nonpolicing solutions, cybercrime policy should be no different.

First, as with traditional forms of crime, the policy community should be having discussions about appropriate sentencing and potential avenues for rehabilitation. While some “conventional” criminals are making their way into cybercrime, those who are hackers or otherwise technically skilled present an interesting case. In the past, critics have complained that sentencing for cybercriminals was too lenient in comparison to “real” crimes like bank robbery. But as sentencing has become increasingly severe in certain jurisdictions, we should be careful not to move to the other extreme. (Different countries are at different stages of this process, with some still having very short cybercrime sentences.) Meanwhile, in terms of rehabilitation, some cybercriminals do possess a versatile skill set that can be very valuable for society, and could lead to their own gainful employment doing something they enjoy. But specialists need to investigate further how such reform could work effectively without greater risks of recidivism and without incentivizing cybercrime as an entry point into the IT industry.

Second, education about cybercrime is very important. As national and global societies, we are still learning what the threat is and how best to protect ourselves. The first point all users have to accept is that the Internet is not necessarily a safe place. There are unseen people out there who want to “get us” in a variety of different ways and for different reasons. That should inform the way individuals and organizations conduct themselves. There are no hard and fast rules, but just as people might be guarded when they walk around a rough-looking area at night, users should be looking around themselves online. They should be thinking about where they visit, what they click on, what pops up, what is sent to them, and so on. Users should make sure to lock their doors—in technology terms, by having basic protections like anti-virus software, security updates, firewalls, and strong and diverse passwords—and always approach online activity with a degree of caution.

Users should also be wary of the digital footprint they leave online—what personal information they choose to disclose, and whether they really trust various companies and organizations to protect it. Cybercrime is more than technical vulnerabilities; it’s just as much about leveraging available information against victims through “social engineering” (deceiving someone into revealing private information or performing certain actions). Victims might like to think they are the target of an elite cybercriminal using the latest exploits, but many supposed “hacks” might just be the result of poor password security or someone guessing your mother’s maiden name. The more breadcrumbs users leave around for cybercriminals, the easier their job.

But education is equally important on the perpetrator side. Some face a slippery slope of involvement, starting with borderline criminal activity like software cracking to more serious activities later on. It’s not hard to see why credit card fraud might seem like a game when you started your hacking career creating “cheats” for online games. It is vitally important that younger people are taught about the reality of their actions in the virtual world. It is something that many cybercriminals often realize too late: Their victims are real, as are the consequences of illegal behavior.

One hacker and former cybercriminal I’ve met with, who made a substantial amount of money from identity theft in the 2000s but was later jailed, sees things in a similar way. Now establishing a career in the IT sector, he hopes to one day run a workshop that goes into schools and identifies those who have the “hacking mindset”—the sharpness and intellectual adventurousness that defines hackers (both black and white hat). This hacker’s view was that these youths need to be acknowledged for their unusual talents and taught about the potential positive applications for their abilities. But just as importantly, they need to be warned about the dangerous paths not to go down and the consequences of such actions for their lives and others. Otherwise, they may find their own way forward, just as he did.

Finally, we have to acknowledge the significant economic factors behind a lot of cybercrime and think about how to counteract them. Cybercrime is no longer a “middle class” crime of well-educated and privileged adolescents. As Internet access and usage has become more widespread, there are now cybercriminals from all backgrounds and demographics (though anecdotally speaking a preponderance of males). While economic drivers might not explain the involvement of those from privileged backgrounds (aside from greed), for others the venture is certainly an alternative source of income or career path.

Internationally, cybercrime is a de facto method for less economically developed nations to “outsource” some of their crime to wealthier countries. Not that they are actively promoting this process, but countries with limited economic opportunities produce a lot of crime and sometimes a considerable amount of cybercrime (Nigeria being a good example). In Eastern Europe, there is a glut of technical talent being produced, but not always the best job market to support it; cybercrime can become a promising option for those open to criminality. It is a basic supply-and-demand problem.

Of course, there are complex issues of personality, individual backgrounds, and values here too. Economics will never explain everything. At one end of the spectrum, you will always find those who will not turn to crime under difficult circumstances and have clearly determined boundaries, regardless of their financial position. At the other end of the spectrum, there are those who will engage in illegal behavior despite being in a relatively strong economic position.

For those in the middle who are simply seeking financial security, greater investment in IT industries in various countries around the world may help solve part of the problem. One interesting example in this area comes from the leading security journalist and blogger Brian Krebs, who recently spoke with a major cybercriminal in Russia. This man was perturbed by his struggles to employ high-quality coders for his criminal operation. The problem was that the Russian IT sector had recently grown and many of the skilled coders the criminal wanted to employ had taken jobs in legitimate industry. In the end, this cybercriminal even had to seek licit employment himself.

Read more about cybercrime policy in “Electronic Ghosts“.