Cybersecurity, Cybercrime, and Our Government
by John Bandler
Originally published on October 17, 2017, by the Huffington Post and updated here.
Cybersecurity and cybercrime are intimately connected and are serious issues. If the situation is to improve, the response of our government must improve. The harms of cyberattacks are already extreme, but will increase as our world becomes even more digitally connected, and as ever more data is collected, stored, and stolen.
Properly fighting cybercrime requires government action
Fighting cybercrime is mostly a government responsibility. All sectors play important roles for cybercrime investigation, but only government has certain tools that are necessary to investigate, prosecute, punish, and deter offenders, and nation-states that harbor them.
Cybersecurity is a now personal and corporate responsibility. But better cybersecurity will never be sufficient to protect us all. This means government — at all levels — must do better at combatting cybercrime. Government plays an essential role in protecting its citizens and residents from criminal activity and malevolent nations. It would be nice if government could eradicate all crime, but that is not realistic. Crime will always be lucrative, and there will always be humans willing to victimize others. Instead, we need more effective suppression of crime, reducing it to “manageable” levels to decrease the victimization. Government reduces crime mostly through law enforcement — with deterrence, apprehension, and enforcement. Another function of our criminal justice system is rehabilitation, but this cannot occur without apprehension.
Currently, cybercrime prosecutions are too rare, allowing cybercriminals to attack incessantly, without fear of apprehension or punishment, until even the best cybersecurity succumbs.
Securing our homes and businesses
Imagine a society where law enforcement was unable to deter burglars. Suppose police stopped responding to burglaries in-progress, stopped trying to investigate them, and prosecutors stopped bringing offenders to court. Without effective law enforcement, criminals would soon realize how risk-free and lucrative this crime has become, and the burglary rate would skyrocket. Some companies and homeowners would invest in stronger doors and locks, video surveillance, and private security guards, but many could not afford to do so. Stronger doors and burglar alarms would not eliminate burglaries, but merely slow their commission. A burglar who knows there will be no response has an infinite amount of time to break through the locks and doors. A burglar who knows there will be no consequence has nothing to fear.
Warfare throughout the centuries has provided us with similar lessons—obstacles do not to stop attackers forever but merely to slow them down. What defenders have built can be climbed or broken with sufficient time. Attackers can defeat moats, walls, mines, and other obstacles. Thus, the purpose of an obstacle is merely to slow the attacker until an effective response can be launched.
In our imaginary world where burglary is not prosecuted, we would turn to government try fix the problem, to start identifying and prosecuting those responsible. We would be unhappy if government denied the root of the problem and simply suggested we needed to protect ourselves with stronger locks, thicker steel doors, or other security features. We would be unhappy if government suggested we needed to rely on the ethics and goodwill of the burglars to see the error of their ways and stop their attacks.
Today, police solve just over ten percent of reported burglaries. It is a distressingly low ratio yet somehow enough to keep our homes and businesses relatively safe. As a state trooper, I investigated many burglaries—all too often unsuccessfully. As a prosecutor, I learned that it requires considerable effort to litigate and achieve a just result following the arrest. The criminal justice system is inefficient, the burglary solve percentage is low, yet pursuing burglars is essential to keep the crime at bay. This type of deterrence is lacking with cybercrime.
Cybercrime enforcement is not yet effective
We cannot expect better cybersecurity defenses to solve our problems. Unlimited cybercrime attacks, if unanswered and without consequences, cannot be withstood indefinitely. The solve rate for cybercrimes is minuscule, too close to zero. Cybercrime statistics are hard to find, those that exist are not accurate because many cybercrimes are not detected, and those detected are often not reported.
Because the cybercrime solve rate is so low, these criminals face almost no risk, and are free to commit such crimes all day, week, and year long, experimenting and innovating until they steal successfully. When they find a lucrative scheme, they continue unchecked. The cybercrime economy steals hundreds of billions of dollars annually from individuals and businesses in this country, and some elite cybercriminals earn millions of dollars, often without any effective response from our government. Unlike burglary, the criminal can victimize from a distance, across international boundaries.
In the face of the onslaught of international criminal victimization of us, only a handful of prosecutions occur each year, usually the result of dedicated investigators and prosecutors. I had the good fortune to help lead one such international cybercrime prosecution which lasted nearly a decade, beginning when I was a junior prosecutor. I learned many lessons about cybercrime and cybersecurity, including that successful cases can be brought, as difficult as they are. But I also know how many crimes were committed, and how many offenders I lacked the resources to pursue.
Better investigation is needed
The solution to our cybercrime problem is to bring more quality prosecutions. The relative dearth of prosecutions compared with the infinite nature of cybercrime means there is very little risk to perpetrators. Of course, this is not a call for mindlessly increasing the mere quantity of cybercrime prosecutions. To paraphrase the legendary Robert Morgenthau, arrests and convictions are not to be treated as notches on a gun, nor to achieve bragging rights, nor press releases. Instead, each prosecution calls for a fair and impartial application of justice. We need to change the cybercriminal’s risk analysis, to teach them that their crimes have consequences. Perhaps if caught in the earlier stages of their careers, they might choose a different path. Simply put, law enforcement needs to get better at apprehending the perpetrators and bringing more cases while still ensuring the prosecutions are just. It also means properly prosecuting identity theft—cybercrime’s partner.
Cybersecurity protects individuals but does not stem the cybercrime tide
In 2017 I heard a prominent prosecutor minimize the importance of apprehending and prosecuting cybercriminals, while stressing the importance of cybersecurity and prevention. Everyone can agree that cybersecurity and prevention are important, but law enforcement cannot abdicate its important and traditional duties—deter crime, apprehend and bring perpetrators to appropriate justice. Law enforcement is the only entity that can do this. If law enforcement is unsuccessful or unmotivated to suppress these crimes, they must improve themselves. They cannot pretend that enforcement doesn't help, or that cybersecurity will save us. Building a higher and thicker wall doesn’t change the fact that attackers are on the other side, doing everything they can to get in.
Better cybersecurity is essential but does not address the root cause. Consider the two hikers being stalked by a tiger. The first hiker laces up his boots and gets ready, not because he will try to outrun the tiger, but because he simply needs to outrun his hiking companion, upon whom the tiger will feast. It’s government’s job to protect us from the tigers. We can and should improve security and fraud resistance, but that will not reduce overall crime so much as shift who the victim will be. Government has the resources and tools to catch the attackers, the general public does not.
Sometimes there is a tendency to put the “best face” on a problem, for government to tell us that it is doing what it should, that it is addressing the issue effectively. But here that is denying the real problem, and government should acknowledge that it needs to do more.
Some have said that there needs to be harsher punishment for cybercrime, but that will not save us either. The punishment imposed for convicted cybercriminals seems to be appropriate and significant these days (or was within recent history). We need to remember that punishment, however serious it might be, cannot deter crime if the risk of apprehension is nearly zero.
Of course, we should be thankful for the many fine men and women working on law enforcement’s front lines to investigate and prosecute cybercrime as analysts, detectives, investigators, special agents, and prosecutors. Many work tirelessly to build cases, catch criminals, and achieve justice. Great cases are being made. These public servants face an unrelenting tsunami of crime, receiving inadequate pay, resisting the more lucrative private sector, doing their best under difficult circumstances, and we owe them our thanks. But in general, government can do better to investigate, prosecute, and deter cybercrime.
The path forward
Fighting cybercrime requires we understand the nature of the cybercrime economy, which is diverse, innovative, and capitalistic. It means following the money, investigating cybercrime and money launderers, and reducing the cybercrime profits that escape our country. Most of all, it means apprehending more perpetrators—the problem will not improve until government gets better at bringing more offenders to justice. That is why we wrote a book on Cybercrime Investigations (published in 2020).
This problem does not lie solely at law enforcement’s feet. Many cybercrimes are committed outside our borders, making investigation and enforcement extremely difficult—though not impossible. While there are legal procedures to obtain evidence and defendants from other countries, this can be slow and problematic. Critically, some countries turn a blind eye to perpetrators within their borders, and ignore money laundered into and through them. Thus, our federal government must play a greater role to obtain cooperation of foreign governments to investigate and fight cybercrime and money laundering. This means putting diplomatic and financial pressure on countries.
Of course, we still need to protect ourselves and those around us. Every individual and business needs to take control of their security and privacy, assess the threats, the risks, and take reasonable precautions. Reasonable cybersecurity for the individual and organization is the new responsibility, like locking your doors at night, or putting on your seatbelt while in the car. This starts in your home for you and your family, and then you bring your knowledge and skills to your workplace. My 2017 book can help you with this, Cybersecurity for the Home and Office.
The criminals attacking us will not stop voluntarily, and they will not give up just because we make our walls higher. They need deterrence, apprehension, and to have their criminal profits traced and choked off. Nations who are not cooperating sufficiently also need consequences. We need our government and our elected and appointed officials to do better, and we should encourage and pressure them to do so.
This was originally published on October 17, 2017, at the Huffington Post at https://www.huffingtonpost.com/entry/cybersecurity-cybercrime-and-our-government_us_59e5fe36e4b0a741e4b35416. I reproduced it here and made minor changes and edits here to keep it current.
This page is hosted at https://johnbandler.com/cybersecurity-cybercrime-our-government, copyright John Bandler, all rights reserved.
Originally published HuffPost 10/17/2017. Updated here 3/21/2022.