Including online fraud in national crime figures is just the start of tackling this new type of wrongdoing, says Tim Erlin.
We live in a data-driven world, where decisions are often based on, or justified by, statistics. Not only do we use data to come to conclusions and take actions, but there are also venerable bastions of metrics that get used and reused to measure progress, like the unemployment rate, currency values, or GDP. A good statistic gathers trust. With crime in particular, we tend to measure reported incidents and rates of change. This information allows us to say things like “we’ve seen a drop in violent crime” or “these policies have created a measurable decrease in robberies”. Those are positive changes, but they’re preceded by negative changes. In other words, an increase in crime rates produces calls for action, funding, and changes in policy.
This is where we run into a problem with cybercrime. It’s generally not included in overall crime statistics. It’s treated as separate, by politicians, the media and ultimately law enforcement. The prefix ‘cyber’ is used to distinguish and soften what amounts to a significant type of very real crime, with very real-world impacts. It’s not cybercrime; it’s just crime, and it’s time to stop treating it like a second-class citizen.
This forced separation we experience with cybercrime is ultimately the result of the layers of abstraction between the cybercrime so-named and the very real monetisation of that crime. While cyber attacks that result in physical destruction may be exempted from this explanation, the distance between the theft of a credit card number or healthcare record and the criminal monetisation of that act can be vast. It is rare that the individual or organisation actually perpetrating the data theft is the same as the entity at the end of the monetisation pyramid. There’s a whole underground economy involved in turning that stolen data into profit.
While I paint a picture of stark contrasts, it’s not really that black and white. In fact, cybercrime is tracked in a number of ways, both privately and publicly. There are countries like India, Australia and, as of a few weeks ago, England and Wales, that do include cybercrime in their publicly published crime statistics. There are many others that don’t, however. The United States is one of them, and while the FBI has been instrumental in developing any number of cybercrime-related initiatives, it’s still treated as fundamentally different from physical crime. The result is that cybercrime doesn’t have the visibility it deserves in informing policy decisions.
So what needs to change? A key issue is education. One of the primary means to gather crime statistics is through police reports, but many people wouldn’t know if they were cyber-attacked or that they could (or should) report such things. We all know how to reach emergency services in the event of a traditional physical crime, but who would think to call 999 when their computer is infected with malware? What would that emergency operator actually do? I’m not suggesting that the 999 emergency service start taking tech support calls, but I am suggesting that cyber attacks are crimes, for which there should be nationally organised standard response mechanisms. If someone steals my wallet, I call the police. If someone steals my Google wallet, I should be able to call the police.
Another problem that needs to be addressed is the skills gap in law enforcement. It’s not as simple as getting people to report cybercrimes; your average local police service simply isn’t staffed or skilled to handle that change. We’ve seen specialised law-enforcement agencies, like the FBI, develop these skills, but they’re largely targeted at the top end of the cybercrime economy. That’s entirely appropriate, but also opaque to the average citizen. How many breach notices have you read that talk about cooperation with the FBI, and then offer free credit reporting?
In order to change the status of cybercrime fundamentally, we need to evolve a cybercrime law enforcement service for the average citizen.
Any changes start and end with standardised public reporting of cybercrimes as crime, by both individuals and corporations. When we start comprehensively gathering the data we have, we can inform policy decisions more effectively. By changing policy to align with the world we live in, we can more effectively gather relevant and accurate data. There are any number of technological challenges involved in this process, but we shouldn’t let the perfect be the enemy of the good.
Tim Erlin is a director, security and IT risk strategist for cyber-security specialist Tripwire (www.tripwire.com).