For as long as laws have existed, so has crime. Depending on your religious outlook, you could say it began with Cain and Abel. The comprehensive recording of UK crime (and learning its lessons) goes back to 1898 – and as with Robert Peel’s Police force, was a British innovation.

For many years, crime and its detection operated in the physical realm. Police across the world are better practiced at investigating and bringing to justice traditional criminals. Look at the Hatton Garden safe deposit robbery as a case in point.

One of the earliest reported cases of computer crime goes back to 1973. Roswell Steffen, a bank clerk from New York, was found guilty of embezzling US$1.5m by ‘manipulating account data in the bank’s computer’. But Steffen is an anomaly. It was only 26 years ago that computer crime was even recognised with its own category (it was classified as a form of fraud). And only the UK Computer Misuse Act of 1990 started the legal process of codifying ‘CyberCrime’.

This is in fact remarkably prescient: computer misuse in 1990 was still a case of tweaking private networks. Few people had the opportunity to do this. Little could the authorities know that within a decade, the web would bring connectivity to the masses and across borders, making hacking a sport for all.

Today, authorities are constantly playing catch-up with cyber-criminals, and the opportunities to commit digital crime will increase exponentially alongside businesses rushing to connect their products to the Internet of Things.

This won’t change; indeed, the concept of policing the internet is perhaps arcane. 6 out of 10 Britons say they have been targeted by scams in the past year, and some retail experts feel that an insurance regime (where crime is just a cost of doing business), rather than attempting resolution, might be a better answer.

Equally, scams are only the tip of the iceberg. The breadth of computer crime includes cyberterrorism, industrial sabotage (take a look at Stuxnet) and piracy, along with the many consumer-facing scams like Advanced Fee frauds and Chargeback frauds, or the current insidious trend, Ransomware. Less publicised but just as important is the social differential of cybercrime. Older people are particularly vulnerable, and hard-pressed law enforcement communities are ill-equipped to help them. There is also a rich seam of ‘romance frauds’ which may be funny to the well-informed, but are in fact again an abuse of the vulnerable.

A perfect storm of trends is fuelling digital crime:

  • An exponentially increasing number of devices, internet connections and bandwidth: we are entering an “always connected” developed world
  • Classic crimes moving online (e.g. fraud to phishing) because it is easier and more scalable to run a scam online than to attempt to burgle banks
  • Online crime is certainly faceless, often perceived by many as digital and therefore victimless, and still very much “white collar”
  • Software operates on a “Minimum Viable Product” basis to remain profitable; in other words, launch first and fix later. Even top manufacturers are patching and enhancing as they go. Similarly, the threat landscape is never static: cybersecurity is a trench war of many individual battles
  • The “Magnification of Capabilities and Consequences”, i.e. cybercrime operates at scale. Whilst fixes can be rolled out quickly, a single attacker can have a magnified effect by harming many users in seconds
  • Attribution is exceptionally hard: an eleven-year-old in a Cyber Café is often as well resourced as state actors

We live in a Post-Westphalian age, in which physical borders are more porous, but our virtual borders have to all intents and purposes evaporated completely. Indeed some of the most interesting digital confrontations are between non-state privateers. ‘GhostSec’, an offshoot of the libertarian digital activist group, Anonymous, is a self-described vigilante group formed to attack ISIS websites that promote Islamic extremism.

Another non-state digital privateer of note is, of course, Edward Snowden. Like Anonymous, his actions attract either praise or revulsion: he is either a free speech hero or a traitor to civilised society. Whichever side of the free speech divide you sit on, perhaps the most important fact is that Snowden is one man; the subsequent leak of the ‘Panama Papers’ – certainly not a large group effort – shows that individuals and small groups have immense power to leverage change in the digital world.

Traditional policing will continue to find it hard to challenge cybercrime. It will have to concentrate on major frauds where the opportunity for redress warrants investigation. It will also be permanently behind the technological curve.

But the technical challenge is less significant than the real issue: whether legislation and cross border agreements can keep up with the changing nature of computer crime. In a recent commencement speech to Northeastern University, US Secretary of State (and noted foreign policy expert) John Kerry said: “The future demands from us something more than a nostalgia for some rose-tinted version of the past that did not really exist in any case. You’re about to graduate into a complex and borderless world.”

Physical borders are becoming less relevant for sure. And that’s the topic of my next post. 🙂