If cyber-crime is the tier one (most serious) threat that we are told it is, and we are experiencing upwards of 2-3 million cyber-threats each year, then why have we only had 350 or so prosecutions under the UK Computer Misuse Act 1990 in the last quarter century? What causes this disparity?
The answer is actually pretty simple. Threats are not necessarily crimes and there are also many different types of cyber-crime and many different victims, offenders, regulators involved. And prosecutions are a very unreliable indicator of the success of law and the complexity of the evidence chain often means that many computer crimes are prosecuted under other laws. There is also the problem of under-reporting.
But the conundrum does raise the issue that while everybody seems to agree that cyber-crimes exist, not everybody agrees on what they are. There is a host of sometimes contradictory accounts, from equally valid sources, that each purport to offer an explanation and it’s worth taking the time to reconcile these to work out an effective response.
The debate over personal internet security is very different in substance to the debate over corporate security in terms of substance, loss and harm, as well as which policing agency should be involved. The various crime victim surveys (English & Welsh, Scottish and Eurobarometer, for example) all indicate that our individual chances of falling victim to cyber-crime, to the point that we feel harmed enough to seek help, are in the low percentages (2-7%).
Remember that it is important here to differentiate here between technical victimisation (for example, receiving an email telling you that you have won the lottery, which we tend to ignore) and incidents that cause actual harm. If you ask organisational or corporate victims if they have been victimised they will probably tell you they have not. They don’t want you to know in case you lose confidence in them, but, in truth, most will have been victimised in the many ways that organisations tend to be; through petty theft, major theft, embezzlement, frauds, extortion and so on.
Both the personal and organisational security debates are very different to the debate over national security and cyber-crime, which is where the tier one threat mainly lies. At this level the amount of victimisation is impossible to quantify as it is so tightly bound up with the politics of cyber-crime and the protection of the national infrastructure.
Technology and crime
There is also the vexed issue of whether a crime is “cyber” or not. The term cyber-crime is such an all-encompassing rubric that we need to consider the level of technological involvement in individual crimes.
At one level are the “cyber-assisted” crimes, where criminals have simply used computers to help organise them (for example researching how to kill someone or how to manufacture drugs). If you take away the internet from these crimes then they will probably still be committed (this is what I call the transformation test).
The next group is “cyber-enabled” crimes, or hybrid cybercrimes, which are established crimes in law for which the internet provides criminals with global and networked opportunities, such as pyramid-selling schemes, online scams and so on. If you take away the internet from these crimes then they still take place, but at more localized levels.
If you take away the internet from these crimes then they disappear completely. Except, of course, that you can’t take it away in practice.
As we piece together the picture, it soon becomes clear that cyber-crimes each have distinct modus operandi, covered by distinct bodies of law. At one level we have “crimes against the machine”, crimes that attack the integrity of the computer’s access mechanisms such as hacking and cracking, cyber-vandalism, cyber-spying, DDOS(distributed denial of service) attacks and viruses. In the UK, such offences are mainly covered by the Computer Misuse Act 1990 and the key source of evidence is found in the computer’s login and operating logs.
At another level lie the “crimes that use machines”, such as fraud, but also phishing or advanced fee fraud which use networked computer systems (often legitimately) to engage victims with the intention of dishonestly acquiring cash, goods or services. These crimes are covered by the Fraud Act 2006 and related legislation. The evidence is to be found in computer transaction logs and those of relevant financial systems.
Finally, there are the “crimes in the machine”. These are computer-content crimes that relate to the illegal content of computer systems. They include the trade and distribution of extreme pornographic and hate crime materials or materials that intend to deprave, corrupt or incite violence. In the UK these are covered by a range of laws including the Extreme Pornography laws (sections 63 to 67 of the Criminal Justice and Immigration Act 2008) and Hate Speech Laws, Communications Act 2003 and others. The evidence for these crimes is usually located in the computer’s main storage space.
So, the problem of cyber-crime is one of extreme contrasts. From the criminal’s point of view, why commit a high risk £50m robbery when you can commit 50m low risk £1 robberies? Most people tend to see cyber-crime as a victimless inconvenience, even though someone is cashing in.
But lumping in alleged terrorist activity and major fraud with hamfisted phishing, Russian love goddesses and Nigerian princes serves to underplay the actual threat experienced at the sharp end. A sharp end where harm to the individual, the organisation and the nation state take place and where the policing resources do not get effectively focused.
It is only by mapping out cyber-crimes that we can begin to make sense of the different accounts. We can also begin to understand the different offender profiles and the different types of resources that are required to police them, not to mention the agencies responsible, ensuring in the process that victims get the help they need and that the expectations of the public match what help is available.