Governments, private companies and individuals can all take reactive actions to counter crime in cyberspace, but there is a broad-based need to improve the general state of digital hygiene around the world in order to combat crime through prevention. In 2009, a US Senate hearing revealed evidence that upwards of 80 percent of cyber attacks could be prevented by proper system configuration and network monitoring.92 Even something as simple as downloading and installing patches for commonly used software such as Microsoft Word or Adobe Flash can have a drastic effect on the ease with which criminals can exploit the technology for malicious purposes. According to Verizon’s “2015 Data Breach Investigations Report,” for example, upwards of 99.9 percent of exploited vulnerabilities were exploited one year after the vulnerability had been disclosed and recorded in the Common Vulnerabilities and Exposures database, and thus one year after patches for the vulnerability were available.93 Simple improvements in digital hygiene can prevent a lot of criminal behaviour in cyberspace, thereby freeing up governmental and private resources that could be used to contend with more sophisticated threats.
Proper digital hygiene hinges upon the widespread availability of the information needed to keep people safe. There are several welcome efforts already at work to collect and coordinate the sharing of information and best practices across borders, such as the Global Cybersecurity Index,94 the Cyber Readiness Index95 and CyberGreen.96 Efforts of this sort need to be broadened and deepened as much as possible if cyber hygiene is to prove a truly effective preventive tool against cybercrime.
Realistically, it has to be said that currently, and in the short-to-medium term, efforts at improving digital hygiene alone will likely not be sufficient to make cyberspace safer. As a result, governments, private companies and individuals sometimes need to take steps to combat crime in a more reactive fashion. While the need for these efforts can be greatly reduced by better digital hygiene, the reactive measures themselves are proving to be only marginally effective in most cases.
In a world of sovereign states, governments have traditionally had the practical responsibility for policing society. As online crime has become a more endemic problem, governments have generally increased the resources and effort devoted to policing cyberspace. Some early successes include the apprehension of online child predators, the arrest of those involved in illegal marketplaces such as the high-profile Silk Road, and the takedown of botnets used to attack critical infrastructure. Both old-fashioned police work and the innovative use of new technologies are needed to police the Internet in the digital age.
Policing in other areas has been far less effective. State efforts to police cyberspace are usually limited by the fact that cybercrimes often span geographical jurisdictions, thus requiring international coordination and demanding more resources. Another limitation is the often significant lag between the development or reform of laws that govern what is legal or illegal online, and the pace at which the technology changes and people’s use of it shifts.
The law reform process has not sped up sufficiently, but recent moves have been made to update laws so that they protect people from online abuses, such as banning so-called revenge pornography in many US states. These are all positive steps, but they have not proceeded far enough or quickly enough. It is likely that, at least for the foreseeable future, law will always lag technology, but this does not mean governments should just accept this as unavoidable. Instead, they should make greater effort to ensure that laws react in a timely manner to challenges emerging in the digital ecosystem.
Cybercrime and cybercriminals traverse space with unparalleled speed. Cybercrime has localized victims, while the perpetrators very often reside in very different jurisdictions around the world. Finding the perpetrator of a cybercrime and getting a conviction almost always requires that various law enforcement bodies carefully coordinate their efforts. At best, this coordination will be within a single country, with local law enforcement coordinating with subnational and national police services. Often, however, the coordination will have to be across national borders. Law enforcement agencies need to better recognize that cybercrime very often cannot be dealt with locally and will cross into other organizations’ or countries’ jurisdictions. Formal procedures for facilitating coordination, such as deciding on a basic rule regarding the organizational lead in an investigation, are essential. Broadening participation in positive efforts such as Interpol’s I-24/7 data exchange initiative would go a long way toward improving the ability of law enforcement to apprehend cybercriminals across borders.
In response to these challenges, governments have been increasing both national and international coordination, devoting more resources to combatting cybercrime — often establishing dedicated units to do so — and seeking reform of the mutual legal assistance treaty (MLAT) process.
Overwhelmingly, cybercrime spans borders. MLATs are meant to assist nations that need to pursue a criminal across national boundaries. In today’s world, MLATs are cumbersome and can take up to a year to complete, even if one excludes the applications rejected because of process issues. Requests for assistance are often thwarted by a lack of compatible legal requirements in the corresponding countries. To take one example, unless required to do otherwise, most ISPs only retain data for between six months and one year, which means that the data a government is looking for might be deleted even before the MLAT process is completed. The inefficiency of MLATs is a serious impediment to law enforcement’s efforts to combat cybercrime. Governments need to work to reform the process so that seeking legal assistance from other states is easier, more transparent and faster.
Law enforcement is at the front line in combatting cybercriminals, but law enforcement agencies remain woefully under-resourced and often lack the skills and training needed to effectively contend with sophisticated online criminals. Without additional resources, law enforcement agencies will find it difficult to bring the necessary capacity to bear upon the problem at hand.
Recommendation: Apprehending criminals across national borders remains a difficult challenge. Governments should never purposefully shelter those that have been linked to the commission of cybercrimes.
Recommendation: The transborder nature of many significant forms of cyber intrusion curtails the ability of the target state to indict, investigate and prosecute the individuals or organizations responsible for that intrusion. States should coordinate responses and provide mutual assistance in order to curtail threats, to limit damage and to deter future attacks.
Combatting cybercrime would be far simpler if all nations agreed upon some basic definitions of online criminal behaviour and harmonized their national laws to ensure that as many jurisdictions as possible had comparable laws. One early effort in this regard was the Budapest Convention on Cybercrime. Now in force in 48 countries stretching from Europe to the Americas, Africa, the Caucasus and the Pacific, the convention goes a fair way towards making cybercrime illegal in all jurisdictions. However, several states that have an active cybercrime element are not parties to the treaty. Current signatories should expand their efforts to make the Budapest Convention more inclusive, in order to improve government cooperation on combatting the scourge of cybercrime.
While states have been the main law enforcement body in our current Westphalian era, there is an increasing trend towards policing being undertaken by states in close collaboration with private companies. For example, “Operation Tovar,” which took down the expansive ZeuS botnet, was achieved by a combination of the FBI, Europol and the UK National Crime Agency working in concert with a host of private companies, including Crowdstrike, Dell SecureWorks, Symantec, Trend Micro and McAfee. This takedown is but one example of the close, and often highly effective, collaboration of governments and private companies in the policing of cyberspace. Computer Security Incident Response Teams are also an invaluable bulwark in the collective fight against cybercrime.97
Such collaboration can be useful for two reasons. First, private companies such as ISPs and content platforms own and operate much of the physical infrastructure of the Internet. Second, private companies are often best positioned, in terms of technical skills and resources, to identify criminals and to track and destroy (or at least contain) malicious code. These realities entail an expanded role for private companies in the policing of the network, often in collaboration with governments.
Increasingly, law enforcement in cyberspace is not the sole purview of governments. Governments often work in close collaboration with technology companies to bring down botnets and otherwise police cyberspace. In principle, both governments and technology companies should be receptive to these public-private partnerships. In practice, these coordinated efforts should not be used by either side to circumvent any legal restrictions that might be in place.
Recommendation: States should not rely upon the weaker data collection rules that govern private companies to get access to information that they could not obtain themselves through legal channels.
Private companies that are not directly involved in the IT space are also often thrust onto the front line of defence against cybercrime. Companies ranging from Home Depot to Target to eBay have had their systems breached and customer data stolen. These data breaches, together with the unreported attempted breaches, are growing frighteningly common. Sometimes these breaches are tied to state-sponsored hackers in foreign countries, as in the case of the attack against Sony Pictures Entertainment in 2014 by “The Guardians of Peace.” Sometimes these attacks come from private sector actors, such as the hack of the online adultery site Ashley Madison by the group or individual going by the name of “The Impact Team.”
Many private companies have responded to their real and perceived vulnerability by establishing a chief information officer position, with the responsibility to coordinate cyber defence. According to a recent C-Suite Survey of executives, over 60 percent of businesses have also increased their IT security budgets due to the perception of a worsening security environment.98 These efforts are a set of good first steps, but most companies have relatively immature processes for making and implementing decisions about how to protect themselves from cyber attacks.
The knowledge needed to operate and secure data systems, software and networks is overwhelmingly in the hands of private cyber security companies, which governments use to protect themselves against cyber attacks and their inhabitants against various forms of cybercrime. Outsourcing online security to private actors without clear oversight and control regimes amounts to negligence.99
The Diginotar Scandal
The Diginotar scandal illustrates why this two-fold dependency on private companies leads to serious concerns. The Dutch government relied on Diginotar to provide security certificates for most of the electronic services it provided, including sites that had been used for all online tax returns filed in the Netherlands. After the company’s infrastructure had been breached, fake certificates were issued for hundreds of popular websites, which could be used to launch man-in-the-middle attacks. An investigation by another private company provided evidence that the false certificates were used to monitor the communications of approximately 300,000 Internet users in Iran. After the attack, the company did not report the incident immediately, thereby jeopardizing the security and privacy not only of Dutch Internet users, but of millions of other Internet users across the globe. How healthy is a situation in which the security of our online communications depends on a cyber security company whose most critical servers contained malicious software that can normally be detected by anti-virus software?
Businesses are the cornerstone of national economies. More and more, states and companies are relying upon efficiency-enhancing digital technologies that are vulnerable to cyber attacks. Businesses have to take seriously their responsibility, to their owners and employees, to secure the future of the business against cyber attacks, including information theft and data corruption. They must also be vigilant in discharging their responsibility to their customers to safeguard their information so that private and secure services can be provided. Businesses must invest not only in enhancing their cyber defences, but also in building security into their underlying business processes and technology architectures.
Unfortunately, the small- to medium-sized enterprises (SMEs) that form the backbone of the global economy may not be financially capable of shouldering the burden of extensive IT security, or may not see it as a priority use of limited resources. However, even small companies can be a threat vector for their customers or their commercial partners. Breaches of larger companies’ systems can originate anywhere in their supply chain, as evidenced by the breach at Target via an HVAC vendor.
Governments have a responsibility to reach out to their SMEs, including working with the cyber-security industry and the insurance sector, to explore funding routes and capacity-building efforts that can assist smaller companies in managing digital security risk in an effective manner for the benefit of all.
The responsibility of a business does not stop at simply trying to prevent a cyber breach of their systems. Companies also need to be prepared to deal with the consequences of a successfully executed cyber attack, and should find ways to share what they learn in the process without compromising their competitive positions.
Recommendation: Businesses should purchase cyber insurance to cover the liability costs of successful breaches of their systems.
Cyber liability insurance vendors can also be persuasive in promoting best practices in the corporate sector. Cyber premiums can be expected to be higher if best practices are not followed, just as health or vehicle insurance premiums are affected by what the policyholder does or does not do. The market for cyber insurance is immature in comparison to the seriousness of the threats, and the capital available to the industry is currently inadequate to underwrite the full risk. Pricing the risk is difficult in the absence of reliable time series data, which makes it hard for insurers to put a reliable figure on the likely losses from breaches.
Recommendation: More research is urgently needed to support greater accuracy when pricing risk. This is an area where the OECD could make a significant contribution.
Despite their current limitations, risk markets (including bond markets) can play a major role in building resilience among individual and business users. Public reporting of cyber attacks and their impacts (even if the report is anonymized) will enable the risk markets to develop fact bases on which to price cyber risk products. In other areas of insurance, reliance on third-party evaluators of products helps to reduce systemic risk. Third-party evaluation processes are needed in ICT supply chains, although corporate compliance with such evaluation standards alone will not be sufficient for enterprise security.
In the end, ordinary individuals are both the most common target of cybercrime and in the best position to defend themselves, whether in their homes or in their professional lives. Certainly, some people have responded to the real and perceived dangers of cyberspace by being more cautious about what they do online, thereby protecting themselves (and others) from cybercrime. Yet many individuals do not follow even the bare minimum standards of digital hygiene, such as changing passwords regularly, not clicking unknown links and using antivirus software, thus endangering themselves and others.
A large majority of data breaches are the result of human error. People are the weak link in most IT security systems. Law enforcement and private companies need to do their best to protect users, who are generally less knowledgeable about how cybercrime unfolds. Capacity-building efforts to develop cyber-security skills are crucial for preventing crime online, but they are often adversely affected by cumbersome political institutions and cultural issues.100 Everyone needs to recognize that sometimes they are themselves the last and best line of defence against cybercriminals.
Recommendation: To assist the public to understand and practice the essentials of cyber hygiene, governments should undertake significant campaigns to raise awareness and develop the needed skills. Cyber-security awareness programs should start early, for example, by incorporating cyber hygiene into primary and secondary education curriculums.
The reality is that the Internet ecosystem is populated by calculating and reactive actors. Criminal elements have adapted to the growth of the Internet by increasing their online presence and expertise, often capitalizing upon the weaknesses of others. Governments, private companies and individuals have had uneven responses to cybercrime; the responses that have been undertaken have been patchy and, in some areas, very shallow. Crime has always been an endemic social problem, and the core lessons of the off-line world apply online: crime in cyberspace can be made less pronounced than it is today through the exercise of common sense, by undertaking tried and tested precautionary measures, and by judicious policing.