Fighting cybercrime – what happens to the law when the law cannot be enforced?

The widespread loss of trust in the internet is the fifth greatest strategic risk facing the world, according to the World Economic Forum’s Global Risks Report 2019. The report indicates the scale of the challenges facing the security community, as well as the new opportunities and partnerships that can be forged to enable public good in this era of unrivalled technological change. Cybercrime will continue to be the security challenge of the 21st century.

In the context of cyber security as a major global risk, the global community needs to recognize that there is a “stunning enforcement gap”, as a recent report by the Third Way highlights. Not only is the current wave of cybercrime largely unseen, but the chances of being successfully investigated and prosecuted for a cyber attack in the US are now estimated at 0.05%. This mirrors similar reports from around the world. This is for a crime type that is predicted to be costing the global economy $6 trillion by 2021. For violent crime, the equivalent chance is 46%. The global community needs to ask itself why this is happening, and what can be done to change it.

One of the key reasons for the lack of progress in the successful investigation and prosecution of cybercrime is that the spotlight continues to be driven by a wider debate around national security concerns. Focus continues to centre on the implications of a relatively small number of high-end nation state threat actors. While this debate is undoubtedly important, it is distracting attention from the growing enforcement gap for digital crime, and from developing the new generation of capabilities required to close this gap. Attribution and enforcement of the law has to be part of the global architecture in building an effective response to a type of crime where “the majority of attacks, for the majority of the people, for the majority of the time” come from financially motivated crime groups.

Three steps are needed to help build the global architecture to fight cybercrime.

1. Cybercrime 2025 - agreeing a vision for the future

First, the community needs to agree what is important in the near future, focus on a shared vision of that future, and establish a real dialogue on how to build towards it. This is difficult but necessary - and it’s about what countries and corporations agree on, not what they disagree on. This might include a common understanding of the need to reverse the cyber enforcement gap, to tackle transnational organized cybercrime before it grows to epidemic proportions, and to eliminate safe harbours for cybercriminal networks. This task is increasingly important as a new generation of technology emerges. Integrated smart cities, 5G networks, artificial intelligence and cloud computing will shape our digital future, but they also have the potential to accelerate rapidly the scale and impact of cybercrime.

2. Building global capabilities to enable increased enforcement

Second, there needs to be an understanding that cybercrime is a shared global issue and requires a global response. No one country or corporation operates in a vacuum. The world as a whole needs to build a new generation of partnerships across transnational, national and corporate entities. The enforcement gap is largely being driven by the difficulties in being able to conduct investigations on attackers often operating overseas, against diverse and disparate technical systems using communications technology that make any attack global in nature by default. Without the attribution and prosecution of attackers, technical defences often just shift them to easier targets in new sectors or countries.

Exemplars of best practice should be highlighted and built on across the community. These include successful operational partnerships such as Microsoft’s Digital Crime Unit, Europol, and the UK’s National Cybersecurity Centre’s work with telecommunications providers. The EU is also introducing e-evidence legislation that will significantly help with sharing data at speed to be used in case work. Enhancing capabilities in emerging markets, especially in Africa, is also important, as these are increasingly victims and important nodes in the fight against cybercrime.

3. Setting global principles for public-private partnerships

Third, the community needs to recognize that investigating cybercrime is different from investigating traditional types of crime. This is not simply an issue of law enforcement agency capacity. Every victim, data holder or investigative body, whether in the public or private sector, is part of a global ecosystem that is increasingly connected and mutually dependent.

The skills, capability and data required to investigate are within the corporate domain. This is a crime type that operates at a different pace, and there is therefore a much greater need to work under agreed common frameworks and principles at a global level and at internet speed. This includes incentivizing data sharing and collaboration, and setting out clear roles and guidance to leverage each other’s capabilities.

Establishing principles is increasingly important in an era where concerns over privacy, the sharing of data and the interpretation of legislation such as GDPR is inadvertently potentially hampering the sharing of valuable information. Companies often hold critical data but do not feel able to share it due to concerns over data privacy, client confidentiality or giving away intelligence to business rivals.

New tools and platforms using technology such as homomorphic encryption will be needed to help build more sustainable models to protect victims and enable global investigations, while respecting the right to privacy. Setting principles and harmonizing frameworks for cyber response between victims, cyber services providers, law enforcement, Computer Emergency Response Team (CERT) bodies and transnational institutions are important examples of how to close the margins of cooperation in which cybercriminals operate.

Addressing the cyber enforcement gap will require deeper transnational integration and dialogue across governments, both from a policy and capability perspective. It also requires much closer integration between law enforcement and the private sector. This offers a unique opportunity to build trust between entities and agree common values, from which a new global architecture will emerge. If this cannot be achieved, we risk undermining the digital economy, as well as the traditional institutions that are relied on to provide security and trust across society.