[BreachExchange] Why it's so hard to prosecute cyber criminals

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 6 19:34:10 EST 2016


http://www.infoworld.com/article/3147398/security/why-its-so-hard-to-prosecute-cyber-criminals.html

We live in a world where internet crime is rampant. Cyber criminals steal
hundreds of millions of dollars each year with near impunity. For every 1
that gets caught, 10,000 go free -- maybe more. For every 1 successfully
prosecuted in a court of law, 100 get off scot-free or with a warning.

Why is it so hard to prosecute cyber criminals?

Jurisdiction, jurisdiction, jurisdiction

This is the No. 1 barrier to prosecuting cyber crime. Most of the time, the
person committing the crime is located outside of the country (or at least
outside the legal jurisdiction of the court and prosecutors seeking the
conviction). It’s hard enough to successfully prosecute a cyber criminal if
they originate in the same jurisdiction as the victim, but close to
impossible when both reside in different locations.

Many times we successfully collect good legal evidence and even verify the
identity and location of the cyber criminal, but we have no legal ability
to arrest the person. We have established cross-boundary, reciprocal legal
rules with many cyber allies, but many more countries don’t and won’t
participate. China and Russia will never honor our warrants of arrest any
more than we would honor theirs.

We're still learning how to prosecute

Our legal system, refined over centuries, was forged in the physical world
for physical crimes. Internet crime is not even three decades old.

Localities, cities, and states have had a hard time figuring out what is or
isn’t illegal in the computer world for a particular location, especially
if that crime involves computers or people outside of their jurisdiction.
For example, if porn is illegal in a particular locality but is accessed on
a computer that is located outside that locality, is it illegal? Is it
prosecutable? Some local court systems say yes, but many more say no. For
that reason, most smaller entities leave it up to the federal legal system
to define and prosecute computer crime.

In the United States, most federal crimes are defined in what is known as
Title 18. Most Title 18 crimes could be construed to cover their electronic
counterparts, but do so imperfectly. Congress created a special Title 18
section called 1030 in 1986, which has been updated and amended many times
since its creation and is known as the Computer Fraud and Abuse Act.

The CFAA is the main U.S. federal law cyber criminals are prosecuted under,
but many other laws can also apply depending on the situation, such as the
Federal Wire Act and the CAN-SPAM Act. You can read a really good, but
long, 213-page “summary” of U.S. federal computer crime law here. Of
course, many localities, especially if they are large and populous, have
their own laws that may apply.

It has taken decades for law enforcement agencies, legal systems, and
juries to get up to speed on cyber crime. Law enforcement agencies have had
to train their officers to recognize the various forms of cyber crime, how
to collect and preserve related evidence, and how to hire and train
specialized forensic investigators. Prosecutors, judges, and juries have to
be educated as well.

It’s probably just now, after 20 years of cyber crime, that we're beginning
to understand how to successfully prosecute internet-related crime. That
limited success shows in the continuous stream of cyber criminals arrested
-- and their networks shut down -- on a regular basis, such as a takedown
last week.

Most cyber crimes are not reported

The vast majority of internet crimes are never reported. I can understand
why. Most people have no idea of where and how to report internet crime,
and if they do, rarely does anything come of it.

To be honest, you could lose a ton of money -- say, $50,000 -- and most
entities would have to spend many times that amount to try and recover it
for you, if recovery was even possible. So when you call saying you lost
$500 to a ransomware attack, perpetrated by a criminal that law enforcement
probably can’t identify or touch, you’re probably not going to see
resources assigned to the case beyond someone filing away your report.

Because most internet crimes are not reported, accurate statistics and
evidence are hard to come by -- even though they're needed to help in a
successful prosecution.

The difficulty of gathering legal evidence

Most of us think we're capable of collecting evidence that might lead to
someone’s identification and arrest. But would that evidence stand up in
court?

Bulletproof evidence of cyber crime is hard to get. For example, suppose
you have an accurate log file that shows an intruder breaking into your
system. You can copy that log file and give it to the police, but rarely
will it withstand the assault a defense attorney is likely to throw at it.

Here are some sample questions an attorney might ask in court: How do we
know the log file hasn’t been tampered with? Who had the ability to access
the log file? Is the time and date stamp accurate? How do we know? How do
we know your computer system accurately detected the originating IP address
-- can’t IP addresses be faked? Was the log file originally written to
write-once, read-only media? What has been the chain-of-custody of that log
file since it was first created until now? What experience does the
computer team have with obtaining legal evidence? And so on.

Any time you hear about cyber criminals being arrested, realize that behind
the scenes, many computer professionals and law enforcement officers with
cyber expertise came together to ensure the evidence collected would hold
up in court. Obtaining good evidence takes skill.
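
An added example, not part of the original article: one way to prepare for two of the questions above (has the log file been tampered with, and what is its chain of custody) is to hash the collected copy and record every hand-off in a hash-chained ledger. The function names, ledger fields, custodian names and sample log lines are constructed for illustration.

```python
import hashlib
import json

# Constructed sample evidence: two log lines using a documentation IP address.
SAMPLE_LOG = (
    b"2016-12-01T03:14:07Z sshd[811]: Failed password for root from 203.0.113.7\n"
    b"2016-12-01T03:14:09Z sshd[811]: Accepted password for root from 203.0.113.7\n"
)
GENESIS = "0" * 64  # prev-hash value used by the first ledger entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash every field except the stored digest, in canonical key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_custody_entry(ledger, evidence, custodian, action, utc_time):
    """Append a hand-off record bound to the evidence and the previous record."""
    entry = {
        "seq": len(ledger),
        "utc_time": utc_time,
        "custodian": custodian,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),
        "prev_entry_hash": ledger[-1]["entry_hash"] if ledger else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    ledger.append(entry)
    return entry

def verify_custody(ledger, evidence):
    """Return a list of problems; an empty list means everything is consistent."""
    problems, prev, current = [], GENESIS, sha256_hex(evidence)
    for i, entry in enumerate(ledger):
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: record altered")
        if entry["prev_entry_hash"] != prev:
            problems.append(f"entry {i}: chain broken")
        if entry["evidence_sha256"] != current:
            problems.append(f"entry {i}: evidence hash mismatch")
        prev = entry["entry_hash"]
    return problems

def demo_ledger():
    ledger = []
    add_custody_entry(ledger, SAMPLE_LOG, "analyst-a", "collected from host", "2016-12-01T09:00:00Z")
    add_custody_entry(ledger, SAMPLE_LOG, "officer-b", "received copy", "2016-12-02T14:30:00Z")
    return ledger
```

The chain only proves internal consistency: the latest `entry_hash` still has to be recorded somewhere the custodians cannot rewrite, such as the write-once media the questions above mention.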

At wit's end

I remember many years ago when I called to warn a woman that her identity
was being used by cyber criminals. Apparently, she had been called by lots
of people about this already, and was obviously thoroughly confused and
disgusted by callers infringing on her privacy.

After I told her who I was and why I was calling, she yelled at me: “If you
call me one more time, I’ll call the internet police!”

Little did she know how much we all wish there was a single, unified, cyber
police force we could call.