Time to admit we’re failing on cybercrime
16 Feb 2018|

The first step in solving a problem is recognising that there is one. When it comes to tackling cybercrime, it’s time to admit our approach isn’t working.

Our failure is staring us in the face. In his address to the National Press Club last year, then-Cybersecurity Minister Dan Tehan said that in the past year the Australian Cyber Security Centre had ‘identified 47,000 cyber incidents, a 15% increase on last year. Over half of these incidents were online scams or fraud, which saw an increase of over 22%.’ That’s five incidents every hour in Australia. As the minister put it, ‘business for cybercriminals is booming’.

With this volume of crime, you might think plenty of people are being arrested. In fact, no. Asked by Nick Evans of the West Australian how many prosecutions there’d been, the minister said, ‘Prosecutions are incredibly difficult because a lot of what is occurring is occurring offshore … So it’s not one where I can stand here and readily say to you that we’ve had success in targeting this organisation or that organisation and we’ve put them behind bars.’

There are multiple ways Australians are being fleeced through cybercrime. In one example reported by government, a cybercriminal stole money by posing as two senior executives at one company. First, the criminal, pretending to be the CEO, sent an email requesting a large payment from the financial controller. In a second email, the criminal, this time pretending to be the chief operating officer, authorised the ‘CEO’s’ request. Believing that these fraudulent requests were genuine, the business made payments worth $500,000 to the criminal’s offshore bank accounts. It’s a scam repeated across the country, with estimates that compromised business email cost Australian companies $20 million last year, a 130% increase from the previous year.

This isn’t to single out Australia. The problem is universal. The UK Office for National Statistics released a national crime survey in 2017 that ‘estimated that there were 3.3 million incidents of fraud in the survey year ending June 2017, with over half of these (57%; 1.9 million incidents) being cyber-related’. In the United States, the director of the National Security Agency, Admiral Mike Rogers, has likened the cyber domain to the ‘Wild West‘. Statistics from the US Internet Crime Complaint Center show that the financial loss from cybercrime in the US exceeded US$1.3 billion in 2016, a rise of 24%. Because this was only based on reported cases, it’s likely a large underestimate.

As the Wild West moniker suggests, there’s very little risk of being caught if you’re a cybercriminal. There are several reasons for this. As the statistics suggest, the volume of crime is so high that it has overwhelmed our capacity to respond. Traditional crime fighters are also unequipped to deal with this crime type. If you have $20,000 worth of valuables stolen from your home, your local police station will likely be on the case immediately. If you have $20,000 stolen in an online scam, going to your local police station will produce a very different experience. Online crime is likely to be both transnational and veiled in anonymity. Law enforcement activity is likely to require significant technical expertise and cooperation from foreign counterparts, both of which make successful attribution and enforcement difficult.

These factors make cybercrime highly attractive. And if this wasn’t bad enough, we’ve more recently witnessed the rise of crime-as-a-service, allowing non-experts to essentially buy and apply ready-to-use kit. This opens cybercrime to even more actors.

While the challenge is formidable, part of the problem has been our approach. We essentially have three responses to cybercrime.

First, and most important, is improving our cybersecurity. This is so critical that there’s now a Minister for Cybersecurity. Hardening defences against attackers makes eminent sense. The problem is that it’s not enough. Even as Australia and other Western states have been hardening our cyber defences, the volume of reported cyber incidents has increased.

Second, we can use our offensive cyber capabilities to make life harder for cybercriminals. On 30 June 2017, Australia made the rare, candid admission that its cyber offensive capabilities would be directed at ‘organised offshore cybercriminals’. While this increases the cost of carrying out cybercrime, it isn’t a complete solution. This high-end capability can’t deal with the overwhelming volume of cybercrime, and its effects are often not enduring—it can’t put cybercriminals behind bars, and even if their equipment is destroyed, the criminals can easily buy more.

Finally, we can use law enforcement to deter cybercriminals. But with the current score card essentially 47,000 to 0, we can anticipate the average cybercriminal today doesn’t feel much heat.

What this all boils down to is the reality that national level efforts aren’t enough. And for as long as we continue to fail, the attractiveness of cybercrime will increase owing to its low risk and high rewards, drawing in and supporting more and more nefarious actors, including organised crime groups and terrorist organisations.

To address this problem, the cost of engaging in cybercrime has to increase, as does the risk of being caught. Ongoing improvements in cybersecurity and the limited use of offensive cyber capability are part of the solution, but we need to reconsider our law enforcement response.

Acting alone, we’re unlikely to succeed. One thousand new AFP officers won’t stop cybercrime. But a broader approach, working in concert with other states, might bear fruit. The world is still too divided on this topic for a large multilateral forum like the UN to be able to move the needle on this issue. But a more narrowly focused ‘coalition of the willing’ or mini-lateral response has potential.

There’s a dawning realisation in like-minded countries that national-level efforts are failing to address the challenge of cybercrime, opening the door to more cooperative approaches. Australia should consider leading efforts to string together a small coalition of states with the interest and will to stump up the resources needed to shift the cost/risk profile of cybercrime. There’s no single right answer on what needs to be done, but the basic parameters are clear.

The group should agree on a narrow set of coordinated actions they’ll take to increase the cost and risk of cybercrime, as well as how these efforts will be coordinated at an international level. This would likely involve an initial focus on non-state actors that can be targeted by law enforcement (as opposed to criminal states involved in cybercrime such as North Korea). It might involve throwing considerably more resources into tracking where stolen funds end up, working together to bring law enforcement and diplomatic pressure to bear on destination states, and providing everyday citizens with a feedback loop so they know that when they report cybercrime, something will be done about it.

The current situation is unsustainable. It’s time concerned states revisit their approach.