Think about everything the Internet has brought us: rapid innovation in connectivity, entertainment, business, and commerce. The rapid change in these industries is happening right now, during our lifetime. Hundreds of years from now, history books will refer to our generation as the first that got online. But the Internet has its problems, too. I have an intimate understanding of the issues of privacy and security on the Internet, having spent my entire career fighting these problems.
The impact of online crimes is expansive. In the real world, you only have to worry about the criminals who live in your city. But in the online world, you have to worry about criminals who could be on the other side of the planet. Online crime is always considered “international” because the Internet has no borders.
Another factor that makes online crime more ubiquitous is the changing identify of hackers. Today, computer viruses and other malicious software are no longer written by hobbyist hackers seeking fame and glory among their peers, but by professional criminals who make millions from their attacks. These criminals want access to your computer, your PayPal passwords, and your credit card numbers. There is now a global market for sinister crimeware—viruses, worms, trojans, spyware—that is produced and sold on underground websites.
The international community has failed to address the real nature and extent of the problem. Due to limited resources and the expertise needed to investigate online criminal activity, national police forces and legal systems are finding it extremely difficult to keep up with the rapid growth of online crime. The victims, police, prosecutors, and judges rarely uncover the full scope of these crimes, which often take place across international boundaries. Progress in the fight against these crimes has been slow. Arrests are few and far between, and the penalties handed down are too light compared to those attached to “real-world” crimes.
Online crime is growing fast, and we are sending the wrong message to cyber criminals. Right now there is great incentive to become an online criminal; online crime is easier to carry out than “offline” crime, and it costs less to get started. Criminals can see that the likelihood of getting caught and punished is extremely small, while the profits being made are huge.
If a gunman walks into a bank and demands cash, the police leap into action. When international borders are crossed during such a crime, international police agencies become involved. When the gunman is caught, there is always a trial in which the bank will push the prosecutor for the maximum penalties possible. But this is not the case with online crime. Virtual gunmen are free to roam the Internet with almost nobody there to stop them. Online crime is always international, yet most police investigations are conducted using only their local resources.
Computer security companies are doing their best to protect their customers’ computers, but little can be done directly by non-governmental organizations to fight the criminals at the heart of the matter; anti-virus companies are not law enforcement, nor should they be. Tackling online crime requires a serious investment of resources on the international level, and expert law enforcement agencies need to follow criminals into the online world.
Part of the struggle international law enforcement faces with online crime is the sheer scale of the crimes being committed. Traditionally, international law enforcement has focused on large crimes such as drug trafficking and smuggling. Countries involved in investigating these types of crime can easily see the value in catching these criminals. But online crime is typically composed of small individual crimes. The attackers don’t hack the bank. They hack the bank’s customers. One victim might have only lost a few hundred dollars from his bank account. Starting an international investigation looks like overkill, which is why getting international cooperation often becomes difficult. The problem is, of course, that there is more than one victim. A banking trojan botnet, for example, might steal money from tens of thousands of people at the same time.
What we need is an international police force with the enforcement power to really target the organized crime that operates on the net. It would investigate the top of the crimeware food chain and track down the people running the online crime syndicates. Each member country would be required to cooperate with others, regardless of the apparent size of the crimes.
Of course, establishing such a new force would present a number of legal challenges. For example, malicious code is often created in countries where it is not considered illegal, or where the perpetrators are never prosecuted.
Cyber crime policing agencies are best served by focusing specifically on fighting malware crime. By trying to extend their reach to other areas, like catching pirates and hactivists, they end up overstretching their limited resources and ultimately accomplishing very little. Banking trojans represent what should be their No. 1 concern.
The last thing anyone wants is some sort of net police that might restrict the freedom of the Web. But we need to take action now on Internet crime. If we don’t, it will continue to grow stronger and potentially jeopardize all the great benefits the net has brought to us. Ours is the first generation to go online. It’s up to us to make sure this incredible resource stays around for future generations.