Every so often we experience an advance in technology that is so radical it not only changes the way that societies interact, it also has a fundamental affect on the behaviour of the criminal element within that society: introducing completely new and previously unheard of words into our everyday language usage. Henry Ford’s invention of the motorcar is a classic example of this point (coining terms such as car-jacking and get-away car). Ask any criminal defense lawyer what, in their opinion, has been the most radical change in criminal behaviour, however, and probably the biggest response you’ll receive is cybercrime. What, however, is cybercrime and how can it have had such a profound impact on our lives in such a short space of time?
Although you may get general consensus among criminal defense lawyers that cybercrime has been the most recent radical change in criminal behaviour, it is unlikely you’ll receive the same consensus when it came to defining what cybercrime actually was. Nevertheless, broad consensus would most probably agree that cybercrime is a term of language used to describe “criminal activity that utilizes an element of a computer or computer network”.
Thus, essentially there are two separate and distinct elements to cybercrime. On the one hand you have an element of exploiting weaknesses in the computer operating system or computer network. On the other hand you have an element of exploiting social fabric of a computer network, whereby a criminal makes use of the computer network to infiltrate the trust of other users of that computer network for profit or gain. Although these different elements of what constitute cybercrime may not seem overly important, they do have an impact when you look at the evolution and development of cybercrime.
Prior to the turn of the millennium large scale cybercrime centred on or around one-man operated criminals exploiting the weaknesses in the computer operating system or computer network. In most cases these crimes were committed by computer nerds who felt challenged to prove that they could beat the system. We coined the term hacker for just such a nerd, but rarely was there a financial gain element to the criminal behaviour. While a great deal of financial damage could actually result, not to mention the potential for the security risks that resulted, this one-man band criminal lacked the motive and intent of traditional criminal gangs. In short, cybercrime was infantile and largely seen as a practical joke or game by those who committed it. Criminal defense tactics at this time was also largely based on the fact that no real intentional damage was done and, in a large number of cases, the penalty for the crime was showing how the computer system had been hacked by the hacker.
Once we had all got over the fact that there was no millennium bug after all (probably the biggest cybercrime hoax of all time), cyber criminal had organised and focused their attention elsewhere. Yes, the geek element of hacking still existed – as still does today – but now hardened criminal gangs had worked out that the Internet was a safe domain, with much less risk, with which to operate and generate large profits.
In short, criminal gangs had introduced a professional element into the world of cybercrime. No longer were we looking at geeky exploitation of weaknesses in computer operating/networking systems, things had now developed to criminal gangs making use of computer networks to infiltrate and take advantage of the trust of other users of that computer network for huge financial gain.
Because of this radical change in the nature of cyber criminal activity, law makers and criminal defense lawyers began to see developments which reflected these changes. Primarily these included new cyber crimes, such as:
* cyber-extortion – where criminal gangs threatened to close down internet-based businesses if protection money was not paid. Worse still, threats can also be made to infiltrate the businesses security system to access financial or personal information stored therein that may then be used for financial gain
* information theft – similar to that set-out above, only no prior approach is made to try and extort protection money and a computer network is infiltrated with the purpose of obtaining information relating to the users, whether they be an individual user of business
* fraud – fraud has many guises on the internet, from the famous e-mails promising millions in advance fees to the sale of unmarketable quality goods. What is usually fairly consistent is an unsolicited e-mail approach by the fraudster to their victim.
* identity theft – identity theft is where the cyber criminal steals their victims identity and then transacts, usually via the Internet in the name of the victim. More often than not this will include and element of credit card fraud.
* exploitation of children, etc – unfortunately many view the act of cybercrime as either harmless fun (such as hacking) or for financial gain (such as credit card fraud). However, there is also a very real and extremely nasty side to cyber crime – taking advantage of weaker members of our society. Almost weekly we now hear of cyber criminal gangs who have been caught with child pornography.
* intellectual property theft – strangely many computer network users do not see the illegal downloading of software and intellectual property as constituting a criminal act. In fact it is anything but. Billions of dollars are being lost each year on illegal software and intellectual property downloads that are putting sever financial constraints on the companies that manufacture these products, many of whom are young start-ups themselves. Nevertheless, unlike other forms of cyber crimes, governments have been quick to respond to the actions of those who illegally download movies, music or software from the Internet and so, many argue, criminal defense procedures against such persons are probably the most successful and front-line of all.
* phishing and vishing – both phishing and the more recent vishing is obtaining financial information, such as bank account records or credit card details, by sending what look like authentic messages to the recipient informing them they need to comply with certain procedures to reactivate their account. Once the information has been obtained, the criminal then defrauds the victim.
Cybercrime and the law
According to a survey undertaken by McConnell International on the cyber laws of 52 nations, the general consensus is:
“Undeterred by the prospect of arrest or prospect, cyber criminals around the world lurk on the Net as an omnipresent menace to the financial health of businesses, to the trust of their customers, and as an emerging threat to nations’ security.”
Moreover, conservative estimates put the cost of cybercrime at approximately $50 billion annually. With more than 60 million residents in North America having online banking facilities, the cost to the USA alone of cyber crimes is estimated not in the million, but billions (latest estimates put this cost as high as $5 billion annually).
Clearly, then, with large scale criminal activity taking place on such a mammoth level the law intervenes and redress can be sought. Actually, no. Criminal defense lawyers will be able to tell you that only approximately ten percent of all cyber crimes are reported; and of those that are actually reported, less than two percent end up in some form of conviction on the part of the cyber criminal.
Should criminal defense procedures such actions and behaviour by cyber criminals not encourage victims reporting cases? Conversely the argument goes the other way. Afraid of the risk of losing customer confidence in their network, major businesses that have fallen victim to cyber crimes in the past have opted not to report.
Nevertheless, even where victims have sought redress and restitution within the criminal defense system, the general consensus among victims has been that the law will provide little or no assistance to their case. More concerning, however, is cases where victims of the criminal gangs instigating the cybercrime have no recourse to criminal defense procedures that would otherwise protect their individual rights and freedoms, such as the alleged criminal gangs who operate in the former communist block selling the wares of child pornography over the Internet to clients in the West who believe they’re safe from prosecution in their own homes.
Regardless of this factor, however, with 90 percent of American businesses surveyed stating that they had encountered computer-related security breaches in 2001, clearly cyber-crime has reached endemic proportions and the time has now come to address this issue. But what restitution within the criminal defense system would a victim of a cyber-crime currently have?
As with most technology related crime, US state legislation lags behind. Although each of the Houston criminal defense code, Austin criminal defense code, Texas criminal defense code, San Diego criminal defense code, Chicago criminal defense code may well contain provision that can be applied to cybercrime, as any half decent Texas criminal defense lawyer, San Diego criminal defense lawyer, Chicago criminal lawyer will be able to tell you, each of the , Texas criminal defense system, San Diego criminal defense system and the Chicago criminal defense system rely on antiquated laws to counter the activities of cyber-criminals. In short, most state criminal defenses against cybercrime lack the all important “cyber” element. As such, the often fail to provide for the unseen element that is often an underlying element in any cybercrime against American victims.
Where state legislation may be slow, federal legislation drags its feet! However, acknowledging the damaging nature of cybercrime has not been completely lost on successive US lawmakers and a number of federal laws within the federal criminal defense system have been invoked against cyber criminals, including:
* CAN-SPAM Act – dealing with spam unsolicited e-mailing, in particular fraud related activities
*Computer Fraud and Abuse Act – as the name suggests, the act provides against computer fraud and abuse
* Electronic Communications Privacy Act
* Identity Theft and Assumption Deterrence Act
* Trade Secrets Act
Currently there is little or no international legislation that contains criminal defense mechanisms against cyber crimes. There are, however, a few multi-jurisdictional legislations, such as those in found within European Union law.
That said, there is a Convention on Cybercrime that a number of nations have become signatories to. Questions do, however, remain over whether or not this is toothless in the fight against cybercrime.
Cyber-crime, where’s it all going?
There are two things we can be fairly sure of: (a) cybercrime is not going to go away of its own free will, there’s simply too much money involved and criminal gangs are too organised to just walk away; and (b) unless drastic measures are taken within the criminal defense system, the economic fall-out from cybercrime is going to surpass all other organised criminal activity in a very short period of time.
So where is this all going? The answer here is very probably three-fold:
(1) improved computer security;
(2) changes in the behaviour of the cyber criminal; and
(3) administrative changes to the criminal defense system that sees more unified laws being enacted against cyber criminals.
If we take a look at each of these in turn.
Improved computer security
There is little doubt that businesses are not waiting on the criminal defense system to catch up with protecting their rights and taking it upon themselves to spend billions of dollars in improving their security systems. In many instances, those writing the improved computer security system packages have, themselves, previously been cyber criminals. Sending the fox out to catch the fox appears to be the modus operandi of the day. Notable here are finance and credit card companies, who are leading the way in developing technology that is less friendly to cyber criminal activity.
Changes in the behaviour of the cyber criminal
Notwithstanding the fact that businesses are spending billion in upgrading and improving their computer network systems, the cyber criminal themselves is also learning to adapt. Not sticking to tried and tested criminal behaviour, that can easily be replicated by new emerging criminals, leading cyber criminals are adapting to new technology with new cyber crimes. Even now we are hearing of criminal activity involving WiFi networks, where the security systems are more infant. Moreover, criminals are also making use of the WiFi system itself to cover their tracks when carrying out illegal activities. A new comer on the block, Voice Over Internet Protocol (VoIP), although not yet subject to major cyber criminal activity, is likely to be the next big thing that criminal gangs turn their attention to.
Consequently, changes and upgrades to technology and their security systems is a double-edge sword. On the one hand it is very much a way that businesses can stay ahead of the cyber criminal. On the other hand, it is also a way that cyber criminals can move into new untapped areas. This cat and mouse game may well have a long way to run.
Administrative changes to the criminal defense system that sees more unified laws being enacted against cyber criminals
Although business can be seen to be making superhuman efforts to deter cyber crimes via upgrades to their security systems and innovative changes to technology, the rights of individual users of the computer networks are still not being fully protected. Nor will these changes have much of an effect on individual computer network users, who are more vulnerable to cyber-fraud crimes than break-ins to their actual networks. In other words, the social element of computer cybercrime needs addressing. Here, changes to the law are going to be needed if cyber criminals are going to be deterred. However, with a global tool such as the Internet, with reach-ability from almost anywhere in the world, how will this work without?
Clearly a united front on criminal defense laws against cyber crimes is going to be needed. If this cannot be implement on a global basis, then geographic areas are going to need to consider implementing these laws that a cross jurisdictional. The Council of Europe Convention on Cybercrime is an example of how this may be approached. However, with Internet technology and access now becoming more readily available to billions of people in South America and Asia, clear, concise and unified approach to the criminal activities of cyber criminal is going to need to the issue of the day if some form of criminal defense to cybercrime is going to be a success – either in the short-term or long-term. Implicit within these must be very strict laws to counter hard core criminal gang activities, such as crimes against children. To do otherwise would surely result in the Internet’s image of being the last vestige of the wild, wild, west holding true – as a lawless environment where no criminal defense is required because no criminal action will be forthcoming.