The murky world of cybercrime makes even ascertaining the extent of the problem hard, writes Peter Grabosky, but one thing you can bank on is a bright future for cyber security.
Cybercrime has become a big issue. Just how big it is, may be unknowable.
The most skilled cybercrimes are never detected by the victim. Consider fraudulent charitable solicitations: when proffered by the most skilled offenders, they leave the victim with a warm inner glow.
There are those cyber-victims who are well aware of their misfortune, but may be too embarrassed to disclose it to anyone. Individuals who are conned by fraudulent investment offers, or by romantic overtures from total strangers, bear witness to the accuracy of the 19th century dictum that there is a sucker born every minute. Moreover, they may perceive that there is little likelihood of redress. Either way, the victim suffers in silence.
A clear picture of patterns and trends in cybercrime has thus proven to be elusive. In addition, law enforcement agencies may be ill-equipped to investigate cases that pose technological challenges, especially when they appear to have been committed by an offender located in a foreign jurisdiction. Reports of offences may be ignored, and limited police resources reserved for terrestrial matters more amenable to successful investigation. Further complicating the picture is the practice that sees many cybercrimes enumerated and processed as generic offences. Frauds facilitated by digital technology may thus be lumped together with “terrestrial” cons.
Organisational victims of cybercrime may have incentives or disincentives to report. Owners of intellectual property, or advocates for their respective industries, may seek to overstate their losses in order to elevate piracy and its control to a position higher on the policy agenda. By contrast, financial institutions may be disinclined to disclose losses, lest their reputation for security and integrity be tarnished.
Mandatory reporting of cybercrime incidents is hardly a perfect solution to the “dark figure” of unreported cybercrime. There are circumstances in which compulsory disclosure may be appropriate, such as when a publicly-traded company is obliged to report material losses to financial regulators. Otherwise, one might argue that businesses should manage their own risk.
There are good reasons why terrestrial victims of sexual assault are not compelled to report their victimisation, even if it may be in the public interest for them to do so. However, as is the case with sexual assault, relevant state authorities should provide the means to facilitate reporting of cybercrime, without compounding the victim’s problems.
Every new technology, and every new application, is amenable to criminal exploitation. As we move further into the digital age, there is no reason to doubt that new criminal opportunities will abound. Keeping abreast of technological change, and reducing the risk of cybercrime, will remain a key challenge.
In advanced industrial societies, no single institution has the capacity to govern cyberspace effectively. Civil society, the state, and private industry each have an essential part to play. The collaborative governance of cyberspace cannot be minutely choreographed. Individuals are well advised to protect their electronic assets with basic security technologies, and to avoid venturing into the more dangerous corners of cyberspace. Industry has the responsibility to design digital products and services with security in mind. States have a range of tools by which they can persuade, induce, or command industry to engage in activities conducive to cybersecurity. Mechanisms of civil liability may provide means of redress for defective products or for careless stewardship of customers’ personal information. Institutional investors and insurers have vested interests in the security of their investments and policyholders, and are in a position to require appropriate cybersecurity measures on their part.
One might look to the history of motor vehicle safety for some insights. During the flowering of the motor vehicle industry in the aftermath of World War II, government regulation was modest, manufacturers were focused on aesthetics and speed, and individual drivers acted more or less irresponsibly. Greater concern for safety brought about requirements for safer vehicle design, random breath testing and lower speed limits, public information campaigns, and better-engineered roads. Safety is now a marketable feature of motor cars. These developments, along with improvements in emergency medical technology, have seen the annual number of road fatalities in Australia decline by two-thirds between 1970 and 2015.
For over two decades, it has been trite to suggest that “cyberspace knows no boundaries.” It is now entirely possible for the victim, the offender, and the evidence of cybercrime to be located in separate jurisdictions around the world. Effective investigation and prosecution of transnational cybercrime requires a degree of international cooperation that was unimaginable in the 1980s. Regional models such as those based on the Budapest Convention, and successful investigations involving joint operations by a dozen or more countries, have provided a good foundation. There nevertheless remain some countries which lack the political will or technical capacity to cooperate in such collective endeavours. Further diplomacy and technology transfer remain essential to mitigate these problems.
Fifty years ago, a popular film The Graduate featured a young Dustin Hoffman who was offered a few words of wisdom by a middle-aged gentleman: “I want to say one word to you. Just one word… Plastics.” Today, the closing words of this brief conversation might be “There’s a great future in cyber security.”