Cybercrime and Punishment

We all know the fight against cybercrime is an uphill battle, as Kevin Townsend explains. In the end, he finds, the solution may be a change in both legal and social policies.

Cybercrime is increasing and something needs to be done about it. Everybody can agree with this statement, but that’s just about all that is agreed upon. Nevertheless, most people look first to the Law for protection.

In response, legislation is taking two separate routes in its attempts to reduce cybercrime. The first is to define the crime and attack the criminal with anti-hacking legislation. The purpose of this anti-hacking legislation is deterrence – to dissuade the criminal through fear of the punishment.

The second route is to make hacking more difficult by requiring companies to improve their security and better protect their data with anti-breach and data protection legislation. The purpose of anti-breach and data protection legislation is persuasion – to persuade companies to better secure their data through fear of the punishment.

In both cases it is believed that only severe sanctions – long prison sentences and/or heavy monetary fines – will make the legislation effective. That in turn leads to legislation’s biggest difficulty: because the law cannot define all eventualities, there will always be collateral damage; that is, severe sanctions levied on relatively minor infringements. The problem here is that if exceptions are or can be made, the deterrent effect is reduced and the effectiveness of the legislation is diminished.

There are two further problems in using legislation to defeat hacking: hackers need to be caught, while business frequently ignores regulations (even legal requirements).

The Uphill Battle

To prosecute hackers, they must first be identified, apprehended, and then presented to a court. This is easier said than done – the international and multi-jurisdictional nature of the internet makes it an uphill battle. One example will suffice: the Russian constitution forbids the extradition of Russian nationals. Because of this, any Russian hacker within Russia cannot be extradited to the US, irrespective of the weight of evidence against him or her.

Business’s failure to adequately secure data is more complex, and is probably influenced by senior management’s subconscious subjection to the ‘optimism bias’ – that is, the common belief that bad things only happen to other people. Data protection legislation tends to punish only those that have been breached; and if that is not going to happen to you, then there is little incentive to spend money complying with the law.

Guy Bunker, a senior vice president at Clearswift, suggests what he calls a ‘company-killer’ sanction would be needed – that is, a fine so heavy that the company is forced into liquidation – before other companies take proper notice of data breach legislation. Company-killer fines could become a reality if the EU’s proposed changes to European data protection become law.

The Legislative Problem

In the past, Europe has primarily relied on its data protection laws (based on the EU’s data protection directive) to persuade businesses to protect data. But the sanctions are minuscule, with little deterrent effect. The EC commissioner for justice, Viviane Reding, recently pointed out that despite fining Google the maximum possible for breaching the French data protection law, it amounted to “0.0003% of [Google's] global turnover”, which she described as pocket money. In contrast, the proposed replacement for these laws, the General Data Protection Regulation, can impose fines of up to 2% of global turnover. In Google’s case, that could amount to a fine of up to $1 billion, which Reding describes as “a sum much harder to brush off.”

In the US, the most used anti-hacking legislation is the Computer Fraud and Abuse Act (CFAA), which already includes severe sanctions. Here, criticism is levied less on its content and more on its enforcement, with some very high-profile examples of severe prosecution for minor offenses. Rather than face decades in jail for downloading academic papers that he believed should be free for anyone, Aaron Swartz committed suicide. In a separate case, Andrew Auernheimer (aka ‘weev’) was sentenced to 41 months for downloading – not for hacking – personal information from AT&T. Auernheimer was released from a federal correctional facility earlier this year when a US court of appeals decided to reverse and vacate his conviction after he had served just 14 months of the sentence.

These and others are examples of the inevitable collateral damage from legislation that cannot keep up with technology. Chris Pogue, a director at Trustwave SpiderLabs and a former criminal investigator with the US Army, believes we should not blame the law. 

“Like motor vehicles or firearms or anything else, it's not the gun that kills people, it's the person holding the gun. The problem is inappropriate use – not the law itself.”

– Chris Pogue, Director at Trustwave SpiderLabs and a former criminal investigator with the US Army

The danger with inappropriate application of legislation, perhaps such as its use against Auernheimer and Swartz, is that it could have a chilling effect on the independent white hat hackers who patrol the internet, find vulnerabilities and report them to the software vendors. Pogue recognizes their importance. “As long as there is something to take, there will be someone to take it”, he explains, “and it's been that way since Cain slew Abel. We have to have the proactive security researchers and ethical hackers that can help us to identify the security vulnerabilities before the bad guys find them.”

The need to nurture the white hat hackers or security researchers has been recognized by legislators on both sides of the Atlantic. In the US, senators Zoe Lofgren (D-Calif.), Jim Sensenbrenner (R-Wisc.), and Ron Wyden (D-Ore.) introduced ‘Aaron’s Law,’ a bill designed to amend the Computer Fraud and Abuse Act. The problem with the CFAA is that it criminalizes ‘unauthorized access to a computer’, a phrase that can be given many interpretations. At its worst, it criminalizes even the most innocuous breaches of either a company’s or website’s terms of use.

Judge Alex Kozinski of the US Ninth Circuit Court of Appeals explained the potential for abuse in 2012.

“Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com.”

– Judge Alex Kozinski, US Ninth Circuit Court of Appeals

Aaron’s Law is designed to remedy this issue by removing the term “exceeds authorized access” and replacing it with “to obtain information on a computer that the accesser lacks authorization to obtain, by knowingly circumventing technological or physical measures designed to prevent unauthorized individuals from obtaining that information.”

At the time of writing, however, the website govtrack.us gives Aaron’s Law only a 55% chance of getting past the committee stage, and only an 8% chance of becoming law.

There has been more success at reform in Europe. The initial draft of Europe’s new anti-hacking law took an approach similar to the CFAA in the US. It was opposed by the Green justice spokesperson Jan Philipp Albrecht, who explained, “the legislation fails to recognize the important role played by 'white hat hackers' in identifying weaknesses in the internet's immune system, with a view to strengthening security. This will result in cases against these individuals, who pose no real security threat and play an important role in strengthening the internet, whilst failing to properly deal with real cyber criminals. The result will leave hardware and software manufacturers wholly responsible for product defects and security threats, with no incentive to invest in safer systems.”

Albrecht’s opposition paid off, and the draft was amended. Commenting for this article earlier this year, he said, “European cybercrime law was updated in 2013 and now includes harsher penalties if you, for example, run a botnet and not just hack into one computer. But we also have ensured that legitimate security testing is not criminalized, because this would undermine the internet's immune system.”

Drafting laws is difficult because legislators are continually subject to conflicting arguments. For anti-hacking laws, civil rights groups seek to protect personal freedoms while vested interests (such as intelligence agencies and the content industries) seek the maximum possible sanctions and the tightest possible terms. For data protection laws the roles are reversed: civil rights groups seek greater controls and higher sanctions while vested interests argue that light-touch legislation is necessary to foster investment and innovation.

However, because the most effective lobbying will always come from those with greater resources, it is reasonable to predict that anti-hacking legislation will, in general, be strict, whereas data protection legislation will be relaxed.

This leads many in the security industry to suggest that security researchers will need to find alternative ways to protect themselves if they wish to continue probing the internet’s weaknesses. “The legal sanction against hackers has to be very strong”, explains Eric Chiu, president and co-founder of HyTrust.

“Although it is difficult, we must somehow differentiate between the cybercriminal and the white hat researcher, even though both are initially doing the same thing.”

– Eric Chiu, president and co-founder of HyTrust

Bunker suggests that licensing might be the answer. “Licensing pen-testers would close the door to random 'hacking by researching' but would also keep people above the law – but perhaps there should also be another system, for example, via the NSA or FBI, around how an individual could disclose something without going public.” Another suggestion is that ethical hackers can protect themselves by limiting their research to those companies that offer a bug bounty: the offer of a bug bounty implies an invitation to probe that would be difficult to prosecute.

But it should also be said that there are those who do not believe a solution can be found in legislation. The problem, they contend, is a social one, and only a social solution can solve it. One of these is Ilia Kolochenko, founder and CEO of High-Tech Bridge, a penetration testing and computer forensics company located in Switzerland. For Kolochenko, the base problem is the wealth gap between the rich and the poor. 

“Young people today know that they are smart and skilled, but have no money and no future. But they see other people with no skills and no brain, but money and fast cars. They see that they can make many thousands of dollars every month by cybercrime; so that’s what they do.”

– Ilia Kolochenko, founder and CEO of High-Tech Bridge

Kolochenko does not believe that legislation will change this – and he has some support from the Obama administration’s application of the US espionage laws. Obama’s administration has prosecuted more whistleblowers than any previous administration, and has used the very strict espionage laws to do so. Whistleblowing, however, is increasing rather than decreasing: social pressures drive it more than legal pressures restrain it.

This social argument should not be dismissed out of hand. In January 2013, George Friedman, founder and CEO of intelligence firm Stratfor, described the potential for civil war in Europe driven directly by the EU’s ability to save the banks, but not the people. “It is difficult to see”, he wrote, “how continued stagnation and unemployment at these levels can last another year without starting to generate significant political opposition that will create governments, or force existing governments, to tear at the fabric of Europe.”

In January 2014, the World Economic Forum declared ‘severe income disparity’ to be the world’s fourth most serious risk, while ‘structurally high unemployment / underemployment’ is at number two, and ‘profound political and social instability’ comes in at number ten. By comparison, ‘cyber risk’ is not mentioned at all in the top ten global risks.