There is NO Deterrent to Cyber Crime!
When charges are filed against hackers or other cyber criminals (yes there are other cyber criminals besides hackers), the announcement always includes the number of years in jail the accused will face if convicted. IE- If the Russians hackers responsible for attacking Yahoo! are found guilty, they will face up to 25 number of years in jail.
This statement is made as if it will somehow scare other cyber criminals into not committing crimes because they might face time in the Bighouse, the Slammer, the Pokie, or just prison.
Well guess what, the threat of jail time has no effect. Going to jail really does not scare cyber criminals.
(This is not a commentary on the penal system good or bad. It’s about cyber-crime, I promise)
Why does it have limited to no effect? It’s not because hackers and the lot are big bad tough guys/gals.
No, it’s because charges and jail time are resume builders.
Ill explain. Cyber criminals fall into two groups Domestic and International.
Starting with the latter, the International Cyber Criminals (ICC) do not fear US jail time because the likelihood of them going to jail in the US is very rare.
US law enforcement officials would first have to catch them, get them to the US via extradition, bring them to trial and get them convicted. I’m not going to go into detail of how difficult each of these steps are but I assure you they are near impossible.
By example in 2005, the cyber-criminal “Script” was identified as Dmitry Golubov. Charges were obtained, a warrant for his arrest issued but Script was in the Ukraine.
US Law Enforcement worked with the Ukrainians to get him arrested however, until 2003, hacking outside the Ukraine was not illegal. When it became illegal, the penalty was 5 years in jail or the equivalent of $1000 USD fine.
In Golubov’s case, a US arrest warrant was presented to Interpol seeking arrest and extradition to the US. Ukraine said no, they would arrest and try him themselves. And they did. Golubov was arrested charged and spent less than 6 months in jail. During a portion of his trial 2 members of the Ukrainian Congress testified on his behalf stating that sending him to jail was a detriment to the Ukrainian economy. (Think about that statement for a minute)
Golubov was released to his political career. (That does not mean he stopped hacking.)
In short, his actions as a cyber-criminal were benefiting the government, indirectly at a minimum, and being charged by the US served to increase his status and make him golden in the eyes of many. His charges became a badge of honor.
In other cases where the ICC actually came to the US, it was revealed that their life in jail was better than their life in their home countries. When/if jail life got too rough; the ICC would reach out to strike a deal with the US government. The ICC would work as an anti-cyber-criminal (not the same as good-guy) helping to identify other ICC’s in exchange for release from jail. Again, they would wear their charges and conviction as a badge of honor.
Therefore, in either case, staying at home or coming to the US, the ICC’s actually benefit from charges and jail time.
Now to the former, the Domestic Cyber Criminals or DCC’s. If you are a US based cyber-criminal and you are charged, arrested and convicted, you will go to jail. However, because you have a skill set and access to information the US government needs, your jail sentence can be dramatically decreased by helping chase other cyber criminals. In other words, switch from Blackhat bad guy Whitehat good guy and you can work off your time in jail.
DCCs have a great opportunity to become anti-cyber-criminals then the ICCs
Also if you, the DCC, does spend time in jail and are not a complete psycho, when you are released you are sought after by various firms because you have a skill set that they don’t and they need. They need you to help secure networks against your fellow ne’er do wells, for clients that are willing to spend big bucks.
So again, jail time is not a bad thing for DCC’s
Therefore, if jail time is not a bad thing then by definition it is not a deterrent.
This begs the question, how do we stop cyber-crime if there is no deterrent?
It is important to remember that deterring an action is not the same as stopping an action. Deterring means to dissuade an actor from the current course. (And for the record we will never stop cyber-crime. I covered that in a different article.)
Threats are one way of deterring action but informed protection is another, often more effective, way.
By example at some point in history, humans realized that if we lock our doors it helps deter people from coming in and stealing our stuff. We deployed informed protection in the form of a lock.
Sadly, in the cyber realm, more specifically in the personal cyber realm, which includes our homes, family offices, small businesses, etc., we have not learned that we must lock our doors nor, in many cases, have we learned how to even lock our doors.
Now don’t start screaming about security best practices and recommended cyber safety settings.
We do not learn because someone says “don’t do that, do this.” We learn by understanding why we should not do that and why we should do this.
Furthermore, understanding is not just have the basic facts. An example:
Cyber expert -Don’t have an easy password because bad guys can guess it and get into your computer.
Potential victim: Well how can they get in, don’t they need physical access? How can they see my files, what does it look like to them, what do they see on their screens, for that matter who are they, why are they doing this, how did they find me, why me, etc.?
All of these are valid questions that are rarely if ever answered. Which means, people do not understand!
If we want to deter cyber-crime we need to focus on real education about the how and why of cyber-crime. We need to make it so that cyber criminals do not have special knowledge that guarantees them fame and honor after they have been caught. Jail time cannot be a resume builder for hackers.
Since 90% of cyber-crimes involve the compromise of accounts with no technical hacking of systems, that is where we need to focus.
How are the accounts compromised and what is done with data once they access it.
In the grand scheme, the entry into a system is simply breaking and entering, often with no breaking. The burglary and sale/use of the stolen goods is the real crime.
It takes talent to break in but it takes a completely different skill set to profit from the break in.
Let’s start teaching and sharing publically how both are done. Let’s publish the recipe for the secret sauce.
Does doing so mean others might try? Yes
But if others know how to do it, then the supply of knowledge will increase meeting or exceeding the demand.
Thus, charged and convicted cyber criminals will not be a valued commodity in the market and jail time will increase its deterrence factor.
Hmmm, now that I have written this, maybe my premise is wrong.
There is a deterrent to cyber-crime!
Education is a deterrent. Unfortunately, we don’t seem to be using it very effectively.