Fresh Thoughts #38: “You're on your own.”
- Newsletter
The government and law enforcement are not going to save you from cybercrime.
This was the blunt message from Sandip Patel KC.
While this may sound hysterical, Sandip has experience. In his time as a prosecutor, he secured convictions for high-profile cybercriminals, including:
- Jake Davis - the LulzSec administrator from Shetland, Scotland
- Renu Subramaniam - the DarkMarket administrator
- Glenn Mangham - the hacker who stole Facebook's source code
So why did he say this?
There's a hidden intractable problem behind cybercrime. According to the ONS, 61% of fraud has a cyber element - the highest level since recording started in 2016.
And to prosecute a crime, law enforcement needs to follow the evidence. Each piece linking to the previous to form a coherent story. Any break in the evidence thread and the crime can't be prosecuted.
So for fraud and cybercrime investigations, there's a lot of computer evidence to collect. (I'll cover how time-consuming computer forensics is another day…) But what if the evidence isn't in the UK?
If you've used a VPN to watch a Netflix show restricted to a specific country, you'll know how easy it is to appear in another country.
While rules, regulations, and laws are constrained within national boundaries… the internet is not. Victims of cybercrime can be in the UK, but the criminal can be anywhere in the world.
Foreign criminals can appear to be in the UK.
UK criminals can appear to be in a foreign country.
To get evidence from a different country, you have to ask...
And herein lies the problem.
For some countries, you'll get nowhere. Their societies and legal systems are built differently. They're ideologically different.
Countries like the US, the UK, and Western Europe are built around the idea of liberal western democracy - where individual rights are cherished above those of the state.
In China and Russia, the exact opposite is true. Marxism-Leninism ideology holds that the collective state is more important than any one individual.
So as Carl Miller from Demos said in his presentation just before Sadip spoke - “There's zero risk being a hacker in Russia targeting UK [individuals].”
There's a reason Edward Snowden went to China and then on to Russia.
But what about friendly countries? The good news is you can get evidence, but it's slow. Really slow.
Taking one of the friendliest international relations - UK-US - it takes months of diplomacy to receive evidence. MLAT (Mutual Legal Assistance Treaty) is an international process for over 70 countries to request evidence from the US. On average digital evidence takes 10 months to be received, and paper evidence takes even longer.
Which means investigation teams are locked into prosecutions for years. From a purely time and effort view, it's clear that only the most significant and high-profile criminals can be investigated this way.
But at least the biggest cybercriminals will get the longest sentences. Right?
Well going back to the convictions Sandip Patel secured:
- Jake Davis (LulzSec) - Convicted of denial of service attacks against SOCA, Sony, CIA, News International, and Westboro Baptist Church amongst others. He was imprisoned for 38 days - having been tagged for 21 months before his court appearance.
- Renu Subramaniam - Administrator DarkMarket the “Facebook for fraudsters”, received four years and eight months in prison for mortgage fraud - tangentially related to DarkMarket.
- Glenn Mangham - who stole the source code for Facebook, received an 8-month sentence and served 4 months.
It always takes much more effort to prosecute a cybercriminal than they will receive in prison. Which makes it seem that prosecuting cybercrime is a vocation rather than a legal strategy.
So where does that leave you (and me)?
We're on our own. Together.
October 25, 20223 Minutes Read
