February 16, 2021

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

The classic TV Drama Dragnet was famous for Lieutenant Joe Friday’s straight forward instruction to witnesses “Just the facts Ma’am

So, let’s look at the facts with respect to cybercrime. The World Health Organization (WEF) currently estimates cybercrime as having revenues over $2 Trillion dollars a year. That’s  Trillion with a T

That’s roughly the same revenues as the United Kingdom – the worlds 10th largest economy – and the cybercriminal nation is arguably better organized that the United Kingdom.

Cyber Crime Magazine’s recent study indicates at the current rate of growth the impact of cybercrime by 2025 will be over 10 Trillion a year.

That will make cyber-crime nation roughly equivalent to the 4th largest world economy by annual revenue.

The FBI’s budget  to fight cyber-crime is currently less than $500 hundred million – that’s million with an M – fighting againsta cybercrimeenterprisewith annual revenues over two trillion – that’s trillion with a T.

Best estimates are that we currently successfully prosecute less than one half of 1% of cyber criminals – that’s down from a full 1% a decade ago – largely due to the growth in the number of cyber criminals.

Just the facts Ma’am.

In earlier posts we identified the core reason for the prevalence of cybercrime, that being all the economic incentives favor the attackers. Cyber-attacks methods are cheap, easy to acquire, enormously profitable and the business model is great.  Defenses , on the other hand are burdened with virtually always being in a reactive state, having to pitch a perfect game against attackers while protecting an increasingly vulnerable system of systems and along with the  challenge that it’s hard to demonstrate return on investment for defensive measures.

We will discuss policy changes to address these inequities in subsequent posts, but presently we will concentrate on the other main driver of cybercrime – lack of effective law enforcement.

It’s imperative to be clear at the outset that the problem does not lie with the law enforcement personnel.    As illustrated by the statistics cited above our law enforcement personnel  are competing with a sophisticated and resilient enemy, and one that often that has nearly unlimited resources – including at times collaboration with state actors.

Due to the stealthy nature of modern attack methods, just detecting the attack and uncovering the crime can be difficult. Once the attack is discovered agents may have to deal with numerous mechanisms criminals use to hide their identity such as through virtual private networks VPN’s and proxies. A court order to search may be required further delaying the investigation. If the perpetrator is overseas, as is often the case, it can become even more difficult to obtain the warrant. There may also be jurisdictional issues especially if the case is international and so extradition may be required. This creates its own problems as we will discuss in subsequent posts. Law enforcement is also tasked with obtaining and safely storing the digital evidence needed to bring a case against these criminals. Obtaining and handling electronic evidence is an expensive and rigorous process.

These expenses include personnel costs, licenses, and equipment. Any wrong move on how the evidence is handled and a defense attorney could have the evidence thrown out. Many such law enforcement departments are behind the curve in handling this electronic evidence and this kind of training is not yet part of the core curriculum in police academies. Finally, prosecution can be hampered simply because statutes can be confusing or even simply inadequate because legislators have not kept up with the digital environment

No, the accountability for the failure to adequately address cybercrime lies squarely with public policy and those in charge of developing it. Even proponents of  cyber regulation such as Clarke and Knake in their Fifth Domain book acknowledge that “Government’s role will be limited to support the private victims of cyberattacks with law enforcement information sharing and diplomacy.” (we will address the failures of information sharing and diplomacy in subsequent posts). But law nforcement is clearly a governmental responsibility.

While these complexities help explain why criminal enforcement is difficult, they don’t explain why these conditions have persisted for decades without a comprehensive plan by government to address the situation and action to implement such a plan. 

Funding for cyber law enforcement clearly has not been sufficient to meet the constantly growing gap.

The inadequacy of this government commitment is in stark relief when we realize that some individual corporations have a larger cyber security budget than the whole FBI– just for their one entity, JP Morgan Chase has a cyber budget of $600 million. In 2020 the Auto industry, not often thought of as on the cutting edge of digital defense, anticipates spending just under $5 billion dollar which would be roughly five times the size of the Departmental Homeland Security’s budget for cybersecurity.

Obviously lack of adequate funding is not the only problem that needs to be addressed in beginning to rectify our completely inadequate cyber law enforcement effort.

Join the Rethink Cybersecurity Community click here