Why Do We Call It Cyber Crime If We Don't Treat It Like a Crime?

Linda Musthaler
By | June 30, 2014

Posted in: Network Security Trends

My subdivision outside of Houston, Texas has a monthly newsletter, and one of the features is the neighborhood police patrol report. It's mostly stuff like items being taken from unlocked cars or suspicious people or vehicles in the neighborhood. Every now and then someone reports identity theft or fraudulent charges on their credit card. I think to myself, "What a waste of time for people to report to the police that someone used their credit card to commit fraud. The police aren't going to do anything about that. It's better to call the bank."

As it turns out, those people are doing exactly what they should do in calling the police to report a crime. While our local law enforcement agency might not have the resources or expertise to investigate the fraudulent activity on the credit card, the agency needs to document the incident in order to measure the current rate of cyber crime. If we don't measure the crime rate, how do we know to allocate resources to the problem?

The Internet Crime Complaint Center (IC3) is a joint effort between the FBI and the National White Collar Crime Center. This agency that is set up to take reports of consumer cyber crime like identity theft, credit card fraud, malware infestations, phishing emails and more.

In 2012, the latest year for which statistics are available, IC3 received nearly 290,000 complaints from victims who reported total losses of $545 million. The FBI estimates that only 10% of all incidents are reported to IC3, largely because most victims never even think of reporting this type of incident.

Frankly, I'd be surprised if the figure is even as high as 10%. After all, the Global Payments breach affected some 1.5 million card holders in North America in 2012, and that is just one of many cyber crime events that year.

Earlier this year, Gary Warner gave a presentation at the TEDxBirmingham conference in which he challenged the conventional wisdom of cyber crime in America. Warner is a world-renowned researcher on cyber crime and has been recognized by the FBI for his exceptional service in the public interest.

If you can spare 14 minutes, you should watch Warner's very entertaining but informative presentation here:

http://www.youtube.com/watch?v=MPMr5jPwA7I

Warner challenges the commonly held notion that incidents like credit card fraud and malware infections aren't worthy of real criminal investigations by law enforcement. He says, "Why do we call it cyber CRIME if we aren't going to treat it like a crime?"

He relates a personal story of how someone in his family had $1800 worth of fraudulent charges on a credit card. He called the police to report the crime and the police told him to call his bank to have the charges taken off his account. Warner insisted that he wanted the police to investigate the crime and hopefully catch and prosecute the perpetrator. The law officer told him that was not likely to happen because the criminal was halfway across the country and the cost to investigate and prosecute someone would be more than the $1800 that was stolen.

Warner points out that he was probably not the only victim of this fraudster, and that it's important that all victims come forward and report the crime so that law enforcement at some point can connect the dots among the incidents and build a better case against the fraudster. Cyber crimes are not isolated incidents and we need to use the power of crowd sourcing to solve them.

If fact, in the U.S. we have 35 Electronic Crimes Task Forces (ECTFs) across the country that are specially trained law enforcement officers who support state and local agencies with resources and expertise. Cases of fraud and other cyber crimes from all over the country can be funneled into these centers so that experts can attempt to discover who is behind them.

In his TED presentation, Warner points out that we often blame the victims of cyber crimes, even if they did nothing wrong. It's especially true when a large breach happens to a merchant or other company. For example, we blame Target Corporation for its 2013 data breach, saying its computer defense systems weren't good enough.  Target is a victim here, so why do we suggest that the company didn't do enough to prevent a crime against it?

The Police Executive Research Forum (PERF) recognizes that cyber crime is changing policing. Criminals on the other side of the world are now a problem for people in our own communities. Most of the 18,000 state and local law enforcement agencies across the nation are challenged by a lack of staffing, funding and expertise when it comes to fighting cyber crime. This is where the national resources like the FBI, the Secret Service and the ECTFs are essential in helping the local agencies. At the same time, the National Computer Forensics Institute provides cyber training for local law enforcement and judicial officials—to help create expertise among police officers, prosecutors and judges.

As Gary Warner points out, cyber crime is indeed a crime and we should treat it that way, beginning with reporting incidents to police so they can be logged, tracked, measured and perhaps even solved.

You May Also Be Interested In: