Cybercriminals know no borders and cybercops know them all too well. While the bad guys operate in relative safety from countries such as Russia and China, law enforcement is hamstrung by a lack of trained personnel and resources, poor or nonexistent international cooperation and preoccupation with traditional crime and physical terrorism.
The conclusions of McAfee's 2008 Virtual Criminology Report: Cybercrime vs. Cyberlaw, are somewhat dispiriting. Drawn from the findings of more than two dozen international security experts, the report describes a world in which pockets of undermanned cybercops with little or no hope of bringing criminals to justice.
The volume of malware, PCs in botnets and malicious and compromised websites increased dramatically this year, relying on massive, inexpensive, automated attacks, rather than ingenious new techniques, for the most part.
Listen to the interview:
Online fraud perpetrators are also finding clever ways to launder their money, using non-bank payment services, such as e-gold, to make it harder for investigators to "follow the money." They also set up accounts with their proceeds and have associates in another part of the world withdraw the money as profit or reinvest it in other criminal activities or spam campaigns.
Taking a cue from drug traffickers, cybercriminals are enlisting people as "mules" to launder money transactions, generally without realizing they are part of a criminal enterprise. They are recruited for some fake job, such as international sales representative, and receive payments from fraudsters, which they then transfer internationally in exchange for a small commission.
Recruiting mules is easier in a down economy, as people are more willing to turn a blind eye to make money. The report emphasizes -- no surprise here -- that people are more likely to fall prey to fraudulent schemes in tough times.
identity theft keeps law enforcement, researchers occupied: An expert on cybercrime and online
scams, Derek Manky, is one of the members of the Fortiguard research team.
Who's fighting the spyware operators? There are plenty of malicious hackers who use spyware to gather others' personal data, so why aren't these cybercriminals behind bars?
The report expresses hope that regulatory requirements and the need to curtail fraud losses will prompt financial institutions to maintain security spending, but this may be offset by the cost of combining IT infrastructures in the rash of sudden, large-scale mergers.
Regardless of the economic climate, cybercrime fighting is chronically hampered by almost insurmountable obstacles. Cybersecurity remains a low priority, as governments generally don't take the cybercrime threat seriously, despite organized campaigns like the Russian attacks on Estonia and Georgia. Car bombs and attacks with grenades and automatic weapons, understandably, get a lot more serious attention.
Police are generally ineffective, largely because they haven't kept pace with the digital age. They lack the expertise to gather evidence and prepare and present it at trial, even though many cybercriminals leave plenty of evidence behind if you know where and how to look.
In the McAfee report, Peter Sommer, visiting professor at the London School of Economics' Information Systems Integrity Group, said the problem isn't a lack of evidence.
"The problem is that there aren't enough well-trained investigators, prosecutors and judges to use it effectively," he said.
In the courts, where penalties are traditionally imposed based on damages, the extent of damage caused by cybercrime is hard to assess, and it's tough to get victims involved. Individuals often don't realize what's happened, and businesses -- breach disclosure laws notwithstanding -- are generally reluctant to go to court.
With the exception of a handful of well-supported spectacular cases, law enforcement rarely bags Internet crime kingpins; most of those arrested are low-level mules who probably can't point the way up the criminal chain of command, even if they are willing to do so.
And, there is strong suspicion that top-level Internet criminals enjoy a certain level of immunity in their countries.
For example, Dmitri Alperovitch, director of intelligence analysis and hosted security at Secure Computing Corp. (recently acquired by McAfee), implies that Russin President Vladimir Putin and the Federal Security Service are protecting Russian cybercriminals.
"The right people now know who the Storm worm authors are," he said. "It's incredibly hard because a lot of the FSB leadership and Putin himself originate from there, where there are a great deal of people with connections in high places."
"Criminal behaviour has always received political cover from governments," Alana Maurushat, acting academic director of the Cyberspace Law and Policy Centre of the University of New South Wales in Australia said in the McAfee report. "Quite often, those with the expertise and technical skill set that governments require to successfully handle tasks, are often hackers themselves."
Government tolerance or even collusion aside, there's simply a general lack of international coordination and cooperation. The Council of Europe Convention on Cybercrime, which the report describes as "the only international agreement that covers all relevant areas of cybercrime legislation," has been ratified by only 23 of its 45 signatories since it was drafted in 2001 (the United States is the only country among seven non-member signatories to ratify).
Further, the convention is quite dated, the report says. Phishing, identity theft and "the virtual crime world" have emerged since 2001.
"While we don't need a new model law, we could have added protocols to deal with new issues," said Marco Gerke, professor at the University of Cologne and UN and Council of Europe expert on the Cybercrime Convention.
Even if international law were on sounder footing, however, coordination, cooperation and even simple communication is too unsure and too slow to respond to criminal attacks.
"The convention is a good guide for legislation. Operational needs now trump the need for new law," said Ferenc Suba of CERT in Hungary.
Law enforcement is bound by national borders, making it very difficult for local police to prosecute Internet crime.
"The law is irrelevant to most cyberhackers – they can operate out of anywhere," said Mary Kirwan, a former cybercrime prosecutor in Canada. "The reality for law enforcement is that if you want them to act as speedily and effectively as the international cybercrime community, you need to give them the tools. If the hackers share all their information, and businesses and governments share none of their information, you can imagine which does better."