(by Jordan Demo, Colorado Law 2L)
The recent Equifax breach affecting approximately 143 million people has led many to call for justice—but justice for whom? After-the-fact investigations have tended to focus on whether the targeted entities took sufficient or reasonable measures to protect their systems. But what is the process for bringing attackers to justice? How are attackers who take the personal information of companies and individuals held accountable? What can be done to help deter this kind of behavior?
The Difficulty in Prosecuting Cyber Criminals
- Jurisdictional issues arise in incidents involving the apprehension of attackers, particularly those located outside the United States. In many instances, attackers are located outside the United States or outside the jurisdiction of the American courts and prosecutors who are seeking a conviction.
- A related issue is legal collaboration with countries, such as Russia or China, to extradite attackers. Some of these efforts prove successful, while others do not.
- The legal system must also continuously adapt to catch attackers. Despite the global nature of the internet and attackers’ ever-changing and increasingly sophisticated methods of operation, the U.S. legal system relies on criminal laws that largely predate the internet, including the Computer Fraud and Abuse Act.
The Difficulty in Reporting, Under-Reporting and the Transaction Costs of Recovery in Cyber Crimes
- Security consultant Roger Grimes explains that “[t]he vast majority of internet crimes are never reported. Most people have no idea of where and how to report internet crime, and if they do, rarely does anything come of it.” This issue largely stems from the reality that many local law enforcement departments outside of large cities are ill-equipped to deal with cybercrimes such as bank fraud and identity theft. Many of them simply do not have the resources or proper training and protocols in place to help the general public with these issues. (The Department of Justice has issued guidance on the proper procedures for reporting crimes.)
- According to the FTC, only about a quarter of identity theft victims even report their incidents to law enforcement. This could be a result of individuals not knowing whom to contact, or it could be related to the transaction costs associated with recovery. Grimes notes that the transaction costs of going after a hacker who may have committed identity theft and fraud are not worth the time or money for the parties involved, because recovering funds commonly costs more than what was stolen in the first place.
Continuing Issues & Questions
- Nick Selby, a Texas detective who focuses on cybercrime issues, argues that the FBI taking the lead on cybercrime after 9/11 led to local law enforcement viewing cybercrime as a primarily federal issue. But the FBI may lack the time and resources to take on all cases. Is there a way to close this gap?
- The EU has established a joint task force to combat cybercrime in coordination with the US. But what, if anything, can be done to coordinate with countries that are often hostile or refuse to cooperate with the EU or US?
- Not all cybercriminals are overseas. Many of these incidents occur through social engineering such as a friend’s hacked email sending out phishing attacks to all their contacts, or a keylogger being placed on a public computer at the local library. What are some ways that we can continue to improve our security awareness to help prevent social engineering?