Cybercrime and Punishment

Like everyone else, law enforcement is expected to perform miracles of efficiency. But it's not all about financial analysis: there is no such thing as victimless crime.

Like everyone else, law enforcement is expected to perform miracles of efficiency. But it’s not all about financial analysis: there is no such thing as victimless crime.

 I spent a couple of days last week at the National Cyber Crime Conference in Sheffield*, UK.

I was invited there to talk about those PC support scams that have been raising my blood pressure for a while. (That’s a topic I’ll be returning to sooner rather than later.) While I very much enjoyed the opportunity to raise the issue with such a highly influential group of law enforcement representatives, it was also a great opportunity to indulge my natural curiosity as to what the recent political announcements on measures to counter cybercrime mean in practice, in the part of the world I actually live in.

If you’re interested in the bare bones of the conference put on by the Association of Chief Police Officers (ACPO) and the Police Central e-crime Unit (PCeU), you can get the basic info about the central event – that is, the formal rolling out of three regional e-crime hubs in Yorkshire & Humber, the North West, and the East Midlands – from articles by Dan Raywood and/or John Leyden. I want to talk about some of the detail, though. (I made a lot of notes, so I'll probably be back with commentary on some of the other issues that caught my attention.)

In a depressed economy in a (fairly) liberal country (i.e. one where law enforcement's primary concern is not necessarily the maintenance of the political status quo), the public sector is at least as susceptible to budgetary restriction and cost/benefit analysis and monitoring as anyone else, being expected to perform miracles of efficiency. So it’s not surprising that the cost effectiveness of the PCeU was a topic that came up time and time again in presentations. And cost-effective it does indeed seem to be: a major driver here is the reduction of financial harm to the UK economy, and the target of saving £504 million pounds in four years looks not only achievable, but on course to be very comfortably exceeded. The unit’s Financial Harm Reduction Report claims a harm reduction figure of £140 million over the period 1st April – 30th September 2011, the equivalent of 1:35 ratio of cost to harm reduction. In other words, the unit achieved a little less than 28% of its four-year performance target in six months.

I don’t claim to have looked in detail at all the calculations that underpin the report, but it’s a fascinating insight into investigations into criminal operations like the Ghostmarket forum, a late and unlamented resource for those with an unhealthy interest in activities such as carding, auction scamming, and even bomb making. An investigation (Operation Pagode) into that group claims a conservatively estimated Police Costs to Harm Reduction Ratio of 1 : 73. Operation Dynamophone, an investigation into banking and credit card phishing, claims a 1 : 19 ratio, while the more generic Operation Papworth claims an extraordinary ratio of 1 : 6622.  

But it’s not all about cold financial analysis: a motif that occurred time and time again in the course of the conference was that ‘cybercrime is not victimless crime’. I’ve no idea how or if the attacks by ‘ColonelRoot’ on the web hosting company ‘Punkyhosting’ were factored into the calculations relating to the Organized Criminal Group behind Ghostmarket, but  the use of material from Andrew Laws’ blog gave a very appropriate expression to the voice (literally – Andrew wasn’t there in person) of just one victim, talking about how he was affected personally both by the attacks and by the subsequent trial of Zachary Woodham and Louis Tobenhouse. As AV researchers, we tend to focus on the bits and bytes of malware and other attack methodologies: it’s not a bad thing to be reminded occasionally that the real-world impact on victims is a matter of psychological and personal financial damage, not just prevalence statistics and cost/benefit analyses.

*No, the photograph isn't Sheffield, it's the building in London now called the Norman Shaw Building, which used to be New Scotland Yard, headquarters of the Metropolitan Police. I just happen to think it's far more photogenic than 10 Broadway, the building now called New Scotland Yard and to which the Met HQ moved in 1967. (Photograph used by permission of Small Blue-Green World.)

ESET Senior Research Fellow

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center