Criminal Law
The Challenge of Cybercrime
Susan W. Brenner is NCR Distinguished Professor of Law & Technology,
University of Dayton School of Law, Dayton, Ohio.
E-mail: <Susan.Brenner@notes.udayton.edu>
Website: <http//ww.cybercrimes.net>
Introduction
Cybercrime poses great challenges for law enforcement and for society
in general. To understand why this is true, it is necessary to understand
why, and how, cybercrime differs from traditional, terrestrial crime.
Disrespect for National Boundaries
One characteristic of cybercrime is its disrespect for national boundaries.
As a report issued several years ago noted, effective law enforcement
is hampered by the
"transnational nature of cyberspace. Mechanisms of cooperation across national borders
to solve and prosecute crimes are complex and slow. Cyber criminals
can defy the conventional jurisdictional realms of sovereign nations,
originating an attack from almost any computer in the world, passing
it across multiple national boundaries, or designing attacks that appear
to be originating from foreign sources. Such techniques dramatically
increase both the technical and legal complexities of investigating
and prosecuting cyber crimes."
Cyber Crime . . . and Punishment? Archaic Laws Threaten Global Information, A Report
prepared by McConnell International (2000).
<http://www.mcconnellinternational.com/services/cybercrime.htm>
The "Love Bug"
Another characteristic of cybercrime is that the conduct at issue may
not be illegal. See Susan W. Brenner, Is There Such a Thing as Virtual
Crime?, 4 California Criminal Law Review 1 (2001). <http://www.boalt.org/CCL/v4/v4brenner.htm>
In May 2000, the "Love Bug" virus raced around the world in
two hours and caused billions of dollars of damage in over twenty countries.
It was quickly traced to the Philippines, where FBI agents and local authorities
identified a suspect. But since Philippines law did not criminalize virus
dissemination, it took days to get a warrant to search his apartment,
giving him time to destroy evidence. Then there was the problem of prosecution.
The perpetrator could not be charged locally because virus dissemination
was not a crime in the Philippines; since virus dissemination was not
a local crime, he could not be extradited for prosecution in the United
States, where it was a crime.
Extradition treaties require "double criminality," i.e., require
that conduct be a crime in the jurisdiction where it was committed, as
well as in the jurisdiction seeking to extradite an offender. So, the
"Love Bug" virus affected millions of computer users in more
than 20 countries, causing billions of dollars in damage, but no one was
ever prosecuted for disseminating it.
Multiple Victims
Yet another characteristic of cybercrime is the differential scale of
"harm" that can be inflicted. Traditional crime is generally
a one-to-one transaction, i.e., it involves one perpetrator and one victim;
while perpetrators can offend serially, they can commit only one "crime"
at a time. See Susan W. Brenner, Toward A Criminal Law for Cyberspace:
A New Model of Law Enforcement?, __ Rutgers Computer & Technology
Law Journal ___ (2003). Cybercrime is different because it is automated
crime. Whereas a nineteenth century fraudster would have to defraud Victim
A, then Victim B, then Victim C, and so on, an early twenty-first century
cyberfraudster can automate the process, defrauding many victims simultaneously
and with essentially the same effort. This is a trend that will only accelerate.
According to one expert, we will see the rise of "crime in a box,"
i.e., automated crimes each of which is a
"ready-to-use crime -- from the selection of a victim to the perpetration of the
misdeed and the covering of the perpetrator's tracks and identity -- that
is packaged in a single computer program. . . . When the program is
executed, it automatically commits the crime and removes any damning
evidence (including itself) before the victim can blink an icon. The
creator of an automated crime can package it, test it in real environments
and pass it on to any number of unknown perpetrators. The perpetrators
can then execute the crime to attack any number of victims' computers
without the creator's -- or even the perpetrators' or victims' -- further
involvement."
Donn Parker, Automated Crime, Information Security (1999). <http://www.infosecuritymag.com/articles/1999/autocrime.shtml>
Perfect Anonymity
The concept of "crime in a box" illustrates two other characteristics
of cybercrime: One is anonymity; in the real, physical world, perpetrators
can don masks and otherwise attempt to disguise themselves, but they can
never achieve perfect anonymity. It is difficult, if not impossible, to
disguise one's height, weight, sex and vocal characteristics, and
it is equally difficult to avoid leaving some sort of trace evidence at
a crime scene. Perfect anonymity, and perfect pseudonymity, are easily
achievable in the cyberworld; a man can be a woman, a woman can be a man,
a child can be an adult, a foreigner can pass for a native, all of which
makes the apprehension of cybercriminals that much more difficult.
"Script Kiddies"
The second characteristic of cybercrime illustrated by the notion of "crime
in a box" is that, contrary to popular perception, one need not be
a particularly sophisticated computer user to be able to launch cyberattacks
and commit cybercrimes. Many attacks are carried out by "script kiddies,"
individuals, often juveniles, who use programs written by others to commit
cybercrimes. They may not understand how the program works, but all they
need to know is how to launch it. See, e.g., Know Your Enemy: The Tools
and Methodologies of the Script Kiddie (2000), <http://project.honeynet.org/papers/enemy/>
Conclusion
Cybercrime is different, and because it differs in these and other ways
it poses great challenges for law enforcement. Since it is transnational
crime, nations must adopt adequate, consistent laws outlawing the emerging
varieties of cybercrime; this measure addresses the "Love Bug"
problem and helps avoid the specter of "cybercrime havens,"
i.e., countries that have, by decision or by default, failed to outlaw
cybercrime. The possibility of cybercrime havens is of great concern to
law enforcement, since they can be used to launch attacks upon businesses,
citizens, and governments in other nations. Another essential tactic for
combating cybercrime is to ensure that law enforcement agencies around
the world can cooperate quickly to preserve essential evidence and to
track and apprehend perpetrators.
In an effort to promote the achievement of these goals, the Council of
Europe promulgated a Convention on Cybercrime; parties to the Convention
pledge to adopt laws outlawing specific types of cybercrime and to take
such "legislative or other measures" as are needed to ensure
that their law enforcement personnel can cooperate with law enforcement
personnel from other countries in the investigation of cybercrimes and
the pursuit of cybercriminals. See Council of Europe, Convention on Cybercrime.
<http://conventions.coe.int/treaty/EN/cadreprincipal.htm>