There are many social and criminology theories that can explain the rise in cybercrime. Rational Choice Theory puts it down to a cost-benefit analysis, so if the gains for the criminal outweigh the risks to them, crime will increase. Routine Activity Theory says that crime is attributable to the convergence of three factors, i.e., the presence of motivated offenders, the presence of suitable targets and a lack of suitable guardians. Personality models such as OCEAN can explain crime in the sense of the characteristics of offenders and victims, as can the Online Disinhibition Effect.
But there’s much more than theory here. We can explain the increase in cybercrime by reference to hard facts, but when we do, you’ll be able to spot some of the issues that the theories point to. So, key reasons for the growth include:
The global nature of cyberspace, which means that cybercrime can be conducted from anywhere in the world. This breaks the usual physical proximity between offender, victim and law enforcement agencies, so a victim in the UK can be targeted by a global criminal population and the offender can be out of reach of the police. Add in geo-political factors, which provide safe havens for criminals, and problems in the international legal system, such as in the field of extradition and mutual legal assistance, and you can see how a rational choice can favour the criminal.
Technology itself is the root cause of the growth – we’re talking cyber, after all. This can be looked at in many ways, such as developments in the speed, sophistication and automation of attack tools, through to the fast pace of tech development and deployment that builds in vulnerabilities that criminals can exploit, through to the way that tech can provide anonymity. Anonymity-enhancing or anonymity-preserving tools such as Tor, VPNs, VMs, proxies and end-to-end encryption of secure communications all help the criminal to disguise their identity.
We also need to bear in mind increased connectivity. The IoT, smart cities, connected cars and the like constantly add to the pool of targets, creating more opportunities for the criminals, due to the expansion of the attack surface.
That leads to the issue of attribution. If you don’t know the identity of the criminal, then who are you going to arrest? This is central to the success of the overall process of criminal justice. The attribution problem is compounded by false flag operations and the mixing of the criminal “gene pool” within the cybercrime marketplace, which causes loss of identity.
The cybercrime marketplace has many features that contribute to crime growth. For example, bulletproof hosters and grey infrastructures help to protect the criminal and increase their operational resilience against law enforcement takedowns. Other features include the “Crime as a Service” (CaaS) model and its many variants, such as Ransomware as a Service and Access as a Service. These models lower the barriers to entry into the world of crime for new, would-be cyber criminals. For example, a low-skilled new entrant can pay for access to ready-made attack tools and launch an attack without having to acquire real hacking skills. Prior to the development of CaaS, cybercriminals had to invest in the acquisition of skills and building of tools, which suppressed the growth in crime levels due to the “lead time”.
CaaS has also enabled cybercriminals to specialise. For example, at the top of the ransomware criminal ecosystem there are “Mr Big” type characters who develop attack models and tools for renting out to “affiliates” who perform the actual attacks. Mr Big then takes a share of the proceeds. This model enables them to scale and invest in building better attack tools and provides them with a degree of resilience against apprehension, because the features of an attack are no longer uniquely linked to a specific gang or individual, meaning that attribution is harder. All of this provides growth momentum for crime.
Another feature of CaaS is the “gig economy”. Cybercriminals can build a regular pipeline of work by selling their skills and services to others, who assemble them within an attack model. This also adds to the slickness and resilience of crime models, adding to growth. They can go from job to job without delays or interruptions in their criminality.
Cryptocurrency is arguably one of the most influential contributors to cybercrime growth, because it enables the proceeds of crime to be laundered in larger amounts and at lower risk than through the centrally governed financial system. Add in mixers, tumblers and privacy coins and proceeds of crime can be moved without fear of identification. This also means that people operating in a gig economy can be efficiently and safely paid, which underpins the growth and resilience of the criminal supply chain in the gig economy.
The idea of targets and guardians is represented by the behaviour of people and organisations operating online and the protections they deploy. All of this comes down to security hygiene. The more we put and do online, the bigger our risks are and the easier crime is for the offenders. Personality models also come into play; thus an extrovert character might reveal more about themselves for social engineers to exploit. Again, we have to keep in mind the quality of the technology that we use, particularly IoT devices that have not been designed from a security perspective, through to failures to quickly patch vulnerabilities.
Let’s also keep in mind crime reporting. There are many reasons why people do not report crime, ranging from ignorance of the crime occurring (which might be a detection problem, or a lack of understanding of what constitutes an offence) through to disillusionment in the police. This means that risks are reduced for the criminal, because they’re not on the police’s radar.
Then we have other problems in policing, law enforcement and criminal justice, to add to the pile. Think about the challenges of acquiring digital evidence on a global stage, processing and analysing the evidence and ensuring that it is of prosecution quality in terms of maintaining data integrity and adherence to chain of custody rules. Then multiply that by crime volumes and reflect on skills and resource needs and shortages: the problem will be obvious.
Finally, we have the concept of crime itself. Crime is a social construct and what constitutes crime differs over time and across countries. Thus, deviant behaviour online isn’t necessarily always criminal and it takes time for the law to catch up with developments. We’ve seen this recently in the upskirting/downblousing debate and the stance taken by the Online Safety Act shows they were not always ready to criminalise bad behaviours. This factor filters into many of the others, such as at the geo-level and also in crime reporting.
It doesn’t sound great, does it? That’s because it’s not. If we look at things this way, we get back to Routine Activity Theory: if we’re not going to control cybercrime effectively through the law enforcement and criminal justice route, we need to build up our resilience through better security hygiene. That will introduce more suitable guardians (better passwords, more AV, less clicking on bad links etc.) and so will reduce the body of suitable targets.
Useful reference materials
"The future direction of cybercrime and the difficulties of digital investigations: a rationale for a review of digital investigation specialise evidence" by Angela Mison, Gareth Davies and Peter Eden, University of South Wales, provides a great overview of many of the issues discussed above, including the "gig economy" concept. You can find it on Google Scholar.
"Ransomware as a service: understanding the cybercrime gig economy and how to protect yourself" by Microsoft Threat Intelligence provides a super overview of the rapidly evolving nature of this cybercrime. Access it here.