
To tackle cybercrime, we must understand complexity.
Cybercrime is a form of Organized Crime with which we are getting uncomfortably familiar. Thousands of Canadian websites were offline this month due to a cybersecurity threat. Media coverage suggests nearly 60% of Canadians have been targeted by cybercrime and warns of an ongoing “epidemic of cybercrime”. Contrary to the Robin Hood image they like to maintain, internet-based Organized Crime defrauded the pandemic emergency support system, and more than half the known ransomware victims were critical infrastructure providers, including healthcare providers. Clearly, internet-based Organized Crime has a significant and increasing impact on our modern lives.
Studying recent publications on cybercrime reveals how essential characteristics of complexity allow cybercrime to flourish. I am going to use insights from systems thinking and complexity science to discuss some of these characteristics and their significance.
Diversified but interconnected operations are a significant characteristic of cybercrime. Numerous interconnected but independent criminals utilize a wide variety of internet-based crimes to exploit opportunities created by our increasingly virtual lives. Some abuse victims directly, but others prosper from contributing to the ever-growing cybercrime marketplace. Just as outsourcing and internet-based services have transformed legitimate businesses, the “crime-as-a-service” business model is revolutionizing Organized Crime.
Modern online retail offers a good comparison. Today, anyone can become a retailer with minimum skills and equipment. The physical location and official place of business become a strategic choice as goods and services are bought and sold in online marketplaces and delivered by fulfillment warehouses. Various platforms process payments from anywhere and deliver them to anywhere in the world. Connecting services and products worldwide allows retailers to make the best of opportunities created by a constantly evolving global market.
Similarly, anyone can become a cybercriminal with minimum skills and equipment by combining legitimate and illicit services. Cybercrime services for different skill levels, such as ransomware, fraud, malware and money laundering, are readily available on the dark web. Criminal use of legitimate services such as payment processing and encrypted communications allows knowing and unknowing providers to partake in a lucrative grey market for cybercrime. Criminals pick their combination of tools and services or buy into ready-to-run solutions.
Successful behaviours emerge as autonomous actors strive to adapt and advance their practices. Because everyone involved is interconnected, numerous factors influence the emergence of successful behaviours—cybercriminals, victims, potential victims, authorities and the general public influence each other’s behaviour.
For instance, cybercriminals have learned that the greatest profits are made off financially capable victims who cannot afford to lose their data or have it leaked. Consequently, ransomware attackers are now targeting such high-value targets in a rising trend called “big game hunting”. The potential for immense gains is a powerful attractor for other cybercriminals and has created a lucrative market for those able to contribute to the hunt. Abusing human emotions and behaviour remains an effective method for breaking into systems. The pandemic, which has forced millions of individuals with varying technical proficiency to work remotely, facilitates such manipulation. Access brokers use social engineering fueled by legally and illegally obtained personal and corporate information to uncover weaknesses of optimal targets and sell access to their systems.
The autonomy of the interconnected operators makes cybercrime resilient. Enforcement actions that catch individuals have a limited impact on the overall operation. One’s downfall becomes another’s opportunity as new criminals replace those captured by law enforcement. Even when law enforcement authorities take down key Organized Crime platforms, the interconnectivity of the autonomous actors allows them to self-organize anew. This resiliency is evident in the quick replacement of illicit online marketplaces such as the Silk Road and encrypted communications platforms such as EncroChat. The consequences for individuals are dire, but the overall impact of law enforcement actions on cybercrime is minimal in the long run.
The same characteristics of self-organized autonomous actors also make cybercrime extremely adaptable. The independent actors can at any time decide to change their behaviour to what they deem more beneficial for them. The famous butterfly effect, the claim that a butterfly flapping its wings can change the path of a tornado, explains how minor changes can have great consequences.
Cryptocurrency is an example of a butterfly effect in cybercrime. Payment collection has long been a barrier for cybercriminals due to the risk of authorities tracking payments. Cryptocurrencies such as Bitcoin offered an easy and untraceable method for receiving payment from victims. The invention of cryptocurrency was probably not influenced by cybercrime. However, this initially minor change revolutionized online-based Organized Crime. The untraceable transfer of funds made already easy online crimes enormously profitable and fueled the ongoing and constant evolution and advancement of cybercrime.
Cybercrime has many characteristics of a complex problem, only some of which I have discussed. Understanding that Organized Crime is complex and not complicated is critical to developing effective approaches to address the plague. Most people use these two words interchangeably, but there are critical differences. Experts can solve complicated tasks following appropriate processes because cause and effect are predictable. However, complexity is unpredictable and uncontrollable and consequently can only be managed, not solved. The most common mistake in tackling complex problems is to address them as if they were complicated.
The punitive-focused approach authorities are deploying to address online-based Organized Crime suggests they fail to recognize its complexity. Targeting individual actors or groups has limited impact and often brings unintended consequences. The slim chance of getting caught means the lure of enormous illicit gains far outweighs the minor deterrence of punishment. The Council of Europe informs us that only a fraction of cybercriminals gets caught. Furthermore, Europol reports that despite authorities’ best efforts, more than 98% of the proceeds of crime remain in the hands of criminals. Meanwhile, events that significantly impact cybercrime, such as the emergence of cryptocurrency and actions for preventing the spread of COVID-19, are beyond the influence of the criminal justice system.
Successfully addressing the complexity of cybercrime requires a holistic approach. A cooperative effort of all stakeholders is necessary to tackle all the elements that contribute to the success of cybercrime. Prioritizing prevention over prosecution allows for greater transparency, information sharing and cooperation. Successful prevention increases the risk of detection and decreases profits, reducing the attraction and increasing the deterrence of swift, certain, and severe punishment. Subsequently, other more beneficial attractors should draw the bright minds involved. Perhaps then these brilliant minds could become attracted to tackling an even more important and intractable problem: climate change.