Do the crime but never do the time.
The idea of good conquering evil is a staple of Western fiction, from novels and plays to movies and TV shows. In the vast majority of cases, you know the hero of the story is going to win in the end, because that's how it's meant to be. It's a nice thought, but in reality, that’s not the case at all: criminals nearly always get away with it – and nowhere is that more evident than with cybercrime. Although the authorities have succeeded in capturing hackers in the past, the vast majority of cybercriminals never face any consequences for their actions. What makes it so difficult to catch them?
Jurisdiction
Most cybercrime originates from abroad, with China, Russia and the USA among the top offenders. Not only does this make it more difficult to identify hackers, it means the police can’t apprehend them anyway – not without appropriate authorisation, at least.
Of course, it might be mutually beneficial for governments to work together to help reduce cybercrime, but that generally isn’t what happens. For a start, most nations don’t like leaving their citizens at the mercy of foreign justice systems, and without extradition treaties in place, the authorities in other countries tend to be uncooperative. There’s even less reason for them to help each other when you realise that a good proportion of cybercrime is state sponsored.
The sad reality is that if hackers are based in foreign countries, there is almost no chance of catching them.
Proxies And Other Technology
Careful cybercriminals will go to great lengths to hide their identity and their location. As well as using online pseudonyms known as ‘handles’, they will often do business on the dark web, which makes it hard to track them. Furthermore, they might use VPNs and proxies to hide their true IP address, which makes it extremely difficult to find out where they’re really located. The company that provides the proxy or VPN will usually have the real IP address in their records, but if it’s not willing to voluntarily share this information, the authorities will need to get a court order to compel it to do so. If the company is based abroad, that could be next to impossible.
Inadequate Laws
You can’t charge people with crimes if their actions have never been defined as criminal before. That’s why it’s so important for new laws to be introduced, to keep up with the latest technology. Before the introduction of the Computer Misuse Act 1990, for example, in the Regina versus Gold and Schifreen case of 1987, two hackers were charged under the Forgery and Counterfeiting Act 1981. Despite hacking into BT’s Prestel service, there was no specific law that outlawed their actions, so this law was used instead.
Sometimes, this kind of strategy works, but in this case, the hackers won their case on appeal and were acquitted, because their crime simply did not fit the law that was used to prosecute them.
Today, cyber crime laws are much more fleshed out, but they’re relatively new, and they’ll no doubt need to be updated again in the future.
Lack Of Reporting
One of the main requirements of General Data Protection Regulation (GDPR) is that companies need to report cyber breaches in a timely manner. The problem is that businesses are often reluctant to admit they’ve been hacked. It makes them look bad, and it can put off potential customers.
So despite GDPR, it’s likely that many hacking cases are still going unreported. Because of that, the authorities can’t even begin to look into these cases, and although the chance of catching criminals is always slim, not reporting crimes at all makes it non-existent.
Consequences For Businesses
Cybercrime is big business. One estimate in 2018 put the global profit total at a whopping $1.5 trillion. With so much money to be made and so little chance of being caught, it’s easy to see how cybercrime is likely to thrive in future. For businesses, that means protecting themselves is going to be ever more important. In addition to cybersecurity and disaster recovery technology, firms should also give consideration to cyber insurance, which can help to recover any financial losses incurred through breaches.
Governments and law enforcement agencies still have a part to play, of course, and it's important that they continue to improve their strategies for catching criminals. However, it's unrealistic to expect them to do it all for us. Individuals and businesses have to take security seriously if they don't want to become the next unfortunate target for hackers.
