A Friday Rant on Cybercrime Legislation

Posted on 21 October 2011 by


We’ve been, you’ve noticed, real quiet for about a month. That’s because both Dave and I have been not just slammed, but over-slammed on investigations of various sorts. Not making any excuses, but you get what you pay for.

Right now Dave is preparing to do some more work at CSG Analysis on some law enforcement technology, and we’re pleased as punch to have partnered with one of law enforcement’s most forward-thinking agency administrators on some upcoming research. More on that reasonably soon.

I spoke this past week at the SecTor Canada security conference, one of the best. I was truly honored to be on the same bill as luminaries like Brian Krebs, Mikko Hypponen, Sean Bodmer, Mike Smith, Kai Axford, Dave Mortman, Mike Rothman and a whole list of others. It was a great time.

On Monday I was speaking to a law-enforcement-only room about some of the attacks against police networks we’ve covered here: lessons learned and the like.

Then on Wednesday I was talking about how companies can work with law enforcement when they’re hacked, and why they don’t, and what can be done about it. I’ll put up links to the presentations (there’s audio available so you can watch the presentation and hear the commentary, I’m told) when they’re made available.

Why People Don’t Call The Po-Po
One of the guys there was questioning legislation, which brings me to an interesting idea I’d like to get some feedback on.

If we look through the proposals for updates to cybercrime law (have a look here for examples), from the over-broad and relatively meaningless National Security Council Strategy to Combat Transnational Organized Crime to Shouting Senators Baying For Cybercrime Legislation, we see that for the most part, the proposals fall into the category of, “Oh,-CRUD,-some-of-my-constituents-got-cyber-robbed-and-I-better-get-something-DONE-dammit”. This means that we get some real whirly-gig doozies of cyber-stinkers like the dunderheaded idea that lengthening sentences for computer intrusions is worth the paper it’s printed on.

The problem is not that the sentences are insufficiently severe, the problem is that no cops other than a small number of feds are empowered, prepared and trained to investigate, and also that the number is so small that triage means that less than 0.01% of cyber crimes are ever investigated, let alone prosecuted.

It is because of this lack of judicial experience in cyber crime cases that lawmakers are getting really, really crappy advice about what legislation should be doing to help in the fight against cyber crime.

The problem with cyber-legislation, therefore, is that it is not being driven by demands by judges and juries and prosecutors and cops and city officials and stakeholders for better clarity into the issues and better tools with which to do the job, but rather by chest-pounding lawmakers seeking to “do something”.

The knee-jerk reaction is in most arenas, of course, a highly effective proactive tool, but in cyber law, it’s particularly ridiculous.

Let’s talk crime for a moment: someone comes into property which is not theirs, takes property which does not belong to them and monetizes it by selling it. In fact, there’s nothing particularly new about cybercrime other than the vector – the windows they break and the silverware they take. Yet cops, DAs and judges are so vexed by the vector that they can’t see the simple fact that there are laws on the books against crime – even against cyber crime.

They just don’t have the training in articulating the facts, nor the understanding of the systems or even the property values. We need that.

Right now, the FBI rushes in and takes forever to get very, very few convictions. Don’t get me wrong – they’re wicked smart, but they’re hopelessly outgunned, and the high-profile arrests represent the teensiest, eensiest percentage of the actual levels of cybercrime out there.

Non-federal cops need support from the criminal justice mechanisms out there to investigate cyber crime on local and state levels.

Oh ho! naysay naysayers, you don’t have jurisdiction.

In fact, we do. For example, crimes against Texans, or those which transit Texas in their commission, can be investigated by Texas cops – end of story. It’s just that the cyber crime investigation and prosecution is so painful and horrible, no one wants to investigate it. That is stupid, and deprives our citizens who are victims of cybercrime that the FBI won’t get excited about – stuff under, say, $100,000 – of justice.

The hell with that.

The wheels of justice do turn slowly, but here they’re even slower because of all the maladroit congresspeople trying to “help” with cyberlegislation written by technological Troglodytes who can’t update their iTunes without the help of an aide who’s under 30 and has an IQ of greater than 110. With training and support, cops and prosecutors can start making cases and then – and only then – will they see the true limits of the current legislation.

Then – and only then – can they be in a position to make informed suggestions to lawmakers about the legal tools they need to combat cybercrime. This legislation can’t be imposed from the top down, by leaders just as clueless as the rest of us as to what is effective. This legislation must be driven by the unmet needs of the legal system.

But it’s okay – we only have to go through this if we want cybercrime legislation with any hope of addressing cybercrime.