Dr. Maria Bada Explains the Challenges of Cybercrime Prosecution in AI Era
Dr. Maria Bada, Cambridge Cybercrime Centre, explains the intricate nature of global cybercrime, its prevention and prosecution under international and national law.
Dr. Maria Bada, Senior Research Associate at the Cambridge Cybercrime Centre, University of Cambridge
Dr. Maria Bada is a Senior Research Associate at the Cambridge Cybercrime Centre, University of Cambridge, where she focuses on interdisciplinary research bridging psychology and cybersecurity. Prior to this role, she was a Senior Research Fellow at the Global Cybersecurity Capacity Centre at the University of Oxford.
Her research focuses on the human layer in cyber security and cybercrime, mainly on the impact of cybercrime on society as well as looking at the cybercrime ecosystem and the ways that cybercriminals form their communities, their characteristics and how they function. Moreover, she is conducting research on profiling of cybercriminals, trying to understand their pathways into cybercrime. Additionally, she focuses on the effectiveness of cybersecurity awareness campaigns for school learners, SMEs and the public and their impact in changing online behaviour.
She is a member of the National Risk Assessment (NRA) Behavioural Science Expert Group in the UK, working on the social and psychological impact of cyber-attacks on members of the public. Moreover, she is a member of the Steering group of the London Digital Security Centre, launched by the Mayor of London as a joint venture with the Metropolitan Police and City of London Police, a member of Europol EC3. Also, she is a member of the British Psychological Society and the British Counselling Society.
1. What is a typical profile of a modern cyber criminal?
There is a variety of profiles of modern cybercriminals. Therefore, I cannot claim that there is a distinct profile. There are certain stereotypes that cyber offenders are male, at a particular age, with specific technical skills, from divorced families for example. Also, there is research showing a relationship of specific personality traits or psychological state to criminality.
However, most cybercriminals display some or most of the following characteristics:
a) technical knowledge
b) disregard of the law or rationalisations about why specific laws are invalid or should not apply to them
c) high tolerance for risk or need for the “thrill factor”
d) enjoyment in manipulating others
e) a motive for committing a cybercrime (e.g. monetary gain, political or religious beliefs, sexual impulses or even for fun).
Often, the prime motivator for the majority of cybercriminals is not only easy profit, but also curiosity. Moreover, other motives can be sexual impulses, political motives, monetary profit, revenge, anger or also serious psychiatric illness.
2. Why do some people choose the "dark side" and become cybercriminals?
There are many reasons why someone would choose the “dark side”. Young cybercriminals are often studied as they represent a particularly vulnerable group online.
One of the main motivating factors, for example, is financial profit. Almost anyone can be motivated by money - the young, old, male, female, those from all socio-economic classes etc. Another reason for becoming a cybercriminal is political and religious beliefs. Often people are committing serious crimes in the name of those beliefs. For example, this is the most common motivator for cyberterrorists, but also motivates many lesser crimes, as well. Additionally, the most destructive cybercriminals often act out of emotion, whether anger/rage, revenge, "love" or despair. This category includes cyber-stalking, terroristic threats, email harassment, unauthorized access, disgruntled or fired employees (defacement of company web sites, denial of service attacks, stealing or destroying company data, exposure of confidential company information), dissatisfied customers and so forth.
Moreover, younger cybercriminals and especially teenagers may hack into networks, share copyrighted music/movies, deface web sites, not necessarily out of malicious intent or any financial benefit, but simply "because they can". They may do it to prove their skills to their peers or to themselves, they may simply be curious, or they may see it as a game. Although they don't intentionally do harm, their actions can cost companies money and cause individuals grief.
3. What can be done to prevent young talents from breaking the law?
Communication and education programmes can help young people to understand the consequences of involvement in it. In the UK, the Home Office works alongside the police and NCA with local groups, such as local authorities, schools, youth workers and youth offending teams, to develop educational resources which will explain what organised crime looks like.
There are also initiatives from the Police to prevent young talents from breaking the law. Often teenagers might not realise that their actions will have consequences and in these cases, initiatives such as the City of London Police ‘Cease and Desist’ programme notify teenagers to stop a specified action and refrain from doing it in the future. The aim is to visit individuals who have been identified as being involved in the fringes of cybercriminality and advise them to desist from their activities. The law enforcement agency will enrol teenagers who have been found committing cyber offences onto a programme designed to stop them from entering serious crime. Teenagers who have been served with cautions or cease and desist orders are also invited to attend a workshop at the NCA as part of its Prevent scheme.
Moreover, there is another initiative called the “weekend camp” for offenders which was held this year as part of the National Crime Agency’s (NCA) work with young computer criminals. The two-day residential camp reinforced messages about using technical skills responsibly and called on industry professionals who gave talks about jobs in cyber-security.
What is necessary is understanding the risk factors for being drawn into cybercrime, and this could help shape prevention and intervention initiatives but also lead to the identification of suitable individuals for specific prevent interventions.
4. How can SMEs and individuals defend themselves against skyrocketing cybercrime?
The increase in cybercrime has hit all cross-sections of business, but one group that is increasingly targeted is that of Small-to-Medium sized Enterprises (SMEs). As highlighted in a Barclaycard survey in 2016, almost half of these businesses have been victim to at least one cyberattack and 10% have experienced more than four attacks over that same period. One potential reason why attacks against SMEs have grown is lax corporate cybersecurity. Unlike large organisations, they often struggle due to a lack of awareness, expertise and resources. Often small businesses see cybersecurity as a top business priority and do not necessarily invest in improving their website’s security.
An area of particular concern for SMEs is that of encouraging good security behaviour by employees. Developing a strong security culture could address many of the behavioural issues that underpin data breaches in such companies. Employee education is an essential part of the support supplied by the UK’s National Cyber Security Centre (NCSC) to small businesses. In particular, it aims to ensure that public and private sector organisations have access to appropriate information to defend themselves, as well as to define what ‘good’ cybersecurity practices (technical and otherwise) look like for businesses.
There have been many efforts in the UK to assist SMEs in achieving levels of cybersecurity, for example through the UK government’s Cyber Essentials Scheme, the GetSafeOnline.org and other similar informational sites that provide cybersecurity guidance specifically for use by SMEs. Additionally, the London Digital Security Centre (LDSC) was set up and funded by the Mayor’s Office for Policing and Crime, and represents a partnership with the Metropolitan Police, the City of London Police, Mayor’s Office for Policing and Crime and industry experts. The Centre is aimed at supporting SMEs in England’s capital via the provision of a tailored security assessment, education and awareness programme (LDSC, 2017).
When it comes to individuals, the challenges are similar. Users are not aware of the risks online and do not have the necessary skills to protect themselves by taking prevention measures. Another relevant point is the fact that people may know the answer to awareness questions, but they do not act accordingly in their real life. Simple transfer of knowledge about good practices in security is far from enough. Knowledge and awareness are a prerequisite to change behaviour but not necessarily sufficient, and this is why it has to be implemented in conjunction with other influencing strategies.
5. Which role should government play in digital protection of its citizens and companies?
The role of the government is crucial in digital protection of citizens and companies. However, creating laws isn't the only way the government can push for greater security. This is the tendency that we often see nowadays. Often governments reply to cybercrime with strict legislation.
There will be more pressure on governments to act, even as society struggles to keep up with the pace of change, let alone to consider the long-term implications of today’s choices. Governments need to prepare for changes in the economy, especially in traditional industries most challenged by technology. Certainly, there is a need to review existing laws to strengthen the legal framework in dealing with emerging cybercrimes. However, it is important for governments apart from their infrastructure to ensure the education and awareness of citizens. Governments cannot do it alone. Cybercrime can be fought collectively. And citizens need to be aware of the risks they can face online, the measures they need to take, the sensitivity of their data and so on.
Additionally, the role of the private sector is crucial. Governments will have to build public-private partnerships to proactively mitigate cyber risk.
6. Do you think that new laws, such as GDPR, may bring unnecessary over-regulation, costs and complexity as a collateral effect?
GDPR is essentially an update of existing EU data protection laws. The new legislation aims to make personal data more secure in the face of rising cyber-crime. It also gives people more power to control their own data.
In my opinion this regulation was necessary. However, for example SMEs are far from ready for the GDPR. Some small businesses that gather, process and store personal data will need to audit their existing framework and make changes where necessary. For instance, if a business relies on computer networks and digital storage, it will need to make sure it has taken strong measures to prevent data breaches; this could mean investing in better cyber-security solutions, training staff to be more web-savvy, and implementing policies that aim to stop leaks from within the organisation. Because of the right to access subject - which gives consumers greater power to access their stored data - SMEs may face additional costs. Many small businesses think that GDPR doesn’t apply to them or lack GDPR awareness. This can lead to receiving fines, depending on the gravity of the violation.
7. How big is the risk of nation-state and state-sponsored cybercrime today?
Information security professionals expect to face more nation-state attacks (state-sponsored cyberattacks) in the coming year. And with cybercriminals increasingly expanding their targets to include businesses, that could be a concern for banks and other financial institutions.
Global ransomware attacks are increasingly linked to nation states, with the lines between politics and crime often blurring. Key ransomware attacks include the so-called WannaCry and NotPetya malware, which infected hundreds of thousands of computers around the world in 2017, demanding that users pay ransoms to regain access. It is very important to focus attention on this issue and understand both the risk and consequences of potential cyber actions by nation state actors. The risks and subsequent mitigation of risk are different than in the physical world.
8. What are the main challenges in international investigation and prosecution of cybercrime?
The main challenges in international investigation and prosecution of cybercrime are mainly the differences in legislation. Despite the existence of international legislative instruments, differences in domestic legal frameworks and international instruments often prove to be a serious weakness to international criminal investigation and prosecution of cybercrime. There is mainly an incomplete translation of international instruments to domestic law. And this is the case for many countries.
The evolution of the cybercrime threat landscape is rapid and often the adaptation of legal frameworks is slower. Therefore, this can cause challenges in criminalisation of conduct and provisions to investigate cybercrime and gather e-evidence. Moreover, the lack of harmonisation of operation processes such as the Mutual Legal Assistance process and the lack of forensic-technical standards for the collection and transfer of e-evidence can lead to challenges. Additionally, there is a need for the legal requirements harmonisation for conducting online investigations, monitoring criminal activities online and collecting evidence online.
9. Do you see AI as an enabler for cybersecurity or rather a risk for humanity, particularly if used by bad guys?
Machine learning and artificial intelligence (AI) are being applied more broadly across industries and applications than ever before as computing power, data collection and storage capabilities increase.
Machine learning is powerful in its own right, though, and the approach is a natural fit for antivirus defense and malware scanning. Similarly, machine learning has become indispensable in the fights against spam and phishing. However, the role of machine learning is additive rather than having a cure-all role.
AI cannot be left to its own devices. It needs human interaction and “training” in AI-speak to continue to learn and improve, correcting for false positives and cybercriminal innovations. Though many machine learning tools have already shown promising results in providing defense, researchers almost unanimously warn about the ways attackers have begun to adopt machine learning techniques themselves. And more of these types of attacks are on the horizon.
Another present threat to machine learning is data poisoning. If attackers can figure out how an algorithm is set up, or where it draws its training data from, they can figure out ways to introduce misleading data that build a counter-narrative about what content or traffic is legitimate versus malicious. For example, attackers may run campaigns on thousands of accounts to mark malicious messages or comments as "Not Spam" in an attempt to skew an algorithm's perspective.
These might include automated hacking, speech synthesis used to impersonate targets, finely-targeted spam emails using information scraped from social media, or exploiting the vulnerabilities of AI systems themselves, the report states. AI could facilitate the rise of highly believable fake videos and intelligent bots, which could be used to manipulate news, public opinion, social media and elections. Finally, AI could be deployed to hijack drones and autonomous vehicles, which could then be used in attacks or to hold critical infrastructure to ransom.
10. How can we facilitate women leadership in cybersecurity?
In my opinion there is a lot of work to be done for this. Women are underrepresented in the cybersecurity field and also progressively underrepresented as they climb each rung of the professional ladder.
The culture of working in cybersecurity is one that demands long hours, late nights, and often frequent travel. Without the proper and supportive network, it is highly unlikely that women who come in this field can stay long.
Therefore, it is necessary to encourage more women into cyber security early on. Adding cybersecurity into the school curriculum and promoting cybersecurity as an attractive profession for women can lead to young girls deciding to follow this path. This can also lead to minimising the big gap of cybersecurity experts in the market. Additionally, offering women equal opportunities to rise to senior leadership roles is important.