



Why it’s so hard to prosecute cyber criminals

Dec 06, 2016 (6 min read)
Cybercrime, Data and Information Security, Hacking

The bad guys are wreaking havoc. Why can't they be brought to justice?


We live in a world where internet crime is rampant. Cyber criminals steal hundreds of millions of dollars each year with near impunity. For every 1 that gets caught, 10,000 go free — maybe more. For every 1 successfully prosecuted in a court of law, 100 get off scot-free or with a warning.

Why is it so hard to prosecute cyber criminals?

Jurisdiction, jurisdiction, jurisdiction

This is the No. 1 barrier to prosecuting cyber crime. Most of the time, the person committing the crime is located outside of the country (or at least outside the legal jurisdiction of the court and prosecutors seeking the conviction). It’s hard enough to successfully prosecute a cyber criminal who operates in the same jurisdiction as the victim, and close to impossible when the two are in different ones.

Many times we successfully collect good legal evidence and even verify the identity and location of the cyber criminal, but we have no legal ability to arrest the person. We have mutual legal assistance and extradition arrangements with many allied countries, but many more countries don’t and won’t participate. China and Russia will never honor our arrest warrants any more than we would honor theirs.

We’re still learning how to prosecute

Our legal system, refined over centuries, was forged in the physical world for physical crimes. Internet crime is not even three decades old.

Localities, cities, and states have had a hard time figuring out what is or isn’t illegal in the computer world for a particular location, especially if the crime involves computers or people outside of their jurisdiction. For example, if porn is illegal in a particular locality but is served from a computer located outside that locality, is viewing it there illegal? Is it prosecutable? Some local court systems say yes, but many more say no. For that reason, most smaller entities leave it to the federal legal system to define and prosecute computer crime.

In the United States, most federal crimes are defined in Title 18 of the U.S. Code. Most Title 18 crimes could be construed to cover their electronic counterparts, but do so imperfectly. In 1986 Congress added a dedicated section, 18 U.S.C. § 1030, which has been amended many times since and is known as the Computer Fraud and Abuse Act.

The CFAA is the main U.S. federal law cyber criminals are prosecuted under, but many other laws can also apply depending on the situation, such as the Federal Wire Act and the CAN-SPAM Act. You can read a really good, but long, 213-page “summary” of U.S. federal computer crime law here. Of course, many localities, especially if they are large and populous, have their own laws that may apply.

It has taken decades for law enforcement agencies, legal systems, and juries to get up to speed on cyber crime. Law enforcement agencies have had to train their officers to recognize the various forms of cyber crime, how to collect and preserve related evidence, and how to hire and train specialized forensic investigators. Prosecutors, judges, and juries have to be educated as well.

It’s probably just now, after 20 years of cyber crime, that we’re beginning to understand how to successfully prosecute internet-related crime. That limited success shows in the continuous stream of cyber criminals arrested — and their networks shut down — on a regular basis, such as a takedown last week.

Most cyber crimes are not reported

The vast majority of internet crimes are never reported. I can understand why. Most people have no idea of where and how to report internet crime, and if they do, rarely does anything come of it.

To be honest, you could lose a ton of money — say, $50,000 — and most entities would have to spend many times that amount to try to recover it for you, if recovery were even possible. So when you call saying you lost $500 to a ransomware attack, perpetrated by a criminal that law enforcement probably can’t identify or touch, you’re probably not going to see resources assigned to the case beyond someone filing away your report.

Because most internet crimes are not reported, accurate statistics and evidence are hard to come by — even though they’re needed to help in a successful prosecution.

The difficulty of gathering legal evidence

Most of us think we’re capable of collecting evidence that might lead to someone’s identification and arrest. But would that evidence stand up in court?

Bulletproof evidence of cyber crime is hard to get. For example, suppose you have an accurate log file that shows an intruder breaking into your system. You can copy that log file and give it to the police, but rarely will it withstand the assault a defense attorney is likely to throw at it.

Here are some sample questions an attorney might ask in court: How do we know the log file hasn’t been tampered with? Who had the ability to access the log file? Is the time and date stamp accurate? How do we know? How do we know your computer system accurately detected the originating IP address — can’t IP addresses be faked? Was the log file originally written to write-once, read-only media? What has been the chain-of-custody of that log file since it was first created until now? What experience does the computer team have with obtaining legal evidence? And so on.
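Several of those questions (has the log been altered, who handled it, when) have a standard technical answer: hash the evidence at acquisition and keep an authenticated, append-only chain-of-custody record that every later handler extends. The following is an added example, not code from the article or from any law-enforcement tool; the custodian key, handler names, timestamps and the three sample log lines are constructed for illustration, and a real deployment would keep the key in an HSM or sealed store and take timestamps from a trusted clock.

```python
"""Chain-of-custody ledger for a collected log file: hash the evidence at
acquisition, then keep an append-only, HMAC-chained record of every handling
step so that later tampering with the file or with the record is detectable.
Added example; the key, names, timestamps and log lines are constructed."""
import hashlib
import hmac
import json
import os
import tempfile

GENESIS = "0" * 64  # prev_mac value for the first ledger entry


def sha256_file(path):
    """Stream the file so large evidence images hash without loading into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLedger:
    """Each entry records who handled the evidence, what they did, when, and the
    evidence hash. Entries are chained (each commits to the previous MAC) and
    authenticated with a custodian key, so neither a silent edit nor a dropped
    or reordered entry goes unnoticed."""

    def __init__(self, custodian_key):
        self._key = custodian_key  # assumption: held by the evidence custodian only
        self.entries = []

    def _mac(self, entry):
        body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def record(self, handler, action, evidence_sha256, timestamp_utc):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "handler": handler,
            "action": action,
            "evidence_sha256": evidence_sha256,
            "timestamp_utc": timestamp_utc,  # caller supplies a trusted clock reading
            "prev_mac": prev,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry["mac"]

    def verify(self, evidence_path):
        """Return (ok, reason): walk the chain, re-check every MAC, then confirm the
        file on disk still matches the hash recorded at acquisition."""
        if not self.entries:
            return False, "no acquisition entry"
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_mac"] != prev:
                return False, f"ledger chain broken at entry {i}"
            unsigned = {k: v for k, v in entry.items() if k != "mac"}
            if not hmac.compare_digest(self._mac(unsigned), entry["mac"]):
                return False, f"ledger entry {i} altered"
            prev = entry["mac"]
        if sha256_file(evidence_path) != self.entries[0]["evidence_sha256"]:
            return False, "evidence file no longer matches acquisition hash"
        return True, "ok"


# Constructed sample: a short SSH auth log showing a brute-force then a login.
SAMPLE_LOG = (
    b"Dec 01 03:14:07 web01 sshd[2117]: Failed password for root from 203.0.113.45 port 51022 ssh2\n"
    b"Dec 01 03:14:09 web01 sshd[2117]: Failed password for root from 203.0.113.45 port 51022 ssh2\n"
    b"Dec 01 03:14:12 web01 sshd[2119]: Accepted password for root from 203.0.113.45 port 51030 ssh2\n"
)
CUSTODIAN_KEY = b"example-custodian-key-not-for-real-use"  # constructed


def demo():
    """Acquire and hand off the log, verify, then append a line and verify again.
    Returns the two verify() results."""
    path = os.path.join(tempfile.mkdtemp(), "auth.log")
    with open(path, "wb") as f:
        f.write(SAMPLE_LOG)
    ledger = CustodyLedger(CUSTODIAN_KEY)
    digest = sha256_file(path)
    ledger.record("j.doe (responder)", "acquired copy of /var/log/auth.log", digest, "2016-12-01T04:02:11Z")
    ledger.record("a.lee (examiner)", "received sealed copy for analysis", digest, "2016-12-02T09:30:00Z")
    before = ledger.verify(path)
    with open(path, "ab") as f:  # simulate a line being added after acquisition
        f.write(b"Dec 01 03:20:00 web01 sshd[2130]: Accepted password for root from 198.51.100.7 port 40000 ssh2\n")
    after = ledger.verify(path)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The hash answers "has the file changed since collection", the HMAC chain answers "has the record of who handled it changed", and the timestamps and handler names are what a court asks for as chain of custody. What this cannot prove on its own is that the original host clock was right or that the logged source IP was not spoofed; those are answered by corroborating sources (NTP records, upstream flow data, provider records), not by the copy you hand to the police.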

Any time you hear about cyber criminals being arrested, realize that behind the scenes, many computer professionals and law enforcement officers with cyber expertise came together to ensure the evidence collected would hold up in court. Obtaining good evidence takes skill.

At wit’s end

I remember many years ago when I called to warn a woman that her identity was being used by cyber criminals. Apparently, she had been called by lots of people about this already, and was obviously thoroughly confused and disgusted by callers infringing on her privacy.

After I told her who I was and why I was calling, she yelled at me: “If you call me one more time, I’ll call the internet police!”

Little did she know how much we all wish there was a single, unified, cyber police force we could call.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
