My “Cybercrime” Isn’t Your “Cybercrime”

This article was originally written for TripWire.

Talk to cybersecurity experts about cybercrime on their network, and they will mention malicious activity like scans, attacks, events, and incidents. Probably at some point, they will slip into geek-speak with a vast array of confusing acronyms and jargon while explaining tactics and techniques by referencing infamous attacks, Internal protocols, and industry shorthand.

Talk to federal law enforcement officers about cybercrime, and they will probably mention the Computer Fraud and Abuse Act (CFAA), unauthorized access, trespass, copyright, identity theft, and other varying statutes and laws. The local officer has her own local laws, statutes, and codes specific to her jurisdiction as well as different types of cases her Chief or Sheriff defines as cybercrime.

What does this mean? It means that my “cybercrime” isn’t necessarily your “cybercrime.” Sometimes, “cybercrime” means malicious activity, and sometimes it means illegal activity.

To add confusion, there is also cyber-enabled crime and cyber-native crime. Cyber-enabled crime is traditional crime abetted or facilitated by the use of cyber tools or means. Malicious and illegal activities under this category are often described as scams and frauds or involve the use of digital devices like phones or computers. Cyber-native crimes are those that cannot be committed outside the digital domain such as network intrusions, cryptocurrency mining, and malware. (Cyber-native crimes may also be referred to as “cyber dependent.”)

Think of these as different approaches to cybercrime best illustrated in a quadrant.

Approaches to Cybercrime Cyber-enabled crime Cyber-native (dependent) crime
Malicious cyber activity Doxing someone; Identifying targets for home robberies via social media; Using online street maps to plan a bank robbery Writing malware code; Scanning a network for vulnerabilities or open ports; Failed credential stuffing attempts
Illegal cyber activity Identity theft through misconfigured and exposed databases Computer/network access and trespass (AKA intrusions); Malware deployment

Why Does this Matter?

Different definitions of cybercrime serve different purposes – one referring to the intent of the activity regardless of its legal status and one referring to the legal status of the activity regardless of its intent. (Although, admittedly, intent is often considered in decisions to prosecute or not.) Add in the complexities that, in some instances, agencies consider only cyber-native crimes as true “cybercrimes,” while others include both cyber-native and cyber-enabled crimes. This means that your “cybercrime” may not be my “cybercrime.”

Terms of service violations showcase the most obvious disparity between “cybercrime” definitions with companies considering violations to be malicious cyber activity, although the justice system may not be able to successfully prosecute. The U.S. Supreme Court’s recent decision in the Van Buren case highlights the struggle of differing definitions. Van Buren successfully appealed his CFAA conviction for selling data that he retrieved from a database he had lawful access to, and the Supreme Court agreed that he did not exceed “authorized access” under CFAA. In this and similar cases, network defenders would classify the activity as malicious and thus “cybercrime,” although it is not illegal.

Taking this differentiation a step further, consider cybercrime statistics. The Federal Trade Commission (FTC) tracks malicious cyber activity statistics grouped by types of activity: fraud, identity theft, and other complaints. Similarly, other governmental bodies (Canadian Anti-Fraud CentreAustralian Cyber Security Centre, and UK Action Fraud and Cyber Crime Reporting Centre) and private companies do the same, although they use different terms and different definitions of “cybercrime.”  As a result, cybercrime statistics are rarely comparable across jurisdictions or agencies.

Challenges

To study cybercrime as a whole, it becomes important to understand what each report, statistic, and jurisdiction is discussing to enable the comparison of reports and statistics. This unreasonably forces cybersecurity experts to understand the complex crime, case, and jurisdictions of the criminal justice system where the definition of what is illegal can change based on a court decision. In contrast, justice personnel are forced to understand the technical nuances of a report and then be placed in the uncomfortable position of having to explain that the malicious activity cannot be prosecuted because it does not violate cyber laws.

Moving Forward

Attempting to standardize the definition of cybercrime into one of the four quadrants is not a reasonable objective. Instead of trying to force a single, fixed definition, the community needs to recognize and incorporate the different understandings of cybercrime. The first step of this is determining which approach your organization or agency uses and should use. Internal conversations to determine scope will provide a clear understanding of responsibilities for both the cybersecurity and physical security staff as well as for researchers, analysts, and others supporting cybersecurity experts.

From that understanding, the next step is to ensure that you have the right tools, processes, and procedures in place for your definition of cybercrime. These might range from training and education programs to support prevention efforts, technical deployments to prevent and remediate incidents, and the development of appropriate contacts, intelligence sources, and incident response plans.

Conclusion

Change is inevitable, especially in cybercrime. As a community, we must move beyond relying on implicit definitions of “cybercrime” and assuming that everyone is speaking about the same activity to a more nuanced approach that acknowledges the differences and uses them to improve the conversations. Our job is protection, and regardless of whether we accomplish that through keyboards, handcuffs, or both, understanding each other’s definitions will further all efforts to fight cybercrime.

 

About the Author: Stacey A. Wright, CISSP, is the Vice President of Cyber Resiliency Services at the non-profit Cybercrime Support Network (CSN), where she supports CSN’s mission to assist individuals and small businesses before, during, and after a cybercrime incident. Stacey leads projects to assist the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in developing the Cyber domain for the National Information Exchange Model (NIEM) and the development of the international Cyber Classification Compendium. She works with multiple partners and stakeholders around the world, particularly in state and local governments as well as in law enforcement.