- Jul 21 2016
Cybercrime poses a significant challenge to law enforcement agencies worldwide. While it is perhaps no longer a novelty, the ways in which criminals exploit technology are evolving at an increasingly rapid pace, causing serious concern to law enforcement. The latest developments in technology are being adopted by cybercrime networks to shape new, unique and innovative modus operandi with little time lag. The information infrastructure is increasingly under attack by cyber criminals. The number, cost and sophistication of these attacks are increasing sharply. Most of these attacks are transnational by design, with victims spread throughout the world, necessitating multi-jurisdictional or transnational investigations.
All studies and trend analyses suggest exponential improvements in the scope, sophistication, number and types of attacks and their economic impact. The clear and present threat of criminality in cyberspace needs to be addressed by strengthening the country’s cybercrime investigation and detection capabilities. This paper proposes a training methodology to meet the challenges peculiar to cyberspace and development of a platform to harmonise cyber skillsets for investigators to respond to, and prevent, cybercrime.
Described as stealthy, technically complex, tenacious, well-financed and motivated by profit or strategic advantage, the spectrum of cybercrime defies every periphery. The cop-and-thief technological arms race remains an enduring paradox of this digital terrain. Criminals across the globe unfailingly strive to counteract innovations in hardware and software cyber bulwarks.
The approach to tackle cyberspace is presently based on building more defenses. This approach, which in isolation creates little or no deterrence, is of little use unless it is complemented with effective action through the criminal justice system to prosecute the offender.
There is gross under-reporting and/or non-registration of cybercrimes in India. Not many cases relating to malware attacks, ransomware, bitcoin thefts, hacking, and other cybercrimes are taken up for investigation by law enforcement agencies. This indicates a lack of confidence on the part of victims in the capabilities of law enforcement as well as on the part of law enforcement agencies themselves. Experience has taught us that building more defenses, in isolation, is of little use unless sound deterrence is built through an effective criminal justice system. It is imperative that the country’s cybercrime prevention and detection capabilities are strengthened.
Another trend being witnessed globally is the reliance on disruption-based strategy rather than prosecution-based strategy. This trend emerges from difficulties in attribution in cyberspace due to a myriad of factors, both policy-based and technology-based. These difficulties have led to the adoption of disruption-based approaches like “take-downs” and “active defense”.
1. An Evasive, Invasive Threat
At the dawn of the 21st century, the fast evolution of communication technologies propelled the ‘cyberisation’ of the global society. Exploited repeatedly for different illegal ends, cyberspace demands that digital crime investigators broaden their expertise on anti-cybercrime strategies. Cybercrimes often affect the daily life of the general public and instances of phishing, ransomware, Nigerian frauds, online credit card frauds, hacking, pornography, child pornography, data theft, source code theft and identity theft have risen sharply in the last few years. Cyber criminals are using tools of global reach such as botnets. Millions of unique IP addresses are functioning as botnet command and control servers. On 9 April 2015, an INTERPOL-coordinated operation took down the SIMDA Botnet, which was impacting more than 770,000 computers in more than 190 countries.
The future cyber threat landscape will certainly be complex. Based on the sophistication of the country’s adversaries, both state and non‐state actors, it is hard to imagine what this threat landscape will look like in 10 or 20 years.
1.1. Inventive and Brazen
The cyber threat landscape holds a wide belt of opportunistic actors ranging from nation-states to highly organised criminal syndicates to loosely coordinated lone black-hat hackers. Complicated encryption, malware deployment, and anonymisation are among the many tactics in their playbook to carry out quick and untraceable cybercrimes. Deterring these cyber-savvy adversaries will require investigators to attain similar levels of sophistication.
Cybercrime is the fastest growing area of crime. More and more criminals are exploiting the speed, anonymity and convenience of the internet to commit a diverse range of transnational criminal activities. New types of cybercrimes are emerging all the time, with their impact on the global economy running into billions of dollars. In the past, cybercrime was committed mainly by individuals but now, criminal organisations work with technology experts willing to outsource their expertise to them. These highly organised cybercriminal networks bring together individuals from diverse sectors and jurisdictions in real time to commit crimes and vanish without a trace.
The cybercrime network is expanding, strengthening and, increasingly, operating like any legitimate, well-organised and sophisticated multinational business network. Seasoned cyber criminals can even thwart the response of the law enforcement agencies. They use a large number of the latest illegal tools, such as exploit kits and malware. However, they also use legitimate tools. Darknet and crypto currencies are anonymity tools they use to hide their identities and trails.
1.2. Overlaps of Cybercrime
The plurality and mesh of Internet-of-Everything devices has transformed cybercrime into dynamic, distributed models with a global reach. The advance of cybercrime will further blur threats unique to internal and external security as well as direct and indirect consequences of this crime genre. Other key convergences include the large intersection between cybercrime and other crime areas and the interoperability involving different jurisdictions to conduct cybercrime investigations and trials. Investigators could maintain a shared understanding of digital gadgetry technicalities to mitigate these limitations.
1.3. Future Cybercrimes
The unprecedented volume, variety and velocity of cybercrime may present a greater challenge to next-generation global policing. Greater digital asymmetry between offenders and police, decentralised underground isles, hybrid criminal networks and unfamiliar or improved variants of undetectable botnet may arise. Faced with new communication devices and programmes that are self-destroying and mediums of social (and web) media, investigators will have to be up-to-date about fast-changing cybercrimes.
Combating cybercrime and traditional IT security could draw on different knowledge and skill bases. Yet, conventional training approaches like instructor-led or web-based classroom workshops, online collaborative software and e-Learning modules are frequently utilised to prepare security practitioners.
As per the 2014 report of the Indian Computer Emergency Response Team (CERT-In), CERT-In handled 130,338 cyber security incidents in 2014, which included website defacements (25,037), website intrusion and malware propagation (7,286), virus/malicious code (4,307), network scanning/probing (3,317), spam (85,659), phishing (1,122) and others (3,610). Several of these attacks can be traced to IP addresses outside India. Hacking of websites is a criminal offence as per the Indian IT Act. While the figures in the CERT-In report were a minuscule fraction of the total cyber security incidents in India, more surprising figures come from police statistics.
The ‘Internet Security Threat’ report released by Norton (Symantec) in April 2015 estimated 42 million cybercrimes occurring in India every year. The report says 80 people fall victim to various cybercrimes every minute across the country. The report said 7 percent of the estimated global price tag of cybercrimes is incurred every year in India.
As per the National Crime Record Bureau (NCRB), 2,876, 4,356 and 7,201 cybercrime cases were registered under the IT Act in 2012, 2013 and 2014, respectively. Further, 3,477, 5,693 and 9,622 cybercrime cases were registered under the IT Act and Indian Penal Code (IPC) put together in 2012, 2013 and 2014, respectively. According to NCRB figures, Delhi Police registered only 226 cases and arrested 56 persons under the IT Act and IPC put together in 2014.
Currently, police-recorded crime statistics do not represent a sound basis to assess the impact of cybercrimes. In fact, the reported cybercrime figures are just a very small fraction of actual cybercrimes. A large number of countries view police statistics as insufficient for recording cybercrime. Police-recorded cybercrime rates are associated with levels of specialised police capacity rather than underlying crime rates. Studies have revealed gross underreporting of cybercrimes to law-enforcement agencies (LEAs), the reasons for which have been attributed to two broad factors:
- Fear of reputation loss
- Lack of confidence in the cyber capabilities of LEAs
As far as hacking of websites is concerned, the reason for non-reporting cannot be fear of reputation loss, as the fact of hacking would already be public. The reason can therefore be attributed to:
- Non-reporting due to lack of faith in capabilities of LEAs
- Non-registration due to lack of confidence in LEAs’ own capabilities
Both these factors highlight the need for capacity-building of LEAs.
The need for skills to work in cyberspace is being realised for all forms of crime, as most of the crimes have some element of cyberspace to an extent that even in a case of suicide, we have to check digital media for any suicide note or other relevant information. Therefore the training requirements have increased.
Large class sizes, different learning styles of users, refresher courses with outdated and non-operational content and the lack of immersive practice and post-training assessment could act as drawbacks of such rigid, pedagogic environments. Presenting low-risk and realistic interactions, immersion training technology brings the learning out of classrooms. Such adaptive training environments offer hands-on experiences that enrich analytical and technical skills of investigators and their situational (or risk) awareness of cybercrimes.
Traditional modes of training through books, boards and PowerPoint/PDF-based approaches are not very suitable for training to combat cybercrime. There is a need for more practical training, something based on simulated environments. However, given the volumes involved, the proposed methodology should be scalable.
The challenges of cybercrime training can be summarised as:
- Traditional PowerPoint/PDF-based approach not very suitable
- Number of officers to be trained (volume)
- Inaccurate assessments of needs of LEAs
2. Way forward
The expanding ubiquity, frequency, and severity of cybercrimes require LEAs to think beyond the one-size-fits-all training strategy. In devising new counter-responses, continual advancement in knowledge and skill of cybersecurity crimes is a core imperative.
Capacity-building for LEAs must be seen in the context of boosting the capabilities in these functional areas:
- To detect cybercrimes
- To receive complaints about cybercrimes
- To be a first responder to the complaints about cybercrimes
- To register criminal complaints about cybercrimes, with all details
- To investigate cybercrime cases
- To do forensic as well as data analytics related to cybercrime cases
- To collect admissible evidence and launch prosecution in cybercrime cases
- To prepare and launch public awareness campaigns to prevent cybercrimes
- To work with researchers, academia and private sector to improve cyberspace security
- To liaise with international LEAs and service providers
Further, efforts have to be made to equip them with:
- Adequate staff with appropriate skillsets
- Infrastructure for cybercrime investigation unit
- Infrastructure for cyber forensic units (to aid investigation, which would be in addition to the forensic labs to give expert opinion for evidentiary purposes)
- Appropriate standard operating procedures (SOPs)
- A sound legal framework
- Tie-ups with other stakeholders
- Mechanisms for international cooperation and coordination
3. Proposed Initiatives
Cybercrimes introduce unanticipated risks and effects, creating greater urgency to equip investigators with new skillsets. One such area is the establishment of a cloud computing training platform that comprises a networked and nodal nature, parallel to that of cyber security.
This platform can be pivotal to increase shared knowledge and skills for investigators and connect LEAs and stakeholders. This cloud-based training system could encompass functions depicted in the diagram:
3.1. Standardised curriculum
A centralised learning platform informs users from different professions about common objectives to address cybercrimes. Standardised courses enable frontline officers, prosecutors and data analysts with varying levels of cyber knowledge to acquire a consistent overview of investigations such as digital evidence handling, intelligence development and legal procedures.
- Greater knowledge about how their roles contribute to investigations could lead to increased productivity and efficiency
- Collaborative processes among investigators could be more streamlined and integrated at a global scale through this platform
Curriculum needs to be standardised by keeping in mind different roles of different LEAs and skill sets required for each role. A tentative list of roles would include:
- First responder officer
- Cybercrime intelligence analyst
- Digital forensics specialist
- Head of unit: Investigation/forensics
- Senior LEA manager
3.2. Cyber Range or Simulated Cybercrime Scenarios
This is the key component of this model. Besides preparation of traditional modes of training through books, boards, PowerPoint/PDF-based approach, there is a strong need for more trainings based on simulated environments. This would mean creation of scenarios, including digital exhibits (logs, etc.) for extraction by trainees using forensic tools preloaded on the infrastructure, using appropriate procedures.
3.3. New modus operandi
In cyberspace, criminals keep on adopting new modus operandi every day and therefore, simulation-based training methodology has to be contemporary. To develop new scenarios, it is important to keep abreast of new modus operandi and technology trends. This part would include:
- Knowledge exchange on current and emerging methods of operations (or modus operandi) of cybercriminals
- Within this platform, training courses could stress-test the computing skills of cybercrime experts to analyse and discern signals collected from hacker forums, internet relay chat rooms and messaging texts
- Attacks like phishing and tampering, advanced persistent threats, backend systems and reverse-engineering could be simulated.
- Combating cybercrime could take more than technical skills and require cross-disciplinary knowledge. Researchers must look at the best practices to stay ahead of hackers by understanding indicators of malware victimisation, the ecology of trust and motivation among hackers, online hacker communication and interaction styles
- Gaining practice in such knowledge exchanges could shed light on how hacker communities interact and share information, creating actionable intelligence for cybercrime investigations
- Able to develop the best science to help advance cyber security training and research
3.4. Continuous redesign for training material
- Feedback gathered from learner usage and experience must be utilised to design new knowledge capacity and material
- The modules should be developed by subject-matter-experts, ensuring quality content is constantly updated
- Training courses should be more reflective of real-world cases and incidents
- Maintain engagement with users by tapping into learners’ interests, offering appropriate challenges and increasing motivation
3.5. LEA Certifications
- This platform could allow performance-based certification to demonstrate that users know what to look for and what actions to take during a cyber incident
- Assess if knowledge or skills have been practically transferred
- Automated scoring and self-assessments in different areas of cybercrime
- Provide critical insights into the effectiveness of training platform
3.6. Environmental scanning of new technology
- This platform will probe how internet-enabled technologies and wearables impact cybersecurity, policing and how crime could be conceived
- A horizontal approach should involve cyber experts and technology innovators of LEAs from different countries sharing their cyber investigative products and threat assessments
- Police agencies should perform SWOT analysis of their cyber capabilities and identify the next steps for improvement, providing insights into the different needs and stages of cyber capacity development for individual countries
- Vertically, the expanse of future internet-enabled crimes could be analysed at national, regional, and international levels
3.7. Synchronised skill levels
- This platform will allow new relationships with other nodes within the networks of the cybersecurity architecture
- Effective collaboration and greater harmonisation provide a more accurate and comprehensive assessment of cyber criminality, ensuring responses are coordinated, effective and timely
- Law enforcement collaborations with the private sector to explore and design complex simulations of future communications technologies that are prone to criminal exploitation, improve cyber security skills at all levels and work with associated professions to make industry more resilient to cybercrime.
Disclaimer: the views in the paper are personal and do not reflect views of INTERPOL or the Government of India.
This article originally appeared in Digital Policy Portal