Can we eliminate cybercrime? Probably not. But with the right level of international cooperation, it may be possible to greatly reduce it. The way that governments dealt with piracy in the 18th century might show us how to do this.
There seems to be no end to the number of high-profile data breaches. This is bad if you are one of the unfortunate people whose personal information is exposed to cybercriminals. It is even worse if you are one of the unlucky businesses that are breached, which could end up suffering hundreds of millions of dollars in damages for something that they might not have been able to prevent.
Modern computers are the most complex things ever built by man. Because they are so complicated, they have bugs, and some of these bugs cause the security vulnerabilities that cybercriminals exploit. These bugs are everywhere. It is impossible to avoid them.
If you are using modern computers, then you are inherently vulnerable to cyberattack, and it may seem particularly unfair to suffer huge losses just because cybercriminals decide to exploit these vulnerabilities. It's like penalizing someone whose house is broken into even though the homeowner made sure that all of the doors and windows were locked.
The only way to avoid having exploitable vulnerabilities is to not use computers.
And because absolutely all hardware and software have exploitable vulnerabilities, it’s possible for a clever and determined adversary to beat the security provided by that hardware and software. The only way to avoid having exploitable vulnerabilities is to not use computers. That’s not a great option—mainly because I would have to find another line of work—but there may be other good reasons to keep using computers, too.
Law enforcement, not technology
If exploitable vulnerabilities are impossible to avoid, cybercrime is not a technology issue. Instead, it is a law enforcement issue. (This was also the conclusion that a group of security researchers came to a few years back.) If cybercriminals were more routinely prosecuted and convicted of the crimes they commit, then we would probably have a much lower level of cybercrime. But law enforcement efforts have yet to create any significant reduction in the level of cybercrime, and most cybercriminals get away with their misdeeds.
Catching cybercriminals is hard, and prosecuting them can be extremely challenging when their actions cross international borders. Some cybercriminals even have the tacit support of their governments. For similar reasons, piracy was very difficult to suppress in the 16th and 17th centuries—pirates freely operated across borders, and many of them had the unofficial support of at least one government. And if there is a strong parallel with piracy, perhaps understanding what it took to finally eliminate piracy may give us some insight into how to deal with cybercrime.
Lessons from history
There were many failed attempts to suppress piracy. Sending warships to patrol pirate-infested waters failed. Passing draconian laws against piracy also failed. In fact, every measure failed until the Peace of Utrecht in 1713 got all of the major powers to agree to the goal of eliminating pirates. With this level of international cooperation, piracy was dramatically reduced by the mid-18th century. International cooperation managed to accomplish what guns and the laws of single nations could not. The same level of international agreement may be necessary to reduce cybercrime to a reasonable level.
International agreement is the key
To do this, we need to define exactly what cybercrime is and what responses are appropriate to it. This problem has proved to be too hard to solve so far, although there have been attempts at it. The most notable of these is the NATO effort that resulted in the Tallinn Manual and its sequel, Tallin Manual 2, which describe how to apply existing international law to the problem of cybercrime. It tells us that existing international law is adequate to handle cybercrime.
But this effort did not include opinions of any non-NATO countries. And without their cooperation, it seems unlikely that all will agree to an international effort to eliminate cybercrime. The Tallinn manuals were a good first step, but more work is needed. They said nothing about how governments could reasonably enforce laws against hackers. And because what hackers do may not actually be illegal in the country where they are doing it, getting governments to agree to which laws to enforce may be a very hard problem.
It may take a significant level of effort at the international level to even agree upon what cybercrime is and what forms of it should be eliminated. The United Nations has been unable to agree on exactly what terrorism is because one person’s terrorist can be another person’s freedom fighter, and we should expect a similar level of difficulty in creating a framework for international cooperation in eliminating cybercrime. One person’s cybercriminal might be another person’s patriotic hacker doing what their sense of ethics and morality tells them is the right thing to do.
A return to Utrecht
Utrecht is a nice city. Maybe it is time for another treaty to be signed there. To do this, countries should first agree exactly what forms of cybercrime need to be addressed. Theft of intellectual property might be covered, while simply using the Internet to commit more common crimes such as fraudulently applying for government benefits might not. Once this is done, an international plan for prosecuting cybercriminals should be implemented. This will not be as simple as updating the mandate of the Peace of Utrecht to “cause all pirates and sea-robbers to be apprehended and punished as they deserve” to address cybercriminals, but the general idea would be the same: Every country would agree to do its best to arrest and prosecute cybercriminals.
The alternative is the billions (no, it’s not trillions, but that’s a topic for another column) of dollars of losses that cybercrime causes each year. We will never eliminate cybercrime, but it may be possible to dramatically reduce it. Let’s make cybercriminals join pirates as part of an age whose time has passed. And remember that if a theme park ever creates a ride called “Hackers of the Caribbean” in which you’re carried past animatronic recreations of people staring at computer screens, eating high-sugar snacks, and drinking high-caffeine beverages, you heard the idea here first.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.