I was recently asked by someone involved in policymaking for a short bulleted reading list on cybercrime and how to understand the major issues since they didn’t come from a technical background. I started writing the email and then realized I might as well post it here so I can refer back and possibly update. This is massively simplified and is my short hot take if I’m given one minute to explain a problem to someone who doesn’t have a lot of time but has to act on issues related to cybercrime.
- When you experience cybercrime, the police probably can’t help you. If you think the cybersecurity staffing shortage is bad in industry and government, try your local sheriff. You are often required to report a crime to secure social help after being victimized, and that experience is rarely a positive one, especially for marginalized persons. The police in general will treat a report of a $250 purse theft differently than a report that $250 was phished from your bank account, even if you know precisely who did it. If you don’t know where the cybercrime was committed or originated from, the police will tell you that you can’t report it. In general they will refer you either to social services or tell you to report an online crime to the FBI (who generally won’t lift a finger for $250). This refusal to accept reports locally by the police and lack of action from the FBI makes these crimes invisible. There’s effectively nothing anyone can do if you’re a victim of cybercrime other than report you as a statistic. (If you need to, here’s where to report to the FBI). Here, read this. Also, advocate for clear jurisdiction over internet crime and fund the people investigating it.
- Going dark is a myth. The complaints that the FBI and other law enforcement organizations have over the use of encryption on personal devices are about their convenience, their backlog of investigations, and in general a lack of technical people inside their organizations, not truly about responding to potential crimes. The FBI and other law enforcement organizations should consider creating an appealing workplace environment with market-rate salaries to attract some technologists rather than trying to sue their way into slowing down technological innovation so they can keep pace. LEOs can get into phones whenever it’s actually important for them to do so. Note: domestic cybercrime is a different conversation in terms of policy than in espionage, where the ability to access and read a device in another country could be important. However, note that the technology to remotely access and decrypt devices and communications is the same whether being used by a local sheriff’s deputy or the CIA — so authorize its use carefully. Here, read this. Also, fight backdoors in encryption.
- We have a domestic law preventing the creation and training of people who could help with the cybercrime problem. We already have the names of crimes like theft, fraud, and abuse of the public trust. Saying it’s somehow worse to do crimes with a laptop instead of a mailbox only works because prosecutors and juries are frequently able to be convinced that computers are apocalyptically mysterious wizard boxes instead of some sand and steel that we bossed around until it did what we told it to do. The 1986 Computer Fraud and Abuse Act (CFAA) is the cause of much pixel spillage, but suffice to say that it’s a terrible law that penalizes security researchers and doesn’t stop real criminals. It’s primarily used to sprinkle magic cyber dust over a stack of criminal charges against a defendant to scare juries, with a lovely secondary use of threats of prosecution for intellectual property theft against former employees of a monopolistic company afraid of competition. Smart young people have died in this country due to the CFAA. Here, read this and this and this. Also, repeal and replace the CFAA as fast as possible.
- Policymakers who don’t understand technology not only make bad law, but they scare others from wanting to help and enable bad actors to flourish. I try to be a reasonably tactful person, but there’s something especially blithering about the idiocy of politicians who think that because they cannot read HTML that it’s encryption (“I can’t read Spanish, so this Mexico City newspaper must be deliberately hiding its meaning from all English speakers!”). Or, that someone with the skills to notice that an entire US state has published the Social Security numbers of all their teachers and the kindness to tell someone so must be a computer criminal. Intentionally ignorant policymakers who take out their own inadequacies in understanding technology by either mocking or hurting techies or by trying to somehow declare that politics is determining the outcomes of math are dangerous. When policymakers don’t understand the fundamentals of technology or how the online world works, it makes them a figure of ridicule and unable to perform the oversight function necessary to regulate and protect the public. Here, read this and this and watch this. Also, if the policymaker you’re talking to has no intelligent technical people they’re listening to, empathetically find them some to talk to — or, if they have no interest in learning new things, back slowly away and primary the hell out of them next time.
Thanks for comments on this to @KendraSerra and to other distinguished colleagues unnamed here.
