Why law enforcement is losing the cybercrime battle

The cyber insurance market is forecast to grow to $22.5 billion by 2025 as a result of increased cybercrime.


The cyber insurance market was worth around $13 billion in 2023 – nearly double the $7 billion it was worth in 2020 – and this growth shows no signs of slowing. It is forecast to grow to $22.5 billion by 2025. While an expanding market may sound positive, this growth is heavily driven by an increase in both the frequency and severity of cybercrimes.

According to the most recent FBI Internet Crime Report, US businesses and individuals lost over $12.5 billion to cybercrime last year, showing a steady 22% year-over-year growth rate. At first glance, the number may appear relatively insignificant; however, it merely represents a derivative of the reported direct monetary losses from complaints received by the FBI Internet Crime Complaint Center (IC3) in 2023.

Most organizations and individuals simply do not report cybercrime incidents to law enforcement for an interrelated spectrum of good and bad reasons, spanning from reputational concerns to vanished confidence in the actual capacity of law enforcement agencies to identify and prosecute digital bandits.

Of note, for hacked organizations and companies, concealing a data breach may turn out to be a poor and painfully costly idea: a prompt report to the FBI and subsequent collaboration with competent authorities may be a potent shield in eventual regulatory probes, and even in defending private lawsuits and class actions.

Getting back to the numbers, if one compiles all cybercrime incidents from 2023—reported or not—and then adds to the damage calculation formula a full palette of indirect losses, such as depreciation of stolen intellectual property or damage done to brand value, the number is poised to increase tenfold in the most conservative scenario.

For the time being, while all branches of the US government endeavor to suppress skyrocketing cybercrime, cyber threat actors still prevail in the spiraling battle. This article will briefly elaborate on the current state of affairs in the cybercrime industry, shedding some light on five root causes of its stunning success that may appear unstoppable.

First, modern cybercrime is a mature and remarkably well-organized industry with an effective division of labor. In contrast to most cybersecurity startups, backed by deep-pocketed and risk-friendly venture investors, cybercrime gangs simply cannot afford to burn cash on unprofitable growth or uncertain experiments, being compelled either to break even from day one or to sink into oblivion.

The players of the cybercrime industry converge toward an efficient market segmentation and narrow specialization with remarkable effectiveness. For instance, ransomware attacks—while the ultimate responsibility is commonly pinned on a single cyber threat actor—usually rely on well-thought-out collaboration between several groups of cyber threat actors, acting in seamless coordination and synergy.

Illustratively, initial phishing campaigns or mass-scale compromise of popular websites, to host malware and infect victims, are performed by a group that artfully masters all the underlying processes. However, the malware (i.e. exploits) itself will probably come from another group, having years of experience and top-notch expertise in vulnerability research and exploitation.

As for the ransomware—which is installed on compromised devices once malware successfully exploits either a known but unpatched vulnerability or a so-called “zero-day” vulnerability—it commonly comes from another group, proficient in ransomware creation, including evasion of operating system (OS) security controls, stealthy data exfiltration, subsequent encryption of victims’ data, and decryption key management.

Occasionally, communications with victims are handled by another standalone group, acting as a service provider to other gangs, endowed with advanced negotiation skills and eloquent fluency in the victim’s language, be it French or Japanese.

Finally, laundering of the ransom, commonly paid in poorly traceable cryptocurrencies, is run by another group knowledgeable in schemes for bypassing anti-money laundering (AML) controls and in cashing-out techniques. Paradigmatically, each player of this impeccably orchestrated syndicate of cybercrime continually hones its skills to perfection, attaining the best possible return on investment (ROI) through narrowly focused specialization.

Having said this, some cybercrime gangs have grown to such an extent that they can handle almost the entire kill chain internally, but they are rather an exception to the rule on the granular cybercrime marketplace.

Second, despite the impressive progress of law enforcement in cross-border collaboration when combating international cybercrime, the battle rather resembles a fierce fight with the immortal Hydra of Greek legend: once one head is cut off, two new heads emerge.

After several high-profile arrests, deportations and indictments of cybercrime leaders, who were carelessly traveling across Western countries squandering money and enjoying all the niceties of life, cybercriminals became seriously prudent and even paranoid in their habits to avoid apprehension.

Additionally, the now unfolding geopolitical crisis and armed conflicts around the globe result in the factual impossibility of judicial collaboration between many countries, including former allies. But even before that, certain jurisdictions were unfairly selective in their cross-border law enforcement collaboration efforts, playing cherry-picking games with their foreign partners.

Tellingly, the Budapest Convention on Cybercrime—the most significant international treaty aimed at effectively investigating, prosecuting and punishing multijurisdictional cybercrime—is signed by only 72 countries as of May 2024.

Numerous other countries, whose participation is crucial for the smooth and efficient functioning of the convention—including but not limited to China, India and Russia—have not inked the convention yet. This is not to mention that the Second Protocol to the Convention, designed to further enhance cross-border investigations and unhindered collection of digital evidence from abroad, is signed by only 43 countries.

Ultimately, some countries became safe havens for cybercriminals loyal to their governments, who enjoy virtual impunity, being both non-prosecutable and non-extraditable in their home states. One last thing to mention here is that, in spite of palpable progress made by legislators and judges during the last few years, cybercrime is punished with noticeable leniency, undermining the deterrent effect of punishment.

For instance, stealing $93 million via hacking may cost 9 years in prison while provoking an avalanche of comments from the defense about the unduly severe and disproportionately harsh punishment for that type of offense, whereas a misappropriation of the same amount in a classic white-collar fraud scheme may easily culminate in many decades behind bars.

Third, law enforcement agencies are unprecedentedly outnumbered by cybercriminals and overloaded with the soaring number of complex cases. According to FBI Director Christopher Wray, hackers from China alone outnumber all FBI cyber agents by at least 50 to 1.

The current state of human capital at Western law enforcement agencies, including some of the most powerful ones like the FBI, is unenviable. Agencies have to compete for scarce cyber talent with a wealthy private sector that can offer considerably better pay, much less stressful work, and many other perks unavailable to federal agents.

The situation in developing countries is much worse, as poorer states simply have no resources to investigate digital crimes except the most damaging or devastating ones (with little or no success).

Retention of cyber talent is another arduous task: quite a few young professionals start out working very hard for comparatively modest government pay, and then leave to join the private sector with an excellent resume and a salary that no state agency can ever afford to pay.

Fourth, the cybercrime industry offers appreciably more attractive opportunities to newcomers, ranging from freshman college students to first-year employees in the cybersecurity industry. Even without advanced technical skills, working for a cybergang can bring as much as one lawfully earned monthly salary in just a couple of days, especially for recruits from developing countries.

Professional cyber mercenaries and organized cybercrime gangs usually offer highly attractive compensation schemes, which may, for instance, include bonuses for each compromised victim in addition to special bonuses for top performers.

Sadly, few employers from law-abiding sectors of the economy can offer similar conditions. Worse, newly recruited gang members usually see and admire the luxurious lifestyle of their kingpins, who can afford to buy luxury cars and even to fly private jets. Few cybersecurity professionals—even executives and senior experts—can expect a similar lifestyle even with their highly competitive salaries.

Another grim facet here is that once one becomes a cybercriminal, the way out is thorny. The longer one stays in the illicit business, the more onerous it becomes to exit. Integration into civil society and a return to a law-abiding lifestyle is emotionally arduous, akin to quitting drugs. Aggravating the dilemma, co-conspirators will usually exert harsh pressure on would-be leavers by, among other things, threatening to report them to law enforcement.

For young offenders this is particularly problematic as they typically have limited access to any incriminating “corporate” information, including identities of their serious colleagues in the criminal hierarchy, while imprudently disclosing almost everything about themselves.

Eventually, being between a rock and a hard place, most will intuitively prefer to stay and continue getting a decent remuneration, paying no taxes, and enjoying the addictive, albeit toxic and self-destroying, feeling of being above the law.

Fifth, the new generations of cybersecurity professionals are indirectly misled by insufficient education and lack of awareness about the perils of joining the dark side. For instance, once future lawyers are admitted to law school, they will be quickly enrolled in a professional responsibility course dedicated to legal ethics, grasping the formidable risks of social deviance or misconduct.

No similar training exists in most cybersecurity programs at both undergraduate and postgraduate levels.

As a result, young cybersecurity practitioners learn valuable technical skills for hacking and defending modern-day IT systems, but get virtually no training on the concomitant risks, duties and responsibilities. Cinematography also pours gasoline on the flame by exalting and glorifying hackers as omniscient and omnipotent contemporary heroes, even if the latter come from the dark side or work for questionable entities. Consequently, disoriented and unwitting young professionals make the wrong choice, which they will likely regret for the rest of their lives.

In conclusion, it is worthwhile to remember that winning a battle does not necessarily mean winning a war. Law enforcement agencies have all the ingredients of success to prevail in this war and finally bridle the proliferation of devastating cybercrime. To help them, governments and lawmakers should promptly focus on three pivotal tasks.

First, increase the funding of law enforcement units tasked with cybercrime prosecution without further delay.

Second, revise national laws to grant more power with less bureaucracy to law enforcement agencies in digital investigations, seizure of remote infrastructure exploited by criminals, and forfeiture of any cybercrime proceeds.

Third, review and update sentencing guidelines for computer crime offenses, making them as unattractive as traditional crime. While the foregoing will not totally eliminate cybercrime, it will undoubtedly help to get it under control, proving that the state can and actually will police the Internet and protect law-abiding citizens in the digital space.

Ilia Kolochenko is a partner and cybersecurity practice lead at Platt Law. His practice focuses on data protection, cybersecurity and privacy law.
