back to article If only 3 in 100,000 cyber-crimes are prosecuted, why not train cops to bring these crooks to justice once and for all, suggests think-tank veep

A plague of ignorance and misplaced priorities in government and law enforcement, from neighborhood cops all the way up to international bodies, is allowing cyber-crime to run rampant. So says Mieke Eoyang, long-time US government policy adviser and veep of the national security program at Washington DC think tank Third Way. …

  1. macjules Silver badge

    We continue to blame users for not avoiding clicking on every phishing link

    Perhaps they could add that these users should install Avast software.

    (Mine's the one with the Jumpshot pay cheque in the pocket)

    1. Anonymous Coward
      Anonymous Coward

      Re: We continue to blame users for not avoiding clicking on every phishing link

      I run a mail server that puts every incoming email through antivirus software - it only stops about half of the malware, my filters stop the rest of it by holding all emails with .doc, .xls, .img files etc.

      1. Yet Another Anonymous coward Silver badge

        Re: We continue to blame users for not avoiding clicking on every phishing link

        I keep my users safe from clicking on dodgy links by removing the mouse

  2. Phil O'Sophical Silver badge

    A government policy advisor with sensible advice, how rare. I don't hold out much hope of Trump & pals listening to her though, How long before she's fired on trumped-up [sorry] charges for admitting that the emperor has no clothes?

    1. Persona Silver badge
      Black Helicopters

      You are concentrating on the goal, not how it could be implemented. To make it work you would need total cooperation between nations (I probably don't need to add anything else). Next you need an end to state sponsored cyber crime, but given the prerequisite of all nations being cooperatively friendly this shouldn't be a problem. Finally you need the raw data for investigating the crime which works best with total surveillance of both ends of the connection i.e. everything.

    2. hplasm Silver badge
      Facepalm

      "Trump & pals listening to her "

      "To that end, building diplomatic ties and getting cooperation from law enforcement in other countries will be critical."

      nuff said...

    3. a_yank_lurker Silver badge

      Trump is not only one. The problem is most politicians are technical illiterates and do not understand how cyber-crime works and that are techniques to fight it. Instead of Trump, fill your local leader and you have the same problem. About the only leader who might actually understand cyber-crime is Putin because his intelligence background.

      1. Halfmad Silver badge

        The problem is these days we don't have politicians thinking long term, they can't see past the next election so long term strategy is out of the window on pretty much every area of governance.

        If it's not going to be a good news story during the next campaign then they see no benefit in it.

    4. Michael Wojcik Silver badge

      It appears she's not currently employed by the government. That's a private-sector think tank she works for.

    5. Tom Paine Silver badge

      Sensible advice, where?

      Of course we should be doing more to prosecute online crooks, but arresting them all whilst leaving everything insecure is a failing strategy for reasons too obvious to enumerate.

  3. iron Silver badge

    "When a breach becomes public the response all too often is to blame the victim company."

    The company is not the victim, it's customers, employees and users are the victims.

  4. TheSkunkyMonk

    If it worked that way companies would actually have to own up when they get hacked and a lot won't do it just to avoid the bad press and customer complaints that ensue.

  5. Mike 137 Silver badge

    Where the buck should stop much of the time

    At least for the very common drive by infections via the browser (and that includes much ransomware), I largely blame the web developers who force us to browse insecurely in order to use their creations. Not only with scripting enabled by default, but, as in one recent case I examined, drawing scripts and other fragments from around 20 third party servers.

    It's impossible to be secure if you download untrusted and untested code and run it blindly on your systems, but what alternative have we been given in the age of the web app?

    1. Snowy
      Holmes

      Re: Where the buck should stop much of the time

      I agree and the number of websites that will not display anything without a script is sadly increasing all the time.

      1. Rol Silver badge

        Re: Where the buck should stop much of the time

        It wouldn't be a bad idea that when you start your browser, you are actually starting a virtual machine that keeps itself, well and truly to itself.

        And so on a single pc, several icons on your desktop can be different configurations of VM Firefox, each one configured for a specific purpose, with optional white lists, NoScript, firewalls, etc.

        eg. VM F1 is for serious stuff, like banking, and has all your personal details. VM F2 is for work stuff with your work credentials VM F3 is for surfing and is laden with the details of the neighbour you don't get on with VM F4 is for getting up to no good and spoofs everything.

    2. Tom Paine Silver badge

      Re: Where the buck should stop much of the time

      20? Try 200.

  6. GnuTzu Silver badge
    Thumb Up

    "A plague of ignorance and misplaced priorities in government and law enforcement..."

    I love that opening line. It just the foundation of everything, isn't it? I almost didn't read the rest of the story.

    1. stiine Silver badge

      Re: "A plague of ignorance and misplaced priorities in government and law enforcement..."

      You didn't really need to, but you also have to understand that organisations like the one that Mieke Eoyang runs are also infected by, as she put it "A plague of ignorance and misplaced priorities."

  7. chivo243 Silver badge
    Unhappy

    Whack-a-mole at best

    Take one out, another springs up, fills the void and maybe adds a little extra?

    This type of philosophy doesn't address the root cause of crime in general. It is way wide of the mark. But that is not what the law enforcement want either, they just want their job to be easy, not non existent.

  8. Doctor Syntax Silver badge

    "When a breach becomes public the response all too often is to blame the victim company."

    Thinking like this makes you wonder why the banks bother to lock the doors at night.

    1. Michael Wojcik Silver badge

      Yes, there's a bit of that. And given the difficulty of identifying and prosecuting these criminals, we might also ask if we should start working on how to turn wishes into horses, too.

      But while there's blame to go round, and while resources are limited and obstacles often prohibitive, I can see some justification for the force of Eoyang's argument. We shouldn't just throw our hands up at the simple possibility of investigating and prosecuting computer-based crime. There have been successful investigations and prosecutions (Paras Jha, for example), and perhaps we can shift more resources into those areas before we hit the point of diminishing returns.

  9. Colin Bull 1
    Trollface

    Reactive and not proactive

    I have had 3 phone calls this week for the National Grid Agency who want to change my meter. Sadly they have the details of the previous user of the landline number. Why cannot we have a bank account number of email address to give the scammers that can activate an alert. Why can we not have a reverse 1471 system that you can dial to alert the phone company that the previous call was from fraudsters and track the number back to source?

    My only ray of comfort is that the last one was on the phone 32 minutes, and even 4 minutes after I gave my email address as scam @ googlemail.com

    Retired of Tunbridge Wells

    1. stiine Silver badge
      Devil

      Re: Reactive and not proactive

      Well, if they have the previous user's address, you should have scheduled it for monday at 6pm.

  10. Christian Berger

    It's an insane idea

    First of all, it's extremely easy to do something and pin the blame on someone else. Want the Russians to be the culprit, buy a Russian PC to develop your code on and leave Russian language clues. Attribution is basically impossible, unless you are dealing with stupid people.

    Then there's the whole area of side effects of doing this. If you want to make attribution easier you have to make sure that things like anonymous communication disappear. This endangers large groups of the population, from whistleblowers to homosexuals. Probably even people like security analysts.

    Third it doesn't fix anything. The security holes are still there. If they are not used by criminals they probably are used by "Lawfull" organisations.

    In short it's an insane idea, not well thought out and based on assumptions which have been proven wrong many times.

    1. a_yank_lurker Silver badge

      Re: It's an insane idea

      She was talking about putting more plod resources into fighting cyber-crime at all levels. Too many local and state plods over here are more interested in shaking down the citizenry with various tickets than in addressing cyber-crime. Cyber-crime fighting is hard work and takes real skill to do well. Writing a parking ticket for an expired meter, not so much.

    2. Michael Wojcik Silver badge

      Re: It's an insane idea

      Yes, if we put any additional resources into investigating and prosecuting computer crime, we can't possibly put any into finding and fixing vulnerabilities. All those resources are atomic so it's all or nothing.

      And if we can't feasibly investigate and prosecute some computer crimes, then we can't investigate or prosecute any. Those are all-or-nothing too. And there's never been a single successful investigation or prosecution of computer crime, so we can safely assume it's impossible.

      Or perhaps - just perhaps - your argument is bullshit.

  11. John Savard Silver badge

    Global Politics

    The existence of North Korea, Iran, Russia, and mainland China could be one reason we think that focusing on actually making our computer systems secure, rather than expecting deterrence through criminal law enforcement, is more likely to actually solve the problem. This is quite reasonable, and the real problem is why the computer industry is doing such a poor job of making our computers secure.

  12. paddy carroll 1

    They just don't give a shit

    I tried to engage with the police over cyber crime, it turned out to be a data gathering excise - fill out this 9 page form then hey presto: nothing happens.

    I've been to conferences where govt representatives have told us it's our problem.

    I've identified cyber criminals spear fishing company employees - no-one is interested prosecution, you gotta do that yourself.

    I've told google about criminally used gmail accounts, but it appears the criminals privacy is more important than the crime.

    The uk police force was established in response to crime, when they going to go after the cyber miscreants robbing small businesses and individuals?

    1. Intractable Potsherd Silver badge
      Black Helicopters

      Re: They just don't give a shit

      No, no, no, no, no!! You haven't been listening to the fine Home Secretaries from the party that cares only for the welfare of the people. The only crimes are paedo-porno-terrorism and being rude to people on social media. There is exactly the right number of police officers, all perfectly.trained to deal with these crimes. To suggest that there are other crimes calls your loyalty into doubt - are you adequately British? A private flight has been arranged for you - - - >

      (Do I need a sarcasm warning?)

      1. Anonymous Coward
        Anonymous Coward

        Re: They just don't give a shit

        in Oz there is just no where to report it, so there is no cyber crim in Oz,

        oh sorry unless it's federal, then reporting ti gets you locked up.

  13. Anonymous Coward
    Anonymous Coward

    I suspect that...

    The 3 in 100,000 are actual criminals...the rest are unemployed cybersecurity professionals working on bug bounties and being wrongly accused.

  14. Anonymous Coward
    Anonymous Coward

    It’s all jokes at ElReg today

    Decided to take on The Onion have we?

  15. Claptrap314 Silver badge
    Black Helicopters

    I'm confused...

    Are we supposed to pay off the ransomware perps or send in the swat team to chase the packets back to the source?

    Seriously, as another has mentioned, this is like saying that banks should not train their personnel in anti-fraud procedures, but we should just have cops everywhere so no criminal will try anything.

    Hard pass.

    1. Michael Wojcik Silver badge

      Re: I'm confused...

      No, it really isn't like saying that. Try reading for comprehension.

  16. HellDeskJockey
    Black Helicopters

    Also in the US the number of jurisdictions can make it difficult . Every county has their own police and courts, most of the time cases are not consolidated. Which could result in a large number of court cases. Here is an example. Years ago someone made off with my checkbook and used it to commit fraud. Our friendly law enforcement expected me to pay the checks (or cheques if you prefer) or take 3 days a month off work for about a year to sit in the various county courtrooms. I paid them off to remain employed. They don't care about the many low level problems. They only care if someone can get them headlines(free publicity) or if a large business(taxes/campaign donations) is involved.

    I'm not hopeful for any changes.

    You can't win.

    You can't break even.

    You can't quit the game.

  17. Twanky Bronze badge
    Flame

    'Cyber'crime

    Eoyang made the case for allocating more time and money to finding and snaring internet crooks, hauling them into court, and shutting down this criminality.

    The crimes are often fraud or extortion or blackmail or theft. The fact that they've been committed using 'the Internet' is almost irrelevant - apart from the fact that it seems to make it easier for the criminal to avoid being prosecuted.

    It appears that Mieke Eoyang is advocating teaching cops how to catch more of these criminals (somehow) and applying deterrents to prevent (re-)offending. Great. Good idea... Scumbags who steal old folks' pensions (for example) deserve to be locked up.

    The trouble is the computer and organisational systems will still be vulnerable to attack. I don't believe we can find, prosecute and lock up enough criminals to make a significant difference in the crime rate. That doesn't mean I don't think we should try to prosecute more crims - but that won't fix the systems.

    Ransomware hit the news many times in 2019. Are systems any more secure now? Are CIOs really trying to secure their systems? They're more likely making sure their insurance is up to date.

  18. USER100

    Cybercrime

    Cybercrime is what the Mafia, Triads & co. are now investing in. The book 'Future Crimes' is a shocking eye-opener to the scale of it. They set up businesses in large office blocks and pull huge, global scams, netting millions before they're eventually closed down. These are just like 'respectable' businesses, with a CEO and hierarchy, often with some poor sod at the bottom who they use for their bank account to temporarilly stash the money ('Earn $$$ working from home!'), who is oblivious.

    With cash looking like it's slowly being phased out, these crimes are only going to get bigger. Bank robberies can now be committed thousands of miles from the physical bank building. Banks underreport the frequency of their losses for fear of scaring their customers. It's definitely a good idea to put more money into combatting this type of crime (a LOT more money).

  19. foxyshadis

    Thank you for the TED talk on how things should be, but back in the real world, how do you propose any of this actually happens? Where will all of the cyber-savvy officers come from? What budget will pay for the equipment, software, training, and salary for each department's new task force? Who will make hostile nations cooperate with our investigations? Without an action plan, a goal will never be more than a goal and a feel-good TED talk.

  20. Kevin McMurtrie Silver badge

    And the hosts?

    How about the networks that are willing to host criminals? CloudFlare, DigitalOcean, Amazon, OVH, Alibaba, Leaseweb, Google, and the entire country of China. Reports of criminal activity are routinely ignored, or the reporting address isn't even real. Another dozen could be accused of creating services where criminals can activate services hundreds of times faster than they can be shut down; intentionally fabricating a whack-a-mole environment.

  21. amanfromMars 1 Silver badge

    The Curse of Unintended Consequences

    It is an established fact, ever so easily spun as a fiction, that the smarter one becomes in anything, the more vulnerabilities one can identify worthy of destructive/disruptive/creative exploitation.

    Do you really want the likes of a PC Plod understanding the corrupted white collar systems administrations they have been fooled into protecting/aiding and abetting?

    Surely not, for such would be ideally catastrophic and self-defeating?

    And ..... can such a state of exciting affairs be avoided ie can the masses be kept ignorant of their arrogant capture in a rigged enterprise/failed New World Order Program?

  22. WONKY CLERKY
    Linux

    A Service of Prayer for Truth As We All Know It

    Introit

    Dearly Beloved, we are gathered here to express aspects various known to us on the universal www mess.

    As Is to Date:

    1: The world of IT (aka The World of Smoke & Mirors) is made for them's who want to idle, sell crap*, fiddle proper and be generally naughty.

    2: A Universal Precept of Justice:

    Naughty boys should be caught + punished proper

    +

    The Solution

    The Prayer - A Universal Call for Justice:

    Just shoot the first 6 caught and proved naughty - the rest will be very cautious after that and naughty activity global will be much reduced

    (universally applicable to naughtiness in all spheres of pre-planned naughty activity).

    +

    The Reality

    BUT

    Who are The Naughty Boys?

    Hint:

    Put other (in me best Latin) Qui Custard Custardio? - etc

    +

    Dismissal

    Good Luck with making any improvements

    (And that writ more in hope than expectation).

    Saturday 01-02-20 - aka Brave New UK World Day 1

    *NB. NOT an MS comment or sentiment.

    1. amanfromMars 1 Silver badge

      A Most Gracious Offer Gratefully Received .......

      Challenge accepted, WONKY CLERKY.

  23. Orion718

    Revenue streams

    The hard sell for police agencies will be in changing the framework of their agencies to include and staff units or divisions that are not revenue-generating. Most police divisions, with the exception of Homicide, generate revenue for their departments. So the inclusion of a Cybercrime fighting division that bears no prospect of generating revenue for an agency is doomed from the starting gate. . .ergo, why do it? It is certainly needed, but convincing the bean counters to staff, fund, train and promote a division that is non-revenue generating will be an uphill task. As a retired police commander in two states - Pennsylvania and Maryland, the weekly command staff meetings always address the “progress or lack thereof” in the revenue streams. Police commanders are scorned in open session for any drop in revenue. In Pennsylvania, state court records show fines, fees and court costs for traffic tickets issued by all police agencies in the state amounted to nearly $173 million in 2013, the last year for which a complete dataset was available. The money is then distributed between the state, counties and local municipalities. Creating cybercrime fighting units will face the “revenue generating” question. It is not an issue of ignorance, but yes - an issue of misplaced priorities. Reframing the structure of these agencies will be the most difficult task.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020