Talk to cybersecurity experts about cybercrime on their network, and they will mention malicious activity like scans, attacks, events, and incidents. At some point they will probably slip into geek-speak, with a vast array of confusing acronyms and jargon, and explain tactics and techniques by referencing infamous attacks, Internet protocols, and industry shorthand.
Talk to federal law enforcement officers about cybercrime, and they will probably mention the Computer Fraud and Abuse Act (CFAA). They may also mention unauthorized access, trespass, copyright, identity theft, and a variety of other statutes and laws. A local officer has her own laws, statutes, and codes specific to her jurisdiction, as well as the types of cases her Chief or Sheriff defines as cybercrime.
What does this mean? It means that my “cybercrime” isn’t necessarily your “cybercrime.” Sometimes, cybercrime means malicious activity, and sometimes it means illegal activity.
To add to the confusion, there is also cyber-enabled crime and cyber-native crime. Cyber-enabled crime is traditional crime abetted or facilitated by the use of cyber tools or means; malicious and illegal activities in this category are often described as scams and frauds, or involve the use of digital devices such as phones or computers. Cyber-native crimes are those that cannot be committed outside the digital domain, such as network intrusions, unauthorized cryptocurrency mining (cryptojacking), and the creation and deployment of malware. (Cyber-native crimes may also be referred to as “cyber-dependent.”)
Think of these as different approaches to cybercrime best illustrated in a quadrant.
| | Cyber-enabled crime | Cyber-native crime |
|---|---|---|
| Malicious activity | Doxing someone; identifying targets for home robberies via social media; using online street maps to plan a bank robbery | Writing malware code; scanning a network for vulnerabilities or open ports; failed credential stuffing attempts |
| Illegal activity | Identity theft through misconfigured and exposed databases | Computer/network access and trespass (AKA intrusions); malware deployment |
Why Does this Matter?
Different definitions of cybercrime serve different purposes. One refers to the intent of the activity regardless of its legal status; the other refers to the legal status of the activity regardless of its intent. Some agencies consider only cyber-native crimes to be true cybercrimes, while others include both cyber-native and cyber-enabled crimes. Again, your “cybercrime” may not be my “cybercrime.”
Terms-of-service violations showcase the most obvious disparity between cybercrime definitions. Companies consider violations to be malicious cyber activity, but the justice system may not be able to prosecute them successfully. The U.S. Supreme Court’s 2021 decision in Van Buren v. United States highlights the struggle of differing definitions. Van Buren, a police sergeant, successfully appealed his CFAA conviction for running a license plate search in exchange for money using a law enforcement database he had lawful access to. The Supreme Court held that he did not “exceed authorized access” under the CFAA: the statute covers obtaining information from areas of a computer that are off limits to the user, not misusing information the user is entitled to access. In this and similar cases, network defenders would classify the activity as malicious and thus cybercrime, even though it does not violate the CFAA (whatever other statutes or policies it may breach).
Taking this differentiation a step further, consider cybercrime statistics. The FTC tracks malicious cyber activity statistics grouped by type of activity: fraud, identity theft, and other complaints. Other governmental bodies (the Canadian Anti-Fraud Centre, the Australian Cyber Security Centre, and the UK’s Action Fraud, its national fraud and cyber crime reporting centre) and private companies do the same, but each uses its own terms and its own definition of cybercrime. As a result, cybercrime statistics are rarely comparable across jurisdictions or agencies.
To study cybercrime as a whole, it is important to understand what each report, statistic, and jurisdiction is actually discussing before trying to compare them. This requires cybersecurity experts to understand the criminal justice system, where the definition of what is illegal can change with a single court decision. Justice personnel, in turn, must understand the technical nuances of a report, and are then placed in the position of explaining that malicious activity cannot be prosecuted because it does not violate cyber laws.
Attempting to standardize the definition of cybercrime into one of the four quadrants is not a reasonable objective. Instead of forcing a single, fixed definition, the community needs to recognize and incorporate the different understandings of cybercrime. The first step is determining which approach your organization or agency uses, and which it should use. Internal conversations about scope will give cybersecurity and physical security staff, as well as the researchers, analysts, and others supporting them, a clear understanding of their responsibilities.
From that understanding, the next step is to ensure that you have the right tools, processes, and procedures for your definition of cybercrime. These might range from training and education programs that support prevention efforts to technical deployments that prevent and remediate incidents, along with the development of appropriate contacts, intelligence sources, and incident response plans.
Change is inevitable, especially in cybercrime. As a community, we must move beyond relying on implicit definitions of cybercrime and assuming that everyone is speaking about the same activity. Instead, we must move towards a more nuanced approach that acknowledges the differences and uses them to improve the conversations. Our job is protection. Regardless of whether we accomplish that through keyboards, handcuffs, or both, understanding each other’s definitions will further all efforts to fight cybercrime.