Legal Opinion: Who is to Blame for Cybercrime?


Who’s to blame for cybercrime?

Cybercrime costs Australians billions, now rivalling burglary for damage caused. With the future of gaming digital, gamers are increasingly stepping into the fastest growing criminal environment in the world.

Common opinion likes to blame the victims. When the PlayStation Network was hacked last year, the debate focused on Sony’s security rather than the hackers. Whenever a Diablo III player is hacked, they’re guaranteed a response of “No authenticator, no sympathy.” At the lowest point, some even side with the perpetrators. “Lulzsec is performing a public service by testing security”, or “Lulzec is a protest group.”

With the sheer numbers of scams, you’re almost guaranteed to be targeted. Is it enough to just keep your antivirus up-to-date, and trash any emails that promise naked pictures of Leliana if you click this link?

Are victims to blame?

Some truth does lie behind the common opinion. Recent studies suggest that many neglect simple measures that would otherwise protect them. Many don’t update their anti-virus software, and many click on phishing emails or vague promises of nudity.

However, antivirus software is not infallible. New viruses are constantly created, and security companies battle to keep up. While rigorous security would reduce the occurrence of crime, even the best anti-virus programs cannot stamp it out entirely.

Furthermore, much cybercrime consists of genuine scams where the victim cannot be blamed. The most concentrated financial damage these days comes from romance scams, where the victim’s emotional desperation leaves them vulnerable. Police lament that even when they do warn people they are being scammed, in over 75% of the cases, these warnings are ignored. While these scams aren’t that relevant to gaming, if a Kelly-lookalike ever tried to scam me… I’m not sure I could resist.

Finally, blaming the victim is simply inappropriate. In the offline world, even if a house was left completely unguarded, a theft is still a theft. While precautions can and should be taken, the responsibility for all crime lies on the perpetrator.

The rise of Skynet

The activities of obvious hackers like Lulzec attract media attention. However, it’s not these hackers that you should fear. Rather, it’s the bots.

Botnets are responsible for most cybercrime. Just like how Skynet was created, a botnet is thousands of computers infected with a bot without their owners’ knowledge. This botnet is then used to conduct crime across a large and dispersed area, by running mass phishing scams and fraud across multiple states and countries.

This works because police investigations are prioritised by damage. No one, for example, will seriously investigate a $10 theft. Unfortunately, that’s what the majority of cybercrime is. Criminals will use a botnet to steal small amounts, such as $10, from a hundred people in each state. Done across all seven Australian states, that’s $7,000. Rather than lose your life savings, you’re far more likely to get pinged for a small amount.

How do we combat cybercrime?

Because botnets are so important for cybercrime, ‘making an example’ out of individual hackers is pointless. Instead, identifying and disrupting botnets is key.

The first step’s to make it harder for bots to take hold. Very basically, this requires better internet security from PC users. If you’re not using an anti-virus, you really should. If you’re downloading copyrighted material illegally, you really shouldn’t—bots will piggyback on it.

The second step’s to identify botnets. This requires a more focused effort from government. Currently, the government’s cybersecurity focuses on protecting national security. However, that’s not where the problem lies. Organised cybercrime is growing at a far faster rate than espionage.

The third step is to clean infected computers. Japan runs a model program for this—the Cyber Clean Centre. The Centre is a partnership of government, ISPs, and internet security companies that assists PC users in identifying and removing bots from their computers. When an ISP detects bot activity, the user is informed, and asked to take action. The Centre then assists the user to remove the bot.

Australian ISPs are running a similar system to the Japan model, called iCode. This is based on cooperation between ISPs to detect bots, and help users remove them. It’s a start, though completely ISP-based.

We need more investment

Currently, Australian Government efforts to disrupt botnets are inadequate. The problem is not enforcement—it’s investment. Our traditional enforcement agencies are simply incapable of dealing with the problem. We have no real centralised agency to address the problem, and little collected data on cybercrime in Australia.

Until we get this investment, Australian internet users will be vulnerable. Protecting your own PC is good, but it doesn’t stamp out the existing botnets used to make further attacks on you. It doesn’t identify cases where bots manage to run the gauntlet of antivirus software, evading deletion. It’s not enough for the Government to leave it to private companies.

Cybercrime is a complex, wide-ranging problem. Blaming the victims is unnecessary. Blaming hackers misses the point. What’s needed is a rigorous attack on the real enemy—Skynet.

27 comments

My blame is still on the victims though. Let us be frank: if no-one ever clicked on spam then spam would not exist. And as a person who works in business IT retail, I can tell you that it is the people who are usually to blame.

There is almost a beautiful naïvety to your anti-virus example there. While you are spot on about the constant battle, assuming people would HAVE adequate protection in the first place is way off. It is rare to find someone who will buy Internet security with their computer purchase and I work in BUSINESS retail (it is horrific the amount of businesses who set up their IT sans consultation).

The massive problem that we have been unable to overcome is the fact that we can sell guns to idiots. Except, unlike the invidious nature of a gun, a computer with an internet connection is as insidious as they come. People do not have to have a licence, or formal training, or explain that they understand the dangers and risks of turning on their machine, instead, you can go into any store that sells computers and buy a device that can lead to a loss in funds, identity, integrity and even make them a proxy cyber criminal; all because of ignorance.

You need a licence to sell real estate yet you can open the door to the criminals for free…

 

Hi Pithony,

That seems to be a simple misunderstanding. I’m well aware that many don’t have AV software at all. :) It’s not 100% infallible even when it’s used, though… this is why I don’t think we can’t blame the victim as you suggest.

 

Patrick Vuleta, They are still to blame for the spam in my inbox!

Also, a lot of malware taking hold in people’s machines is not the highly advanced stuff that is crippling Middle Eastern nuclear programmes but old hat tricks that have been working for a few years now (if they were not working they would have been retired way back when)…

 

The fault is always with the criminal 100% of time. If I leave my keys in the car at night and some lowlife steals it…. it is his fault for being the thief. Granted the “victim has a right to “leave the keys in his car” without someone stealing it.

 

pinothyj:
My blame is still on the victims though. Let us be frank: if no-one ever clicked on spam then spam would not exist. And as a person who works in business IT retail, I can tell you that it is the people who are usually to blame.

When it comes to spam like issues maybe, but I had my credit details stolen and used in Las Vegas last year and I put it directly down to Steam when it was hacked as it happened not long after. As the retailer Steam is responsible for their security of my information.

 

tas:
The fault is always with the criminal 100% of time. If I leave my keys in the car at night and some lowlife steals it…. it is his fault for being the thief. Granted the “victim has a right to “leave the keys in his car” without someone stealing it.

Isn’t it against the law to leave your keys unattended in your automobile?

Hehehe…

 
 

Ctrl+F “Leliana” “Kelly”

Was not disappointed.

 

Just like in the real world, ignorance is not a valid excuse. The fault lies with both the perpetrator and the victim.

But more importantly, pinothyj can no longer post comments on news stories in blue. This needs to be fixed ASAP!

 
spkypwnsuall

“Australian ISPs are running a similar system to the Japan model, called iCode. This is based on cooperation between ISPs to detect bots, and help users remove them. It’s a start, though completely ISP-based.”

Subtle hints there from Internode and IInet that we may have access available to a similar product/service? Or am I getting my hopes up?
And why does everything need a little “i” in-front of it. Seriously, iCode?

 

@Palzero: Did you fall for my Lelianaroll?

@Pithony: Well the criminal is still guilty of the crime. “Finders keepers” doesn’t apply here.

@Spkypwnsuall (how did you come up with that name?): the iCode website is http://www.icode.net.au/

Right now it looks mostly to be a self-help website. The Japan model goes further, and enjoys more cooperation from government and IT security companies.

And no, neither iiNet nor Internode is giving you hints here – just part of the research I did to find out what Australia’s position on all this is.

Thanks for commenting guys!

 

Can certainly be significantly reduced if everyone was more careful about how they used computers, mobile phones, email etc. So some of the blame does lie with the end user.

That said things like stuxnet & flame went undetected for many years. Not everyone is going to have the time or expertise to monitor the PC(s) and net connection for unusual traffic, which is how most of these attacks succeed. Even if you do monitor your net traffic, it may only report back once at a set time, or after a certain amount of idle time.

 

Also, it’s Lulzsec. Not Lulzec.

 

‘lulzec’ is an affront to the Queen’s English.

 

That’s a good read Patrick, good stuff.

 

pinothyj:
tas,

There we are :P…

Seeing as council cannot make law, there is some debate as to the enforceability of that particular piece of legislation ;)

 

I have fortunately never had money stolen from me over the internet however I get a few spam emails a week and I can’t possibly imagine anyone clicking a vague email telling me that some girl is waiting for me at a seemingly legit URL (but mousing over shows it actually goes to something very suss). I have managed to make use of Internode’s custom E-Mail filtering by setting it to automatically delete emails from a Hotmail or gmail account. That task in itself has prevented me getting a lot of spam.

 

“The second step’s to identify botnets. This requires a more focused effort from government. Currently, the government’s cybersecurity focuses on protecting national security. However, that’s not where the problem lies. Organised cybercrime is growing at a far faster rate than espionage.” – Patrick Vuleta

Great article on the whole (though it’s more ethics than legal opinion). However this particular paragraph is a little bit silly, don’t mean that in a personal sense I just think there are some holes in your argument here.

First – unless you count yourself as an intelligence professional, within certain sections of DSD in particular, I’m not really sure you can really make solid comparative claims about levels of ‘cyber-espionage’ vs ‘cyber-crime’. From either a quantitative or a qualitative point of view.

Second – if you are indeed a lawyer you have a better understanding of the jurisdictional issues which complicate legislation, regulation and law enforcement in regards to this issue in particular.

Defence is clearly a responsibility of the Commonwealth and is very well resourced. It is also, as should be expected, hard for the general public to gauge its effectiveness due to the hidden nature of much of this activity.

Domestic law enforcement is a responsibility split between the States, Territories and the Commonwealth. Though the internet is primarily regulated by Commonwealth legislation as a form of telecommunication, if used to commission a crime made illegal by state law… well it makes enforcement and an effective policy response complicated as they both come from separate jurisdictions.

I say that because when you make a blanket statement like, “…’government’ should do/invest more.” Most people on this site will likely go, ‘yeah, they should, the assholes’, without understanding the implications of what you’re saying.

 

yeapal:
Just like in the real world, ignorance is not a valid excuse. The fault lies with both the perpetrator and the victim.

But more importantly, pinothyj can no longer post comments on news stories in blue. This needs to be fixed ASAP!

To be fair, a lot of the victims were born and grew up before the internet was even created. Unlike car security.

Not to forget the basics of internet security doesn’t come with Windows; it is essentially a trial by fire.

Blame lies solely with the perpetrator; I will always blame them as the reason we don’t have a ‘perfect’ society.

 

Just wondering if anyone has a link to the cost of Cybercrime in Australia. Is that billions per year?

 

Hi Ivan, thanks for the feedback. :)

A bit of digging around showed actual industry professionals saying those types of things, too. There are many bemoaning that the government’s not investing enough.

 

I was directly quoted in this article :D.

TBH most people still associate being internet secure with AV, when most crime is based on scams and social engineering. No AV can protect you from your own stupidity.

On the car analogy. If someone left their keys in the door and it was stolen the reaction would be “aw man that was stupid”. However someone has a simple password on the web that gets hacked the reaction is “fuck the website who let my account get hacked”.

 

rapid101: To be fair, a lot of the victims were born and grew up before the internet was even created. Unlike car security.

Not to forget the basics of internet security doesn’t come with Windows; it is essentially a trial by fire.

Blame lies solely with the perpetrator; I will always blame them as the reason we don’t have a ‘perfect’ society.

Not to mention, most of the big name AV suites under default install settings are incredibly invasive. I’d rather deal with a clean install every 6 months than use the horrific layers of ‘protection’ I’ve seen bogging down so many office setups.

 

I am usually alert enough to pick up anything suspicious because of the years I’ve spent working with computers that I don’t have a virus scanner running all the time. However I will manually scan my computer and any file that I feel warrants it on the spot. But continuous protection kills performance just too much for me.

 

Patrick Vuleta,

All good. I have no doubt that industry professionals are bemoaning – this is usually what they do when talking about govt :P

I’m just pointing out that investment and government response on the defence related side of this coin is vastly less complex than the approach to the civil side.

If you’re ever serious about putting something to government (Vic or Fed) in relation to this let me know.

 

Thanks for the comments. :)

 

wait… so, the victims are to blame?

she deserved it because she was wearing a short skirt.

 