The fight against cybercrime needs a comprehensive approach. Given that technical measures alone cannot prevent any crime, it is critical that law enforcement agencies investigate and prosecute cybercrime effectively.
Cyber-attacks such as WannaCry and NotPetya affected thousands of computers, disrupting businesses and public institutions around the world. Investigation of cybercrimes often has an international dimension, and it is an arduous task to identify and catch the culprits. However, the existing international cooperation on cybercrime is fragmented, which complicates investigations and risks leaving the perpetrators at large.
In most cybercrimes, whether economic fraud, data breach or identity theft, the chances of the perpetrators getting caught are infinitesimal. Hence cybercrime becomes a less risky and more lucrative business, which keeps cybercriminals motivated to continue their attacks. This leaves organizations and companies with no option other than investing more and more in securing their data and trying to build comprehensive solutions to prevent hackers from attacking their networks. IT budgets are shrinking, but security budgets are going up. There are now security departments under a CSO or a risk officer, which are being allocated large budgets. Studies say global spending on information security products and services will surpass $114 Bn in 2018, an increase of 12.4% from last year.
Why prevention is no longer enough for cybersecurity
Technology solutions alone are simply not enough to stop pervasive threats. A holistic approach to cybersecurity is necessary to effectively tackle cyber threats. Organisations, of any nation, that operate solely on the belief that security merely starts and ends with a set of purchased security technology tools are still leaving themselves vulnerable to threats and attacks. If the cybersecurity program of a country deals only with technology and does not address elements like organization, culture, the human factor and legal measures, it cannot effectively address cybersecurity. The holistic approach to cybersecurity mainly contains three aspects: (a) building robust cyber secure infrastructure, (b) addressing the human dimensions of cybersecurity and (c) legal measures to nail cybercriminals. (Refer to the flowchart above.)
Recently, there has been a huge rise in the volume and sophistication of the cyber threat environment. To be able to combat the increasing threat landscape, organizations must have a robust cybersecurity framework to ensure that they are adequately protected from cyber-attacks. Cyber-attacks have a direct effect on security spend. A large portion of security spending is driven by an organisation's reaction to security breaches, as more high-profile cyber-attacks and data breaches affect organisations worldwide. Investment in cybersecurity is the need of the hour, but the bigger question is: “Can you have the assurance of 100% safety from cyber-attacks after building a robust infrastructure?” The answer is a big “NO”.
No matter how robust the immune system, individuals will fall sick at some point and will have to be taken to hospitals.
Research studies show 90% of all cyber-attacks stemmed from some type of human error or behaviour. People are the weakest link in the cybersecurity chain. The Information Commissioner’s Office, United Kingdom, reported that 93% of incidents it investigated in Q4 of 2016-17 were caused by human error. The ‘people’ factor, which is the most critical element in building a strong defence, is often ignored.
Over the course of the last few years, it’s been hugely gratifying to see interest in the human side of cybersecurity grow. Focus on awareness of cybersecurity issues is probably higher than ever, but we are not seeing much progress when it comes to changing behaviors. Although we recognize how difficult it is to make progress with the human side of cybersecurity, it often seems that expertise in the human factors is still not valued by the industry as highly as technical expertise.
If any organisation thinks that just giving employees short-term training on disciplined online behaviour will take care of human dimensions and errors, it is grossly mistaken. The cybersecurity concept and online behaviour should become part of socialisation and be adopted as culture, right from an early age.
For cybercriminals, the idiom "crime doesn't pay" is laughable. Internet crime is worse than ever, and the reasons are clear: it's highly lucrative and far less risky than old-fashioned traditional crimes. Commit traditional crimes and you have high chances of landing in jail, but steal someone's identity and your odds of being caught are almost infinitesimal. This is not to blame any law enforcement agency; discovering and prosecuting cybercrimes is possibly harder than any other area of law enforcement. Rules of evidence requirements, as well as cross-national boundaries, make Internet crime especially difficult to track and prosecute.
Difficulties in prosecuting cybercriminals
The difficulties include the absence of a global consensus on the types of conduct that constitute a cybercrime; the absence of a global consensus on the legal definition of criminal conduct; the inadequacy of legal powers for investigation and access to computer systems, including the inapplicability of seizure powers to computerized data; the lack of uniformity between the different national procedural laws concerning the investigation of cybercrimes; the lack of extradition and mutual legal assistance treaties and synchronized law enforcement mechanisms that would permit international cooperation in cybercrime investigations; and, last but not least, geopolitics, which will never allow the cybercriminals to be brought to justice.
In most organisations, investment (refer to the red circle in the flowchart) is mainly focused on technology solutions (building robust infrastructure) and a little on the human dimensions of cybersecurity. Nobody is seriously addressing the need to build international legal infrastructure and cooperation, with a strong enforcement mechanism to nail the cybercriminals.
If the international community is not coming to a consensus on legal measures to deter cybercriminals, can’t we say that the cyber-attacks, data breaches, and other online crimes are part of a design meant only to sell products and boost the business called “CYBERSECURITY”?
[The opinions expressed in this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of LiveLaw and LiveLaw does not assume any responsibility or liability for the same]