What distinguishes cybercrime from other types of crime, and why is this important to the cyber security profession?

When considering what distinguishes cybercrime from other types of crime, we could use the AFP definition and simply conclude that it is when ICT is either the target of, or plays a major role in perpetrating a crime. Or we could look to the variety of techniques, while social engineering and deception are the most common form of cybercrime (Broadhurst, 2017, p. 223) it can also include: exploiting software and supply chain vulnerabilities or poor security settings; various techniques for bypassing passwords; rubber-hose cryptanalysis. We could also consider its scale, given its “enormously enhanced potential for transnational offending” (Grabosky, 2001, p. 247), combined with becoming industrial in nature (Broadhurst, 2017, p. 232), it could even be seen as an export in some jurisdictions (Dahan, 2019). But does the ability to conduct a crime in a varied, remote and more efficient or even industrial manner distinguish it from other crimes? Grabosky thinks not, that we are seeing the same crimes, but that cybercrime differs only in the medium used to commit the crime (Grabosky, 2001, p. 243). To draw a parallel, we wouldn’t reclassify burglary based on whether the perpetrator departed on foot or by e-scooter. 

I think a distinguishing feature of cybercrime is its scope. Cybercrime is generally undertaken by state-sponsored actors or organised crime (Broadhurst, 2017, pp. 222-223). These parties are known to be connected, buying and selling exploits from one another (Dupont & Whelan, 2021, p. 83). Considering this with Dupont & Whelan’s “crime-security continuum” (2021, p. 83) it becomes apparent that cybercrime has the potential as a threat spanning individuals and the state (i.e. from fraud to war), this concern is confirmed by Australia’s latest Cyber Threat Report. It describes a threat landscape which includes criminals and state-backed actors targeting individuals, business, critical infrastructure and government  (ACSC, 2021). That cybercrime transcends the traditional boundary of crime and security, with its “interaction between cybercrime and cyber-war-like activities” (Broadhurst, 2017, p. 223) is what distinguishes it from other types of  crime.

This scope and the scale of cybercrime is important to the cyber profession, not only due to the technical complexity and sheer volume of work they present, but because combined they establish a significant ethical dimension to cybersecurity. The proliferation of insecure connections and devices increases cyber criminals’ choice of threat vectors (Lusthaus, 2018, p. 222) against assets which include “absolutely anyone or anything that can be reached via cyberspace” (von Solms & van Niekerk, 2013, p.100). Humans and society can be directly harmed or affected by cybersecurity decisions (Hally, 2022) which could have potential to jeopardise individuals’ trust in the social contract and “put into question the role of the State” (Couzigou, 2020, pp. 502-503). Because of this, the cybersecurity profession must ensure that decisions are considered within the broader context of a connected society and the rights of those within it. 

References

ACSC. (2021, September 15). ACSC annual cyber threat report 2020-21. Cyber.Gov.Au. https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-2020-21

Broadhurst, R. (2017). Cybercrime in Australia. In A. Deckert & R. Sarre (Eds.), The Palgrave Handbook of Australian and New Zealand Criminology, Crime and Justice. Springer.

Couzigou, I. (2020). Hacking-Back by Private Companies and the Rule of Law. Heidelberg Journal of International Law, 80(2), 479–444.

Dahan, A. (2019, January 29). How a piece of Brazilian malware became a global cybercrime export. TechRadar Pro. https://www.techradar.com/news/how-a-piece-of-brazilian-malware-became-a-global-cybercrime-export

Dupont, B., & Whelan, C. (2021). Enhancing relationships between criminology and cybersecurity. Journal of Criminology, 54(1), 76–92. https://doi.org/10.1177/00048658211003925

Grabosky, P. (2001). Virtual criminality: Old wine in new bottles? Social & Legal Studies, 10(2), 243–249. https://doi.org/10.1177/a017405

Hally, L. (2022, February 6). Public obligation of cybersecurity professionals. A Cyber Security Blog by Luke Hally. https://www.lukehally.au/ethics/public-obligation-of-cybersecurity-professionals/

Lusthaus, J. (2018). Industry of anonymity: Inside the business of cybercrime.

Smith, F., & Ingram, G. (2017). Organising cyber security in Australia and beyond. Australian Journal of International Affairs, 71(6), 642–660. https://doi.org/10.1080/10357718.2017.1320972

Taddeo, M. (2019). Is cybersecurity a public good? Minds and Machines, 29(3), 349–354. https://doi.org/10.1007/s11023-019-09507-5

Townshend, A., & Lonergan, T. (2021, September 28). Australia must adopt unorthodox options to disrupt China’s grey-zone threats. The Guardian. https://www.theguardian.com/australia-news/commentisfree/2021/sep/28/australia-must-adopt-unorthodox-options-to-disrupt-chinas-grey-zone-threatsvon Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97–102. https://doi.org/10.1016/j.cose.2013.04.004