Full Report
Cybercrime: there's too much of it, and we need to do more to deter it. With the President of the United States making frequent references to "doing more about cybercrime," now is a good time to look at what steps must be taken.
Analysis Summary
# Best Practices: Cybercrime Deterrence Strategy
## Overview
These practices focus on **cybercrime deterrence**, which means making criminal activity less appealing by increasing the risk of detection and punishment, and reducing the potential benefits derived from the crime. This strategy complements traditional cybercrime *prevention* measures (like strong authentication and encryption).
## Key Recommendations
### Immediate Actions
1. **Acknowledge the Severity:** Recognize that cybercrime is widespread and requires an active, committed response beyond mere discussion.
2. **Prioritize Resource Allocation (Government/Policy Level):** Commit real resources toward identifying, apprehending, and prosecuting cyber criminals, regardless of their location.
### Short-term Improvements (1-3 months)
1. **Establish International Dialogue:** Initiate or participate in standing, senior-level working groups with other nations to foster regular dialogue on cybercrime cooperation.
2. **Develop Bilateral Cooperation Frameworks:** Focus on building partnerships to enhance capacity for combating cybercrime, specifically coordinating with law enforcement agencies in other jurisdictions.
3. **Improve Legal Frameworks:** Actively pursue the development of improved extradition procedures between cooperating nations to ensure perpetrators can be brought to justice.
### Long-term Strategy (3+ months)
1. **Attach Cooperation Conditions to Aid:** Integrate cybercrime cooperation requirements (e.g., adherence to anti-cybercrime protocols, commitment to extradition) as conditions for receiving international aid.
2. **Increase Penalties and Enforcement:** Advocate for and support legislative changes that raise the likelihood of apprehension, conviction, and punishment (e.g., longer prison sentences, revised fraud/abuse acts), and so increase the perceived risk of committing the crime.
3. **Foster Social Disdain:** Develop and promote public narratives that deepen the social disdain and moral sanction associated with committing cybercrimes.
## Implementation Guidance
### For Small Organizations
* **Focus on Internal Prevention:** While external deterrence is policy-driven, small organizations should maximize internal cybercrime *prevention* (authentication, malware defense) as an immediate operational defense against the activities deterrence aims to reduce.
* **Support Larger Initiatives:** Encourage and participate in industry-specific information-sharing groups to contribute to the overall deterrent environment.
### For Medium Organizations
* **Engage in Sectoral Partnerships:** Actively participate in sector-specific threat intelligence sharing to increase the collective visibility and detection capabilities against criminal groups targeting the sector.
* **Advocate for Policy:** Support industry bodies that engage policymakers to push for the international cooperation and stricter legal frameworks outlined in the deterrence strategy.
### For Large Enterprises
* **Lead International Engagement:** Leverage global presence to proactively establish bilateral working relationships with international law enforcement agencies and government partners in jurisdictions where operations are heavily present.
* **Measure and Report Impact Gaps:** Collaborate on initiatives that better measure the systemic cost of cybercrime to provide robust data supporting increased national resource allocation and legislative action against perpetrators.
## Configuration Examples
*This article focuses on policy and strategic deterrence rather than specific technical configurations. Therefore, no direct configuration examples are provided.*
## Compliance Alignment
The core principles align with several policy goals, although the focus is non-technical:
* **International Cooperation:** Aligns with general goals of international security frameworks that rely on mutual legal assistance and information sharing (e.g., principles often underlying standards like **ISO/IEC 27001** regarding managing external relationships and compliance).
* **Risk Management:** The strategy supports the overarching goal of **NIST Cybersecurity Framework (CSF)** by focusing on deterrence as a non-technical method to reduce the overall risk profile associated with malicious cyber activity.
## Common Pitfalls to Avoid
1. **Focusing Solely on Prevention:** Treating prevention (technical defense) as a sufficient response without actively pursuing deterrence (increasing criminal risk/cost).
2. **Lack of Commitment:** Treating deterrence efforts as only a matter of public statements rather than committing real legislative and resource action.
3. **Ignoring International Dimensions:** Assuming cybercrime can be managed solely within national borders, ignoring the location-independent nature of perpetration.
4. **Inaction Due to Difficulty:** Delaying hard measures (like political pressure or legislative reform) because implementation is challenging or politically complex.
## Resources
* **Reference for Cybercrime Tool Markets:** RAND Corporation, *Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar* (For understanding the "benefits" side of deterrence).
* **Reference for Deterrence Theory:** Durlauf & Nagin, *The Deterrent Effect of Imprisonment* (For understanding how punishment affects criminal behavior).
* **Reference for Measurement:** Anderson et al., *Measuring the cost of cybercrime* (For arguments supporting increased resource allocation).