Exploring Cybersecurity and Cybercrime: Threats and Legal Responses
Lilian Edwards, Law, Policy and the Internet (Hart Publishing: Forthcoming)
Posted: 10 Apr 2017 Last revised: 14 Apr 2020
Date Written: April 5, 2017
“The only way to patch a vulnerability is to expose it first… the flip side being that exposing the vulnerability leaves you open for an exploit”.
Elliot Alderson, Mr. Robot, s2 ep 4, 14m25s.
Cybersecurity is a convoluted domain to navigate, filled with esoteric terminology, acronyms and an ever-shifting roster of actors and threats. We can begin by thinking about the contested term ‘hacker’ to get a sense of the diversity. Hackers could be framed as merely sitting somewhere on the spectrum between law-abiding white hats and criminal black hats, but that neglects the richness of the various tribes who mix and overlap. To take a few, there are:
- Traditional cyber criminals organising campaigns to infect laptops or smartphones with remote access tools, recording victims in precarious acts through their webcams and extorting them to prevent release of the footage.
- Organised crime groups running peer-to-peer marketplaces on the ‘dark net’, enabling trade of drugs, people, or extreme pornography.
- Groups like LulzSec or Anonymous, loosely united as hacker collectives, using hacking for social justice and retaliating against organisations for perceived immoral acts.
- State-sponsored hackers attacking foreign infrastructure in so-called advanced persistent threats or patriotic campaigns to spread propaganda, steal military secrets or interfere with foreign elections.
- Solitary characters hacking from their bedroom into US military or national security infrastructure, seeking to prove the existence of UFOs and spending years fighting extradition.
Popular culture plays with many of these stereotypes, from recent, critically acclaimed TV series Mr Robot back to 1980s and 1990s cult classic movies War Games and Hackers. Unpacking the diversity of hacker communities (an interesting anthropological and criminological topic of inquiry) helps us get a sense of the multitude of actors, trends, motivations, threats and practices that cybersecurity regulation needs to contend with.
Effective regulation in this setting is complicated by the convergence of IT and a blurring between physical and online lives with mobile and embedded computing. IT is increasingly going beyond the desktop, as wearable health devices and smart home appliances become more common. This occurs at the macro level too, with computation and sensing being embedded in the urban built environment to manage transport or energy infrastructure.
Legitimate and illegitimate economies associated with cybersecurity encompass both security vendors, consultants and IT firms trying to patch or address threats, and organised crime groups trying to find the vulnerabilities and exploit them, for example by stockpiling and trading zero-day attacks. In addressing the challenges, law enforcement agencies need to contend with skillset or resource deficits and procedural challenges of cooperating across borders to address heterogeneous, transnational cybercrimes.
As we explore in this chapter, regulating cybersecurity risks requires ways of cutting through the surrounding fear, uncertainty and doubt to find strategies that enable measured, balanced responses. However, as ever, the fast pace of technological change is in contrast with the patchwork of regulatory and policy frameworks that can react to these novel phenomena at different speeds.
In this chapter, we explore some of the complexities around regulating cybersecurity in the UK, Europe and internationally. We analyse both legal and technical literature to provide a balanced picture of both the threats and responses, with attention to novel contemporary challenges of regulating cyberwarfare or building a secure Internet of Things. Cybersecurity risks from emerging technologies cannot be solved from a purely legal approach; instead, cooperation and participation between many stakeholders is necessary. Technologists, regulators, industry and the public all have a role to play.
Keywords: cybercrime; information security; hacking; computer misuse act