Professor of International
Security Studies, University of Pittsburgh and 2001-2002 Visiting Scientist at
CERT/CC, a center of Internet security expertise at Carnegie Mellon University.
Williams is also the editor of the journal "Transnational Organized
Crime" at http://www.pitt.edu/~rcss/toc.html
The capabilities and
opportunities provided by the Internet have transformed many legitimate
business activities, augmenting the speed, ease, and range with which
transactions can be conducted while also lowering many of the costs. Criminals
have also discovered that the Internet can provide new opportunities and
multiplier benefits for illicit business. The dark side of the Internet
involves not only fraud and theft, pervasive pornography, and pedophile rings,
but also drug trafficking and criminal organizations that are more intent upon
exploitation than the disruption that is the focus of the hacking community.
In the virtual world, as in
the real world, most criminal activities are initiated by individuals or small
groups and can best be understood as "disorganized crime." Yet there
is growing evidence that organized crime groups are exploiting the new
opportunities offered by the Internet. Organized crime and cybercrime will
never be synonymous. Most organized crime will continue to operate in the real
world rather than the cyberworld and most cybercrime will be perpetrated by individuals
rather than criminal organizations per se. Nevertheless, the degree of overlap
between the two phenomena is likely to increase considerably in the next few
years.
Organized Crime and
Cybercrime
Organized crime is primarily
about the pursuit of profit and can be understood in Clausewitzian1
terms as a continuation of business by criminal means. Consequently, just as
brick-and-mortar companies move their enterprises on to the Worldwide Web
seeking new opportunities for profits, criminal enterprises are doing the same
thing. Criminal organizations are not the only players in illicit markets, but
they are often the most important, not least because of the added
"competitiveness" that is provided by the threat of organized
violence. Moreover, criminal organizations tend to be exceptionally good at
identifying and seizing opportunities for new illegal enterprises and
activities. In this context, the Internet and the continuing growth of
electronic commerce offer enormous new prospects for illicit profits.
In recent years, there has
been a significant increase in the sophistication of organized crime and drug
trafficking groups. Colombian drug trafficking organizations, for example, have
followed standard business practices for market and product diversification,
exploiting new markets in Western Europe and the former Soviet Union. Criminal
organizations and drug traffickers have increasingly hired financial
specialists to conduct their money laundering transactions. This adds an extra
layer of insulation while utilizing legal and financial experts knowledgeable
about financial transactions and the availability of safe havens in offshore
financial jurisdictions. Similarly, organized crime does not need to develop
technical expertise about the Internet. It can hire those in the hacking
community who do have the expertise, ensuring through a mixture of rewards and
threats that they carry out their assigned tasks effectively and efficiently.
Organized crime groups
typically have a home base in weak states that provide safe havens from which
they conduct their transnational operations. In effect, this provides an added
degree of protection against law enforcement and allows them to operate with
minimal risk. The inherently transnational nature of the Internet fits perfectly
into this model of activity and the effort to maximize profits within an
acceptable degree of risk. In the virtual world, there are no borders, a
characteristic that makes it very attractive for criminal activity. When
authorities attempt to police this virtual world, however, borders and national
jurisdictions loom large -- making extensive investigation slow and tedious, at
best, and impossible, at worst.
The Internet itself provides
opportunities for various kinds of theft, whether from online banks or of
intellectual property. But it also offers new means of committing old crimes
such as fraud, and offers new vulnerabilities relating to communications and
data that provide attractive targets for extortion, a crime that has always
been a staple of mafia organizations.
The anonymity of the
Internet also makes it an ideal channel and instrument for many organized crime
activities. The notion of a criminal underworld connotes a murkiness or lack of
transparency. Secrecy is usually a key part of organized crime strategy and the
Internet offers excellent opportunities for its maintenance. Actions can be
hidden behind a veil of anonymity that can range from the use of ubiquitous
cybercafes to sophisticated efforts to cover Internet routing.
Organized crime has always
selected particular industries as targets for infiltration and the exercise of
illicit influence. In the past, these have included the New York City garbage
hauling and construction industries, the construction and toxic waste disposal
industries in Italy, and the banking and aluminum industries in Russia. From an
organized crime perspective, the Internet and the growth of e-commerce present
a new set of targets for infiltration and the exercise of influence -- a
prospect that suggests that Internet technology and service firms should be
particularly careful about prospective partners and financial supporters.
In sum, the synergy between
organized crime and the Internet is not only very natural but also one that is
likely to flourish and develop even further in the future. The Internet
provides both channels and targets for crime and enables them to be exploited
for considerable gain with a very low level of risk. For organized crime it is
difficult to ask for more. It is critical, therefore, to identify some of the
ways in which organized crime is already overlapping with cybercrime.
Major Trends in Organized
Crime and CyberCrime
Organized crime groups are
using the Internet for major fraud and theft activities. Perhaps the most
notable example of this -- albeit an unsuccessful one -- occurred in October
2000 and concerned the Bank of Sicily. A group of about 20 people, some of whom
were connected to mafia families, working with an insider, created a digital
clone of the bank's online component. The group then planned to use this to
divert about $400 million allocated by the European Union to regional projects
in Sicily. The money was to be laundered through various financial
institutions, including the Vatican bank and banks in Switzerland and Portugal.
The scheme was foiled when one member of the group informed the authorities.
Nevertheless, it revealed very clearly that organized crime sees enormous
opportunities for profit stemming from the growth of electronic banking and
electronic commerce.
Indeed, organized crime
diversification into various forms of Internet crime is closely related to a
second discernible trend -- organized crime involvement in what was once
categorized as white-collar crime. The activities of the U.S. mob and Russian
criminal organizations on Wall Street fall into this category. During the late
1990s there were numerous cases of criminal organizations manipulating microcap
stocks using classic "pump and dump" techniques. While much of this
was done through coercion or control of brokerage houses, the Internet was also
used to distribute information that artificially inflated the price of the
stocks. Among those involved were members of the Bonnano, Genovese, and Colombo
crime families as well as Russian immigrant members of the Bor organized crime
group. As criminal organizations move away from their more traditional
"strong arm" activities and increasingly focus on opportunities for
white-collar or financial crime, then Internet-based activities will become
even more prevalent. Since Internet-related stock fraud results in a
$10,000-million-per-year loss to investors, it offers a particularly lucrative
area for organized crime involvement.
This is not to suggest that
organized crime will change its character. Its inherent willingness to use
force and intimidation is well suited to the development of sophisticated
cyberextortion schemes that threaten to disrupt information and communication
systems and destroy data. The growth of cyberextortion is a third significant
trend. Extortion schemes are sometimes bungled, but they can be conducted
anonymously and incur only modest risks, while still yielding high pay-offs.
Indeed, this might already be a form of crime that is significantly
under-reported. Yet it is also one that we can expect to see expand
considerably as organized crime moves enthusiastically to exploit the new
vulnerabilities that come with increased reliance on networked systems.
A fourth trend is the use of
what were initially nuisance tools for more overtly criminal activities.
Perhaps the most notable example of this occurred in late 2000 when a variation
of a virus known as the Love Bug was used in an effort to gain access to
account passwords in the Union Bank of Switzerland and at least two banks in
the United States. Although this episode received little attention -- and it is
not entirely clear who the perpetrators were -- it gives added credence to the
theory that organized crime is developing relationships with technically
skilled hackers.
A fifth trend that we can
expect to see is what might be termed jurisdictional arbitrage. Cybercrimes --
certainly when they are linked to organized crime -- will increasingly be
initiated from jurisdictions that have few if any laws directed against
cybercrime and/or little capacity to enforce laws against cybercrime. This was
one of the lessons of the Love Bug virus. Although the virus spread worldwide
and cost business thousands of millions of dollars, when FBI agents succeeded
in identifying the perpetrator, a student in the Philippines, they also found
that there were no laws under which he could be prosecuted. The Philippines
acted soon thereafter to pass prohibitions on cybercrimes, and other countries
have followed. Still, jurisdictional voids remain, allowing criminals and
hackers to operate with impunity. Indeed, it is possible that some
jurisdictions will increasingly seek to exploit a permissive attitude to
attract business, creating information safe havens (paralleling offshore tax
havens and bank secrecy jurisdictions) that make it difficult for law
enforcement to follow information trails, and offering insulated cyber-business
operations from which illicit businesses can operate with a minimum of
interference.
A sixth trend is that the
Internet is increasingly likely to be used for money laundering. As the
Internet becomes the medium through which more and more international trade
takes place, the opportunities for laundering money through over-invoicing and
under-invoicing are likely to grow. Online auctions offer similar opportunities
to move money through apparently legitimate purchases, but paying much more
than goods are worth. Online gambling also makes it possible to move money --
especially to offshore financial centers in the Caribbean. Moreover, as e-money
and electronic banking become more widespread the opportunities to conceal the
movement of the proceeds of crime in an increasing pool of illegal transactions
are also likely to grow.
A seventh trend involves
growing network connections between hackers or small-time criminals and
organized crime. In September 1999, for example, two members of a U.S.-based
group known as the "Phonemasters" were convicted and jailed for their
penetration of the computer systems of the telecommunications companies MCI,
Sprint, AT&T, and Equifax. One of those convicted, Calvin Cantrell, had
downloaded thousands of Sprint calling card numbers. They were sold to a
Canadian, passed back through the United States, resold to another individual
in Switzerland, and finally the calling cards ended up in the hands of
organized crime groups in Italy. Network connections between the two kinds of
groups are likely to deepen and widen.
In addition, of course,
organized crime groups use the Internet for communications (usually encrypted)
and for any other purposes when they see it as useful and profitable. Indeed,
organized crime is proving as flexible and adaptable in its exploitation of
cyberopportunities as it is in any other opportunities for illegal activity.
The implications are far-reaching and require a response from government that
is strategic, multi-level, multilateral, and transnational in nature.
Responses to the Organized
Crime-CyberCrime Synergy
The response to the growing
overlap between organized crime and cybercrime requires a truly comprehensive
strategy. There are precedents and models for this that can be particularly
helpful, even allowing for the need to balance law enforcement and national
security concerns against such considerations as personal privacy. The key principles
that have guided the international community's responses to transnational
organized crime and money laundering can serve as one good model.
The Financial Action Task
Force (FATF), a body set up by the G-7, has attempted to create norms and
standards for governments and financial institutions to follow in the
development of laws, regulations, and enforcement mechanisms at the national
level. Although criticisms can be made of the FATF, in 2000 it launched an
effective "name and shame" campaign that identified 15
"non-cooperative" jurisdictions whose efforts to combat money
laundering were grossly inadequate. In some cases, the results were remarkable,
leading to much more stringent anti-money laundering programs and far greater
transparency of financial activities. While the FATF's campaign was the
culmination of a 10-year effort, it nevertheless provides an approach that
could usefully be emulated by the international community as it moves to combat
cybercrime. The Council of Europe Convention on Cybercrime, largely supported
by the United States, is the first major step in this direction and can be
understood as the beginning of the process of setting norms and standards that
national governments ultimately will be expected to meet in their legislative, regulatory,
and enforcement efforts.
Underlying the convention
approach is a fundamental recognition of the need to harmonize national laws.
In recent years, international cooperation in law enforcement has been achieved
through a series of extradition and mutual legal assistance treaties (MLATs)
that allow governments to share information and evidence with each other. For
MLATs and extradition treaties to go into effect, however, there is usually a
requirement of dual criminality (i.e. the crime involved must be designated as
a crime in both jurisdictions). In other words, international cooperation is
enormously facilitated by convergence of what is criminalized in national
jurisdictions. Furthermore, as pointed out by Ernesto Savona, head of the
Transcrime Research Center in Trento, Italy, the imposition of similar laws in
various countries both spreads the risks that criminal organizations have to
confront and goes some way towards equalizing the risks across jurisdictions.
In effect, the more widespread the laws, the fewer the safe havens from which
organized crime-controlled hackers (or indeed individual hackers) can operate
with impunity
Harmonization is necessary
for both substantive and procedural laws. All countries have to reappraise and
revise rules of evidence, search and seizure, electronic eavesdropping, and the
like to cover digitized information, modern computer and communication systems,
and the global nature of the Internet. Greater coordination of procedural laws,
therefore, would facilitate cooperation in investigations that cover multiple
jurisdictions.
In addition to appropriate
laws, it is also important that governments and law enforcement agencies
develop the capacity for implementation of these laws. This requires the
development of expertise in the area of cybercrime as well as effective
information sharing across agencies within a country and across national
borders. Moreover, this sharing has to go beyond traditional law enforcement
bodies to include national security and intelligence agencies. It is also
essential to create specialized law enforcement units to deal with cybercrime
issues at the national level. Such units can also provide a basis for both
formal international cooperation and informal cooperation based on transnational
networks of trust among law enforcement agents. Ad hoc cooperation and
multinational task forces can both prove particularly useful -- and there are
already cases where international cooperation has been very effective. Indeed,
successful cooperation can breed emulation and further success.
The other important
component of a strategy to combat cybercrime is partnership between governments
and industry, especially the information technology sector. Once again, there
are precedents. In recent years, the major oil companies, although very
competitive with one another, established information sharing arrangements and
worked very closely with law enforcement to minimize infiltration by organized
crime figures and criminal companies. Government-private sector cooperation of
this kind is not always easy but it is clear that a degree of mutual trust can
make a difference. For cooperation to be extended, law enforcement agencies
have to exercise considerable care and discretion not to expose company
vulnerabilities, while the companies themselves have to be willing to report
any criminal activities directed against their information and communication
systems.
Even if considerable
progress is made in all these areas, organized crime and cybercrime will
continue to flourish. If steps are made in these directions, however, then
there is at least some chance that cybercrime can be contained within
acceptable bounds, that it will not undermine confidence in electronic
commerce, that it will not so enrich organized crime groups that they can
further corrupt and threaten governments, and that the big winner from the
growth of the Internet will not be organized crime.
1 Refers to the German philosopher Karl Von Clausewitz, well-known for
the maxim "war is the continuation of policy by other means."