Five Levers Lawmakers Can Use to Tackle Cybercrime
Steve Durbin, Chief Executive of the ISF, featured in Infosecurity Magazine

Steve Durbin, Chief Executive of the ISF, explores five interrelated elements deemed critical for your business to tackle cybercrime and bolster cyber security capabilities.

A European Commission report, led by the Information Security Forum with contribution from CC-Driver, a consortium of 13 partner organizations from nine European countries, issued a cyber security framework of five interrelated elements deemed critical to tackling cybercrime and bolstering cyber security defenses. Funded by a €5m European Commission Horizon 2020 research program, the report is compliant with the European Commission’s ethical, legal and security requirements.

1) Strategy

Strategy is defined here as the high-level plan consisting of objectives to be achieved and the organisation’s direction to achieve said goals. Objectives can include bolstering cyber security capabilities, improving cyber security awareness or tackling cyber security-related offences. For a strategy to be effective, it must consist of comprehensive and balanced guidance for all stakeholders and not just focus on a subset of individuals or groups. Strategy must also clearly define the key performance indicators (KPIs) alongside realistic timelines to provide all stakeholders with a more transparent review process and assurance. It is often the case that identification and prevention of cyber threats receive more attention than the latter stages of the cybercrime lifecycle – conviction and punishment. CC-Driver recommends that all stages of the cybercrime lifecycle must receive an equal focus from lawmakers.

2) Legislation

Legislation is a fundamental element that governs the behaviour of people in the cyber-sphere. Since the cyber-sphere has no physical boundaries and is not controlled by any single entity, government or individual, it is extremely difficult to regulate. Therefore, legislative authorities and governments must come together and harmonise cybercrime definitions, penalties and fines. Cybercrime reforms should be performed more regularly than other forms of legislation because the cyber-sphere is fast evolving and regulations can quickly become obsolete if not updated regularly. Lawmakers must maintain a web-based repository of cybercrime offences that is globally accessible so that other countries can benefit from it. Users can educate themselves on the different types of cybercrime offences, and perpetrators are made aware of the consequences of their actions. Legislation must also encourage victims to come forward and explore avenues of legal remedy. Cybercrime offences have a low conviction rate, which can deter victims from coming forward. Legislation should also include guidance for non-culpable actors like penetration testers, academics, researchers, journalists or even negligent members of the public, as there have been cases of non-culpable individuals who’ve been prosecuted when, ideally, they shouldn’t have been.

3) Engagement

Engagement means initiatives or activities (such as training, programs, campaigns) that try to increase the reach and awareness of cyber security and cybercrime-related issues. If potential victims are made aware of cyber-threats and how they can mitigate cyber-risks and if potential criminals are made aware of the consequences of committing cybercrime offences, then this can help reduce cybercrime to a great extent. Such engagement and education must start from a young age. Statistics show that cyber-criminals tend to be younger in comparison to traditional criminals in the physical world. Specific demographics should be engaged more than others; data shows adults under 25 and over 75 are most vulnerable to cyber fraud. As people spend more time online, legislators must leverage well-known online platforms and gamification techniques as a means to disseminate engagement activities.

4) Enforcement

Enforcement translates to efforts in policing the cyber-sphere and protecting its citizens online. Combating cybercrime is a shared responsibility between lawmakers and their citizens, and therefore enforcement agencies must announce incentives that encourage reporting of cybercrime. Enforcement authorities like police officers, judiciary and lawmakers should undertake cyber security training to be more effective in their responsibilities. Lawmakers must also provide meaningful data and metrics (in technical and non-technical terms) that aid in effective decision-making for budget holders. Enforcement actions must address root causes, not immediate incidents. For example, phishing is responsible for the majority of ransomware attacks, so the focus should ideally be on mitigating phishing.

5) Assessment

Assessment translates to collecting, managing and analysing accurate and reliable cybercrime data. Our research found that various countries across Europe use different tools and technologies to analyse cybercrime data, limiting the ability to aggregate, compare and build robust datasets. Countries must therefore try to harmonise their metrics as much as possible to facilitate swift and efficient comparisons. International collaboration must be encouraged to facilitate a greater exchange of cybercrime information. Examples include having an international platform for accessing cybercrime data and creating rapid response mechanisms and secure communication channels between governments. Finally, insights extracted from regular analysis and reporting of cybercrime data must be continuously fed into the engine to execute strategy, legislation, engagement and enforcement reforms.

It’s time the global anti-cybercrime ecosystem comes together, synchronises its efforts and formulates global protocols that can benefit everyone. Cybercrime is an increasingly pervasive, international threat that cannot be tackled in isolation.

Access the full ISF-led report in conjunction with CC-Driver now:
