Sunday, 27 November 2011

Cyber Security Strategy 2011

On Friday, the UK government released its latest Cyber Security Strategy. The Strategy sets out three objectives, underpinned by a fourth:

  1. "Tackle" cybercrime.
  2. Build resilience against cybercrime.
  3. Contribute to an "open, stable and vibrant" cyberspace.
  4. Attract & build upon skills to support all of these objectives.
In my view, the fourth is by far the most important of these objectives. There is a great deal that we do not yet know about Internet-mediated harms. Not only is the nature of the threat constantly developing, but so much is still to be learned about the individuals who drive criminality online.

Much of the Strategy is concerned with building defences against such harms. Certainly, resilience is very important, and I am pleased that the Strategy acknowledges that both industry standards and security awareness are important to reducing the opportunities for such harms. However, resilience strategies ultimately amount to nothing more than target hardening, ignoring the underlying issues. No crime, in my view, can adequately be understood as a 'routine activity', and policies which make this mistake can never hope to "tackle" crime.

The Strategy seems to be driven by a belief that it is possible to "design out crime online" (page 30, para. 4.32). Unfortunately, this is simply not possible. As Murray has argued, code-based solutions are ultimately 'worked around' by the active matrix: skilled and motivated users capable, ultimately, of rejecting code-based regulation by subversion. Further, any infrastructure-based solutions (e.g. the 'Internet kill switch', in any case useful only against certain kinds of harm) risk compromising the openness and neutrality of the network (see Carolina on the bordered Internet): an indirectly topical area in light of the Leveson Inquiry into the proper relationship between the state and the free media.

Returning to the question of whether cybercrime can be 'designed out' of the global network, readily manipulable but privatised and decentralised, it will come as no surprise that I prefer an approach that preserves both the neutrality of the network and the "open, stable and vibrant cyberspace" that it is an objective of this government to preserve and to further. Indeed, the two arguably go hand in hand.

I say that the solution demands a better understanding of the social causes of cybercrimes, of all flavours. Tackle these, and we stand a chance of enjoying a network shaped not just by code, but by common norms. Technical resilience is important, but social resilience and Durkheim's "internal policeman" cannot be overlooked, else in my view we risk "liddism" in our policymaking (Rogers 2002, Reiner 2010).

Clearly, achieving an understanding of cybercrimes in all their flavours is a big nut to crack, however I suspect that there are certain commonalities between offenders operating across each 'generation' of cybercrime (Wall 2007). In my dissertation 'Policing the Internet', I relabel Wall's three generations: e-jemmies (crimes committed within discrete computer systems), network crime (crimes exploiting connectedness to inflict harms remotely), and distributed crime (crimes which use networks to distribute and automate the infliction of remote harm). Wall predicts a fourth generation will exploit emerging ambient intelligence technologies as we move towards the 'Internet of Things'. Analysing this tendency in people to exploit new technologies could well reveal something important about the nature of criminality more broadly — especially important in light of this impending fourth generation of cybercrime. While it is likely that offenders for whom the Internet is merely a tool for offending that would happen in a world without the Internet remain the elusive province of ordinary criminologies, research into the nature and degree of social exclusion of other categories of cyber-offenders is desirable to understand what it is about the Internet that fuels offending, and how we can work to address it.

Worryingly, the Report seems to make assumptions about the nature of offending online: the sentence "criminals still regard exploiting cyberspace as a profitable and low-risk option" (emphasis added) marks an assumption that all cybercriminals are rational agents. Perhaps some behaviour can be so explained, but not all, and in any case there seems to be very little evidence (certainly none of which appears in the Strategy) to support this view.

Buried at page 23 of the Strategy is this precious sentence: "We want a UK where[, inter alia, p]eople are clear that, as in the offline world, we are each responsible for our behaviour in cyberspace". How do we (as a society, not just a state) inject this sense of responsibility, this normative code into the disparate and privatised fabric of cyberspace? Certainly not, in my view, by focusing entirely upon "threat management" in a technical sense.

I cannot stress enough that the Strategy certainly has laudable aims, and much is to be said for its content. It pledges to improve the police response to cybercrime and work internationally to deny cybercriminals 'safe havens' where regulation is weak, backed by a timely pledge to reinforce the Convention on Cybercrime as the UK enters its chairmanship of the Council of Europe. The judiciary are to be encouraged to respond to new threats using existing laws, whilst Parliament reviews the fitness for purpose of the Computer Misuse Act (see my earlier post on the risk of moral panic and over-criminalisation). Security agencies are to be encouraged to focus on the disruption of cybercrime even where convictions are unlikely: again, a laudable and realistic view in light of the inevitable jurisdictional issues inherent in e-crime, but one that flirts with defeatist 'liddism' (see above).

Also to be commended is this official recognition of the crucial role of the private sector. But how is this awkward relationship to be managed? Only 2% of the budget is allocated to this project (page 26), the rest being spent mostly on resilience measures. The Strategy mentions a partnership with the private sector to develop "cyber-relevant sanctions": what are these? Mention is made of "online sanctions for online offences" — does this allude to the controversial disconnection rule, or are we talking about something else? How would these sanctions be metered out, and by whom? On what standard of proof? Questions of legitimacy, oppression and subversion seem far too important to be answered by a fraction of a 2% cut of the cyber security budget. (See Laidlaw on the human rights responsibilites of Internet Information Gatekeepers.)

Returning to the fourth and overarching objective, the Strategy strongly encourages "R&D". What is not clear is whether the government had technical or social research in mind. Technical research is of course important to continue to improve resilience. However, we need social research to answer the question of normativity in cyberspace.

In summary, we seem to be focusing too much on target hardening and disruption. The deterrence and prevention of cybercrimes can only be effective in the long run if we understand the threat as necessarily social rather than merely technological. Is it merely opportunity that drives cybercrime? Is it true that those who commit crimes online would just be committing crimes offline anyway? Perhaps not.

As Clemente points out, the extent to which even this Strategy can be delivered in an age of austerity remains to be seen. However, what I am suggesting need not cost any more. I am simply arguing that the policymakers behind the Strategy seem to be making assumptions about the criminologies of cyberspace that could ultimately be the undoing of their otherwise laudable objectives. The involvement of foreign states and the private sector are crucial if we are to build this "open, stable and vibrant cyberspace", and I am pleased that the Strategy recognises this. However, by focusing too much on target hardening and too little on understanding the causes of cybercrime, we risk losing an opportunity to nip cybercriminality in the bud. My plea therefore is to legislators and independent research councils the world over, to fund the social research that these policies so badly need.

Saturday, 5 November 2011

The case for cyber criminology

Dr. Jaishankar, an Indian academic criminologist, is the founder and editor of the open access International Journal of Cyber Criminology. In his latest editorial, Jaishankar pleads the case for an "holistic" approach to the study of cybercrime.

Presently, e-crime seems mostly to be studied, or at least taught, from a 'crime science' perspective. Cybercrime thus seems largely to be understood as a technological phenomenon, rather than a social one. Courses like Murray's and Wall's are rare, exploring both the forensic and the socio-legal aspects of information technology, across several jurisdictions.

One of Jaishankar's contributions to the emergent field of cybercriminology is his "Space Transition" theory of cybercrime, which argues that people behave differently as they move between offline and online 'spaces'. As I pointed out in my previous post, unless the effect of convergence and the deepening pervasion (/ mediation / augmentation) of everyday life by networked technologies is also met with effective normative regulation of online spaces, cyberanomie may prevail.

If this regulation is to be effective in this dynamic new space, it must be evidence-based and research-led. Jaishankar cites a study noting that cybercriminological research, as an emergent discipline, has its fair share of methodological problems to overcome. It is my sincere hope that aspiring cybercriminologists will be increasingly well-received by 'traditional' criminology departments (and those who fund them), so as to nurture a high-quality and interdisciplinary approach to the causes and consequences of cybercrime.

Wednesday, 2 November 2011

"This debate belongs to you": cyberanomie and Internet rights

In the run-up to the London Conference on Cyberspace this week, William Hague again called for states to agree upon the rules of cyberwarfare.

In a world where national infrastructure is increasingly dependent upon networked technologies, the potential remotely to exploit this reliance is enormous. Our increasing dependence on technology places cyberwarfare ever higher up the information warfare agenda. This much is uncontroversial, and as one commentator pointed out, much of what was discussed at #LondonCyber was somewhat banal.

That said, Hague's closing speech summarises the 'best bits', distilling principles which in my view ought to be treated by policymakers the world over as something close to a constitutional model. By adopting this model, national laws will address the needs of a world reliant upon networked technologies. However, more must be said on the content of these laws if regulation on the global network is to be effective against arbitrage. Hague's speech sets the agenda for further international debate on the legislative and judicial development of cyberlaw, but it's up to us all to contribute to that debate.

Consistent regulation is important to guard against cyberanomie: the perception of lawlessness that underpinned the faulty perception of borderlessness (per Carolina) and anonymity that inspired JP Barlow to declare cyberspace a self-governing extraterritory. In the face of consistent and effective regulation, users will never forget that their actions are ultimately grounded by and effective within the physical world, creating a sense of accountability that will remind users to consult what Durkheim called their "internal policeman" when deciding how to conduct themselves online, applying the same standards online and offline. Users seeking to escape normative accountability by commenting anonymously or under a pseudonym will be caught by a cultural tendency to ignore, prohibit or deny weight to such comments.

The case for effective normative regulation is not only grounded in the defence of national interests and the preservation of our infrastructures, but in the defence of the modern self. Turkle identifies a heavy degree of investment of the self in technology. Bernal writes extensively on privacy and identifies an undervalued currency of personal data, and Laidlaw considers what responsibilities ought to be embraced by the gatekeepers controlling this data. On the topic of cybercrime specifically, Hague acknowledges that younger generations growing up in a world pervaded by technology increasingly do not draw a distinction between online and offline spaces. Because of our degree of self-investment in technology, criminality is as much a threat to autonomy (see my previous post) and individual interests online as it is offline  including in virtual worlds (see my essay proposing a right virtuńĀlis, link to follow).

It is my hope that the growing threat of cyberwarfare and cyberterrorism, together with the awareness raised by and discussions begun at #LondonCyber, will lead to debate on the broader norms of interaction online. Murray describes users as interacting within an 'active matrix' of connected Lessigian dots: this matrix must publicly discuss and decide upon what behaviours are and are not acceptable within international communities of users, and states must consider this when agreeing upon policy. #LondonCyber is a model forum in this respect, encompassing matters between states, between state and citizen, and between citizens, interacting with each other on a global scale.

The threshold between criminality and abnormality ought thus to be determined in the public sphere, and states ought further to facilitate and encourage this debate. Kaspersky's provocative remarks at #LondonCyber serve as a reminder that the 'war on terror' rhetoric situates terrorism somewhere between war and crime: a debate on Internet rights (per Murray) would clarify where acts of cyberterrorism, and harmful online behaviour more broadly, ought to fit within the law.

Later posts on this blog will contribute to this debate by discussing specific harms mediated wholly or partly by technology. In the meantime, whether here or elsewhere, do share your thoughts. In the words of William Hague, "this debate belongs to you".

Sunday, 30 October 2011

Vulnerable cyberautonomy

As respected legal writer @davidallengreen points out, perhaps the most remarkable thing about the Occupy London protest movement has been the unexpected scale of its impact.

One of the consequences of this movement has been, quite by accident, a serious impact on St. Paul's Cathedral. St. Paul's is an icon of the City, but is not connected to the capitalist civic that the City is said to represent. It is, to that extent, an innocent bystander. Does this make the effect it suffers more deserving of intervention? Does the fact that these consequences were not intended by the protestors affect their level of responsibility for them?

Any pro-social creature is mindful of the impact of his actions and inactions on others. Social norms evolve around consideration for others: standing on the right on the escalators to the tube, saying 'please' and 'thank you', not playing loud music at night. To renege on this mindfulness is considered antisocial, even criminal.

Peaceful protest, however, is not a criminal act. Neither is trespass, generally speaking. Yet, section 3 of the Computer Misuse Act 1990 criminalises the now commonplace 'distributed denial of service' (DDoS) attack: an act which might be described as digital trespass, and is often politically motivated, causing a website or other service temporarily to close its doors.

The parallel with the Occupy London movement is clear. Under the Computer Misuse Act, a digital Occupy movement which made use of DDoS would be a criminal act: rather than facilitating peaceful protest, the police would no doubt use their newly-expedited powers to 'seize' domains to hamper the movement and criminal prosecutions might follow, carrying the possibility of considerable custodial sentences. No digital 'ring of prayer' could hope to interfere with this process. How can this inconsistency be explained?

Ramsay applies his 'theory of vulnerable autonomy' to explain the expansion of criminalisation inherent in civil preventative orders such as the ASBO. He suggests that a state-level concern for 'vulnerable autonomy' demands 'liability for failure to reassure' others of a disposition to observe social norms, to be considerate of others' needs.

It is argued that a concern for vulnerable cyberautonomy can explain the breadth of the net cast by section 3. Given the inconsistency with the comparable law of trespass, the criminalisation of 'digital trespass' seems to be a legislative over-reaction to a new kind of threat. Could it be that there exists a 'right to access' other websites, and a de facto duty on Internet users to reassure each other of a disposition not to interfere with this right?

One of the key differences between offline and online protest is the visibility of the cause: offline visitors to the cathedral are met by protestors with their tents and placards, and can even visit the 'information tent' to find out more about the cause. A digital 'occupation' in the form of a DDoS attack would simply deny access to the would-be user, without any explanation  unless the website had been hijacked and replaced with another bearing a particular message, which is more akin to vandalism than trespass.

Indeed, those engaging in a denial of service attack intend to block access to the affected service by legitimate users. The same cannot be said of the Occupy protestors, as the effect upon St. Paul's was quite unintended. However, it is not necessarily the case that DDoS attacks are malicious per se. Indeed, that the Occupy movement would cause some kind of disruption to the City was plainly foreseeable. Would a digital 'occupation', in the form of a DDoS attack, really be so markedly different from an 'occupation' or picket line to justify criminal regulation?

The differences between the worlds of atoms and bits then stretch the 'trespass' analogy  but, it is argued, not fatally so. Notwithstanding these differences, it is argued that the over-broad applicability of section 3 is the result of a catch-all approach on the part of the draftsmen, placing the onus of fairness in its application in the hands of the discretion of public prosecutors and the interpretive powers of the courts. The trial of Paul Chambers ought to be a warning against trusting either of these safeguards when dealing with so-called cybercrime.

This overreaction might be explained by the fact that the effectiveness of many DDoS attacks is bolstered by the expansion of 'botnets' by unlawful means: unsuspecting users are infected with viruses or duped into downloading infected software, causing their computers to join the botnet without the user's knowledge or consent. This is a criminal wrong which ought to be dealt with separately, rather than relying on a catch-all section 3.

An amended section 3 could build in an exception to reassure peaceful protestors that they will not face prosecution for seeking to bolster their cause with technology; or perhaps limit the offence to DDoS against 'protected sites', mirroring the criminalisation of trespass at sections 128-131 of the Serious Organised Crime and Police Act 2005. DDoS ought to be treated as a civil wrong, like its trespass cousin, with the possibility of claims for damages for loss of revenue. States, it is argued, have no business criminalising the peaceful use of technology to draw attention to a particular cause. A compromise could be drawn by issuing cyber-ASBOs against the most prolific orchestrators of malicious DDoS attacks.

It is at least arguable that section 3 is an example of what Husak called overcriminalisation. The novelty and complexity of cybercriminality, and the importance of tech-neutral drafting in a society in which technologies evolve more quickly than statutes (@AndrewDMurray), creates a dangerous temptation for Parliament to over-react to new threats.

We — the community of users and lawyers — must be vigilant in our scrutiny and prolific in our discourse if we are to mitigate against this risk. The extent of the 'right to access' is something we all ought to be discussing as part of Murray's call for an Internet Bill of Rights. In this spirit, comments are very welcome indeed.

Image courtesy of

Saturday, 29 October 2011

Welcome to

If you're interested in technology, society and law, you're in the right place!

I'm fascinated by the ways in which technology shapes our interactions, and what changes this could bring to our collective sense of right and wrong. So, on this blog I'm going to post occasional reflections on topics relating to law and technology, with a special focus on e-crime and policing.

I'm an LSE graduate with an interest in IT law, and my hope is to stimulate debate amongst an audience of interested laypersons, lawyers, technical experts, criminologists, sociologists and academics from other disciplines. Whether technophobe or technophile, your contributions are welcome here!

The first post will be along in the next couple of weeks. In the meantime, you can follow this blog and its author on Twitter: @ecrimeblog and @rhanstock respectively. If there's anything in particular you'd like to see featured on this blog, please let me know.

Stay tuned...