Presented at “Confronting the Future Challenges of Cybercriminal Behavior”, a conference held at the FBI Academy, Quantico, Virginia, 17-22 August 2003.
Bud Levin¹
I appreciate the invitation to share a few thoughts at this conference
on the future of cybercriminal behavior. I have been having adventures
in computing since 1964, when I was programming in assembly language
on the then brand new IBM System/360 ( http://www-1.ibm.com/ibm/history/exhibits/mainframe/mainframe_PR360.html ).
Back then, cybercriminals were the furthest thing from my mind – and
I dare say, from the minds of most others. Times do change.
A practical prior to understanding cybercriminal behavior is understanding
the characteristics of people who are likely to be available to
commit and to be victimized by such behavior. The first brief section
of my talk will use as an example a couple of dimensions of demographics.
Most of you have noticed that there is no shortage of pedophiles
who use the ‘net. My guess is most of those who chase pedophiles
could go on-line and within a few minutes open a new felony case.
The supply of pedophiles probably is enough to drive the criminal
justice system into a state of collapse due to resource shortages.
The supply of children under age 9 is now about 38 million ( http://www.census.gov/population/projections/nation/summary/np-t3-b.pdf ).
By 2030, there will be about 46 million children under the age
of 9 ( http://www.census.gov/population/projections/nation/summary/np-t4-f.txt ).
That's a 21 percent increase in the number of potential victims
for pedophiles.
However, our biggest group of cybervictims in future years probably
will not be children. This country is getting older. A lot older.
As of the year 2000, we had 35 million people age 65 or older
(Federal Interagency Forum on Aging-Related Statistics, 2000).
This segment of the population is growing rapidly, thanks to the
baby boom generation. By the year 2030, the number of people 65
years of age or older will have doubled, to 70 million. The over
65 group will thus have five times the growth of the under 9 population.
That growth in the over 65 group means a lot of potential victims
for virtual crimes as well as physical crimes.
The majority of people in that older age group are female, since
males don't age well. Of women aged 65 and over, only 41 percent
are married and living with a spouse (http://www.census.gov/prod/99pubs/p20-514u.pdf,
Table 7); another 41 percent lived entirely alone (Federal Interagency
Forum on Aging-Related Statistics, 2000, Table 5A). That means
a lot of lonely women, many of them increasingly acquainted with
life on the Internet, ripe for victimization in diverse ways.
The median household net worth for households headed by people
65 and older is $150 to $200 thousand dollars. That's a lot of
money that can be targeted by bad guys.
There are some pretty obvious technical implications for these
demographics, but demographic change is by no means all that will
be driving the future of cybercriminal behavior.
Consider the antics we've been observing on the Internet for the
past year or two. For example, any software patching that depends
on any action at the user level at all – even such mechanisms as
LiveUpdate and Windows Update – is hopeless. There are too many
noncompliant users and too many unobservant users. Patching will
have to be centrally controlled and of the push-down variety. Many
businesses and even my college are doing this already, but it's
not clear how one does push-down patching to the level of the individual
user's home computer without raising privacy concerns as well as
a variety of other legal and ethical issues.
Even more important, we have less lead time to cope with sundry
viruses and worms and their ilk – instead of a few days or weeks,
we may have hours or, eventually, only minutes. Our entire human-intensive
system of software modification and updating is a sitting duck,
an obsolete approach to increasingly serious threats. If we keep
doing business as usual, the good news is that you folks will have
even more cybercriminals to catch.
One possibility is that we will go from a model of software ownership
to one of software rental, using a new legal theory – that of virtual
landlord-tenant. A landlord-tenant model would imply reasonable
access by the landlord, thus creating a context in which the software
owner would have a limited right to invade one's computer for the
limited purposes of maintenance, updating, and detection of illegal
use.
We are at a very early stage of a complicated version of chess
in which the players are just now learning some of the moves. Cybercrime,
whether using the computer or targeting the computer, is in an
early developmental phase. It is nowhere near finished form and
probably will not near stability at least for the next decade or
two. Part of the reason for this is that we are still busily creating
new cybercrime statutes.
There are many other worry zones regarding cybercriminal behavior.
I will offer eight of them for your consideration:
- The movement of software development and support and operations
to other nations will inevitably create vulnerabilities because
of various breaches of trust and difficulties of prosecution.
According to one reasonably reliable source, the Gartner Group, “One
in 20 end-user IT jobs to move offshore by late 2004” ( http://www.computerworld.com/printthis/2003/0,4814,83568,00.html ).
- Because cybercrime has been internationalized so early in its development,
the effective investigator will need more than a modicum of forensic
knowledge and skills. The investigator will need to have a broad
education in the ways of heterogeneous nations and cultures.
The investigator will need to be able to communicate easily and
routinely with peers in other nations, without going through
cumbersome chains of command. Work-arounds are proliferating,
but using them may place well-intentioned investigators in peril
from organizational forces for conformity.
- A few months ago Scott Charney, the Chief Security Strategist at Microsoft, gave a talk
on what he called “Trustworthy Computing” at
a conference at the University of Washington ( http://www.ebiz.washington.edu/nwebiz/Conference/presentations/2003/Charney/1
28 February 03 ). One of his points is germane here. He defined
trustworthy computing as having three components: reliability,
security, and privacy. My observation, although not necessarily
his, is that the average home computer user has achieved reliability,
security, and privacy only because nobody has bothered to attack
the user's computer in a serious way. That is coming. Soon.
The targets are increasing dramatically; cybercriminals will multiply
as well. Soon we will become accustomed to attacks on the net-centric
home including computer-controlled home security systems, on wearable
computers, IP phones, and the focused hacking of tax forms such
as Turbo-Tax and other financial documents that are stored on millions
of home computers. We are creating an extremely target-rich environment
for perps.
- Our inability to comport copyright and other intellectual
property issues with modern communications systems and our
increasing reliance on private entities such as the Software
Publishers Association to enforce this emerging area of law will
have interesting manifestations.
- Cybercriminals have engaged us
in a vicious cycle of mutual escalation. We will no more crush
cybercrime than we have crushed criminal assaults. We can, however,
become much more sophisticated in how we identify “persons of
interest” and likely victims.
In doing so, of course, we run the risk of overwhelming the criminal
justice system and going well beyond the knowledge base of many
prosecutors and judges and defense attorneys. Change in the criminal
justice system comes slowly. Very slowly. That's not necessarily
a bad thing overall as it reduces the number and severity of
knee-jerk irrational responses the system might otherwise make.
- One characteristic of cybercriminal behavior that we tend to overlook
is that it is adaptive, at least in the eyes of the perpetrator.
In effect it is contingency-governed. Perps do what they perceive
is in their own best interest. Thus, we can protect cyberturf
somewhat parallel to how we can protect physical turf. For example, “crime
prevention through environmental design” (CPTED; e.g., Crowe, 2000)
is a model that might serve us well.
The trick, of course, is to design an environment that is unfriendly to
criminal behavior yet is still functional for the intended user.
That's not easy in a physical setting. It's very difficult in the
instability that characterizes the virtual setting. However, until
and unless we look at cybercrime as merely an extension of routine
crime, and cybercriminals as merely an extension of our routine
customers, we'll likely be missing the boat on prevention and trying
to push back an ocean that is full of perpetrators.
- Our cybercrime fighting will remain inefficient – we will remain
several steps behind the bad guys. Partly this is a result of
how fragmented our effort is – see http://www.ncfs.org/cybercrime.pdf
(Handout). Complex as it is, this graphic provides only “organizations
within the Federal Government dealing with Computer Forensics
and/or Computer Security”. It ignores state and local governments
as well as the private sector. It does not even list the High
Tech Crime Consortium and the High Tech Crime Investigation Association.
Our fragmentation will not go away as it is intrinsic to how
we in the U.S. practice law enforcement. Inefficiency in law
enforcement is not necessarily a bad thing in terms of the larger
society, but it can be a serious annoyance for those trying to
enforce the law.
- As we learn to fight emerging cybercrime and cybercriminals,
we will find ourselves in unproductive conflicts. One of those
conflicts is and will be the perceived conflict between security
and privacy of private citizens. Remember “DCS1000” aka “Carnivore” and “Total
Information Awareness”?
The primary focus of this conflict between security and privacy is not legal, but cultural. At some point,
we in law enforcement will be reined in because we've become
too enthusiastic yet again. The public does not want highly effective
policing nor does the public want a cop under every bed. Or in
every computer. It will behoove us to remember that.
So much for those eight worry zones. Let's take a broader view
now.
The world is changing rapidly. The behavior of cybercriminals
will be changing as well. If we are to stay in the game at any
kind of meaningful level, we will need to change, too.
The most significant change within the next decade or two will
be that cybercriminals will become pervasive and yet basic vanilla
criminals, studied and written about and prosecuted about as competently
as we handle the rest of our criminal caseload. We should, at this
point, begin to think about what the next wave of criminality will
become, as cybercriminality retreats into routine business for
us in law enforcement.
References
Crowe, T. (2000). Crime prevention through environmental design.
Amsterdam: Butterworth-Heinemann, 2nd ed.
Federal Interagency Forum on Aging-Related Statistics. (2000).
Older Americans 2000: Key Indicators of Well-Being. Federal Interagency
Forum on Aging-Related Statistics, Washington, DC: U.S. Government
Printing Office. August. http://www.agingstats.gov/chartbook2000/OlderAmericans2000.pdf
Note:
1 Dr. Levin is professor of psychology
and administration of justice at Blue Ridge Community College and
Commander, Policy and Planning, Waynesboro Virginia Police Department. levinb@brcc.edu www1.brcc.edu/levin
23AU03