19 August 2013
How do we find out about cyber criminals in the UK? This is the question Security Lancaster set out to answer at a workshop with attendees from the face of our legislative and data collection institutions, ranging from solicitors to government agencies and departments.

A number of conclusions were drawn from discussions with the attendees, the majority of which indicated that the collation of suitable public data to make rational and justifiable decisions on the cyber criminal impact in the UK should be considerably improved.

One aspect that caught people's attention is the concept of adapting the sentencing guidelines to take into account the use of technology as an aggravating or mitigating factor.

Technology is complicated and evolving fast, with an even faster evolution in social uses of this technology for legitimate and criminal enterprise. The issue comes when you are trying to work out what is and isn't a cyber crime - one of the fundamental questions you need to answer if you are going to measure this criminal act.

Recently, cyber crime classification has evolved to provide two main categories: Computer Enabled and Computer Dependent. For the latter category we have created or updated legislation, such as the Computer Misuse Act, to deal with new crimes, crimes which could not have existed before the advent of a new technology. The difficulty comes when you have old crimes with existing legislation, such as fraud, which have been enhanced or adapted through the use of new digital technology; this is the computer enabled category.

Should legislation be updated in respect to a crime like fraud to encompass the new digital techniques, and could we even legislate fast enough to do this? This is one of the distinctions that we discussed in depth during the workshop: when new crimes come into being, time must be taken to consider them and generate appropriate laws of the land.

However, it would appear [1] that many of the cyber crimes that do occur currently fall into the bracket of computer enabled, old crimes reinvented for the digital age. How can we possibly deal with such a situation?

Here the idea of using sentencing guidelines comes from a point long discussed in the military: that digital technology and cyber security technologies act as force amplification, increasing the impact and outcome of the actions of an individual or group on the target.

The same can be seen in cyber criminality: a stock market "pump and dump" scam is greatly amplified through the ability to email nearly everyone connected to the Internet simultaneously, whereas previously the same fraudulent act would have taken considerable effort and time to communicate with the same number of people in order to elicit a response.

A simple physical analogy is the concept of a fist fight. If the fight is one on one with no weapons, the impact of the physical blows on each individual is limited to the physical strength of the combatants. If, however, one of the individuals deliberately brings a weapon to the fight, this would amplify the individual's ability to do harm to the other and is considered an aggravating factor in sentencing for crimes such as Assault Occasioning Actual Bodily Harm. Similarly, an individual's capability to defraud thousands of people is enhanced via the use of digital equipment.

The concept of using sentencing guidelines to manage computer enabled crime has some interesting implications. It creates a focus on the impact to the victim(s), creating a victim focused process.

The focus on the impact of the use of technology, rather than the way the technology is used, enables the legal system to move away from having to understand complex technical details of how the technology was used.

Our existing legislation and criminal definitions can be left alone: fraud is still fraud instead of being "computer fraud", with the accompanying complexities that title potentially has.

And finally, for the purposes of the original intention of the workshop, we can ask the simple question, "Was the use of computers a consideration in sentencing?" in order to gain statistical details on the impact of computer enabled crime.

To be clear, neither of us is a legal expert; Claire is an applied statistician and Daniel is a computer scientist. This field was represented at the workshop, along with criminology, and formed part of the collective discussion between individuals who normally sit on opposite sides of the table to develop these ideas and others.

We believe at Security Lancaster, Lancaster University's research centre that brings together research in cyber security, security futures, investigative expertise, violence and society, and transport and infrastructure protection, that it is multi-disciplinary thinking that is required if we are to be able to tackle these new and emergent societal issues.

Through working together and across traditional disciplinary and organisational boundaries, we are asking the "what if?" questions that could provide the solutions to problems we might face in the future.

Footnotes

1 We say this as our work has demonstrated a lack of substantive evidence to validate the claim.