The imagined birth and life of cybercrime
Cybercrime is not embodied crime. That should be obvious. Cybercrime has a separate genesis to embodied crime. Preventing cybercrime consequently needs a separate approach. That should also be obvious, but very obviously isn’t. Australia’s cybercrime strategy teeters atop a drug-like dependence on a mechanism of apprehension. The obvious impotence of that mechanism compounds its own problem by undermining what little deterrence it has against the steadily growing wave of cybercrime. That tsunami isn’t going to end up splashing gently against our shores; Australia needs a proactive and anticipatory strategy against cybercrime, not one that leaves its fate to the impotent gears of the apprehension machine. A proactive and anticipatory strategy is not hard to derive. It almost plops into our waiting hands if we simply examine what makes cybercrime different to embodied crime.
That list of differences is surprisingly terse. Most of the precise differences between embodied crime and cybercrime are encapsulated by only a few facets of the cyberspace imaginary; a socially-endemic schema informing (dictating, motivating...) our cyber behaviour. The Chicago school has long favoured nurture over nature as the genesis of crime and deviance. Positivists would scoff that the Chicago attitude holds no merit in the real world. They’re partially correct; the privileging of nurture over nature is perhaps nowhere more tenable than in that unreal world of cyberspace. Cybercrime is very much a learned cyber behaviour; one that is the consequence of 40 years of simultaneous technological addiction and obfuscation.
Computing was born in secrecy. As a wartime effort, leaking anything about the strategic machines would have endangered the whole project. ARPAnet, the Internet’s precursor, was equally under lock and key throughout the late 60s and 70s. The whole thing seemed so clandestine that the popular speculation was of ARPAnet as a network that could survive the impending nuclear war. Even after its expansion, ARPAnet was kept to the few literati of university campuses across the United States (Ceruzzi (2012); Hafner and Lyon (2006)). Knowledge of this early cyberspace was rare. Access was a fantasy.
The turn of the 80s consequently birthed cyberpunk. Pictures of a budding cyberspace sprang up in the international psyche like Paterson’s Curse. WarGames, Blade Runner, Neuromancer, and an armful of their peers threw a spotlight on the exciting, thrilling, and rabidly untameable and lawless cyber frontier. BBSes and filestores seeped into households through newly-personal computers and beckoned a generation into cyberspace. They re-enacted exactly what they’d seen and ensured that cyberspace kept the promise made by cyberpunk. Mayhem raged and thrived on the early Internet. Feuding hacker groups, FBI arrests, practical jokes gone wrong, teenage digital hijinx cum digital heists (Sterling 1992); the cyber frontier was, and was made to be, just like the movies.
While the Internet boomed, so did its hosts. Graphics and clicking replaced typed commands. The touchscreen began to replace the mouse. Thinness replaced thickness. Replacement replaced repair. Black-boxing1 permitted ubiquity through accessibility. But ubiquity and accessibility conjured a further sense of mystique and intrigue. Marvelling at computers without being privy to what happens under the hood stirred a doe-eyed reverence for anyone who can get those damn things to work. Our incessant genuflection at the feet of technological whiz-kids even today whips up the cybercrime storm into a tempest worser still.
Tech is unknown, exciting, and sexy. Tech wizards are unknown, exciting, and sexy. Whether your understanding of hacking is of the benign-but-brilliant digital pioneers or of the more contemporary savvy outlaw, how could you see hacking as anything but cool, mysterious, and edgy in the eye of such a perfect, terrible storm? Who wouldn’t want to be that guy or gal? Who wouldn’t want to be the person that, in the wake of digital ubiquity, can practically bend the fabric of reality to their will? The very idea is enough to make you feel a little stuffy.
And so it did. Every year, more were drawn to cyberspace by the cyberpunk/cyber frontier imaginary. And it hasn’t mellowed out in the 40 years since the dawn of the imaginary. It’s gotten worse. The cyberpunk/cyber frontier precedent set by cyberspace’s formative years left broken windows that law enforcement agencies are still unsuccessfully scrambling to patch up. New initiates to cyberspace cyclically follow and reproduce the mayhem and lawlessness set out by those that came before (McLaughlin, Newburn, Hallsworth, et al. 2013). Attempting to crack down on cyberspace has been tragically counterintuitive; the consistent failure of law enforcement to apprehend a meaningful (or any) majority of cybercriminals has cemented the cyber frontier imaginary and created a death spiral of ever-increasing cyber threat . Collective efficacy, the crime-preventing sense that a community or space is under guard and protected, is wholly absent on the web. Its absence is made all the more prominent by perpetually stymied law enforcement institutions.
And once you’re in, you’re in deep. The more the fledgling hacker navigates the wild cyber frontier honing her skills, the more outlaws and rogues she sees. They swap skills, trade tools, banter, and every word echoes over and over again to fill the cyber air with a resonant coolness. And the digeratus outlaws themselves are reified, justified, and compounded in their attitudes. Even if society were to wake up from its cyber reverie and decry the whole thing as fiendishly boring and passe, these few initiated wouldn’t care. The continued differential association amongst hackers ensures that their norms and culture, even if they align with wider society, are separate from it (McLaughlin, Newburn, Akers, et al. 2013). At this point, hacker subculture has undergone a cancerous mitosis.
What recourse do we have? The digital chemotherapy is weaponisation. Cybercrime occupies an unusual overlap in the Venn diagram between criminal skills and transferable or useful skills. The seduction of that imaginary can be weaponised against cybercrime itself. There are perfectly lawful and useful ways for wannabe and already-are hackers to participate in the hacker subculture. What’s more is that those avenues for participation offer a means to protect against the less law-abiding whiz-kids of the world. Rather than attempt to erase a popular depiction decades in the making, why not exploit it and put out the call: "Help wanted! Hack for money and fame!"
There aren’t enough outlets for the whiz-kids to show off their prowess in lawful ways. So, we need more. More hackathons. More recruiting. More notoriety. But more subtlety. The contemporary cyber security circuit has all the schoolyard appeal of a balding dad taking too much interest in a science fair project. The draw of cybercrime is the thriller-like mystique of the game, and corporate men in grey suits with grey project propositions and grey prizes are anti-thriller. A more savvy lure away from the dark side doesn’t dangle a corporate ladder in front of at-risk whiz-kids; it dangles the exact same thing the dark side does and makes no mention of the fact that this is the light. Instead of the Prime Minister dryly announcing that cyber security is Australia’s Next Big Thing, why not pose a challenge? Take a leaf from Cicada 3301’s book and leave cryptic digital challenges that invite anyone who thinks they can roll with the big shots to do exactly that. Even better if you don’t post your challenge on a government site. Or, leave a honeypot. Run rumours throughout the underground that the government or Company Z has their secret formulae in a difficult, but still crackable cyber bunker. At the end, send successful heisters congratulations and an invitation. Most importantly, maintain the allure even after you’ve caught your fish. It might be a little dry to keep the cowboys in a public servant office, so don’t. Government work can be good enough for cyber rogues. Form APTs2 and their defensive counterparts; your own state-sponsored rogues, separate from the government, but still decidedly good guys.
Of course, some won’t be swayed. Some will be too principled, or maybe just too far gone, man. A few players will remain in the shadows and keep on with their dirty work. Why? Faced with the chance to do something good and lose none of the world that they live in, what dastardly seduction is there in staying put and hurting people?
None. There is exactly zero appeal in hurting people. But you aren’t really hurting anyone in the cyber game. The popular dichotomy has forever been between the Internet and *real life*, as if the former were somehow separate from the latter. And isn’t it? There is something very unreal about cyber happenings. Like that infamous Nevadean city, what happens on the web seems to stay there. Real life lost (or never really had) the big-screen drama that the cyber frontier imaginary maintains. Cyberspace feels like a separate realm because it is; absent of any of the rules of the embodied world, cyberspace becomes its own space. Moreso when cyberspace is also absent of any of the traditional modes of communication and interaction between human beings: there are very few visible human faces, there’s no body language, there’s seldom even audio. And then the sheer deluge of content sweeps away what little humanity is present into a single, amorphous mob if you don’t pay enough attention. Being in the cyber is to be a droplet in a hurricane and see (and ignore) thousands of other droplets.
Bilateral anonymity has a profoundly dehumanising and, consequently, disinhibiting effect on our cyber behaviour. Digital dirty work doesn’t feel like dirty work is because our interaction with other cyber denizens is muted by the lack of anything human to interface with (Phillips and Milner 2017). You have no one’s eyes to gaze into as you steal their bank details, no one to see cowering in fear as you threaten them with the loss of all their digital belongings or humiliation with the leak of a private photograph. From a superficial perspective, even the most destructive cybercrime really only deals with stuff, never people. To anyone except the victim (and even the victim themselves, sometimes), cyber crime has no victim. Batman is only cool because he doesn’t kill people. Hackers are only cool because they and we never see (or wilfully ignore, or can’t see) the damage they do. This is a neutralisation - psychological bias that amoralizes or justifies a deviant act. Denial of the victim through depersonalisation both seduces hackers initially and keeps them coming back for more.
Any remedy to this is complex, but there are immediate approaches that will work to introduce a sense of victimisation. A tried-and-true moral panic will go some way to constructing a moral burden for cybercrime. The particular way in which this burden is proselytised doesn’t matter. Anything will do; government ad campaigns, increased media sensationalism, even stories from penitent cyber-criminals themselves as obtained from restorative justice techniques.
In spite of this, sometimes hackers will remain cool because we’re very aware of the damage they do. Grey-hat hackers3, are motivated because of an overwhelmingly visible victim (though not necessarily a sense of victimisation). These hackers are terrorists slash freedom-fighters, depending on how deeply you agree with their (typically) political motivations. Their behaviour is not informed by the cyberspace imaginary, but by a greater purpose. Cyber-crime is the means to a political end; the notoriety and novelty of the cyberspace as a frontier is auxiliary at best to grey-hat motivations. Although this psyche is described by neutralisations of the condemnation of the condemners or an appeal to higher loyalties, it is not as straightforward to undermine as the victimisation neutralisation. These neutralisations speak to the grey-hat’s act as an act embedded in the embodied world and merely unfolding in the cyber, rather than a more purely cyber act. The neutralisations cannot be undone by affecting the cyber imaginary because these aren’t cyber behaviours.
But we aren’t defenceless against these attacks. Sensationalism may have you believe that today’s digital infrastructure is about as secure as waggling your finger at someone and firmly telling them to stop. The cyberspace imaginary’s lawless frontier feeds into that, and the inscrutability of the cyber world conjures a fatalistic sense that no matter how much effort you pour into a cyber defence, it will never hold up. That’s not true. There are mathematical reasons behind your IT desk telling you to use a minimum number of characters, letters, and arcane magick symbols in your passphrase. There are mathematical assurances behind the hardware and software we use to make our cyber world safer. And the mathematics dictates that, done right, digital security is unfeasible to crack. The shortcomings are human. With an army of adept recruits helping the good guys under the paradigm proposed here, those shortcomings will be quickly whittled down. Better cyber security doesn’t even depend solely on the new paradigm; simply espousing the idea of a crackdown on cyberspace lawlessness and equipping those in the line of fire (businesses, but even personal users) with the right tools will suffice in this domain. Proper armament can look like anything from subsidising cyber security departments and employees for businesses to cyber security firms taking the initiative to develop one-click setup tools for home users that instantly fortify most weak points with saner defaults.
Things may still go wrong. In all likelihood, the most determined hackers will find a way through. But eliminating the low-hanging fruit will dissuage many budding cybercriminals. Those opportunistic few who only arrive on the scene to scope it out will face capable guardians and few appropriate victims; according to rational choice theory, these script-kiddies will be nothing to worry about (McLaughlin, Newburn, and Chamard 2013). The sense of collective efficacy this new paradigm offers will be a hard blow to the era of the lawless cyber frontier. In the long term, there will still be an air of mystique about the whole thing, but the imaginary of a Wild West will be made a delusion. Newbies will be drawn into the fold in the right way. Oldies will be faced with a choice: join the good guys, or face an ever-increasing army of young (and old) blood. The Spartans and Custers of cyberspace will hold out till the end, but they’ll have no victory. The stemmed flow will allow our mechanisms of apprehension to regain some balance and go after the holdouts new and old.
With the right thinking, we can introduce the era of the cyber Cold War imaginary. It will play to our favour. But every moment we spend ignoring how the hackers and public think is a moment that the Wild West imaginary can dig its heels in even further. We must adapt and evolve our daydream or drown in the coming cyber tsunami.
Black-boxing is the practice of making the internals of a device, process, or other entity invisible and irrelevant to the use and function of the device from a user’s perspective.↩︎
APT: Advanced persistent threat. Groups of cybercriminals who have a consistent presence and pose a consistent threat. Typically state sponsored.↩︎
Grey-hat is industry parlance for morally-ambiguous (but not totally bankrupt) hackers. Think hacktivists like Anonymous.↩︎