The FBI maintains a list of its most wanted cyber criminals, and continues investigations to capture those individuals, most of whom have been indicted for violating one or more U.S. laws. The details that are included under each of those individuals’ names and likenesses reveal that virtually all of them reside or operate from locations outside of the United States. This adds a significant challenge to the FBI’s efforts, as the likelihood of apprehending and extraditing any one person to be tried in the U.S. for a cybercrime depends upon the cooperation and treaty relationships of the country in which that person resides. Businesses that rely on U.S. law enforcement efforts as part of their cyber protection policies should assess the risk of a cyberattack that originates outside of the country’s borders, and should understand that even when one cybercriminal gets caught, illicit hacking activity will continue.
Netting a Cybercriminal on the Open Sea
The sequence of events that follows the capture of a cybercriminal therefore depends on where that person is captured. If he is apprehended in the United States or in a country that has a solid extradition treaty with the U.S., his path to justice will be more direct. The Justice Department might charge him with violations of the Computer Fraud and Abuse Act and the Wiretap Act, as well as violations of other statutes and regulations, depending on the specifics of the cybercriminal’s illicit actions. Prison sentences, financial penalties and restitution orders will also depend upon the magnitude of the financial losses caused by the cybercriminal, and can range from prison terms of a few months to twenty or more years, and financial penalties and restitution in the millions of dollars.
Outside of the United States, a number of countries are gaining reputations as good places for cybercriminals to operate. Companies that are concerned with cyber protection would do well to monitor for electronic activity that originates from one of the cybercriminals’ preferred countries, which include India, Poland, Turkey, France, Italy, Spain, Brazil, the United Kingdom, Germany, and China. Notably absent from this list are Russia and the former Soviet republics, and North Korea. The threads that tie these countries together and that make them attractive to the cybercrime community are their strong internet infrastructure, lax regulatory environments, educated populations, and absence of opportunities for legitimate businesses.
Notwithstanding a few high-level successes in capturing and shutting down illicit hacking activity, law enforcement’s ability to bust cybercriminals remains very limited. Cybercriminals maintain loose but organized online affiliations and are geographically diverse. Their numbers are relatively small and they are very mobile. They need little more than a laptop and a good internet connection to conduct their activities. Many use the untraceable Dark Web to advertise and sell their services to buyers who are looking for tools to initiate distributed denial of service (DDoS) and other types of cyberattacks. Perhaps the most difficult aspect of stopping cybercriminals is that when one hacker is apprehended, several more are waiting in the background to replace the captured cybercriminal.
A corporate cyber protection policy must therefore consider that although some cybercriminals will be caught, many others will remain free and will continue to attack corporate networks and electronic infrastructure. Companies can work with law enforcement to reduce the frequency of these attacks, but they need to establish structures that limit their damage and that provide compensation to recover financial losses associated with cybercrime. A cybersecurity insurance policy can limit a company’s direct financial losses from cybercrimes that destroy internal servers and systems and from liability to third parties whose information is lost or stolen during a cyberattack.