Look at any one of the dozens of reports about cybercrime levels, and you’ll inevitably come away with the conclusion that online crime is getting worse by the day. And you’d be right. But then look at the news reports and count how many stories you see about arrests of cybercriminals. Not so many.
So why don’t these guys end up in jail? Well, it’s complicated.
The first problem is jurisdiction. The wonderful thing about the Web is that it knows no borders, but that’s also one of the key enablers for cybercrime. A hacker in Brazil can attack a computer in the Marshall Islands just as easily as he can attack one in the next town over. But if, by some chance, the attack is discovered, who investigates it?
In most cases, the authorities in the victim’s country are responsible for the investigation. But if they’re lucky enough to actually trace and locate the attacker in Brazil, they have another problem: Brazil doesn’t have any cybercrime laws. So that’s a dead end.
The next issue is that many cybercrime incidents don’t result in enough losses to interest law enforcement agencies. One consumer losing $1,000 through a phishing attack is of no interest whatsoever to the FBI. A thousand people losing $1,000 each is a different story. But unless the attacks can be tied together and attributed to one person or group, prosecutions are relatively rare.
And then you have the problem of attribution. Anonymity is a valuable tool for online activists, political dissidents and many other people on the Web, but it’s a major hurdle for law enforcement agencies. Finding the person responsible for an attack can be difficult under the best conditions and virtually impossible in some cases.
Add all of these factors up, and you have a hard road for the police and a fairly easy time of it for the bad guys. The laws are beginning to change and international cooperation is improving, but it’s a slow process.