Cybercrime: How Can the United States Seek Justice?

Photo by Towfiqu Barbhuiya on Unsplash.
Background

Every day across the world, there are about 2,200 cyber-attacks.  This means that there are almost one million cyber-attacks conducted every year.  The most prevalent cause of cyber-attacks is human error, which accounts for over 80% of the attacks.

Cyber-attacks may include malware, phishing, identity-based attacks, and spoofing.  These four categories of cyber-attacks are commonly used to exploit human error.  A malware attack occurs when a malicious program, such as a virus, is downloaded onto a computer and destroys the computer’s network or server.  Phishing attacks utilize email and social networking websites to convince a user to share their sensitive information or to download a file that will infect the computer with a virus.  Further, identity-based attacks happen when a hacker steals the identity of a valid computer user and operates the computer as if they are the authorized user.  Finally, spoofing occurs when a cybercriminal acts as though they are an individual the computer user trusts, such as the user’s boss.  It is common for cybercriminals to send an email out to a company, acting as one of the company’s lead officers, and ask for specific information.

How the US Government Handles Cyber-Attacks

The government is constantly monitoring cybercrime in an attempt to keep up with and prevent the attacks.  The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are the main organizations that investigate and track cybercrime.  DHS collaborates with several other agencies, such as the U.S. Secret Service and Immigration and Customs Enforcement’s (ICE) Cyber Crimes Center, to combat cyber criminals and train experts to understand the technologies and tactics that cybercriminals use to infiltrate computer systems.  Despite these efforts, cybercrime costs the government, citizens, and companies in the United States over $1 billion in losses per year.

So how can the federal government prosecute cyber criminals?  The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, is the main federal law governing the prosecution of cybercrime.  It “outlaws conduct that victimizes computer systems” and “protects federal computers, bank computers, and [federal] computers connected to the internet.”  The CFAA’s subsections include provisions that prohibit hacking that exposes governmental and financial information as well as damaging a computer that affects interstate or foreign commerce.  Penalties for committing a crime included in the CFAA range from imprisonment for less than a year to a maximum of life imprisonment.  However, it is often difficult for the government to pinpoint the exact identity of cybercriminals to bring them to justice, especially if they are located in a different country.

Difficulty Prosecuting Cybercriminals

When most cybercriminals perpetrate a cyber-attack, they remain anonymous.  This leaves the government with the challenging task of tracking the cyber criminal’s IP address.  Cybercriminals often use VPNs, or virtual private networks, to hide their IP addresses.  Once a VPN is used, the government can only identify the hacker by any information they provide to websites, such as logging into accounts.

Once the government locates a cybercriminal living in the US, the process for beginning prosecution is relatively straightforward.  However, for the government to prosecute a cybercriminal living in a foreign country, the US must have an extradition treaty with the country.  Eighty-six countries do not have extradition treaties with the US including Russia, North Korea, and China, which are responsible for the majority of cyber-attacks conducted against the US.

If a cybercriminal commits a cybercrime in a country that does not have an extradition treaty with the US, then the US government can try to extradite the cybercriminal if they travel to a country that does have an extradition treaty with the US.  In that case, the US government must contact the Office of International Affairs (OIA), ask the foreign country to arrest the cybercriminal and submit forms detailing the extradition request.

However, even if a foreign country has an extradition treaty with the US, it does not mean that the country will agree to extradition.  The foreign country “may decide against an extradition request if they deem the diplomatic issues to be troublesome.”  Some of the factors that a country may consider when it is deciding whether to extradite a suspect include the citizenship of the suspect, the offenses charged, whether a complaint was filed, and whether the case could proceed to trial.

When a foreign country with an extradition treaty with the US decides not to extradite the suspect, the country can do one of two things; it can either prosecute the suspect itself or take no action.  For example, a British cybercriminal named Lauri Love was suspected of hacking into US military computers in 2018.  The United States petitioned the British government for extradition. Britain refused to extradite Love, reasoning that Love had various mental health concerns and the US prison system would not provide adequate support for his medical needs.  Britain decided it would handle the prosecution of Love, but ultimately decided not to conduct a trial.  Love now works as a professional cyberhacker and political activist.

For these reasons, it can be difficult to prosecute cybercriminals, especially if they commit a crime thousands of miles away from their targets.

How to Prevent Future Cyber-Attacks

One evolving measure the US could use to mitigate cybercrime is using AI-driven cybersecurity.  AI’s use of deep learning and language processing can aid in identifying threats such as fraud and malicious software.  Supervised AI algorithms can identify email cyberattacks with 98% accuracy.  However, AI’s ability to prevent past cybersecurity attacks is not an accurate predictor of its ability to prevent future attacks.

Ultimately, the US government, private companies, and other organizations need to continue to have their employees complete cybersecurity training. Educating the employees on both the risks of cyberattacks and the various types of attacks will decrease their frequency.  The more people become aware of cyber threats, the less susceptible the United-States-based computers, programs, and systems will be to cyber security attacks.

Final Takeaways

Cyber-attacks present an ever-evolving threat to US technology.  There are a plethora of types of cyber-attacks and it can be difficult to trace the perpetrators and bring them to the US for prosecution.  To combat attacks, the US may consider using developing technology, such as AI, to identify imminent cyber threats.  Otherwise, the US needs to focus on educating its citizens on the risks and consequences of cyber-attacks.

Avatar photo
About Anna Goldsmith (3 Articles)
Anna is a third-year student at Campbell University School of Law and is a Staff Writer for the Campbell Law Observer. She is from Fayetteville, North Carolina, and graduated with honors from the University of North Carolina at Chapel Hill with a bachelor’s degree in Peace, War, and Defense and Political Science and a minor in Russian language and culture. In her free time Anna enjoys going on runs, reading mystery novels, and spending time with her cat Chai. Anna’s areas of interest are data privacy law and intellectual property.