- Jeffrey Thomson, criminal intelligence analyst, Canadian Anti-Fraud Centre, North Bay, Ont.
- C/Supt. Jeff Adam, Director General, Technical Investigation Services, Ottawa, RCMP
- Bessie Pang, Executive Director, The Society of the Policing of Cyberspace (POLCYB), Richmond, B.C.
Cybercrime is far from being a new phenomenon. Yet, even today, we hear things like "there's no likelihood of arrest", "we won't extradite to Canada", "this is outside of our jurisdiction", "the evidence is in another country" and "we don't have the resources." Are these conclusions indicative of law enforcement's knowledge of cybercrime? Do they reflect our capacity to investigate? Or is it something else?
Some have even said that Canada isn't equipped with laws to investigate extraterritorial offences, despite Section 7 of the Criminal Code of Canada, which, "permits some offences to be tried in Canada as if the offence had occurred here."
These challenges are not new. Early assessments and studies on cybercrime (2007 to 2009) identified that as the world became more reliant on the Internet, cybercrime would increase. This research predicted that new technologies, software, malware, security of computer systems, anonymity and jurisdictional issues would pose challenges to law enforcement and that law enforcement would need more capacity to investigate these crimes. And yet here we are today, almost 10 years later, and we're still hearing about the same issues.
So, what's at the heart of these issues? For many police services, it's capacity and knowledge. Police officers attending to the calls for crimes such as business email compromises or ransomware are expected to investigate, collect statements and evidence for crimes that many have never dealt with and often don't understand.
And even when they are able to pull together a good file, many are left saying "now what do we do?" The money went to another country, the emails or fake websites are hosted in another country, the illicit drugs seized were purchased on the Dark Web, or even the criminals are located in another country.
Do police in Canada have the tools and powers to go after the perpetrators? And would they have the support of the already over-tasked public prosecution system, one that many officers consider too lenient when it comes to punishing cyber thieves, fraudsters and other criminals, and one that is likely also suffering from the same challenges of dealing with cybercrime?
In 2014, the Government of Canada enacted the Protecting Canadians from Online Crime Act (Bill C13). Considered by some as Canada's response to implement obligations to The Budapest Convention on Cybercrime (2001), Bill C13 was adopted to increase the power of law enforcement in their investigation of online activity. But again, what does this mean for policing today? Would a survey of police officers find that they know and understand this new bill?
So perhaps the questions is not what is the greatest challenge in policing cybercrime but rather why has policing cybercrime become so challenging? A typical answer has been provided to the first question: resources and capacity, including knowledge, and training built into every level of policing. As for the second question, this is another philosophical question that could identify areas for improvement, where limited investment could fill some of the intelligence gaps we face today.
C/Supt. Jeff Adam
The policing principles that came from Sir Robert Peel in 1829 were established in an era where the victim, the offender and the police/judiciary were all co-located in geography. The first principle — to prevent crime and disorder — was focused on the "localness" of crime and the ability of the police to carry out their functions of preserving law and order.
You can see where this is going. The public contract, which is to maintain order and prevent crime, gather evidence, arrest the perpetrator and bring them to justice, is shattered when the new realities of an interconnected world are considered. When the offender is almost always in another country, the geopolitical boundaries that have served nations well for hundreds of years are irrelevant in cyberspace. And to consider being prescribed by those boundaries would negate the value of the Internet to commerce, education and cultural sharing around the world.
The police culture in Canada today is one that has developed over time: prevent crime, maintain order, gather evidence and present the accused for trial. Much of our resources have been focused on the deliverables inherent in those functions and, where those measures are most easily captured, is in the latter two activities in that list. It's far easier to count and report on offences, arrests, convictions and clearances than it is to report on how many crimes were prevented or how victims were assisted and supported.
But in cyberspace and the crime that's in that space, the ability to arrest the offender and bring them to justice is much more challenging. So if police can't bring the offender to justice, much more effort will move toward crime prevention and victimization, and then this question: are police the most appropriate agency to perform those functions in this new space? I believe that the answers to this will involve a whole-of-society approach, since the traditional and well-practised approach to crime won't be effective in addressing cybercrime. This will not be solved by the police alone.
There are other challenges in investigating cybercrime. Where is the evidence? When an offender hacks into data that is hosted on the cloud, where did the offence take place? And who is investigating?
The Internet has caused an enormous, wide-ranging and profound change in how we live our lives and communicate with each other. How we work together to adapt and respond to the challenges cybercrime brings will change how a community engages to police cyberspace, not how the police do the policing.
In today's digitally connected world, our daily lives are intricately woven into the maze of Internet of Things (IoT), ranging from the use of smart fridges and thermostats, to the smart mattresses that can adjust to improve your quality of sleep. According to a report from Berg Insight, Europe and North America had 17.9 million smart homes in 2015. North America will see 46.2 million smart homes by 2020, comprising 35 per cent of all households.
Consumers are constantly being propelled into the fleet of rapidly evolving smart technologies. While consumers are swift to adopt various smart appliances at home and in the workplace as convenient appendages to their daily activities, they are generally less vigilant against the possible cybersecurity vulnerabilities that could expose them to cybercriminals and hackers.
In general, when considering IoT purchases, consumers are not likely to ask the sales associate whether or not the smart mattress or smart coffee-maker was patchable (software update for fixing security vulnerabilities), yet these are indeed the questions that consumers need to include in search-for-product information.
The risk of cybercrime victimization amongst certain community sectors, such as seniors, immigrants and refugees, is further elevated, due to physical, social, language, cultural and physical barriers in accessing cybercrime awareness information. For instance, a senior with limited mobility could now deploy various medical devices to maintain independent living. Some of these devices could deliver real-time health data to the physician, others could notify a family member by text, email or phone call when the senior skipped a meal. A "smart garment" could even activate wearable airbags during a fall.
Despite the obvious medical benefits, a patient is unlikely to have discussed with the physician how a compromised smart medical device might impact his/her health, particularly during an emergency.
Empowering consumers to make informed decisions, based on the cybercrime risks and benefits of some IoT products, could be life-saving when certain smart devices cease to deliver smart solutions.
As a not-for-profit, international organization, The Society for the Policing of Cyberspace (POLCYB) strives to enhance private-public collaboration to facilitate information-sharing in policies, strategies and good practices in cybercrime prevention, detection and response.
POLCYB also promotes public education on cybercrime awareness. From POLCYB's perspective, the most significant challenge lies in enhancing accessibility to public education information on IoT vulnerabilities in relation to cybercrime risks. Exploring effective service-delivery modes in community outreach strategies is essential.
In addition to the call for private-public partnerships in promoting public education, seeking collaboration from community-based organizations is essential. Organizations and services, such as counselling services, immigrant and refugee settlement services, assisted-living facilities and community centres, could be encouraged to collaborate with law enforcement and industry partners to modify and deliver cybercrime prevention information to better suit the needs of their respective community groups. Once service providers have received proficient cybercrime prevention training, they could, in turn, act as focal points from which information could be passed on informally to their clients.
Public education is an important facet of cybercrime prevention, but law enforcement agencies require support from community groups. Ongoing community capacity-building will become increasingly essential as IoT continues to penetrate into all sectors of our community.