When the bike that I parked got stolen a few years ago, I did not report it to the police. Getting your bike stolen is one of those things that just happens to you, at least here in the Netherlands. I was even inclined to say that it was my own fault, because I did not lock it properly. From experience I know that the police cannot do much and reporting the stolen bike is simply too much effort for not getting any results.
What creates the crime, the criminal or the situation? This is a classic question among criminologists. Due to the fundamental attribution error, we tend to underestimate the role of situational factors for a crime. This however, is wrong, says an article by Ronald V Clarke in the 2016 May-June issue of The Criminologist (found via Bruce Schneier’s blog.) This has consequences for how to prevent crime. Instead of focusing on preventing people to become criminals, it may be more effective to focus more on situational prevention.
Clarke mentions that especially in situations where people did not have high expectations from the authorities, crime was reduced. By making it harder to commit the crime, the opportunity costs where simply too high for the criminal. Good examples are locking your bicycle, city guards, reducing the amount of cash in a store, better lighting etc. Instead of relying on the authorities, a form of self defense was applied. To quote the article:
“It is surely not because these businesses and organizations are trying to make society safer from crime. Rather, it is because experience has taught them they get only limited help from the authorities when they become crime victims. Therefore if they are to become more efficient and reduce their costs they must make themselves less vulnerable to crime. To do so they must make crime more difficult, more risky, less tempting and less rewarding.”
Today’s cybercrime situation is not unlike bike theft, in that little help can be expected from the authorities. In an earlier post, I discussed a report from the Dutch CPB (Bureau for Economic Policy Analysis). It contains an interesting analysis of the causes of software vulnerabilities, but also talks about cybercrime. According to that report,
- cybercrime is often not reported, because there is little faith in the legal system to catch the criminals
- the probability of getting caught is very low
- the penalty is extremely low compared to the profit
- cybercriminals are opportunistic, like traditional criminals
If we combine this information with Clarke’s analysis, we could conclude that the most effective solution to the cybercrime problem would be to make the crime less attractive, in other words, to apply “cyber self defense”. However, we do not see many results yet from cyber self defense. It is interesting to ask why that is.
Why is cyber self defense failing?
I can think of four reasons why cyber self defense would not be effective.
The first reason is that the potential victims may not be aware enough of the problem, and therefore do not take appropriate measures. There is a big element of truth in that, but as we see more and more cybercrime stories in the news this lack of awareness is slowly disappearing. Still, more awareness is needed.
Related to that may be the fact that although people are aware of insecure situations, they still behave in an insecure way. Always keeping your guard up takes discipline and costs energy, energy that we would like to spend on more pleasant and productive things. After a while, we tend to be less sharp and accept insecure situations, even though we know we should check things. Failing to check a cryptographic fingerprint, accepting an untrusted server certificate, connecting to unknown WiFi networks, even if the warning is displayed in our face, we sometimes decide to accept the insecure situation. And most of the times, nothing bad happens, which reinforces our belief that things are not so bad and we may just be paranoid. Also here, more awareness certainly helps to keep us disciplined, but wouldn’t a technological solution to the problem be far more effective?
And that is where the security sales persons enter the picture. Just get the right set of products, a firewall, a virus scanner, or even better, an all-in-one solution, and you will not have to worry about security anymore. That is a comforting thought, a bit like having a good bicycle lock. But how do we really know whether these products are effective? Security is, after all, invisible. Security tools are good, but blindly trusting them is not. Ineffective security measures will lead to a false sense of security, which may even be more dangerous than knowing that you are not secure.
So, in the end, should we conclude that we are helpless and simply cannot defend ourselves? I would like to be less grim, but there is a crucial component in the cybercrime story that is our Achilles’ heel: insecure technology. Think of an IT product. How many people are capable of checking the security, and fixing it if it is broken? Now compare that with a refrigerator or washing machine. You cannot simply call a software repair person to check and repair the software that you are running. If you are lucky, you can pay for a software support contract. In theory, open source software would give you the possibility to have it checked and repaired, but it would cost even an expert user too much time to completely check the security of an open source mobile phone operating system, let alone repair it. The choice is to accept security bugs and hope that they never affect you, or spend a lot of time or money to get a secure alternative. Of course, there are exceptions, and many people do try to fix security problems in open source software, but still not enough. We are too dependent on something over which we have little control.
What can the authorities do?
Perhaps the last point is where the authorities can really help, by somehow reducing the number of security problems in the software products that we buy. Several possibilities exist, ranging from liability to a stamp of approval. The earlier mentioned CPB report discusses these. To protect consumers they suggest to make the provider of the software or service liable for at least a certain amount or force them to ensure a minimum level of security. As a consumer, I would be happy with such a law, but I would not be working in security if I did not see a few difficulties.