Skip to main content
SNAFU - Situation Normal, All Fouled Up

SNAFU - Situation Normal, All Fouled Up

Lyal Collins
Digital Crime Deterence Walled Gardens
Table of Contents

Digital Crime: meh, so what? #

Cybercrime is almost a daily topic in the IT press, and sometimes mainstream press.

Incidents and ramifications are explored in varying degrees of detail, depending on the skills of the reporter, and the PR skills of the victim, whether an individual or an organisation.

Occasionally, a success is hailed - a malware C&C is taken down, or some fake/criminally owned domains are seized.

Even more rare is those times when one or more individuals is convicted of a criminal act and sentenced. Meanwhile hundreds, thousands and sometimes millions of virtually identical crimes occur before each rare prosecution has concluded. Compared to the number of online scam or fraud events, such acts are indeed very rare - perhaps so rare an aspiring PhD student will one day use this as the central research theme of a thesis.

More commonly, press articles bemoan the lack of legislation to deter or prosecute such fraud and deceptive behaviour, or the inability of courts and legal processes to apply legislation in a timely manner. Politicians routinely issue statements and policy briefings on the topic, and several years an incremental outcome may emerge - if we are lucky

Side note: The Australian Echidna and Fairy Penguins, and New Zealand kakapo are all highly evolved, niche species that are successfully adapted to their native habitats. Or were, until those habitats began undergoing significant changes in the past 2 centuries, and which continue today, rendering them at threat of extinction.

Human activity, feral cats and dogs, road traffic, pollution are just some of the predatory or threat vectors that have recently, in evolutionary terms, impacted these natural populations.

Nevertheless, these species, and many others facing virtually identical threats, are coping with the aid of enclosed, controlled habitats that seek a return to the pre-human world in which they evolved.

Information security - the protection of technology assets from misuse is important. Companies need mechanisms in place to reduce internal and external threats, regardless of legislation or organised digital criminals.

However, digital criminals, massively organised and with significant agility, are a growing and undeterred threat to most business. Like natural predators, digital criminals tend to target organisations with suitable size or niche ‘value’ (e.g. specific kinds of services or data).

Without any meaningful natural predator (e.g. cross-border laws, penalties, restriction of movement, etc.). The limited prosecutions which have occurred across jurisdictions are a minuscule percentage of digital crime volumes, both by event, and both financial loss.

While individual organisations and industry associations erect substantive defences as forms of ‘walled garden’ against their individually controllable risks, they often fail to meaningful address the supply chain, both up and down stream.

In an interconnected world, there is an intersection between the arms race of defences/attack vectors, and simply a matter of time before a successful breach occurs resulting in productivity and financial losses. Sustaining the arms race in an unbalanced conflict such as the digital crime arena is a no-win game - criminals can, and simply have been able to evolve faster than any defenses over increasingly complex organisational systems.

Evolving Deterrents to Digital Crime #

If the traditional ‘predators’ of traditional crime (money laundering laws, prosecutions and prison have become comparatively ineffectual, then new forms of ‘predator’ or deterrent are needed.

Evolving meaningful deterrents from today’s commercial and legal environments is unlikely to be effective, simply because if they were possible, they would have emerged by now.

Instead, new or substantially different mechanisms are needed. For example, the infamous US gangster Al Capone was most effectively punished not for the crimes he directed, but the evasion of taxes on illicit gains.

Form of Digital Crime Deterrents #

This paper is insufficient to propose or outline the form of effective deterrents to digital crimes, however, it is fair to speculate some deterrent factors could be:

  • Leverage new forms of inter-jurisdictional investigation and cooperation
  • Greater transparency or stringency on cross-board money transfers, both by frequency and by value
  • Some form of multi-jurisdiction court and judicial process, allowing evidence to be gathered and presented once, rather than per jurisdiction.
  • Alternative funding and staffing arrangements to traditional and digital law enforcement.

Future papers are intended to explore some ideas in more definite form and potentially expand discussion of potential viable deterrent factors.

Achieving new deterrent factors against digital crimes is not going to be easy. Arguably, there is strong evidence traditional approaches have not worked, with most advanced economies now suffering economic impacts approaching 1% of GDP. The proceeds of digital crime will soon be the third largest global economic force after those of the US and China by 2025 according to some analysts, exceeding USD$10.5 Trillion.

There are two potential futures: One where governments and organisations, both public and private sector, evolve new deterrents to digital crime while the alternative has commercial activity occurring within comparably minute ‘walled gardens’ that have strong defences against digital crime, at the expense of innovation, agility and growth.

Whichever future emerges, one thing is clear: Standing still means the probability of being a victim of digital crime approaches 100%.

SNAFU - widely believed to have originated in USA military use as an unofficial acronym applying to chaotic or poorly planned situations.

Perhaps I should trademark a new industry buzzword - SNCFU: “Situation Normal, Continually Fouled Up”

Disclaimer #

The information in this article is provided for research and educational purposes only. Aura Information Security does not accept any liability in any form for any direct or indirect damages resulting from the use of or reliance on the information contained in this article.