Why Massive Fraud Bust Is No Deterrent
There's No Substitute for Better Security
A recently filed federal indictment charges Vladimir Drinkman and several alleged co-conspirators with having perpetrated not just one, but a series of the largest and most notorious cybercrimes in history - a virtual hall of cyberfraud fame.
The indictment has caused some to wonder if this particular indictment - or similar, future prosecutions - are likely to significantly dampen or deter cyberbank fraud.
Moreover, thinking of the prosecution in this way - as a deterrent to cyberbanking fraud - will only serve to weigh down this and future indictments with unrealistic and overly burdensome expectations that distract us from focusing on those things that can actually "deter" cyberbanking fraud.
Asking if criminal indictments like those against Drinkman, et al., will deter cyberbanking fraud is like asking if similar indictments have curbed bank robberies or drug trafficking. They have not and will not.
The Irresistible Lure
Sophisticated crimes like those described in the Drinkman indictment will continue to be undertaken by large, sophisticated and well-funded criminal organizations. This is because of the irresistible lure and the potential for a substantial payoff for the criminal effort.
Willie Sutton reportedly said, when asked why he robbed banks, "Because that's where the money is."
Cyberbanking fraud, in all of its forms, is increasingly "where the money is." There is just too much money involved for prosecutions to have a chance of deterring cyberbanking fraud.
In addition, we as a community have acted, and continue to act, slowly, and often ineffectively, regarding cybersecurity. Thus the cost-to-benefit analysis is heavily weighted in favor of the cybercriminal. Well-hidden, well-funded and internationally based cybercriminals are incentivized to undertake the effort, despite the distant possibility of prosecution.
Creating a Safe Environment
Criminal prosecutions can be an aid to better security, but not a substitute for it. Criminal prosecutions will not, by themselves, deter cyberbanking fraud; but they can help create an environment where cyberbanking is viewed as a relatively safe activity for users. What do I mean?
As an assistant U.S. attorney in San Francisco, I headed the narcotics unit and prosecuted major criminal organizations back in the heyday of illegal drug trafficking during the 1980s.
Did we stop major drug trafficking? No. Did we significantly deter the volume and frequency of trafficking? Not in any significant sense.
But what we did was make it safer, sometimes substantially safer, in some places and for some people. In short, we were able to keep trafficking under control by reducing its scope and scale.
In drug prosecutions, safety is the difference between anger and annoyance, and death or serious injury. Safety means that for a time we are able to significantly reduce the level of violence and serious injury and death, so that people can live more "normal" lives.
In cyberbanking fraud, safety means that the community feels like the criminals are not in control and that their banking business is relatively secure. The community feels secure, in spite of the fact that the number of attacks against banks may stay the same or even rise.
Rule of Law
An important purpose of prosecution is to make clear that the rule of law can and will prevail. It is important to demonstrate that a climate of lawlessness will not be tolerated. In any effort to prevent or turn around an untenable situation, it is often necessary to puncture the aura of invincibility.
In the terms of the "Old West," it is the difference between a town with a marshal and one without. While both towns could have been violent, the community with the marshal felt safer and more secure. As a result, many of those towns developed and prospered.
The Drinkman prosecution demonstrates that law enforcement can be effective against those who commit crimes, even if they are well-hidden and far away. Similarly, the series of Microsoft lawsuits taking down several large botnets, though not criminal prosecutions, have served the same purpose.
These prosecutions might be termed "individualized deterrence." They deter significant individual criminal actors by removing them from the field.
But, just as in drug trafficking and bank robbery, cyberbanking fraud cannot be significantly deterred by law enforcement actions until the underlying cause of the problem is addressed.
Cyberbanking fraud won't diminish or disappear until cyberbank security is improved. Deterrence is in the mind of the perpetrator. Good security is in the hands of the cyberbanking community, both provider and customer. Good security is the best way to favorably influence the risk-reward equation.
Draw inspiration from bank robbery to support this point. Bank robberies have declined, not as a result of more prosecutions, but as a result of improved security technologies and techniques.
Thus, good security works, whether the bad guy is deterred or not.
Good security is the best deterrent we have. Let's use it.
Joe Burton is managing partner at the San Francisco office of law firm Duane Morris, where he focuses on information security and cyberfraud issues as well as civil, criminal and appellate litigation.