This article originally appeared in the Washington Post
Imagine calling your local police after you’ve been mugged and being told, “Sorry, muggings are complicated. We don’t handle those. Try the FBI.”
That’s exactly what happens every day when Americans call their local police to report online bank fraud, tax-return fraud and other crimes committed via the Internet. I work on this a lot as a police detective. From what I’ve seen, outside of a few cutting-edge offices like Manhattan’s district attorney and some amazing computer crime task forces that work with the FBI or the Secret Service, the vast majority of American police and prosecutors have received precious little training in how to investigate and prosecute cybercrimes.
This must change. All policing — even a fair amount of cyberpolicing — is local. Many of the cybercrimes that hit people in the wallet aren’t complex, cross-jurisdictional hacks by Ukrainian ninjas. Instead, Internet-enabled cons like card-skimming, business email compromise, tax-return refund fraud and electronic fund transfer fraud often begin and end locally. The perpetrators are frequently small-time crooks known to the cops for other types of crime.
We can’t tackle all cybercrime, but we should make an effort to pick low-hanging fruit. The feds do a great job at the cases they work on. But they can’t possibly handle the total workload. Americans have lost more than $107 billion since 2011 just to identity theft.
Only a quarter of identity theft victims report it to the police. Those who do most often have their report taken and receive a pamphlet for their effort. Simple tax-return refund fraud — usually through online filing — cost U.S. taxpayers more than $6 billion last year, and that was after the IRS thwarted 1.4 million fraudulent identity theft tax returns, preventing $8.7 billion more in payouts. Business email compromise and invoice fraud cost American companies nearly $1 billion. And ransomware is growing fast.
Part of the problem is cultural: The FBI moved early and aggressively, especially after 9/11, to “own” cybercrime investigation in America. Now, local police officers think of anything remotely “cybery” as the feds’ problem.
FBI cyber investigators hate to admit they’re brutally overworked and must triage cases to only the most serious. It’s certainly not a stated policy, but in my experience, a cybercrime only becomes “serious” around $200,000 of loss. This makes sense — federal investigators are busy. The FBI also will usually work state-sponsored hacks (like the DNC attack); cases receiving lots of media attention (like the tweet attack against journalist Kurt Eichenwald); or hacks of email of government officials and celebrities (like the Democratic Congressional Campaign Committee, Jennifer Lawrence and possibly Emma Watson).
In Dallas, someone recently exploited a vulnerability in the way emergency sirens are triggered, setting off sirens throughout the city in the middle of the night. That kind of thing gets prompt attention. Rule of thumb: If your hack gets on CNN, you’re probably going to jail.
Yet federal prosecutors also pursue only the cases with the strongest evidence. If they’re going after big fish, they want rock-solid cases. That means few federal cybercrime cases wind up being tried. The feds just don’t have the resources to go after the local tweakers who’ve graduated to tax return refund or invoice fraud.
Instead, investigating these garden-variety cyber-scams falls to untrained local cops, and that means many of them are never investigated or prosecuted at all. Only big city departments have cybercrime squads with trained detectives like me, and they are critically backlogged.
Police wouldn’t refuse to investigate an insured stolen car, but when a bank card is skimmed and then used to fraudulently buy goods, some officers will refuse to investigate because the bank makes the account holder whole. “You’re not the victim, the credit card company is,” they say. But the banks won’t press charges. My friends who work in bank fraud departments have said they consider it part of the cost of doing business; the banks would rather eat the loss and move on than get bogged down in investigations that might never pan out and rarely end in restitution. Credit card fraudsters know this.
This week on a Dallas-area investigations email list I run, an officer posted that he arrested someone with a quarter-ounce of methamphetamine, six laptops, 20 disks, and a ledger of banking logins and anonymization configuration instructions. He was asking our group of 900 officers from 120 agencies if anyone knew what to do with anything other than the meth.
He got one reply.
Every state has computer crime laws, but state and local prosecutors bring hacking charges in only a small handful of cases (child-exploitation images are, rightly, considered separately, and that’s where most cyber-savvy cops spend much of their time). There’s no Texas database that tracks cybercrime prosecutions. The largest prosecutor’s offices in the state report prosecuting low single-digit numbers of cyber cases over the last five years.
That meathead with the meth and the laptops? He straight-out told the arresting officer that he would walk on the computer charges. The officer told me he thinks the guy is right.
Few nonfederal prosecutors have cyber prosecution training, let alone experience. Some local prosecutors don’t understand the basics of cybercriminal scheme economics. Cybercrime investigations seem complicated and are definitely confusing to a jury. Business victims often want to stop talking about a cyber breach as soon as possible. All this and more means prosecutors don’t usually go out of their way to encourage cops to pursue these cases.
With all this going against them, and with lots of calls to handle, officers have learned not to take cybercrime cases seriously. It’s not that they’re unwilling, but police have very limited resources. No supervisor will let a cop investigate a crime that he knows won’t be prosecuted. It’s not even usually considered “real” police work. Like other “cybercops,” I am the target at work of a range of good-natured jokes about video games and Internet porn.
Repairing identity theft takes victims about 30 hours of effort, thousands of dollars, and a significant amount of anguish. The two groups most frequently hit — the working poor and small businesses — are also the least able to absorb even modest losses. Low-income victims must sometimes go days or weeks before receiving reimbursement from their bank. Being deprived of even $50 for a few days is an enormous burden on someone barely making ends meet. The average loss to a cybercrime in 2015 was $3,718.
Small businesses and even cities hit by cyber bank fraud might never get reimbursed, or they may have to sue to get their money back. Banks are not required to reimburse fraudulent transfers from business accounts, although many do.
Aggravating this problem is the fact that legislators rarely hear what tools prosecutors need to win cybercrime cases. When federal prosecutors only take surefire cases — and district and county attorneys take none — the only people pushing legislation are politicians who want to appear tough on cybercrime. As a result, penalties might stiffen, but the crimes remain rarely prosecuted.
Cash-strapped states cannot fix this alone. The federal government and business groups must work together to fund national training for prosecutors and police in the basics of cybercrime economics, methods and investigative concepts. There are great people doing this, it just needs dramatic expansion.
Cops and local prosecutors must learn how cybercriminals work, especially in the more common scams. They should learn what forensic evidence is available and how to capture it. They should learn how to follow the money and to write the subpoenas and search warrants to obtain evidence.
We can’t win if we don’t fight. Right now, we’re not even fighting.