Organized Crime and Cybercrime:
Synergies, Trends, and Responses
By Phil Williams
Professor of International Security Studies
University of Pittsburgh
2001-2002 Visiting Scientist at CERT/CC,
a center of Internet security expertise at Carnegie Mellon University
Many governments, businesses, and individuals around the world are just beginning to learn how to make best use of the latest information technologies. But organized criminal enterprises have already discovered these technologies as new opportunities for exploitation and illegal profits.
The capabilities and opportunities provided by the Internet have transformed many legitimate business activities, augmenting the speed, ease, and range with which transactions can be conducted while also lowering many of the costs. Criminals have also discovered that the Internet can provide new opportunities and multiplier benefits for illicit business. The dark side of the Internet involves not only fraud and theft, pervasive pornography, and pedophile rings, but also drug trafficking and criminal organizations that are more intent upon exploitation than the disruption that is the focus of the hacking community.
In the virtual world, as in the real world, most criminal activities are initiated by individuals or small groups and can best be understood as "disorganized crime." Yet there is growing evidence that organized crime groups are exploiting the new opportunities offered by the Internet. Organized crime and cybercrime will never be synonymous. Most organized crime will continue to operate in the real world rather than the cyberworld and most cybercrime will be perpetrated by individuals rather than criminal organizations per se. Nevertheless, the degree of overlap between the two phenomena is likely to increase considerably in the next few years.
Organized Crime and Cybercrime
Organized crime is primarily about the pursuit of profit and can be understood in Clausewitzian1 terms as a continuation of business by criminal means. Consequently, just as brick-and-mortar companies move their enterprises on to the Worldwide Web seeking new opportunities for profits, criminal enterprises are doing the same thing. Criminal organizations are not the only players in illicit markets, but they are often the most important, not least because of the added "competitiveness" that is provided by the threat of organized violence. Moreover, criminal organizations tend to be exceptionally good at identifying and seizing opportunities for new illegal enterprises and activities. In this context, the Internet and the continuing growth of electronic commerce offer enormous new prospects for illicit profits.
In recent years, there has been a significant increase in the sophistication of organized crime and drug trafficking groups. Colombian drug trafficking organizations, for example, have followed standard business practices for market and product diversification, exploiting new markets in Western Europe and the former Soviet Union. Criminal organizations and drug traffickers have increasingly hired financial specialists to conduct their money laundering transactions. This adds an extra layer of insulation while utilizing legal and financial experts knowledgeable about financial transactions and the availability of safe havens in offshore financial jurisdictions. Similarly, organized crime does not need to develop technical expertise about the Internet. It can hire those in the hacking community who do have the expertise, ensuring through a mixture of rewards and threats that they carry out their assigned tasks effectively and efficiently.
Organized crime groups typically have a home base in weak states that provide safe havens from which they conduct their transnational operations. In effect, this provides an added degree of protection against law enforcement and allows them to operate with minimal risk. The inherently transnational nature of the Internet fits perfectly into this model of activity and the effort to maximize profits within an acceptable degree of risk. In the virtual world, there are no borders, a characteristic that makes it very attractive for criminal activity. When authorities attempt to police this virtual world, however, borders and national jurisdictions loom large -- making extensive investigation slow and tedious, at best, and impossible, at worst.
The Internet itself provides opportunities for various kinds of theft, whether from online banks or of intellectual property. But it also offers new means of committing old crimes such as fraud, and offers new vulnerabilities relating to communications and data that provide attractive targets for extortion, a crime that has always been a staple of mafia organizations.
The anonymity of the Internet also makes it an ideal channel and instrument for many organized crime activities. The notion of a criminal underworld connotes a murkiness or lack of transparency. Secrecy is usually a key part of organized crime strategy and the Internet offers excellent opportunities for its maintenance. Actions can be hidden behind a veil of anonymity that can range from the use of ubiquitous cybercafes to sophisticated efforts to cover Internet routing.
Organized crime has always selected particular industries as targets for infiltration and the exercise of illicit influence. In the past, these have included the New York City garbage hauling and construction industries, the construction and toxic waste disposal industries in Italy, and the banking and aluminum industries in Russia. From an organized crime perspective, the Internet and the growth of e-commerce present a new set of targets for infiltration and the exercise of influence -- a prospect that suggests that Internet technology and service firms should be particularly careful about prospective partners and financial supporters.
In sum, the synergy between organized crime and the Internet is not only very natural but also one that is likely to flourish and develop even further in the future. The Internet provides both channels and targets for crime and enables them to be exploited for considerable gain with a very low level of risk. For organized crime it is difficult to ask for more. It is critical, therefore, to identify some of the ways in which organized crime is already overlapping with cybercrime.
Major Trends in Organized Crime and CyberCrime
Organized crime groups are using the Internet for major fraud and theft activities. Perhaps the most notable example of this -- albeit an unsuccessful one -- occurred in October 2000 and concerned the Bank of Sicily. A group of about 20 people, some of whom were connected to mafia families, working with an insider, created a digital clone of the bank's online component. The group then planned to use this to divert about $400 million allocated by the European Union to regional projects in Sicily. The money was to be laundered through various financial institutions, including the Vatican bank and banks in Switzerland and Portugal. The scheme was foiled when one member of the group informed the authorities. Nevertheless, it revealed very clearly that organized crime sees enormous opportunities for profit stemming from the growth of electronic banking and electronic commerce.
Indeed, organized crime diversification into various forms of Internet crime is closely related to a second discernible trend -- organized crime involvement in what was once categorized as white-collar crime. The activities of the U.S. mob and Russian criminal organizations on Wall Street fall into this category. During the late 1990s there were numerous cases of criminal organizations manipulating microcap stocks using classic "pump and dump" techniques. While much of this was done through coercion or control of brokerage houses, the Internet was also used to distribute information that artificially inflated the price of the stocks. Among those involved were members of the Bonnano, Genovese, and Colombo crime families as well as Russian immigrant members of the Bor organized crime group. As criminal organizations move away from their more traditional "strong arm" activities and increasingly focus on opportunities for white-collar or financial crime, then Internet-based activities will become even more prevalent. Since Internet-related stock fraud results in a $10,000-million-per-year loss to investors, it offers a particularly lucrative area for organized crime involvement.
This is not to suggest that organized crime will change its character. Its inherent willingness to use force and intimidation is well suited to the development of sophisticated cyberextortion schemes that threaten to disrupt information and communication systems and destroy data. The growth of cyberextortion is a third significant trend. Extortion schemes are sometimes bungled, but they can be conducted anonymously and incur only modest risks, while still yielding high pay-offs. Indeed, this might already be a form of crime that is significantly under-reported. Yet it is also one that we can expect to see expand considerably as organized crime moves enthusiastically to exploit the new vulnerabilities that come with increased reliance on networked systems.
A fourth trend is the use of what were initially nuisance tools for more overtly criminal activities. Perhaps the most notable example of this occurred in late 2000 when a variation of a virus known as the Love Bug was used in an effort to gain access to account passwords in the Union Bank of Switzerland and at least two banks in the United States. Although this episode received little attention -- and it is not entirely clear who the perpetrators were -- it gives added credence to the theory that organized crime is developing relationships with technically skilled hackers. A fifth trend that we can expect to see is what might be termed jurisdictional arbitrage. Cybercrimes -- certainly when they are linked to organized crime -- will increasingly be initiated from jurisdictions that have few if any laws directed against cybercrime and/or little capacity to enforce laws against cybercrime. This was one of the lessons of the Love Bug virus. Although the virus spread worldwide and cost business thousands of millions of dollars, when FBI agents succeeded in identifying the perpetrator, a student in the Philippines, they also found that there were no laws under which he could be prosecuted. The Philippines acted soon thereafter to pass prohibitions on cybercrimes, and other countries have followed. Still, jurisdictional voids remain, allowing criminals and hackers to operate with impunity. Indeed, it is possible that some jurisdictions will increasingly seek to exploit a permissive attitude to attract business, creating information safe havens (paralleling offshore tax havens and bank secrecy jurisdictions) that make it difficult for law enforcement to follow information trails, and offering insulated cyber-business operations from which illicit businesses can operate with a minimum of interference.
A sixth trend is that the Internet is increasingly likely to be used for money laundering. As the Internet becomes the medium through which more and more international trade takes place, the opportunities for laundering money through over-invoicing and under-invoicing are likely to grow. Online auctions offer similar opportunities to move money through apparently legitimate purchases, but paying much more than goods are worth. Online gambling also makes it possible to move money -- especially to offshore financial centers in the Caribbean. Moreover, as e-money and electronic banking become more widespread the opportunities to conceal the movement of the proceeds of crime in an increasing pool of illegal transactions are also likely to grow.
A seventh trend involves growing network connections between hackers or small-time criminals and organized crime. In September 1999, for example, two members of a U.S.-based group known as the "Phonemasters" were convicted and jailed for their penetration of the computer systems of the telecommunications companies MCI, Sprint, AT&T, and Equifax. One of those convicted, Calvin Cantrell, had downloaded thousands of Sprint calling card numbers. They were sold to a Canadian, passed back through the United States, resold to another individual in Switzerland, and finally the calling cards ended up in the hands of organized crime groups in Italy. Network connections between the two kinds of groups are likely to deepen and widen. In addition, of course, organized crime groups use the Internet for communications (usually encrypted) and for any other purposes when they see it as useful and profitable. Indeed, organized crime is proving as flexible and adaptable in its exploitation of cyberopportunities as it is any other opportunities for illegal activity. The implications are far-reaching and require a response from government that is strategic, multi-level, multilateral, and transnational in nature.
Responses to the Organized Crime-CyberCrime Synergy
The response to the growing overlap between organized crime and cybercrime requires a truly comprehensive strategy. There are precedents and models for this that can be particularly helpful, even allowing for the need to balance law enforcement and national security concerns against such considerations as personal privacy. The key principles that have guided the international community's responses to transnational organized crime and money laundering can serve as one good model.
The Financial Action Task Force (FATF), a body set up by the G-7, has attempted to create norms and standards for governments and financial institutions to follow in the development of laws, regulations, and enforcement mechanisms at the national level. Although criticisms can be made of the FATF, in 2000 it launched an effective "name and shame" campaign that identified 15 "non-cooperative" jurisdictions whose efforts to combat money laundering were grossly inadequate. In some cases, the results were remarkable, leading to much more stringent anti-money laundering programs and far greater transparency of financial activities. While the FATF's campaign was the culmination of a 10-year effort, it nevertheless provides an approach that could usefully be emulated by the international community as it moves to combat cybercrime. The Council of Europe Convention on Cybercrime, largely supported by the United States, is the first major step in this direction and can be understood as the beginning of the process of setting norms and standards that national governments ultimately will be expected to meet in their legislative, regulatory, and enforcement efforts.
Underlying the convention approach is a fundamental recognition of the need to harmonize national laws. In recent years, international cooperation in law enforcement has been achieved through a series of extradition and mutual legal assistance treaties (MLATs) that allow governments to share information and evidence with each other. For MLATs and extradition treaties to go into effect, however, there is usually a requirement of dual criminality (i.e. the crime involved must be designated as a crime in both jurisdictions). In other words, international cooperation is enormously facilitated by convergence of what is criminalized in national jurisdictions. Furthermore, as pointed out by Ernesto Savona, head of the Transcrime Research Center in Trento, Italy, the imposition of similar laws in various countries both spreads the risks that criminal organizations have to confront and goes some way towards equalizing the risks across jurisdictions. In effect, the more widespread the laws, the fewer the safe havens from which organized crime-controlled hackers (or indeed individual hackers) can operate with impunity
Harmonization is necessary for both substantive and procedural laws. All countries have to reappraise and revise rules of evidence, search and seizure, electronic eavesdropping, and the like to cover digitized information, modern computer and communication systems, and the global nature of the Internet. Greater coordination of procedural laws, therefore, would facilitate cooperation in investigations that cover multiple jurisdictions.
In addition to appropriate laws, it is also important that governments and law enforcement agencies develop the capacity for implementation of these laws. This requires the development of expertise in the area of cybercrime as well as effective information sharing across agencies within a country and across national borders. Moreover, this sharing has to go beyond traditional law enforcement bodies to include national security and intelligence agencies. It is also essential to create specialized law enforcement units to deal with cybercrime issues at the national level. Such units can also provide a basis for both formal international cooperation and informal cooperation based on transnational networks of trust among law enforcement agents. Ad hoc cooperation and multinational task forces can both prove particularly useful -- and there are already cases where international cooperation has been very effective. Indeed, successful cooperation can breed emulation and further success.
The other important component of a strategy to combat cybercrime is partnership between governments and industry, especially the information technology sector. Once again, there are precedents. In recent years, the major oil companies, although very competitive with one another, established information sharing arrangements and worked very closely with law enforcement to minimize infiltration by organized crime figures and criminal companies. Government-private sector cooperation of this kind is not always easy but it is clear that a degree of mutual trust can make a difference. For cooperation to be extended, law enforcement agencies have to exercise considerable care and discretion not to expose company vulnerabilities, while the companies themselves have to be willing to report any criminal activities directed against their information and communication systems.
Even if considerable progress is made in all these areas, organized crime and cybercrime will continue to flourish. If steps are made in these directions, however, then there is at least some chance that cybercrime can be contained within acceptable bounds, that it will not undermine confidence in electronic commerce, that it will not so enrich organized crime groups that they can further corrupt and threaten governments, and that the big winner from the growth of the Internet will not be organized crime.