Cybercrime

Definition and delimitation

Cybercrime is understood to be all those forms of crime that are committed by means of modern IT. According to a narrower linguistic usage, cybercrime only includes those acts whose object of attack are computers, data, data networks and data processing. ^[1]

Cybercrime in the broader sense includes, for example, the distribution of pornography online, fraud on eBay or insults by means of e-mails or on websites. Since the internet can connect people with criminal tendencies worldwide who would hardly ever have met in the analogue world, solidarity effects occur that lower the inhibition threshold to commit even extreme forms of criminal behaviour. One example is the production and exchange of violence-oriented child pornography.

Cybercrime in the narrower sense includes, for example, attacks on other people’s computers or data processing through “hacking”, data espionage or data alteration. Computer fraud is particularly widespread, in which a computer (e.g. an ATM) is tricked by deception-like means into granting the perpetrator a service to which he is not entitled (e.g. the payment of a sum of money). Another frequently occurring form of cybercrime is the DoS attack (“Denial of Service”), in which the internet pages of a company are overloaded and thus blocked by mass requests. Such attacks are often staged by many computers at the same time, which is why one speaks of a DDoS attack (“Distributed Denial of Service”). DoS and DDoS attacks are often accompanied by protection rackets.

History and specifics

The development of cybercrime is closely linked to the development of computers and especially the internet. With each technological innovation, new forms of socially harmful, and often criminal, behaviour emerge. The corona pandemic has led to a sharp increase in cybercrime. ^[2] Today, cybercrime threatens all areas of application of modern IT. It thus represents one of the greatest technical, social and legal policy challenges of our time.

Cybercrime is characterised by several special features: It is typically a distance crime and easily crosses national borders, which often makes prosecution difficult. Moreover, in such cases, the question arises as to which legal system has jurisdiction at all. Secondly, the internet offers the possibility of attacking a very large number of targets virtually simultaneously, for example, through fraudulent e-mails sent simultaneously to hundreds of thousands of potential victims. A third special feature is that the growth of the internet means that new, often completely inexperienced people are always available as potential victims. Due to the expansion of networking from classic PCs to notebooks, tablets and smartphones to the Internet of Things, the number of possible objects of attack is constantly increasing.

Whereas in traditional crime, there is usually a threat of singular personal injury or damage to property, cybercriminals can generate billions in damage and put thousands of people at risk by attacking hospitals, authorities or critical infrastructures with just a few clicks of a button. For example, the networking of hospitals makes it possible to threaten medical facilities from abroad, and the currently rapidly advancing digital networking of road traffic makes similar scenarios seem likely for it.

After all, there are also factors that facilitate law enforcement on the internet. These include, above all, the fact that perpetrators always leave traces on the internet, which can be analysed by means of increasingly powerful computer forensics ^[3] increasingly powerful computer forensics. The question of how far the state may use technical means to control the internet (e.g. data retention) is one of the most important issues in police and criminal procedure law today.

Problems

Since internet technology is similar worldwide, the forms of cybercrime are also similar. For this reason, there have been efforts for a long time to internationally standardise the penal norms for combating cybercrime. Even with internationally uniform criminal norms, however, law enforcement beyond national borders often causes problems.

The rapid progress of internet technology also means that new forms of cybercrime are constantly emerging. For example, so-called “deepfakes” can be created by means of virtual reality ^[4] that show people in sexually connotative situations, for example. Since in such a case, no IT system is attacked, but rather an attack is made on a traditional legal right (honour) by means of new IT possibilities, this is a cybercrime in the broader sense. A new form of cybercrime in the narrower sense is, for example, when AI is used to test the vulnerabilities of an IT system and, under certain circumstances, to break through them.

A problem that has recently become visible in the context of cybercrime is the question of civil and criminal liability for susceptibility to sabotage. Today, critical technical systems are generally protected against attacks. But how secure does such protection have to be? If, for example, an IT security engineer has used a security system that could be relatively easily overcome by attackers, then in addition to the question of the criminal liability of the actual perpetrators, there is also the question of the responsibility of the person who had to ensure the security of the system. In this context, it must be remembered that no system can offer 100 per cent security. A certain residual risk always remains. It still needs to be clarified which security requirements are appropriate for which technical systems and should be legally enforced. In jurisprudence, the related questions are often discussed under the heading of “permissible risk”.

A central problem in the legal management of cybercrime is provider liability. Internet providers provide the infrastructure without which internet traffic (and thus also the criminal activities that take place there) would not be possible. This makes it questionable whether a provider can be liable to prosecution, for example, if it does not prevent a criminal user known to it from posting hate messages or child pornography online. In the early days of the internet, providers were privileged under liability law so as not to unnecessarily hinder the growth of the internet. However, in the age of almost ubiquitous networking, in which even medical facilities and road traffic are increasingly connected to the internet, it becomes questionable whether these liability privileges have not become obsolete.

Measures against cybercrime

Germany was one of the first countries in the world to enact penal norms against cybercrime. These are primarily the offences of data alteration (§ 303a StGB), computer sabotage (§ 303b StGB) and spying on data (§ 202a StGB). In addition, there is forgery of documents by computer (§§ 269, 270) and computer fraud (§ 263a StGB). Standards for the protection of data security also exist in data protection law, for example, in the GDPR.

However, technical measures to protect computer systems are more effective than protection under criminal law, whose preventive effect always remains questionable. In addition, there is the need to develop sufficient sensitivity to the fact that one should behave at least as carefully in the digital space as in the old analogue world within the framework of the media competence that is required on all sides. This means, for example, the use of elementary self-protection measures (effective passwords, use of anti-virus software, etc.). Without sufficient protection against cybercrime, the digital transformation of our society is in danger of failing.

Research

At bidt, the doctoral project “Secure lightweight authenticated encryption for critical infrastructures in the Internet of Things” is investigating which cryptographic methods are suitable for protecting networked devices in the Internet of Things against modern attacks.

---