Introduction
An effective cybercrime investigation capability is underpinned by Cybercrime Investigation Building Blocks (CIBB): Structure, Major Systems, Facilities, Personnel, and Training. This framework delineates the resources required and emphasizes the importance of their strategic integration. Achieving a balance between these elements is essential for developing a dynamic and resilient response to the multifaceted challenges of cybercrime.
Exploring these building blocks in detail reveals how each contributes to an agency’s capability.
Understanding Cybercrime Categories
Cybercrime can be thought of as crime that is enabled by the emergence of technology. It is traditionally divided into two categories: cyber-enabled crime and cyber-dependent crime. Each category reflects the degree to which technology is instrumental in committing the crime.
Cyber-enabled and cyber-dependent crimes present unique but related challenges for investigation and resource allocation.
What is Cyber-enabled Crime?
Cyber-enabled crime refers to traditional criminal activities transformed in scale or form by the internet and digital technologies. While not born in the digital age, these offences have found a new and often more potent expression through digital means. Examples of cyber-enabled crime include online fraud, where traditional deceit or scam tactics are applied on a global scale through the internet, and cyberbullying, which extends the reach and impact of harassment beyond physical spaces to digital platforms. Identity theft is another prevalent form of cyber-enabled crime, where personal information is illicitly obtained and used for fraudulent purposes, made significantly more accessible and more lucrative by access to digital data.
What is Cyber-dependent Crime?
Cyber-dependent crimes are illegal activities that can only exist in the digital world. These crimes are born from and facilitated by computer networks or devices. The unauthorised access to or manipulation of computer systems, websites, or networks epitomises cyber-dependent crime. Another example is the creation and dissemination of malware, software designed to disrupt, damage, or gain illicit access to computer systems. Additionally, denial of service (DoS) attacks, which aim to make a machine or network resource unavailable to its intended users by overwhelming it with a flood of internet traffic, are crimes that could not exist without the digital infrastructure of modern computing.
The specific category of cybercrime an agency encounters significantly influences the nature and extent of the resources necessary to bolster its investigative capabilities. This interplay between the cybercrime type and the investigative resources necessary is a critical consideration that we will revisit in greater detail later.
Challenges Unique to Cybercrime
Cybercrime introduces unique challenges for an investigative agency – challenges that set it apart from traditional crime.
Jurisdictional Issues
Cybercrime, especially cyber-dependent crime, is rarely initiated from the same geographic jurisdiction where the offence occurs. This presents a substantial challenge for law enforcement agencies, as legal frameworks and the ability to pursue cross-border investigations vary significantly from one country to another. Differences in laws, regulations, and the willingness of governments to cooperate can hinder the investigation and prosecution of cybercrimes, allowing perpetrators to exploit these gaps in international law enforcement coverage.
Evidence Collection Difficulties
Unlike traditional crime, where physical evidence might be more readily available and stable, cybercrime evidence is digital, making it inherently volatile and easy to manipulate or destroy. Identifying, collecting, and preserving digital evidence requires specialised knowledge and tools. Furthermore, the transient nature of digital data and cybercriminals’ ability to operate from remote, often undisclosed locations complicates the evidence-collection process.
Technological Sophistication
The heart of cybercrime’s unique challenge is its technological sophistication. Cybercriminals often employ advanced technologies, such as encryption and anonymisation tools, to carry out their activities, making detection and attribution difficult. Many investigative agencies are not accustomed to addressing such sophisticated threats and require different procedures, equipment, and personnel than they traditionally do.
The rapid pace of technological change also means that strategies and tools for combating cybercrime must continually evolve, requiring law enforcement to stay abreast of the latest digital trends and cybersecurity measures.
Investigating Cybercrime: An Agency’s Capability
Investigation capability is not just the sum of available tools and specialised personnel; it is an agency’s overall capacity to respond to cyber threats.
An agency’s investigation capability is significantly influenced by its legal and operational framework, ideally empowering it to act swiftly and effectively across jurisdictions.
Distinguishing Capability from Capacity
‘Capability’ and ‘capacity’ are often used interchangeably yet denote distinct aspects of an agency’s ability to combat cybercrime.
Capability refers to the range and quality of an agency’s functions and processes in investigating cybercrimes. It encompasses the skills, knowledge, technologies, and methodologies that the agency employs to identify, pursue, and mitigate cyber threats. Capability is qualitative, focusing on how effectively an agency can use resources to achieve its objectives. For instance, an agency with high capability would possess advanced digital forensic tools, skilled personnel proficient in their use, and effective procedures for responding to cyber incidents.
On the other hand, capacity denotes the volume or amount of resources an agency has for cybercrime investigations. This quantitative measure includes the number of personnel dedicated to cybercrime, the extent of technological resources, and the availability of financial and logistical support. Capacity addresses whether an agency has sufficient resources to handle the scale of cybercrime it faces, regardless of how sophisticated or advanced those resources may be.
An agency might have a large capacity with significant resources at its disposal. Still, without the corresponding capability to employ those resources effectively, its efforts against cybercrime may not reach their full potential. Conversely, an agency with high capability but limited capacity could manage smaller-scale incidents efficiently but struggle with larger or more complex cyber threats.
The Building Blocks of Cybercrime Investigation
The strength of an agency’s cybercrime investigation capability depends upon the group of inputs we call the Cybercrime Investigation Building Blocks (CIBB). These building blocks—Structure, Major Systems, Facilities, Personnel, and Training—collectively underpin an agency’s investigative capability.
Building Block 1: Structure
Structure primarily encapsulates how an agency organises itself to address cybercrime effectively. This includes whether an agency, like many today, opts for a specialised, dedicated team focusing solely on cybercrime or integrates cybercrime response capabilities across frontline personnel. It also involves the agency’s approach to collaboration, assessing whether it actively engages in partnerships with other agencies—often those in nearby jurisdictions—to leverage multi-agency opportunities and resources.
The structure extends to the processes and charters within the agency that guide the allocation of resources and responsibilities. This aspect of the structure is crucial for ensuring that tasks are distributed according to the agency’s strategic objectives and operational capabilities. An efficient structure enhances clear communication, enables swift decision-making, and promotes effective coordination both internally and with external partners. By deploying the right resources at the optimal times, an agency can maximise the impact of its investigative efforts against cybercrime.
Building Block 2: Major Systems
Major Systems refer to the array of technology and software foundational to cybercrime investigation efforts. This broad category spans digital forensic tools, incorporating software and hardware, which may be centralised within specialist units or disseminated more widely throughout the organisation, depending on the agency’s structure and strategy. Beyond forensic tools, major systems also cover cryptocurrency tracing software, essential for tracking financial transactions related to cybercrime, and case and evidence management systems that streamline the investigative process. Data analysis software can further complement these tools, offering sophisticated means to sift through vast quantities of data for actionable intelligence.
Building Block 3: Facilities
Facilities embody the essential physical infrastructure supporting cybercrime investigation operations. Digital forensic laboratories need to be sufficiently numerous and well-equipped to handle the volume and complexity of cases the agency encounters. The decision on whether to develop these labs in-house or outsource their capabilities is strategic and influenced by the agency’s operational demands and resource availability. Facilities also include secure data centres and communication networks, which may be critical for safeguarding sensitive information and facilitating discreet operations. Additionally, deniable internet connections for covert engagements may be significant, allowing investigators to interact with suspects or infiltrate online criminal networks without revealing their law enforcement identity.
Building Block 4: Personnel
Personnel encompasses the workforce required for an effective cybercrime investigation capability, spanning frontline staff, investigators, analysts, forensic experts, support staff, and executives. Personnel planning is central to this building block: the agency must identify (and resource) the specific roles, competencies, and organisational positioning required to respond to cybercrime effectively. Recruitment plays a vital role in maintaining the strength of these teams, given the high turnover rates often observed in specialist roles. Ensuring the agency is equipped with adept personnel across all levels, from technical experts to strategic leaders, is foundational to sustaining robust cybercrime investigation capabilities. These individuals’ expertise and adaptability make them an indispensable asset in the agency’s ongoing efforts to mitigate cybercrime.
Building Block 5: Training
In an environment where cybercriminals continuously refine their methods, agencies building an effective capability must keep pace and stay ahead. This involves a commitment that goes beyond traditional training models. Recognising the limitations of solely in-house training efforts, many agencies now must extend their training scope beyond internal resources. This often means outsourcing certain aspects of cybercrime training to external experts who can offer the latest insights and techniques in cybersecurity. Such a shift not only broadens the workforce’s skill set but also ensures that the training remains at the cutting edge of technological and procedural advancements.
We propose a structured, layered training program that begins with induction and onboarding for recruits, extends through specialised courses aimed at enhancing investigative skills, and is capped off with an executive development program designed to prepare senior leaders for the strategic challenges of cybercrime management.
Combining the Building Blocks
While each CIBB element is crucial in its own right, their combined effect truly enhances an agency’s investigative capability. The coherent operation of these elements enables agencies to respond to cybercrime, deter it, and mitigate its impact efficiently.
The interaction among the CIBB elements fosters a dynamic and resilient investigative capability, one that is greater than the mere sum of its parts.