Strict punishments for cybercrime are useless. Here is why

What motivates people to commit crimes is something that has vexed academics and policymakers alike for several decades. Economist Gary Becker famously proposed his notion of the "rational criminal" in the 1960s. Such an individual will logically think through the potential fruits of their labor and offset this with the possible costs should they be caught and punished.

Of course, just as the rational economic actor has largely given way to a more nuanced perspective espoused by behavioral economics, our understanding of the modern criminal is equally sophisticated. This is especially true in the world of cybercrime. For instance, a few years ago, research from Arizona State University tried to shed light on the motivations behind ethical hacking.

For such individuals, the payoff isn’t a direct financial one, but they do nonetheless undergo some of the same analyses as those outlined by Becker, albeit with the payoffs often being of a social or ethical nature.

Attack and defense

Of course, in many cases, organizations take measures to stop crimes from taking place, while criminals take measures to increase their chances of getting away with them.

"A cybercriminal with greater skills or more advanced technology has a better chance of circumventing the target’s security measures, but the intended victim’s countermeasures make it less likely that the cybercriminal will succeed," say the authors of a new paper that assesses the risks and payoffs for modern cybercriminals.

The researchers construct a model that attempts to illustrate the processes through which the criminal attempts to go about their work, the victim tries to stop them, and the social planner establishes punishments and deterrents.

It's a dance in which the social planner usually moves first, as they set the penalties should the criminals be caught. The potential victim then moves second by implementing various measures to protect themselves from cyberattacks, or at least to be able to identify the attacker should an attack occur. Last, but not least, the cybercriminal makes their move in deciding whether to launch their attack, how to do so, and what measures to use to avoid detection.

Weak deterrent

The model suggests that strict punishments for cybercrime don't actually do much good. Indeed, far from deterring criminals, they actually seem to increase the amount of effort the criminals put into avoiding detection.

This somewhat counter-intuitive finding arises from the fact that the criminal will be basing their decision in large part on the likelihood that they will be caught. Therefore, if the punishment for detection is increased, then they will exert extra effort to ensure they don't get caught, which also makes the reward that much more likely.

"Thus, as criminal penalties increase, cybercriminals use more sophisticated programming, and the cybercrime is more likely to succeed," the researchers explain. "Because of this, increased fines can lead to reduced social welfare, especially when the victim’s loss is large."

What's more, a larger penalty for cybercrime may also induce the potential victim to reduce their own efforts to limit the chances of hacks occurring. In other words, making punishments more severe can have the counter-intuitive consequence of making criminals work more effectively and victims less effectively, so that the crimes are more likely to succeed.

Indeed, the researchers believe there are certain circumstances in which the cybercriminal will not be deterred regardless of the size of the punishment they face. This scenario unfolds when the benefits to the criminal are huge but the loss to the victim is relatively small.

"When deterrence is impossible, the fine should be as large as possible when the loss to the victim is relatively small, but the fine should be 0 when the loss to the victim is above some threshold," the researchers explain. "The reason is that when the loss to the victim is small, the large penalty keeps her from investing too much in self-protection, but when the loss is larger, the penalty of 0 keeps the offender from trying so hard to succeed."

Stopping cybercriminals

So if large punishments don't really deter cybercriminals, what can lawmakers do? One option would be to fine the victims so that they have a greater incentive to keep the criminals out and ensure their systems are secure.

This incentive for the victim to bolster their defenses can work effectively in deterring the cybercriminal as it makes the chances of a successful attack that bit smaller. The researchers argue that while in most crimes, punishing the victim would be seen as unfair and unjust, this is often not the case for victims of cybercrime. This is because the actual victim is usually the customer whose data is stolen.

"Deterrence occurs when the loss to the victim and the associated externality are large and the benefit to the cybercriminal is relatively small," the researchers explain.

With cybercrime on the rise during the Covid-19 pandemic, the findings from the paper perhaps provide some food for thought for lawmakers seeking to provide an effective deterrent.


J.W. Wexford
2 years ago
This is an interesting perspective that I largely agree with. However, I think the cybercrime world is more complex. The ultimate solution to it is inevitably a one-world policing body. If I’m a cybercriminal in Russia, I have zero incentive not to attack a target in the US. If I target government or a business in Russia, then I’m in big trouble. But again, I do agree with this article. Take ransomware. Making tougher laws does nothing. Ultimately it’s starving the beast. The laws should be pointed toward insurance companies, requiring insureds to take more steps before there’s a payout, just as an example. I know there’s no easy fix, and I won’t pretend to have all the answers. My point is just that there’s far, far more to it than just basic criminology.