MAHARASHTRA NATIONAL LAW UNIVERSITY, MUMBAI

CYBER LAW

NOTE ON CYBER CRIME IN UK AND LAW

SUBMITTED TO: DR. ANAND RAUT

SUBMITTED BY:

JASON LAISHRAM

2020 129

SECTION A

1
Abstract

The escalation of cyber risks has led to the classification of cyber-crime as a 'Tier One'
national security concern in numerous countries. In light of this significant threat,
governmental entities have declared a considerable allocation of resources towards the
implementation of cybercrime prevention initiatives. The necessity of addressing cybercrime
is apparent due to the complex and interconnected nature of the Internet, which presents
considerable obstacles for law enforcement in combating cybercriminal activities. Expertise
and proficiency in cybersecurity are essential in effectively addressing this issue. Prior
research on policing cybercrime has indicated that local law enforcement officials often face
challenges due to their limited technical expertise, which consequently hinders their
effectiveness in combating cybercrime. Law enforcement agencies are continuously
improving their capacity to combat cybercrime by establishing dedicated units specifically
focused on addressing such offences. However, a scarcity of empirical studies exists that
investigates the policing challenges associated with economic cybercrime from the
perspective of experienced police officers employed in cybercrime divisions. This study aims
to fill the existing vacuum in the literature through empirical research. The researchers
utilised a theme analytic approach to examine semi-structured interviews that were
administered to proficient law enforcement professionals functioning in cybercrime divisions
within the United Kingdom.

The primary issues identified include a deficiency in international collaboration, the

underreporting of occurrences related to economic cybercrime, and a lack of awareness
among potential victims. The perspectives of police personnel towards the engagement of the
corporate sector in combating economic cybercrime seem to be cautious, maybe stemming
from ethical considerations. The utilisation of public-private partnerships in the realm of
cybercrime mitigation has demonstrated efficacy in bolstering the overall effectiveness of
efforts to combat cybercrime. The Cybersecurity Act (Regulation 2019/881) of the European
Union (EU), which entails the restructuring of the European Union Agency for Network and
Information Security (ENISA), serves as a recent illustration of the collaborative efforts
between public and commercial entities in addressing cybercrime. Nevertheless, the findings

2
of this study indicate that it would be prudent to broaden the reach of this programme beyond
European Union nations in order to uphold cybersecurity on a global scale.

Introduction

The emergence of the Internet and its subsequent integration into commercial contexts has
had a profound impact on various aspects of human interaction, including socialisation,
consumer behaviour, and communication methods. Nevertheless, the ubiquitous utilisation of
the Internet is not devoid of its inherent challenges. There is a contention that the utilisation
of the Internet for commercial purposes has not alone presented novel prospects for engaging
in conventional criminal activities, but has also engendered the emergence of innovative
types of criminal behaviour.

Large-scale breaches resulted in the unauthorised disclosure of personal data, rendering

individuals susceptible to fraudulent activities. Additionally, the WannaCry ransomware
attack, which targeted the NHS and numerous other entities globally, posed significant risks
to individuals' well-being and caused disruptions to essential services. The present landscape
of tactics is witnessing a change towards targeting businesses rather than individuals. While
there is a rise in phishing attacks targeting individuals, the number of successful attempts has
decreased due to heightened awareness among people.1

The challenge of attributing cyber-crime is often complicated due to the growing overlap
between nation states and criminal organisations, resulting in a fuzzy difference between the
two entities. The prevalence of cyber-crime assaults against the United Kingdom remains
mostly attributed to Russian-language criminals that engage in the provision of ransomware
as a service. While it is true that young individuals involved in illegal activities are generally
motivated by peer recognition rather than monetary gain, it should be noted that organised
cyber-crime groups in the United Kingdom are primarily driven by the pursuit of financial
benefit. Cybercriminals endeavour to exploit human or security flaws with the intention of
directly pilfering passwords, data, or monetary resources. The prevalent cyber risks
encompass several forms, such as hacking, which involves unauthorised access to social

1 (2007) Cybercrime: The Transformation of Crime in the Information Age: Cambridge: Polity Press.

3
media and email accounts, as well as phishing, which entails the dissemination of deceptive
emails soliciting security information and personal data. Additionally, the category of
malicious software encompasses ransomware, a type of malware employed by criminals to
seize control of files and demand payment in exchange for their release. Distributed denial of
service (DDoS) assaults targeting websites, frequently accompanied by extortion, are a
prevalent cybersecurity concern.

The scope and intricacy of cyber-attacks encompass a broad spectrum. The availability of
readily accessible technologies enables individuals with limited technological expertise to
engage in cyber-criminal activities, as the awareness of the possible financial gains grows
more common. The continuous advancement of malware's technical capabilities has resulted
in an expansion of its detrimental effects, while also enabling the emergence of novel
criminal activities, exemplified by the crypto mining software that targets digital currencies
like Bitcoin. Cyber-attacks have significant financial implications and can cause disruption
and distress to individuals and organisations. The aforementioned activities have a
detrimental impact on the economic stability of the United Kingdom, resulting in significant
financial losses up to millions of pounds annually for the UK economy. The National Crime
Agency (NCA) is dedicated to enhancing the United Kingdom's capacity to withstand cyber-
attacks and enhancing the law enforcement's ability to counter the threat of cyber-crime. This
is achieved by the proactive pursuit of individuals responsible for such activities, regardless
of their geographical location.

Recent research illustrates that cybercrime is the fastest grown crime in the world. It is
predicted that 23% of United States (US) population experienced cybercrime victimization in
2018.2 Similarly, Action Fraud reported that Internet users lost £34.6m as a result of
cybercrime between April and September 2018, which indicates a %24 rise when compared
to the previous 6 months.3 This increased cyber threat has caused public tension, which

2 Reinhart, R. J. (2018) One in Four Americans Have Experienced Cybercrime. Available at: https://
news.gallup.com/poll/245336/one-four-americansexperienced-cybercrime.aspx (Accessed: 04/11/2023.

3 BBC (2019) UK cyber-crime victims lose £190,000 a day. Available at: https://www.bbc.co.uk/news/
uk-47016671 (Accessed: 04/11/2023

4
motivated national and international bodies to put cybercrime and cybersecurity on top of
their agendas.4

Defining Cyber-Crime

There exists a prevailing consensus within the literature that a universally accepted definition
of cybercrime is lacking5 The Council of Europe Cybercrime Convention (ETS No. 185),
commonly referred to as the Budapest Convention, represents an early global effort to
establish a common framework for addressing cybercrime. However, this convention has
been subject to criticism due to concerns over the potential infringement on public liberties
and the extensive authority granted to governments in terms of computer surveillance, search,
and seizure. Instead of offering a general description, this convention emphasises the
significance of deterrence. The Council of Europe Convention on Cybercrime (2001) outlines
the parameters of deterrence, specifically targeting the confidentiality, integrity, and
availability of computer systems, networks, and data. It also addresses the misuse of these
systems, networks, and data, and proposes criminalization measures for such activities. The
Convention further organises cybercrime into distinct subcategories, which are presented
under four titles. Several cybercrimes were classified into these four categories.

Nevertheless, the authors have expressed criticism towards this method, arguing that it fails
to encompass certain forms of cybercrime such as stalking, extortion, online identity theft,
and spamming.6In 2007, the Commission of the European Communities issued a message to
the European Parliament regarding the mitigation of cybercrime. According to the European
Commission7, cybercrime is characterised as unlawful activities that are carried out through
electronic communications networks and information systems, or that target these networks
and systems. In contrast to the expansive definition put out by the Council of Europe, the

4Kshetri, N. (2020) ‘The Global Cybercrime Industry and Its Structure: Relevant Actors, Motivations, Threats,
and Countermeasures’, pp. 1-34 in The Global Cybercrime Industry: Springer.

5 Levi, M., Doig, A., Gundur, R., Wall, D., and Williams, M. L. (2015) The Implications of Economic
Cybercrime for Policing: City of London Corporation. Available at: https://www.cityoflondon.gov.uk/business/
economicresearch-and-information/research-publications/Documents/Research2015/Economic-Cybercrime-
FullReport.pdf.

6Clough, J. (2014) ‘A World of Difference: The Budapest Convention of Cybercrime and the Challenges of
Harmonisation’, Monash UL Rev. 40: 698.

7 European Commission (2007) Towards a General Policy on the Fight Against Cyber Crime Available at:
https://eur-lex.europa.eu/LexUriServ/ LexUriServ. do?uri= COM:2007:0267:FIN:EN:PDF.

5
Commission adopts a more limited interpretation of cybercrime. Once more, this definition
fails to encompass instances pertaining to illegal actions conducted through the internet.

For a significant period of time spanning more than 10 years, analysts have engaged in
speculation regarding the potential ramifications of a cyber-attack. The hypothetical
situations encompass a spectrum of possibilities, including the occurrence of a virus that
disrupts financial records or renders the stock market non-functional8, the deliberate
dissemination of deceptive information leading to the shutdown of a nuclear reactor or the
opening of a dam, as well as the disruption of the air traffic control system resulting in
aeroplane accidents, might be expected to have significant and far-reaching consequences in
terms of both economic and physical ramifications. Although none of these possibilities have
been observed thus far, there is a consistent occurrence of multiple cyber-incidents9.
However, a universally agreed-upon definition for classifying these occurrences as cyber-
attacks, much alone as cyber-warfare, has yet to be established. The lack of a universally
agreed upon definition has posed challenges for experts hailing from various nations in
formulating synchronised policy suggestions, as well as for governments in engaging in
coordinated actions. Therefore, the initial phase of establishing a precise definition for cyber-
attacks is a crucial undertaking in order to effectively confront the escalating menace they
provide. After providing an overview of many existing definitions, we propose a
comprehensive definition that adequately includes the core action that gives rise to the
problems associated with cyber-attacks.10

Cyber-Crime in UK

The counter-terrorism policy of the United Kingdom, commonly referred to as CONTEST,

follows the Four Ps Model. This model is designed to effectively address the terrorist threat
faced by the UK and has four key components: prevention, pursuit, protection, and

8Duncan B. Hollis, Why States Need an International Law for Information Operations, 11 Lewis & Clark L.
Rev. 1023,1042(2007).

9CLARKE & KNAKE, supra note 7, at 6; see, e.g., More Than Firewalls: Three Challenges to American Cyber
Security, asymmetric THREAT (Aug. 2011), http://asymmetricthreat.net/docs/ snapshot201 l_08.pdf (citing
Clarice’s definition); Understanding Cyber Warfare.

10In Part IV of this Article, we explore methods by which the U.S. government and other governments can
adopt the proposed definition or a similar, uniform definition.

6
preparedness.11 The term "pursue" pertains to the legal process of prosecuting individuals
who have committed offences and disrupting their illicit activity. On the other hand,
"prevent" signifies the act of safeguarding individuals from engaging in criminal behaviour
and becoming offenders. The primary objective of Protect is to mitigate risks and safeguard
both the public and private sectors by minimising vulnerabilities. The ultimate objective of
the prepare idea is to mitigate the adverse effects experienced by victims, particularly when
used within the context of law enforcement's response to economic cybercrime. The findings
of their study indicate that while this particular model requires modification in order to
effectively address the challenges posed by economic cybercrime in the context of policing, it
nonetheless provides significant perspectives on combating such criminal activities. The
participants were requested to assess the impact of law enforcement on the wider
cybersecurity landscape within the context of this conceptual framework.12

In light of the increasing prominence of cyber threats and the consequential rise in public
concerns regarding cybersecurity, it is noteworthy that there exists a dearth of empirical study
pertaining to the identification and comprehension of the obstacles encountered in the
enforcement of economic cybercrime. Prior empirical research mostly focused on the
attitudes of non-expert police personnel towards the field of cybercrime enforcement. The
findings of these investigations revealed that local law enforcement officials exhibited a
deficiency in their technical competencies when it came to addressing cybercrime incidents.
The study's findings indicate that police officers possess a certain level of confidence in their
technical abilities to investigate cases of economic cybercrime. However, they acknowledge
the necessity of seeking external expertise due to the rapid advancements in information
technologies. This study reaffirms prior research findings by highlighting the absence of
global collaboration in addressing cybercrime and ensuring cybersecurity13

This finding, which corroborates prior research, suggests that there has been a lack of
cooperation among states and international/transnational entities in addressing the worldwide

11 Home Office (2014) The Serious and Organised Crime Strategy, London.

12Williams, M., and Levi, M. (2015) ‘Perceptions of the e-crime Controllers: Modelling the Influence of
Cooperation and Data Source Factors’, Security Journal 28(3): 252-271.

13Kshetri, N. (2010) ‘The Global Cybercrime Industry and Its Structure: Relevant Actors, Motivations, Threats,
and Countermeasures’, pp. 1-34 in The Global Cybercrime Industry: Springer.

7
issue of cybercrime. The act of deleting digital evidence has been identified as a contributing
factor to the low rate of successful prosecutions. According to the testimonies of police
officers, a notable factor contributing to this issue is the limited understanding exhibited by
Internet users. Certain interviewees also recognised that individuals using the Internet were
occasionally unaware of their victimisation. This underscores the necessity for additional
educational initiatives aimed at enhancing knowledge pertaining to internet risks. According
to the testimonies provided by police officials, it has been observed that a significant number
of cybercrime incidents occurring in metropolitan areas have proven to be challenging to
prosecute. Therefore, cybercrime teams primarily prioritise high-profile cases that attract
public attention or result in substantial financial losses.

A significant portion of the financial losses can be classified as "de minimis," indicating that
online offenders engage in the theft of relatively tiny sums of money in order to avoid legal
consequences. The utilisation of this particular approach by internet offenders seems to
impose a greater burden on law enforcement agencies, hence resulting in evading detection
by law enforcement authorities. In relation to the participation of private enterprises in the
realm of cybercrime enforcement, law enforcement officials have expressed significant
apprehension on the ethical considerations associated with private firms, specifically
pertaining to their commitment to serving the public interest and conducting impartial
investigations. Certification in cybersecurity is another innovation brought about by this new
act. ENISA will be in charge of the preparation of cybersecurity certification systems for the
European Union (European Commission, 2019)14. The introduction of this new act is a clear
indication of EU’s commitment to sustain public-private partnership in combatting
cybercrime.

According to recent findings, companies in the United Kingdom have lost over £6.2 million
to cyber scams over the course of the previous year, with a 31% spike in reported incidents at
the peak of the epidemic (May-June). According to an analysis conducted by the cyber
security firm Nexor on data obtained from the police, 3,445 companies in the United
Kingdom fell prey to fraudulent online activity between September 2019 and September
2020. Since the lockdown was implemented, there have been a total of 1,740 instances

14The EU cybersecurity certification framework. Available at: https://ec.europa.eu/digital-single-market/en/eu-

cybersecurity-certificationframework (Accessed: 04/11/2023.

8
documented, hacking via email or social media was the most prevalent kind of attack,
accounting for 53% of all assaults over the course of the year and resulting in a loss of £2.9
million.15 During the duration of one year, it was discovered that the second most prevalent
kind of assault on companies was a scam that was brought on by the hacking of computer
systems.

The data also indicated, on a per-companies basis, the regions of the nation in which firms
suffered the greatest financial losses as a direct result of a cyber assault. Outside of London,
the West Midlands had the worst hit, suffering a loss of £133,461, which was followed by the
South East (£118,159) and the South West (£74,691) London led the way in terms of the
amount of money that was lost, which was £308,338. Because we have been forced out of our
normal routines and away from dependable systems during the last half a year, malevolent
hackers have had countless chances to intercept private information belonging to people and
enterprises. "The extent of the problem across the country was detailed in a recent report,"
Sarah Knowles, Senior Security Consultant at Nexor, said. "Across the country, millions of
people switched to work from home, and for many businesses, this left the door ajar as cyber
security took a back seat with such short notice." [Cyber security] "took a back seat with such
short notice, with the extent of the problem across the country being detailed in a recent
report." "It's crucial that when we either migrate back to our workplaces or perhaps
permanently embrace a more remote style to working, that we don't allow these sorts of
assaults to once again harm our companies. We can accomplish this by ensuring that we don't
allow these types of attacks to affect our businesses. This boils down to ensuring that we
make an investment in staff awareness training so that they are alert to questionable emails,
calls, or messages and that the appropriate reporting protocols are followed.

Conclusion

National and international initiatives such as the UK Cybercrime Strategy 2016/2021 place
an emphasis on reducing disparities among national jurisdictions and creating strong
coordination between policing bodies and other private and governmental actors of
cybersecurity in order to alleviate policing problems related to cybercrime. This is done in an
effort to alleviate the burden of cybercrime on the policing community. In spite of all of these

15 Graham, L. (2021) Cybercrime costs the global economy $450 billion.

9
attempts, there just aren't enough empirical studies done on this subject. This empirical
research contributes to the cybercrime and cybersecurity literature by describing some of the
issues that cybercrime units have experienced. The research was conducted by examining the
difficulties of policing economic cybercrime through the lenses of police officers. The
importance of the protect approach from the Four P’s model for policing cybercrime was
emphasised by the officers who took part in this research. This emphasis suggests that the
police need to move beyond their stated roles, which mostly centre on investigating and
prosecuting those responsible for the incidents. In order to accomplish this goal, law
enforcement agencies need to engage in more comprehensive collaborative efforts with
various third parties. Consequently, the public police need to clarify their function within the
larger context of cybersecurity assembling.

The responsibilities of police forces should be expanded so that they include not only the
investigation of cybercrimes but also the provision of coordination and collaboration between
various actors in cybersecurity, the prevention of cybercrime, and the protection of netizens.
New tactics should be developed to accomplish this expansion. In spite of the fact that
ENISA's new position will make a contribution to the maintenance of cybersecurity, the
analysis of interviews indicated that the absence of cooperation with nations that are outside
the jurisdiction of the EU provided a substantial problem. As a result, ENISA or another
agency ought to make concerted efforts to form partnerships with nations that are not
members of the European Union.

10