The Federal Bureau of Investigation (FBI) has revealed it is seeking around 123 alleged cyber criminals globally to face charges before a US court.
International cybercrime coordination cell (IC4) unit chief Steven Kelly told the RSA Conference that the number was sourced from a recent fugitive apprehension initiative, which sought to “understand who all of the charged individuals in cybercrime cases are throughout the FBI”.
“I believe when I looked a week ago it was 123 [individuals],” Kelly said.
“I think it’s a massive number. It’s a lot of people that have not been brought to justice because they are all over the world; they’re in places where we don’t have an extradition treaty, and that’s a problem.”
Kelly – together with representatives from the European Cybercrime Centre and the US Department of Justice – raised concerns about the number of accused cyber criminals that remained at large.
“We’re not going to build a deterrence model for cybercrime if we can’t get our hands on these people,” Kelly said.
“If we’re spending a couple of years to make a case, bring it to a grand jury, get it charged – and then we can’t get the guy or girl then we’re not going to deter cybercrime.
“They will continue to act with impunity and in safe havens. One of our focus areas is how to do better at that.”
John Lynch, chief of the computer crime and intellectual property section of the US DoJ’s criminal division, said fugitives could be sought via extradition or other means.
“Extradition treaties have been around for a long time but they are sometimes limited in the types of crimes that they cover,” Lynch said, noting most treaties weren’t “drafted in contemplation of the internet”.
Countries that have restrictions on extraditing their own nationals could be asked to pursue charges within their own jurisdictions.
“In those situations there’s generally what’s known as an ‘extradite or prosecute’ clause in the treaty,” Lynch said.
“In that case, prosecutors from one country can essentially turn over the evidence to the other country and the country that is not extraditing is required to make a good faith effort to prosecute the crime. That is something we’ve also taken advantage of.”
Lynch noted it could also be possible to “pick up an individual in a third country”, a strategy the US is reportedly using to locate – and try to extradite – accused Russian hackers.
However, Kelly indicated a general preference for “quiet apprehension” of those facing cybercrime charges.
“Ordinarily we’d want to stay quiet and keep the indictment sealed so that the individual doesn’t know that they’re under charges and therefore we have more options for apprehension,” he said.
“There’s been times when we’ve gone ahead and gone public. It does put pressure on them [and their lifestyle]. But quiet apprehension is always the best.”
One other option that both Europe and the US have turned to in recent times was diplomatic sanctions against the individual, or potentially against a country thought to be harbouring them.
“One of the things we’ve looked at in the EU are diplomatic consequences, and bringing a sliding scale of diplomatic response and sanctions,” European Cybercrime Centre head of business Steve Wilson said.
“There is a process underway just now in the European Commission to look at the practicalities of this in relation to cyber to actually put a consequence back to a country that either condones or actively decides to push people to commit this type of crime.
“The big issue is attribution but I think we’re getting better at this.”
Lynch noted that the US had similarly “established a sanctions regime specifically addressing cyber actors” in the past couple of years.
“At the end of last year we actually implemented against a couple of actors who had been charged in the United States with running a ransomware scheme and botnet and another one that was involved in some major data breaches,” he said.
“That is not necessarily the preferred approach for law enforcement, but it can impose consequences, making it difficult for them to travel or obtaining some of the profits from what they’ve undertaken … in appropriate cases.”
Ry Crozier travelled to the RSA Conference 2017 in San Francisco as a guest of RSA.