Floor Jansen, Ph.D., advisor to the Dutch National High Tech Crime Unit, began with an in-depth description on how to identify cybercriminals.

The typical cybercriminal looks very different from the criminals of serious organized crime, she said. The average age of a cybercriminal is 19, as opposed to a drug trafficker’s 40 to 50 years of age. Their recidivism levels are also very low, and it doesn’t take much to deter them away from cyber offenses. Lastly, they quite often have autistic traits.

Cybercriminals have several key identifiable characteristics, Jansen went on to discuss.

Firstly, they have no clear distinction between what is right and wrong online because these boundaries in the online world are less obvious. As they hide behind computer screens, they typically never see the damage they inflict on victims. While most cybercriminals usually come from good families, their parents are unaware of the full scope of what their kids are doing online, she added.

They tend to be negatively influenced by their peers, who also spend hours online and are not within reach of the positive influence of parents or educators. Finally, while the reward for crime is primarily money, cybercriminals’ motivations are more intrinsic—some do it just for fun and because they know they can.

With low recidivism levels, interventions aimed at deterring cybercrime are important and effective. A “hack right” intervention aimed at first time offenders studies the offender and creates a tailored approach, which could include training about online boundaries, cyber based community service, coaching by ethical hackers, and presenting positive alternatives to cybercrimes.

When discussing rehabilitation of hackers, Jansen finds that a combined approach works best. They need social workers who have the right tools to talk to and educate kids, and they also need the help of cybersecurity experts to help understand where these boundaries between right and wrong lie. The two work together to fill in each other’s gaps.

Greg Francis, the Acting National Prevent Lead of the U.K.’s National Crime Agency, said he believes law enforcement is an important tool in deterring cybercrime.

“Law enforcement, sometimes I believe—and this is not an agency view, this is my view—can be so focused on the blood and thunder, the arrest and prosecution, they sometimes forget that their job is to also provide service.”

That’s where knock-and-talks come into the picture.

Knock-and-talks are a type of cease-and-desist where if someone is at the periphery of any type of crime, law enforcement will go into the individual’s house and give them a warning. These methods help raise the awareness of law enforcement online and increase perception of risk that is otherwise not visible. In fact, Francis said, “every single one we’ve delivered over the four years—up to 500 cease-and-desists have been signed—not one has pushed back. I think we’ve got only got one case where we can say that individual has gone back and committed a crime.”

“The question is what is a more productive response to a potential crime?” Francis asked. “To wait for it to happen, because that’s where the blood and thunder is, or to make sure that the ones that we’re investigating are there because they’ve made an informed choice?”

FBI Director Christopher A. Wray gave the keynote at the Jan. 9 opening session of the Fordham-FBI 2018 International Conference on Cyber Security. He spoke of “the Going Dark problem” of protected electronic devices, and the lapse of part of the Foreign Intelligence Surveillance Act (FISA), should Congress fail to renew it this month.

Due to an industry practice of encrypting cell phones, computers, and other electronic consumer products, Wray said that last year the FBI was unable to access the content of nearly 7,800 devices, even though “there is lawful authority to do so.”

“Each one of those devices is tied to a specific subject, a specific defendant, a specific victim, a specific threat.,” said Wray, who was appointed last year following President Trump’s firing of then-director James Comey. “We are not looking for a ‘back door’ . . .[but]the ability to access the device once we’ve obtained a warrant from an independent judge, who has said we have probable cause.”

“it’s an urgent public safety issue.”

He also called for the immediate extension of Section 702 of the FISA, which allows the government warrantless monitoring of internet and phone communications to gather foreign intelligence information.

Wray, a former federal prosecutor who was in private practice when tapped for the director’s position, gave his talk from the “fresh perspective” of someone returning to law enforcement after approximately a decade.

“Back then, ‘tweeting’ was something only birds did. Now…well, let’s just say it’s something that’s a little more on my radar,” Wray said.

Wray defended the agency’s impartiality, saying that it is the honest process, not the result, that his FBI agents are passionate about.

“If the bureau starts chasing results, that’s fool’s gold. There is always going to be somebody unhappy about something that we do,” he said. “[We] let the facts go where they go.”

Higher Stakes, More Complexities

Since he last worked in law enforcement, Wray said “the [cyber]threats are growing more complex, and the stakes are higher than ever.” In fact, he noted that the term “cybercrime” is nearing redundancy, as nearly all crimes today—from terrorism to human trafficking to gangs to organized crime—involve some technological or digital component.

The FBI has been successful in infiltrating and destroying some major global operations: Wray mentioned the takedown last summer of AlphaBay, an online black market for drugs, malware, stolen identities, and more. Yet upcoming challenges incorporating more AI and cryptocurrencies will require new approaches and collaborations.

To those ends, he said, one of the main challenges facing the FBI today is finding persons who are high-end cyber-proficient, and to raise the game to stay ahead of threats. “The sad realization is that there are too few people in this country—in any country—who have that expertise. It’s a great place to be, if you are a college kid right now.”

Joseph M. McShane, S.J., president of Fordham, introduced Wray and fielded questions to him following his talk. Citing the foreign meddling in the 2016 U.S. presidential election, Father McShane emphasized cybersecurity’s vital contribution to world institutions.

“The work the FBI does has never been more important, not merely to the security of democratically-elected governments, but to world markets and to the infrastructure of civilization itself.”

(Read Director Wray’s full remarks.)

READ MORE ICCS DAY 1 COVERAGE:

To Take Out Dark Net Marketplace, Luck, Skill, Cooperation Required

Operation Harbor: an Insider’s Look at the Hunt for a German Router Hacker

There’s No Hiding

Technology offers no guarantee of “absolute security” online, said Ed Stroz, GABELLI ’79, a former FBI agent and current co-president of the cybersecurity firm Stroz Friedberg LLC. He instead highlighted the human foibles that can leave computer networks and online bank accounts vulnerable.

“When you talk about people losing money, usually the root cause of that is that somebody was tricked,” he said. “If I call you and … talk you into believing that I’m from the bank and you should take the following steps, a technologist cannot fix that.”

He spoke in Manhattan on Feb. 23 as part of the Gabelli School of Business’ Flaum Leadership Lecture Series, founded by veteran business consultant and Fordham University President’s Council member Sander Flaum, who moderated the event.

The only way to completely avoid cyberthreats is to stay off the internet, Stroz said. He noted that the FBI and other “three-letter agencies” keep networks unhooked from the web if they want to ensure they won’t be hacked; to protect in-person conversations, they use secure rooms, usually windowless, where no mobile devices are allowed.

Staying off the internet isn’t an option for most of us, of course, any more than staying home all the time is a feasible way to keep from catching a cold, he said. But basic precautions can help manage the risk, he said: Don’t reuse passwords. Add more layers of authentication for your email and other online accounts. Also, he said, practice good “web hygiene” by downloading your computer’s updates when prompted—and not just for your own sake.

If hackers hijack your computer or other device to launch an attack on someone else, “you don’t want to be standing there saying, ‘Well, I didn’t think it was important to load the updates,’” he said.

While technology-related companies could be doing more to protect consumers, he said, “we all have an obligation to be good citizens, digital citizens.”

He said that cyberattacks on large retail chains in recent years got the companies’ attention because, unlike other security issues, they had a chilling effect on business. Asked about future threats, he said hackers will likely focus more on attacking data’s integrity.

“Let’s say you’re a medical organization and you have blood test results, and I change them and then I notify you and say, ‘I want this amount of money because I went in and changed the blood test results. You won’t know which ones. How much is it worth to you to get some type of satisfaction on that?’ The implications, I think, will be substantial.”

He also noted the importance of “measuring people” in a work setting, fostering a caring work environment and making sure that people who handle sensitive data can be trusted. “The insider risk is the thing that could hurt you the most,” he said

He spoke at the University Club before an audience of approximately 100 alumni, students, and friends of the Gabelli School. Asked about leadership, he said that while some are born with innate charisma that makes them natural leaders, anyone can develop leadership skills. But leadership starts with looking inward rather than outward.

“What do people see in another individual that makes them willing to follow?” he said. “You have to sort of evaluate yourself if you want to be a leader and say, ‘What am I projecting, and what does that mean?’”