Cybercrime; prevention vs. repression

<originally a Dutch column>

Cybercrime and cyber-warfare are currently the trendy terms the government throws around to acquire additional laws and powers. If it can also link cybercrime to the distribution of images of child abuse (also known as child pornography), the government has hit political pay dirt and can do pretty much what it wants. What continues to puzzle me is how all this focus on the distribution of such images actually protects the child victims themselves.

Bart Schremer published his opinion piece recently, providing an overview of the issues that law enforcement agencies are facing. On the one hand society (or at least the media) expects law enforcement to solved all crime immediately, preferably on a modest budget. On the other hand most Dutch people would still prefer to avoid a police state along the lines of the North Korean or American model.

But in all discussions on permissible methods of detection, hacking police officers and crime-fight-using politicians is missing, is why cybercrime has grown so enormously. The fact that our reliance on IT is increasingly complex will certainly have contributed. But one other important factor is the huge digital illiteracy among the vast majority of citizens. Aside from some half-hearted campaigns, the government has done little to teach citizens anything of real use or value.

If you have been online for a while (ie more than 15 years), it is difficult to imagine that many Internet users today do not know how a URL is constructed or what is does – and with today’s browsers you don’t need to know. I often see people typing the name of a site into Google (which is set as the homepage) and then clicking on it. And so, without batting an eye, they click their bank details through to, or something similar. Just because the logo was in the mail, is it still the help desk of the ING bank? If people could understand the difference between a top level domain and the rest of the URL, they could probably work out for themselves if the ING bank is really based in Russia.

One of the main causes of the proliferation of cybercrime is the profound ignorance of most computer users. This ignorance is partly caused by an education system that teaches handy computer tricks rather than real understanding. The "computer licence" is simply a course in MS Windows & MS-Office and provides no insight whatsoever into what a computer actually does or how networks function. Not that everyone needs to be a system programmer, but ensuring a bare minimum of understanding  (such as the ‘reading’ a URL) could avoid so much pain.

In addition, the vast mono-culture of computer systems is a major problem that the government is actively propagating. Thus, in the Netherlands, it is virtually impossible to finish high school without access to a system with MS-Windows and MS Office. Running a school  and getting it funded is even harder. Studying at many universities without a Google account is rapidly becoming  impossible, and a Facebook account is required to function in other institutions

The Lower House listening to the arguments, noted in 2002 that “software playes a crucial role in the knowledge society, and that the supply side of the software market at that time is highly monopolised.” It asked the government to fix this

These are the first sentences of the 2002 Vendrik Paralimentary Motion on the dysfunctional desktop software market. But this malfunctioning market aspect was soon forgotten in many discussions about various open standards and what open source web-system really is the best. But it did focus so primarily to a disturbance of the software market, not the internal management of secondary schools, municipalities and other public sector agencies

A lot of hot air is wasted discussing nebulous cloud systems, but interaction with these clouds still occurs primarily via desktop/laptop systems. And the market for these systems remains almost as monopolised as in 2002. Whoever has control over these desktops, has de facto control over most information processing in the Netherlands. To date mostly criminals seem to be interested in our desktops. And because the desktop landscape of the Netherlands is an extreme software mono-culture, and this makes us vulnerable, and yet for the last ten years the government has done virtually nothing to reduce this vulnerability

Meanwhile the role of IT in the minute-by-minute functioning of our society has greatly increased in recent years. What about hospitals, ports, airports, schools, police stations, and ambulance dispatchers? All of them can only function with working desktop PCs. And those PCs are often running Windows without the latest updates. Criminals or foreign cyber armies can take over these systems, gain a stranglehold on our society and unlike rumbeling tanks we would only figure this out after it was already done (or even much later than that).

If cybercrime and even cyber-warfare were really so vitally important, it would be logical for the government to institute a computer education that really teaches, to dismantle of our software mono-culture, and reduce our high dependency on foreign service-providers. Real advances in these areas would make so much more sense than abrogating yet more power to a government that displays ever more totalitarian tendencies and, at the same time, highly questionable competence.

Update, while writing this column a criminal (presumed to be from Russia) made my point by infecting 100.000 computers via a java vulnerability and a hack of the Dutch news website around lunchtime. All infected computers ran MS-Windows. More details in the post-mortum rapport of Fox-IT.