Cybercrime and Cybersecurity in the Global South
Author: Nir Kshetri
Publisher: Basingstoke; UK: Palgrave Macmillan, 2013. 256 p.
Reviewer: Peter Grabosky | September 2013
This addition to the growing body of literature on cybercrime focuses on what the author refers to as the Global South. By this he means the world’s poorer nations, those undergoing transition from former Communist states, and a few anomalous cases such as Saudi Arabia and its affluent neighbours on the west coast of the Persian Gulf. In other words, he is primarily concerned with places other than North America, Western Europe, and Australia/New Zealand. The term seems strange to a reviewer who resides below 35 degrees south latitude in an affluent English-speaking democracy, but it appears to be one that we must live with.
Kshetri’s interesting book divides the Global South into distinct regions, devoting a chapter each to the former Soviet Union and Eastern Europe, China, India, the Middle East and North Africa, Latin America and the Caribbean, sub-Saharan Africa, and the developing nations of the Pacific Islands. The world may be shrinking in a figurative sense, but globalization does not necessarily produce homogenization.
The most interesting aspect of the book is its comparison of offender characteristics, crime types, and victims from one region to another. The author explains these differences in terms of political economy. They reflect the level of economic development, state capacity, information technology skill sets, availability of legitimate employment, cultural factors and political influences from country to country. For example, the former Soviet Bloc is home to many skilled IT professionals. Therein reside some of the world’s most talented virus writers, whose products may be purchased in illicit cyber-markets, or used against targets elsewhere in the world. Russia in particular responds to cybercrime selectively, reserving its resources to address activities seen to threaten domestic interests, but turning a blind eye to attacks from Russia against foreign targets (primarily financial institutions and their customers). In some instances, the Russian state may encourage or collaborate in attacks abroad, as appears to have been the case with politically motivated denial of service attacks against Estonian and Georgian targets in recent years.
By contrast, African cybercriminals have limited technological skills, but some excel at social engineering. African states generally lack the capacity to control cybercrime.
Cybercrime is by no means a monopoly of civilian criminals. Kshetri notes that 108 of the world’s countries have offensive cybercrime capabilities. States have also used digital technologies against political dissidents. The governments of Myanmar and Mauritania, for example, use botnets to attack political adversaries.
Despite its steadfast denials, China is renowned for its activities relating to economic espionage and theft of intellectual property from states in what Kshetri would term the Global North. Less well known is the vulnerability of its domestic population to a range of cybercriminal activity primarily involving financial fraud and other forms of electronic theft. He attributes this local vulnerability to the relative lack of civilian technological capacity and to the state’s preoccupation with other security matters. One thing evident from Kshetri’s book is that states differ widely in the forms of cybercrime that they find most objectionable. Attacks against domestic targets are understandably greater cause for concern than attacks from one’s own country against targets on the other side of the world. According to Kshetri, Saudi authorities regard blackmail of women as particularly problematic.
The prospects for a seamless web of cross-national cooperation in such a diverse world may seem dim. The Council of Europe Cybercrime Convention has been heralded as a model of international cooperation in relation to cybercrime. Nevertheless, some nations from the Global South, perhaps because of their historical experiences as subjects of European imperialism or because they were not involved in the development of the COE convention, have expressed a preference for a convention under UN auspices. If such an initiative ever does eventuate, it is unlikely to do so for quite some time. Meanwhile, the Global South will be host to cybercriminal havens for the foreseeable future.
Kshetri does however cite a number of examples of successful collaboration. Officials in China have cooperated with their counterparts in the United States to shut down a child pornography website. In 2011, China and Taiwan successfully conducted a joint investigation of credit card fraud in Southeast Asia — something that was unimaginable just a few years earlier. This book was published just prior to the intensification of mutual accusations by China and the United States regarding the other nation’s cyber espionage activity. Whether this conflict will be resolved amicably remains to be seen.
Ironically, cyberspace appears more conducive to cross-national criminal collaboration. The author reports that attacks against Israeli information infrastructure in 2009 were undertaken by a Russian organization financed by Hamas or Hezbollah. Hackers from the Philippines who stole funds from AT&T customers reportedly transferred the funds to Saudi-based militant group. Chinese-made equipment used to “skim” credit card details is sold in the United States. Russian organized criminals are reported to have extensive international links, assisting Japanese counterparts to attack law enforcement databases, helping Australian scammers to move money, and providing material assistance to Malaysian cybercriminals. Kshetri also suggests that Ukrainian producers of scareware have opened a call centre in India.
China, alleged to be engaging in economic espionage, denies the practice, and claims that it has been the target of numerous attacks originating in the United States. Aside from implicit acknowledgement of its involvement in cyber attacks on Iranian nuclear enrichment facilities, the US will not admit that it ventures illicitly into China’s corner of cyberspace. The initials of the US National Security Agency, responsible for signals intelligence, are alleged to stand for “Never Say Anything.”
The global economy provides some interesting opportunities for cybercrime. Much of the world’s IT hardware is manufactured in China. Much software is manufactured in the United States. It may have occurred to authorities in both countries to arrange for insertion in their respective products of technologies that would facilitate access to the systems of the other. Chinese authorities claim that many attacks against information systems in their country appear to have originated in the United States. The Chinese may perhaps be forgiven for their suspicions, which appear to have been vindicated by the unauthorized disclosures of former NSA contractor Edward Snowden.
Criminologists recognize that crime follows opportunity. Every new technology, and every new application, can be vulnerable to criminal exploitation. The advent of mobile telephony has proven to be a fruitful target. Kshetri advises us that in 2011, 20% of cyberattacks in the UAE occurred through mobile internet. As phone banking becomes more common, so too are ‘phishing’ messages to mobile banking customers.
The author relies on abundant journalistic sources, at times rather uncritically. A pioneer cybercrime investigator once told me that there was a great gap between what cyber criminals do, what they think they do, and what they say they do. It is doubtful that hyperbole is the exclusive province of the offender; the flip side of ‘bragging rights’ is the temptation for actual or prospective victims to accentuate a perceived problem. The software and entertainment industries have nothing to gain by understating their losses at the hands of pirates. The information security industry would be disinclined to play down the vulnerability of its prospective consumers. Law enforcement and security agencies, seeking enhanced powers and competing for limited resources in an austere fiscal climate, are unlikely to embrace the electronic equivalent of ‘reassurance policing’. We learn that “at least 75% of UAE residents became victims of cybercrime in 2010” and “South African organizations lose about US$20 billion per year in cybercrimes.” This latter figure represents 5% of South Africa’s GDP, and seems rather steep. So too does the figure of annual losses due to cybercrime of $1 trillion US dollars.
Casual acceptance of claims, from whatever source, is risky. The book is brimming with statistics. Unfortunately, most are reported uncritically, and some are perplexing to the reader. For example, Table 1.2 contains adjoining columns, one headed “Rate of Attacks per 10,000 Internet Users,” and the other, “Number of Attacks per 10,000 Internet Users.” Statistics reflecting rates of growth of course depend upon the size of the base figure. A 100% increase from 2 cases to 4 is less remarkable than a doubling from one thousand to two thousand. There is a blizzard of rank orderings of countries on various indicators. Unfortunately, these include such sub-state jurisdictions as Guam and Puerto Rico. One table reports the unhelpful aggregation of “UK and India combined.” More straightforward accounts occur in such volume and detail that they make for hard going: “Morocco ranked seventh worldwide in the number of attacks per 10,000 Internet users in the first half of 2002.” “Brazil ranked fourth worldwide in spam generation for the week ending 11 March 2012.”
In general, the book could have been edited more carefully. References to “thieves, burglars, rubbers and organized crime groups” are not reassuring, nor is knowledge that cybercrime issues are “tightly inked” with cybersecurity orientations. One also encounters a reference (in the present tense) to India’s “Soviet counterparts.” The index could also have been more comprehensive.
Notwithstanding these shortcomings, the book provides an interesting perspective on cybercrime in non-western countries. Its breathtaking range of coverage provides a lens into locations and settings that might otherwise be overlooked by cybercrime researchers from the Global North. The chapter on China complements Chang’s recent book Cybercrime in the Greater China Region (Edward Elgar, 2012). The Middle Kingdom is likely to be at the epicentre of cybercriminality for some time to come.
Peter Grabosky, Ph.D. is a Professor at the Regulatory Institutions Network at Australian National University.