Cybersecurity Requires Rethinking Cybercrime Investigation

Virtual Detective Oversight

Cybersecurity Awareness Month is a good time to take stock of what can be done differently to improve cybersecurity. Since this awareness event began in 2003, the cyberthreat risk has become astronomically higher. Digital assets are even more vulnerable to theft and compromise. Bad actors across the globe present an ever-greater danger, making cybercrime detection and prevention a central security focus.

Given this reality, it is time to embrace security strategies that not only manage risk but also work toward actively reducing these threats.

Cybersecurity methodologies have evolved based on the fundamental premise that little can be done to stop cybercrime. Instead, the cyberthreat risk is best minimized through protection and preparedness. The goal is to guard the castle gate against the possibility of invasion and be ready to defend the treasure if and when the enemy gets inside. Cybersecurity has operated under this risk management premise for decades now, tacitly accepting that even the best security measures may never be enough.

In the cyber environment of 2021, let alone what lies ahead, it is time to let go of this premise and add cybercrime investigation to the security discussion. Disrupting and removing cybercrime threats is the one thing that will vastly improve every organization’s level of security. What if security principles included the goal of shutting down attackers? What if, instead of assuming cybercrime is unstoppable, security strategy incorporated aggressive, collaborative investigations designed to put attackers out of business?

The AML Model

One does not have to look far to find a successful model for this approach—a page can be taken directly from financial institutions’ (FIs) anti-money laundering (AML) programs. Every day, AML professionals investigate how cybercriminals earn and move the proceeds of their illicit activities. Along with anti-fraud and other financial intelligence units, AML groups identify an array of cybercrimes, record critical evidence about suspicious activity and prevent numerous crimes from being completed. AML programs then report the information and evidence they uncover to the Financial Crime Enforcement Network (FinCEN), a government agency that analyzes the data and makes it accessible to law enforcement investigators. Most cyber crime is driven by profit, so AML work provides a significant window into criminal operations as well as the strong potential for disruption.1

Many believe that investigating cybercrime is exclusively law enforcement’s job. But as AML work demonstrates, law enforcement cannot do it alone. The nature of cybercrime—technical, anonymous, financial and international—requires law enforcement to work hand in hand with those institutions and industries that have access to information about what the criminals are doing. In many ways, AML professionals have been deputized by the government to investigate and gather evidence about money laundering and other criminal activity. Without this collaboration, law enforcement could not learn about and respond to the enormous volume of financial crime.

Taking the AML Model to the Next Level

The AML model shows what can be done when one aspect of cybercrime investigation is prioritized, funded and given adequate resources. This model should be expanded so that FIs are maximizing their investigative capabilities, using all the information coming in through their various services and internal departments. While AML programs by no means eliminate money laundering, imagine how exponentially more rampant these crimes would be without the AML framework. That unchecked scenario is what the world endures because there is no systematized investigation into the full scope of cybercrime.

AML’s cybercrime investigation efforts largely came about because of U.S. Bank Secrecy Act (BSA) regulations and FinCEN’s 2016 guidance on cyber-enabled crime.2 But security self-interest—not just new laws and regulations—should be the real motivation to expand these practices. Taking concerted action to stop the individuals who attack systems, victimize customers, misuse services and steal billions of dollars a year would be a game changer in terms of both improving cybersecurity and stopping crime.

For FIs, intensified programs for cybercrime investigation can be built by integrating existing professional and technical resources. AML and other financial crime units are hard at work unraveling cybercrime events within the financial system. IT and information security departments already monitor and alert to numerous forms of cyberattack, as well as investigate internal and external data, device and network compromises. Physical security groups and human resources departments already investigate infrastructure and authorized user concerns, in addition to other abuses of internal resources. More departments and specialties could easily be added to the list.

Some integration and collaboration among departments might already exist in FIs. But when cybercrime investigation is viewed as an essential component of protecting the institution itself, then the combined power of each discipline’s knowledge, experience and real-time observations will be optimized. For example, if data collection and analysis were integrated processes across the institution, links among cyberthreats could be revealed—such as common cyber-identifiers used by both network intruders and money launderers. If employees were cross-trained and cross-tasked among investigative departments, they could better identify and gather evidence of criminal activity and its interconnections.

Embracing deeper cybercrime investigation would also improve existing cybersecurity prevention and response practices. A comprehensive understanding of what is attacking and exploiting data and systems—or, more often, attempting to attack them—is essential to both formulating appropriate protective measures and responding responsibly to compromise events. Moreover, incorporating a strong investigation component will help organizations comply with all regulations, as well as demonstrate the reasonableness and diligence of their security practices if civil, regulatory or insurance questions arise.

Law Enforcement and the AML Model

Intensified FI cybercrime investigation should lead to increased law enforcement and government action against cybercriminals. However, that increase will not happen unless changes are made to the national law enforcement approach. FinCEN was created to provide law enforcement with evidence from FIs to pursue financial crime investigations.3 But the raw truth is that if cybercriminals are to be stopped in meaningful numbers, law enforcement investigation capacity must expand greatly. FIs can supply increasingly useful information to FinCEN, but if there is not enough investment in cyber law enforcement, its power is lost.

Law enforcement efforts that mirror the AML model would be profoundly more effective. Just as FIs have systematized the evidence collection and reporting of cyber-enabled crimes ,the law enforcement side needs dedicated personnel and resources to receive and investigate this evidence (along with evidence from other sources). The volume and complexity of cybercrime cannot possibly be addressed by a small number of hardworking investigators within High Intensity Financial Crime Areas (HIFCAs) and other specialized units.4 Rather, a unified, organized and much larger law enforcement response to cybercrime is required. A parallel can be found in the law enforcement response to drug trafficking, the complexity and geographical scope of which eventually led to the creation of the Drug Enforcement Administration (DEA).

Leading the Charge for More Law Enforcement and Government Action

Pushing for increased law enforcement response will take persistent, proactive efforts, and it is in the security interest of FIs to lead this charge. FIs are in a unique position to do so. They have the necessary international reach, putting them in an unusually strong position to press the case for meaningful collaboration with government and investigative authorities worldwide. Both individually and collectively, FIs can yield enormous influence in advocating that governments prioritize and fund direct, aggressive action against cybercriminals, including the seizure of criminal equipment and financial assets. Because FIs stand so centrally within the storm of cybercrime, their voice on needed change will carry.

The financial sector can also support expanding private endeavors to locate and disable the communication sites and computer networks utilized by criminal actors. More investigations and civil legal actions targeting criminal infrastructure would effectively disrupt and remove ongoing cyberthreats.

Cybercrime Investigation Makes Assets and Operations More Secure

In sum, organizations are made safer by addressing the cause of their cybersecurity woes. FIs (and other organizations and industries) should make investigating cybercrime a priority. FIs can expand their investigative practices and lead the private sector in urging a major escalation of law enforcement and government action. The benefits are clear. The costs will be more than made up for by the savings in cyber damage and fraud loss. Countless security professionals have heroically defended their gates and responded to invasions, but the criminals keep coming in through the floor, windows, ceilings and walls. In the next 20 years, being cyber secure will take more than patching the holes and putting more guards outside. It is time to take the fight to the cybercriminals’ gates as well.

Antonia Merzon, Esq., CO, USA,

  1. Antonia Merzon and John Bandler, Cybercrime Investigations: A Comprehensive Resource for Everyone, CRC Press/Taylor & Francis, 2020.
  2. “Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime,” Financial Crimes Enforcement Network, October 25, 2016, This advisory informed FIs that BSA compliance includes reporting of cyber-enabled crimes and events to FinCEN, including cyber-identifiers and other related information. The advisory also encourages investigative collaboration among internal FI units and information sharing among FIs.
  3. 31 U.S.C.§310
  4. The HIFCA system was created under the Money Laundering and Financial Crimes Strategy Act of 1998 and helps coordinate federal, state and local efforts to address financial crimes in a particular geographical area or industry.

Leave a Reply