Among the various anxieties that currently plague affluent modern society, cybercrime surely ranks near the top. It makes sense; as data comes to define our lives to a greater and greater degree, the specter of some unseen hacker pilfering our information with impunity or emptying our bank account with the click of a mouse is justified cause for concern. But perhaps we should consider the alternative.
By way of illustration, consider two robberies of fairly recent memory—one old-school, the other new.
The old-school example is the 1997 holdup in North Hollywood in which two armed-to-the-teeth bandits attempted to blast their way out of a Bank of America they had just robbed of a little over $300,000 in cash. In the ensuing shoot-out with police, some 1,750 rounds were spent, and miraculously, only the perpetrators wound up dead. But the casualties didn’t end there. Eighteen people—11 cops and 7 civilians—were badly injured. The bloody incident led to upgrades in police firepower and contributed to the increased militarization of law enforcement agencies across the country.
The new-school heist, reported earlier this year, targeted more than 100 banks around the world, but mostly in Russia. Not a shot was fired. Instead of guns, the robbers used malware-laced spam to get past bank security. Once the malware was in the bank’s system, the hackers studied how transactions were conducted and used that knowledge to transfer money to their own accounts. By the time the scheme was discovered, they had made off with an unprecedented haul—estimates range as high as $1 billion. Few, if any, banks reported the incident; nor have any arrests been reported.
Assuming banks will continue to be robbed, which type of heist do you prefer—the new way or the old? The question is rhetorical, since both methods will no doubt persist. The new method, however, may be harder to defend against. Although law enforcement has made great strides in curbing old-fashioned crime, it’s less clear whether the good guys are winning the battle for cybersecurity.
Cybercrime, says Franklin Zimring, “is independent from crime in the streets, next year or in the next decade. It’s a risk we have to pay more attention to, because things are going better on city streets.” Zimring, a UC Berkeley professor of law and director of the law school’s criminal justice research program, is referring to the observed reduction in most violent crime in the United States. The statistics may surprise most Americans, fed as we are a steady news diet of murder and mayhem: According to the FBI, between 1993 and 2012 the homicide rate fell 51 percent, forcible rapes by 35 percent, robberies by 56 percent, and aggravated assault by 45 percent.
Sure, things are still bad, but they have been worse.
Think back to New York City in the ’70s and ’80s, when no one dared enter Central Park after dark, and even in daytime you were obliged to keep an eye out for trouble. Muggings were rife, the subways were dangerous, and life in the Big Apple was tinged with dread. Hollywood’s vision of New York’s future reflected the general paranoia. Remember Escape from New York Remember The Warriors? Manhattan, at least according to the moviemakers, was poised to descend into anarchy. And the rest of the country seemed to be following its lead.
Then something completely unexpected happened. Crime went down—in New York and in cities nationwide. During the period from 1991 to 2000, violent crime fell 33 percent around the country and then flattened out. In New York, the decline continued for another seven years. “Whatever New York was doing, it was better at reducing crime than what the rest of the U.S. was doing,” says Zimring, who in 2011 published The City That Became Safe: New York’s Lessons for Urban Crime and Its Control.
Among the things New York did right, according to Zimring, was increase the size of its police force by 41 percent—far more than any other U.S. city. Crucially, that extra manpower was used to shut down open-air drug markets, where dealers battled for control of the best corners. The drug dealing didn’t necessarily decrease, but drug-related violence did. As Zimring explains, “If my coke peddling and your coke peddling are both driven indoors, we’re not going to shoot each other.”
It wasn’t just the drug corners that were targeted; the NYPD also concentrated on other hotspots, putting the most cops where the most crimes were occurring. It sounds simple enough in theory: If you have a high incidence of criminal activity at, say, 125th Street and Lenox Avenue on most Tuesday nights, then you send more patrol cars there and the crooks will stay away. Then again, it sounds almost too simple: After all, wouldn’t the crooks just wait until Wednesday to carry out their crimes, or take their business to a corner across town?
The logic is impeccable, Zimring admits, but it also proved wrong. “Impulses to commit crime turn out to be more situational and contingent than what we thought they were.” It seems the bad guys are lazy. Instead of changing up their game in response to police activity, they “smoke a little weed, drink some wine, and watch TV. And they don’t commit robbery.”
The big trick was how to recognize the hotspots. For that, New York relied on CompStat, a program developed more than 20 years ago to analyze where and when crimes happened and then crunch the citywide data into somewhat digestible form. Today, the CompStat concept has grown more sophisticated and has spread to the rest of the States, in the form of software developed and sold by private companies under the generic label of “predictive policing.” Here in California, there’s PredPol, the predictive policing company cofounded by UCLA anthropologist Jeff Brantingham, which uses mathematical models to pinpoint urban areas, down to 500-square-foot units, “where crime will occur in the next 10 to 12 hours.”
Inevitably, the very idea of predictive policing elicits hand-wringing from civil libertarians who worry that it’s just old-fashioned profiling dressed up in high-tech duds.
“Crime patterns are very complicated, and they’re not stable,” says Brantingham. “Most people think there’s a bad neighborhood over there and a good neighborhood here. That may be true in long-term patterns, but today it’s more complicated—they pop up and disappear, then pop up over there.”
Inevitably, the very idea of predictive policing elicits hand-wringing from civil libertarians who worry that it’s just old-fashioned profiling dressed up in high-tech duds. Brantingham, however, insists that PredPol doesn’t take into account race or other social characteristics, and only predicts where and when crime is most likely to occur based on analysis of past crime patterns. “It’s up to the police to use this in a constitutional manner.”
Of the 50 or more police agencies using PredPol, one is the UC Berkeley Police Department. Operations commander and Cal alum Capt. Alex Yao says that after they first started using PredPol in July 2014, over the following 6 months the department saw an almost 20 percent reduction in aggravated assaults, and a 29 percent drop in burglaries. While he hesitates to give PredPol sole credit for the reductions in crime, Yao admits the numbers are impressive.
If high technology is helping the cops to battle crime, though, it’s also giving a leg up to the robbers. As Jim Bueermann, president of the Police Foundation, a nonprofit think tank based in Washington, D.C., puts it, “That’s the nature of criminal behavior. They’re very ingenious.”
Such ingenuity was recently captured by surveillance camera on a quiet Sausalito residential street. On a Thursday afternoon in February 2015, a Volkswagen Golf pulled up alongside a parked Audi. The VW’s driver reached out and touched the Audi, then drove around the block and parked not far behind his target. He got out of the VW, opened the Audi’s hatch, and stole a $15,000 bicycle belonging to a professional triathlete.
It wasn’t the first theft of this kind. Security experts say modern cars’ remote wireless fobs and keyless ignitions can easily be hacked.
Earlier this year, New York Times tech columnist Nick Bilton witnessed a couple of teenagers using a “little black device” to pop open his Toyota Prius parked just outside his Los Angeles home. Bilton talked to Boris Danev, the founder of a Swiss security company, 3db Technologies, who said the thieves used a “power amplifier” to boost the car’s wireless signal as it attempted to communicate with the fob. Ordinarily the fob opens the locks remotely, but only when the driver is within a few feet of the car. By amplifying the car’s signal, they were able to locate the fob in the house, and presto! Come on in.
“You can buy these devices anywhere for under $100,” Danev told Bilton, who wrote that he now keeps his remote fob in his freezer when he’s home.
If you can use a mobile phone to set your home’s thermostats, turn on the sprinklers, or, more to the point, unlock the front door, so can the bad guys. “The minute you set your house up for the Internet, it’s vulnerable.”
So, is this the future of crime? A mere swipe and everything is open sesame? Bueermann thinks so. “Cybercrime will expand dramatically,” the former chief of Redlands Police Department says. “As the world becomes more digital, we already see hacking into databases to get credit card numbers. And we’ll see hacking into alarm systems, cars, door locks, you name it.”
If you can use a mobile phone to set your home’s thermostats, turn on the sprinklers, or, more to the point, unlock the front door, so can the bad guys. “I’m an amateur propeller-head myself and I like that,” Bueermann says of all the whiz-bang things his smartphone will do, “but the minute you set your house up for the Internet, it’s vulnerable.”
“This is just the beginning, and it’s only going to get worse because we’re seeing so much success,” says Jim Stickley, a San Diego security consultant who advises firms on how to protect themselves. “People haven’t changed their game plan on how to secure a network, and the criminals have figured this one out.”
Peter G. Neumann is a senior principal scientist in the computer science lab at SRI International. He both finds cyber risks and designs systems to avoid many of those risks, and he calls cybercrime “low-hanging fruit” for criminals. There’s more instant gratification, he notes, and less chance of getting caught.
All of which is true, of course. But although the threat of hackers breaking into our bank accounts and the back seats of our cars may be troubling, at least no one gets hurt. In the case of the Audi, there wasn’t even any broken glass to clean up. Seen that way, the victim of the theft might even feel lucky.
Where cybercrime gets scary is when it rises to the level of terrorism. Neumann pointed to a 2007 incident in which Russian hackers, probably with the backing of the Russian state, managed to paralyze the country of Estonia (one of the most wired countries in Europe) by attacking the computer networks of its banks, media, and government.
“You can imagine a nation-state or an al Qaeda taking down our infrastructure,” Neumann says. “Every part of our critical national infrastructure is on the Internet—electric power, pipelines, aviation, railroads, finance, banks, money transfer, public transit, and water.” And so it seems our society may have entered an age of increased vulnerability, even as our streets have grown safer. Will that trend continue? Zimring believes there’s still too much uncertainty about the reasons for the decline in violent crime to say.
“We’re very clear where we are, but what we can’t do, with any real scientific confidence, is predict the future. You can’t predict what you can’t explain.”
Michael Taylor is a veteran Bay Area reporter specializing in crime, courts, and cars.