The analysis of the Socio-Technical Environment (STE) of Online Sextortion from a Cyber Security Perspective

Summary

Extortion is an old crime that has taken on a new dimension with developments in technology with the advent of modern communication technology, there is now the potential to affect anyone who is targeted and becomes trapped in an online sextortion racket irrespective of the geographic and social distance between extortioner and extortionee. The Federal Bureau of Investigation (FBI) (fbi.gov 2017) describe sextortion as "a serious crime that occurs when someone threatens to distribute a person’s private and sensitive material if they don't provide the perpetrator with images of a sexual nature, sexual favours, or money". The perpetrator may also threaten to harm a targeted individual's friends or relatives by using the information they have obtained from that person's electronic devices or online profile unless the target complies with their demands. The FBI state that online predators work to gain the trust of the targeted victim by pretending to be someone they are not. Predators look for their prey by lurking in chat rooms and record users who post or live-stream sexually explicit images and videos of themselves, or they may hack into a target victims’ electronic devices using malware to gain access to their files and control their web camera and microphone without them knowing it. 


The post asserts that online sextortion is a social-technical issue from a cybersecurity perspective by showing the socio-technical environment of online sextortion. It is about people using their devices to access different social media and/or messaging services. A malicious user uses these same devices and services to socially engineer and/or attack a target person(s), in order, to obtain information or data which the malicious user can then use against the target, in order, to extort from them. Classically much of the initial social engineering is a side-channel attack that is required to achieve the end goal. In themselves, in isolation, the social engineering may be impossible to distinguish from conventional social contact. The social aspect is that when people are affected, it affects their emotional state, dignity, may cause a financial harm and in some cases, may destroy their reputation. The social response revolves around education and awareness. The technology aspect is both the means that by which it happens and ways in which it may offer counters to online sextortion.


Social Technical Environment (STE) is used as a broader description of a Social Technical System (STS). It can be defined as the relationship between how people interact with technology and the role they use it for. The STS developed from computer systems design hierarchies. Shown below.







Online sextortion has most commonly occurred via phone/tablet messaging applications, social networking sites and video chats. Often the perpetrator uses multiple mediums and profiles. It ignores international borders leading to transnational child abuse. Also, online sextortion can lead to the perpetrator aiming to meet their victim as contact child sexual abuse. Shown below.






The model of STE of online sextortion from a cybersecurity perspective will be shown and how it was developed. The blog will discuss the role of crucial domains in preventing online sextortion and the work being carried out to counter perpetrators who carry out online sextortion. Finally, through the STE of online sextortion will show why a holistic approach is needed from a cybersecurity perspective to prevent online sextortion from occurring.

Background Information



An EUROPOL report (2017) of online sexual coercion and extortion form of crimes affecting children. The report aimed to raise awareness and to contribute to the public debate on what are the effective responses to it. The report determined two broad perpetrator profiles.

Offender Profile Sexual Motivation: Male.
·      Operates alone but trades the acquired content.
·      May act on both international or national level.
·      Activity-driven by knowledge of languages.
·      Targets female victims.
·      May know the victim in person.
·      Goal to obtain sexual material.

Offender Profile Financial Motivation: Both genders.
·      Members of an organised criminal enterprise.
·      Operates in teams based in developing countries.
·      May act at both international and national level.
·      Targets male victims in countries linked by language.
·      Does not know the victim in person.
·      Main goal: to obtain money.

The report noted there is no ‘typical' victim of sexual coercion and extortion. There are no determined patterns of causation as to how and why people become victims. They do note from studies (lse.ac.uk 2017 and ncbi.nlm.nih.gov 2011) that females are more likely to be affected than males and when minors are affected there is a correlation between higher risk of sexual coercion as result of unsupervised internet access and failure to perceive risks to online actions.

Victim Profile: Any person whose sexual material could be acquired by a perpetrator.
·      Usually female in case of sexually motivated perpetrators.
·      Usually male in case of financially motivated perpetrators.

The characteristics in cases of online sexual coercion and extortion affecting children:
 The naivety of the victims, either on a relational level or on a technical level.
·      The absence of parental control.
·      Willingness to share self-generated sexual content.
·      A significant amount of time spent online each day.
·      Use of social networks and other ways of online communication, especially through mobile devices.
·      Befriending strangers.
·      Sexualised conversions with strangers.
·      Lack of technical knowledge.


There is a mixture of factors that have seen reports of sextortion increase is the rise of always connected devies and applicationsbecause they open people to vulnerable scenarios where they may be taken advantage of. Reports from the NCA CEOP command (Toogood 2015) campaign about the increased risk that children face online due to them valuing popularity over privacy due to how social media services have been designed. Malicious people take advantage of this behaviour. For example, webcams and internet-connected devices are vulnerable to socially engineered hacks to install malware to gain control to carry out acts of sextortion. Also, part of the problem is some children’s naivety that they treat sharing of all type of information online as normal behaviour. They do not fully understand the wider consequences such as content being shared beyond their control and the long-term existent of the material online.

The EUROPOL report (2017) summarises what response needs to be implemented to counter or prevent online sextortion: 
  • Guidelines for IT industry.
  •  Prevention software.
  • Safer internet policies.
  • Studies on offenders in the virtual world/grooming.
  • Virtual – versus real-world studies.
  • Evaluation of national strategies.
  • Law enforcement-oriented actions.
  • Websites for the online reporting of online sextortion.
  • Police advise/warning in newspaper.
  • Education and awareness raising.




The STE Model of Online Sextortion




The STE model comprises three network models task, social and information. Task networks describe the relationships between tasks, their sequence and interdependences. Social networks analyse the organisation of the system (i.e. communications structure) and the communications taking place between the actors and agents working in the team. Information networks describe the information that the different actors and agents use and communicate during task performance (i.e. distributed situation awareness). 

It uses social, task and information networks to classify the connections between people and the actions they undertake. By using the networks to show the social links between victims and perpetrators. Also, the tasks that occur during the process of online sextortion. Finally, what information is exchanged between the victims and perpetrators during online sextortion.

The STE of online sextortion involves the interaction of many different platforms, the users and participants in the system and the threats agents that form part of online sextortion. By understanding how these individual elements interact and relate to each other ways to counter and prevent online sextortion can be better understood and proposed. The role of cybersecurity is integrated into the model as means to counter, prevent and mitigate online sextortion from happening.

Application of this model

Four domains: law enforcement, political, institutional and personal (or intercommunal) will be dusscussed from a cyber security perspective into how they might be applied to the STE of online sextortion in order to counter it. 

The application of the philosophy of Louis Brandeis, “sunlight is the greatest disinfectant”, in which exposure of deviant behaviour reduces the likelihood or incidence of such behaviour would be expected to be a positive way forward. Increased general awareness about sextortion and the harm it causes helps victims feel more confident about coming forward to prosecute their tormentors. This connection to STE of online sextortion from a cybersecurity perspective is that many of the resources and legislation that gives people protection and the right to justice applies to this area as well. 


For law enforcement role to tackle online sextortion deterrence is one of the primary means to deter perpetrators from committing malicious acts. In policing, deterrence of crime relies on two key principles for it to be effective. (nij.gov 2017) Theses are:


1.     Police deter crime by increasing the perception that criminals will be caught and punished.
2.     Incarceration can act as a deterrent when individual fears incarceration before they commit a crime and thus refrain from committing future crimes. Though for incarceration to act as a deterrent the severity of punishment must be sufficient.


For cyber deterrence to work there three key components: a credible defence; the ability to retaliate; and, the will to retaliate. (Wei 2015). It is possible for these components to be adapted to law enforcement since from a defence perspective cyber deterrence seeks to dissuade the attacker from acting for fear of retaliation. For law enforcement, cyber deterrence needs to be able to dissuade the perpetrator from committing acts of online sextortion for fear of being caught and incarcerated in prison. The problem is at this moment there is no single doctrine from a law enforcement perspective which has yet to be developed. Concerning the STE of online sextortion, there are only partial solutions from government, NGOs and technology companies which only when brought together as part of a holistic solution might fill the role of a cyber deterrence.

The Governments and other international bodies need to make use of education policy and collective action to tackle online sextortion by aligning responses to it. Also, Government departments and agencies act to deal with fraudulent messengers to prevent phishing by blocking IP addresses used for malicious actions. They could expand this to block IP addresses being used by organised crime groups who are carrying out online sextortion. This would disrupt crime groups means to socially engineer people thus depriving them of income. NGOs and charities often take the lead in education and awareness campaigns to improve children's and adults' internet safety and ensure that they can recognise online malicious attacks, for example, phishing attacks and malware downloads. By working more closely with Government bodies and technology companies, they could further improve their education and awareness campaigns and be able to reach more people than they could alone.

Technology companies already have in places measures to block and remove users who break the terms of the agreement of the services they provide which often involves the false profiles that can be used to carry out online sextortion and they also have policies in place to co-operate with law enforcement warrants and investigations. Now, this is a passive and reactive way to deal with online sextortion. Technology companies could take a more active role by using software and AI to determine whether a user is using false profiles which could be used to carry out malicious acts.

Families and individuals are now being encouraged to take a more active role in their online security. Parents could be encouraged to use applications like Oyoty help their children learn and improve their security behaviour when online. While it doesn't prevent online sextortion directly but by enhancing users' security behaviour, they should have the knowledge and awareness to avoid being caught out in a social engineering scam which online sextortion is a specific type of social engineering.

As the market for cyber insurance develops and matures, it might lead to companies, organisations and maybe individuals developing better security behaviour.



Recommended Future Actions
1
Greater use of holistic planning
2
Law enforcement should develop a cyber deterrence strategy
3
Improved recording and auditing of digital evidence
4
Expanded use of IP blocking of known malicious addresses
5
Greater co-operation between Government, NGOs and technology organisations to improve cyber safety and security education and awareness
6
Technology companies should develop software and AI to remove false profiles before they can be used for malicious acts
7
Encourage better personal security behaviour through feedback applications like Oyoty aim to achieve
8
Expanding cyber insurance to cover and protect individuals


Conclusion


The analysis of the socio-technical environment of online sextortion from a cybersecurity perspective has shown that it cannot be treated separately as a purely social problem (social engineering) or the technical problem (vulnerabilities of devices and software) that can cause online sextortion to happen. Instead due to the wide-ranging and overlapping nature of the issues surrounding online sextortion, a holistic view must be taken. It showed why online sextortion is a socio-technical issue from a cybersecurity perspective. 


Through this blog post about the STE and the discussion of online sextortion from a cybersecurity, perspective has shown what measures from a government level, NGO area, technology organisations and from a personal/intercommunal are being done to prevent online sextortion. Also, it has shown that measures within different cybersecurity areas have the potential to be applied to preventing online sextortion. These include the blocking of IP addresses and adapting cyber-deterrence from the defence theatre to law enforcement. The hypothetical measure is using A.I to determine whether a social media/online profile is genuine or not because of the problem in teaching software to be able to carry out such a task with a high degree of accuracy and precision would not be easy. Also, the responsibility of carrying out such checks of users’ profiles would have to satisfy privacy and data protection regulations. When these measures are paired with government policy and education campaigns, they have the collective potential to prevent online sextortion. By examining these cybersecurity measures which are already used in the real-world they can be applied to the STE of online sextortion with minimal effort to prevent it. Within the context of the socio-technical environment of online sextortion from a cybersecurity perspective, this holistic approach is already being used in a limited to tackle online sextortion and if further developed upon could to lead to a situation where situation on the future where many incidents of online sextortion are prevented when compared today. Finally, do these proposed ideas have potential to be applied to real-world use? The answer is yes, by using the STE of online sextortion to develop a holistic cyber security strategy to prevent online sextortion is possible. 

Comments

  1. Network security pretty much covers all of the types of security within a network, from components like databases and cloud servers to applications and the users remotely accessing the network.

    ReplyDelete

Post a Comment

Popular posts

Personal Interest - Unbuilt fleets of the Royal Navy

A personal interest post - Replacing the Tornado in the RAF

Personal Interest - Cancelled/Unbuilt British Army Projects