The analysis of the Socio-Technical Environment (STE) of Online Sextortion from a Cyber Security Perspective
Summary
Extortion is an old crime that has taken on a new dimension with developments in technology. With the advent of modern communication technology, there is now the potential to affect anyone who is targeted and becomes trapped in an online sextortion racket, irrespective of the geographic and social distance between extortioner and extortionee. The Federal Bureau of Investigation (FBI) (fbi.gov 2017) describes sextortion as "a serious crime that occurs when someone threatens to distribute a person’s private and sensitive material if they don't provide the perpetrator with images of a sexual nature, sexual favours, or money". The perpetrator may also threaten to harm a targeted individual's friends or relatives by using the information they have obtained from that person's electronic devices or online profile unless the target complies with their demands. The FBI states that online predators work to gain the trust of the targeted victim by pretending to be someone they are not. Predators look for their prey by lurking in chat rooms and recording users who post or live-stream sexually explicit images and videos of themselves, or they may hack into a targeted victim's electronic devices using malware to gain access to their files and control their web camera and microphone without them knowing it.
This post asserts that online sextortion is a socio-technical issue from a cybersecurity perspective by showing the socio-technical environment of online sextortion. It is about people using their devices to access different social media and/or messaging services. A malicious user uses these same devices and services to socially engineer and/or attack a target person (or persons) in order to obtain information or data, which the malicious user can then use against the target in order to extort from them. Classically, much of the initial social engineering is a side-channel attack that is required to achieve the end goal. In isolation, the social engineering may be impossible to distinguish from conventional social contact. The social aspect is that when people are affected, it affects their emotional state and dignity, may cause financial harm and, in some cases, may destroy their reputation. The social response revolves around education and awareness. The technology aspect is both the means by which it happens and a source of possible counters to online sextortion.
Social Technical Environment (STE) is used as a broader description of a Social Technical System (STS). It can be defined as the relationship between how people interact with technology and the role they use it for. The STS developed from computer systems design hierarchies. Shown below.
Online sextortion has most commonly occurred via phone/tablet messaging applications, social networking sites and video chats. Often the perpetrator uses multiple mediums and profiles. It ignores international borders, leading to transnational child abuse. Online sextortion can also lead to the perpetrator aiming to meet their victim, resulting in contact child sexual abuse. Shown below.
This post presents the STE model of online sextortion from a cybersecurity perspective and how it was developed. It discusses the role of crucial domains in preventing online sextortion and the work being carried out to counter perpetrators who carry out online sextortion. Finally, the STE of online sextortion will show why a holistic approach is needed from a cybersecurity perspective to prevent online sextortion from occurring.
Background Information
The naivety of the victims, either on a relational level or on a technical level.
A EUROPOL report (2017) examined online sexual coercion and extortion as a form of crime affecting children. The report aimed to raise awareness and to contribute to the public debate on what the effective responses to it are. The report determined two broad perpetrator profiles.
Offender Profile Sexual Motivation: Male.
· Operates alone but trades the acquired content.
· May act at both international and national level.
· Activity driven by knowledge of languages.
· Targets female victims.
· May know the victim in person.
· Goal: to obtain sexual material.
Offender Profile Financial Motivation: Both genders.
· Members of an organised criminal enterprise.
· Operates in teams based in developing countries.
· May act at both international and national level.
· Targets male victims in countries linked by language.
· Does not know the victim in person.
· Main goal: to obtain money.
The report noted there is no ‘typical' victim of sexual coercion and extortion. There are no determined patterns of causation as to how and why people become victims. It does note from studies (lse.ac.uk 2017 and ncbi.nlm.nih.gov 2011) that females are more likely to be affected than males and that, when minors are affected, there is a correlation between a higher risk of sexual coercion and both unsupervised internet access and a failure to perceive the risks of online actions.
Victim Profile: Any person whose sexual material could be acquired by a perpetrator.
· Usually female in the case of sexually motivated perpetrators.
· Usually male in the case of financially motivated perpetrators.
The characteristics in cases of online sexual coercion and extortion affecting children:
· The absence of parental control.
· Willingness to share self-generated sexual content.
· A significant amount of time spent online each day.
· Use of social networks and other ways of online communication, especially through mobile devices.
· Befriending strangers.
· Sexualised conversations with strangers.
· Lack of technical knowledge.
A mixture of factors has seen reports of sextortion increase. One is the rise of always-connected devices and applications, because they open people to vulnerable scenarios where they may be taken advantage of. Reports from the NCA CEOP command's campaign (Toogood 2015) highlight the increased risk that children face online due to them valuing popularity over privacy because of how social media services have been designed. Malicious people take advantage of this behaviour. For example, webcams and internet-connected devices are vulnerable to socially engineered hacks that install malware to gain control and carry out acts of sextortion. Also, part of the problem is some children’s naivety, in that they treat the sharing of all types of information online as normal behaviour. They do not fully understand the wider consequences, such as content being shared beyond their control and the long-term existence of the material online.
The EUROPOL report (2017) summarises what response needs to be implemented to counter or prevent online sextortion:
- Guidelines for IT industry.
- Prevention software.
- Safer internet policies.
- Studies on offenders in the virtual world/grooming.
- Virtual – versus real-world studies.
- Evaluation of national strategies.
- Law enforcement-oriented actions.
- Websites for the online reporting of online sextortion.
- Police advice/warning in newspaper.
- Education and awareness raising.
The STE Model of Online Sextortion
The STE model comprises three network models: task, social and information. Task networks describe the relationships between tasks, their sequence and interdependences. Social networks analyse the organisation of the system (i.e. communications structure) and the communications taking place between the actors and agents working in the team. Information networks describe the information that the different actors and agents use and communicate during task performance (i.e. distributed situation awareness).
It uses social, task and information networks to classify the connections between people and the actions they undertake. The networks show the social links between victims and perpetrators, the tasks that occur during the process of online sextortion, and what information is exchanged between the victims and perpetrators during online sextortion.
The STE of online sextortion involves the interaction of many different platforms, the users and participants in the system and the threat agents that form part of online sextortion. By understanding how these individual elements interact and relate to each other, ways to counter and prevent online sextortion can be better understood and proposed. The role of cybersecurity is integrated into the model as a means to counter, prevent and mitigate online sextortion.
Application of this model
Four domains: law enforcement, political, institutional and personal (or intercommunal) will be discussed from a cyber security perspective, in terms of how they might be applied to the STE of online sextortion in order to counter it.
The application of the philosophy of Louis Brandeis, “sunlight is the greatest disinfectant”, in which exposure of deviant behaviour reduces the likelihood or incidence of such behaviour, would be expected to be a positive way forward. Increased general awareness about sextortion and the harm it causes helps victims feel more confident about coming forward to prosecute their tormentors. The connection to the STE of online sextortion from a cybersecurity perspective is that many of the resources and legislation that give people protection and the right to justice apply to this area as well.
For law enforcement's role in tackling online sextortion, deterrence is one of the primary means to deter perpetrators from committing malicious acts. In policing, deterrence of crime relies on two key principles for it to be effective (nij.gov 2017). These are:
1. Police deter crime by increasing the perception that criminals will be caught and punished.
2. Incarceration can act as a deterrent when an individual fears incarceration before they commit a crime and thus refrains from committing future crimes. Though for incarceration to act as a deterrent, the severity of punishment must be sufficient.
For cyber deterrence to work there are three key components: a credible defence; the ability to retaliate; and the will to retaliate (Wei 2015). It is possible for these components to be adapted to law enforcement, since from a defence perspective cyber deterrence seeks to dissuade the attacker from acting for fear of retaliation. For law enforcement, cyber deterrence needs to be able to dissuade the perpetrator from committing acts of online sextortion for fear of being caught and incarcerated in prison. The problem is that at this moment no single doctrine has yet been developed from a law enforcement perspective. Concerning the STE of online sextortion, there are only partial solutions from government, NGOs and technology companies, which only when brought together as part of a holistic solution might fill the role of a cyber deterrence.
Governments and other international bodies need to make use of education policy and collective action to tackle online sextortion by aligning responses to it. Also, Government departments and agencies act to deal with fraudulent messengers to prevent phishing by blocking IP addresses used for malicious actions. They could expand this to block IP addresses being used by organised crime groups who are carrying out online sextortion. This would disrupt crime groups' means to socially engineer people, thus depriving them of income. NGOs and charities often take the lead in education and awareness campaigns to improve children's and adults' internet safety and ensure that they can recognise online malicious attacks, for example, phishing attacks and malware downloads. By working more closely with Government bodies and technology companies, they could further improve their education and awareness campaigns and be able to reach more people than they could alone.
Technology companies already have measures in place to block and remove users who break the terms of the agreement of the services they provide, which often involves the false profiles that can be used to carry out online sextortion, and they also have policies in place to co-operate with law enforcement warrants and investigations. At present, this is a passive and reactive way to deal with online sextortion. Technology companies could take a more active role by using software and AI to determine whether a user is using false profiles which could be used to carry out malicious acts.
Families and individuals are now being encouraged to take a more active role in their online security. Parents could be encouraged to use applications like Oyoty to help their children learn and improve their security behaviour when online. While this doesn't prevent online sextortion directly, by enhancing users' security behaviour it should give them the knowledge and awareness to avoid being caught out in a social engineering scam, of which online sextortion is a specific type.
As the market for cyber insurance develops and matures, it might lead to companies, organisations and maybe individuals developing better security behaviour.
Recommended Future Actions
1. Greater use of holistic planning
2. Law enforcement should develop a cyber deterrence strategy
3. Improved recording and auditing of digital evidence
4. Expanded use of IP blocking of known malicious addresses
5. Greater co-operation between Government, NGOs and technology organisations to improve cyber safety and security education and awareness
6. Technology companies should develop software and AI to remove false profiles before they can be used for malicious acts
7. Encourage better personal security behaviour, as feedback applications like Oyoty aim to achieve
8. Expanding cyber insurance to cover and protect individuals
Conclusion
The analysis of the socio-technical environment of online sextortion from a cybersecurity perspective has shown that it cannot be treated separately as either a purely social problem (social engineering) or a technical problem (vulnerabilities of devices and software) that can cause online sextortion to happen. Instead, due to the wide-ranging and overlapping nature of the issues surrounding online sextortion, a holistic view must be taken. It showed why online sextortion is a socio-technical issue from a cybersecurity perspective.
This blog post about the STE and the discussion of online sextortion from a cybersecurity perspective has shown what measures are being taken at a government level, in the NGO area, by technology organisations and at a personal/intercommunal level to prevent online sextortion. Also, it has shown that measures within different cybersecurity areas have the potential to be applied to preventing online sextortion. These include the blocking of IP addresses and adapting cyber-deterrence from the defence theatre to law enforcement. Using AI to determine whether a social media/online profile is genuine or not remains a hypothetical measure, because teaching software to carry out such a task with a high degree of accuracy and precision would not be easy. Also, the responsibility of carrying out such checks of users’ profiles would have to satisfy privacy and data protection regulations. When these measures are paired with government policy and education campaigns, they have the collective potential to prevent online sextortion. Because these cybersecurity measures are already used in the real world, they can be applied to the STE of online sextortion with minimal effort to prevent it. Within the context of the socio-technical environment of online sextortion from a cybersecurity perspective, this holistic approach is already being used in a limited way to tackle online sextortion and, if developed further, could lead to a future situation where many more incidents of online sextortion are prevented than today. Finally, do these proposed ideas have the potential to be applied to real-world use? The answer is yes: using the STE of online sextortion to develop a holistic cyber security strategy to prevent online sextortion is possible.