Hey look, this is not the type of book I would usually read out of interest, but since I reviewed it for a trade publication a couple of months ago and found it pretty interesting I thought I would share my thoughts.
The full title of this 2012 book is Cybercrime in the Greater China Region: Regulatory Responses and Crime Prevention Across the Taiwan Strait. It is the PhD thesis of Taiwan-born Lennon Yao-chung Chang at Australia National University. It might sound kinda boring — and there are stretches that remind you very clearly that this is an academic paper — but there are plenty of interesting ideas here because of the fascinating political dynamics at work between Taiwan and China, both of which rank near or at the top in terms of malicious internet activity (in terms of perpetrators and victims).
As this is a relatively untapped area of research, the paper does suffer from limited access to data, especially in China, where every question from a Taiwanese academic would naturally be met with scepticism. The majority of information is therefore accumulated through empirical data and interviews with internet professionals in the private and public sectors and law enforcement on both sides of the Taiwan Strait.
Don’t worry if you don’t know much about Taiwan-China relations, cybercrime laws or internet terminology, because those are the things Chang addresses first in the book. He combs through the political situation between the two countries and the official lines of “reunification” and “independence”, and how this would pose difficulties in co-operative cybercrime investigation, prosecution, enforcement, and the concept of dual criminality. He also discusses at some length the legislative provisions from both countries — some of which, particularly in Taiwan, were not developed until only a few years ago (to my surprise, given Taiwan’s reputation as a technology leader).
Chang also explains what are malware, torjans, viruses and bots, which can turn computers effectively into “zombies” that can then be controlled to attack others. The problem with these cybercrime tools is that they adhere well to criminal theory — low cost, low risk and high reward, lots of opportunities and targets, and the lack of a proper reporting system.
The leading legal document tackling international cybercrime is the Council of Europe’s Convention on Cybercrime, but it happens to be relatively useless to both China and Taiwan. The problem with China is that they are just not that interested in the convention because its laws are too different, and more importantly, the Chinese government wants (or arguable needs) to maintain more control over its internet channels at the expense of the privacy and free speech of its citizens. On the other hand, Taiwan would love to be involved, but it’s not recognised as a country by signatories and is not part of the United Nations.
While the China and Taiwan have in place a number of cooperation agreements between non-governmental organizations that could potentially cover cybercrime, laws still cannot be enforced without government assistance. There are, of course, no official bilateral agreements between the two countries on cybercrime.
The discussions about these diplomatic difficulties and contradictions are where the book gets most interesting. China is really only willing to co-operate with Taiwan if it is also a victim of the same crime, and even then, there are the complexities of the Chinese concepts of guan-xi (personal relationships) and ren-qing (favours) which could prove to be huge stumbling blocks in any joint effort. Even the latest debacle involving Edward Snowden, the ex-NSA contractor who spilled the beans on US internet and phone surveillance, shows just how hard it is to get anything done when Beijing is involved.
The parts of the book I enjoyed the most were the painfully hilarious interviews with Taiwanese experts and officials on cybercrime issues. The problem with Taiwan’s cybercrime enforcement can be summed up as follows: the people who understand the law don’t understand the technology; the people who understand the technology don’t understand the law; the people who want to change the law don’t have the power; and the people who have the power don’t want to change the law. On top of that, all cybercrime investigation teams in the country are pitifully small and often can’t be bothered chasing cybercriminals because of the low success rate.
My favourite quote from the whole book comes from a Taiwanese cybercrime professional. The quote, sadly, would be less funny if it weren’t so true:
Even if the laws are adequate, our…judges and prosecutors are all IDIOTS in the area of technology. This is what I feel ashamed of…We have advanced laws, retarded law enforcement officers, and an insufficient law enforcement system…Almost all the law enforcement officers, around 99% of them are idiots, what can we do? That is nothing to do with laws. Brains need to be changed. What I am always emphasizing is that courts need to be professional. If judges are not professional, then how can we persuade others that our courts are professional?
So how does Chang suggest we can change the situation? Well, the last portion of the book is dedicated to his recommendation, which is to develop a “wiki” approach to cybercrime that embraces an information-sharing platform with a gatekeeper and very specific protocols. The voluntary Aviation Safety Reporting System is noted as a possible blueprint.
Chang also calls on the media, especially in Taiwan, to not sensationalise cybercrime and to change the “image” of the victims, who often do not report out of fears of losing face and being audited. He compared the victims of cybercrime to the victims of sexual assault and infectious diseases in the sense that there is a stigma attached to them — this has to be changed in order for cybercrime enforcement to take the next step, he says.
Giving this kind of book a rating is difficult because as an academic paper it lacks of proper narrative thread and has many dry patches that could put anyone not using the book for research (and probably them too) to sleep. The fact that English is not Chang’s first language often sticks out like a sore thumb, notwithstanding the best efforts of his editors. The lack of data and cooperation from China was also frustrating at times. But I suppose for an academic paper it does have some very interesting sections and even a few that I found quite funny. Given the dearth of information available about this topic for now, the book is also possibly the most authoritative piece of research on it, so extra brownie points for that.
But let’s not pretend anyone would read it unless they had to.