Sextortion as cybersecurity: Defining cyber risk too narrowly

This post orginally appeared on the Lawfare blog.

When we think of cybersecurity, we don’t think of sexual violence. Sexual assault, rape, and child molestation are problems of intimate contact between individuals in close proximity to one another. By contrast, we tend think of cybersecurity as a problem of remote attacks that affect governments, major corporations, and—at an individual level—people with credit card numbers or identities to steal.

We don’t think of teenagers or young adults as cybersecurity targets, because they don’t have things that the cyber-attackers we recognize most readily want. They don’t have intellectual property worth stealing and taking to China. They don’t have information of value to foreign intelligence agencies. They don’t have data so precious to them that they will pay ransom to organized crime gangs to decrypt it. They don’t, generally speaking, have money. They don’t, we conclude, have things of value that are vulnerable to cyber attack.

One thing I have learned from the work I have been doing (with Cody Poplin, Quinta Jurecic, and Clara Spera) on sextortion is that this conclusion is entirely wrong.

Teenagers and young adults do have in the cyber domain—as in the physical world—items of extreme value to attackers: their bodies. They also may have pictures of their bodies. They have the ability and technical capability to take more such pictures. And critically, they have friends in their contacts list who have those things as well and who trust them. To a certain group of attackers, just as in the physical world to rapists, these are items worth courting criminal sanction to steal.

It is, I think, a great mistake not to think of sextortion in cybersecurity terms.

At the risk of sounding like Bernie Sanders, our current cybersecurity debate treats as “real” cybersecurity only the concerns of the powerful. If the target is a big bank, that’s cybersecurity. If the target is the Sony Corporation and the intruder is North Korea, that’s cybersecurity. If the target is OMB, that’s cybersecurity too. And if the target is a rich person whose identity is worth stealing because there’s money in his bank account, that’s cybersecurity.

But if the target is a teenager or a young adult and perpetrator’s aim is sexual, we call that something else. We call it “online safety.” We call it child protection. If the victim is a child, we call it child pornography. We use an entirely different part of our brain—and our law—to think about the problem. And if the victim is an adult woman, we don’t really think about the problem much at all.

This despite the fact that the modality of attack may be precisely the same as the modality of attack against that big institution in the classic cybersecurity incident. The average teenage or young-adult Internet user is the very softest of cybersecurity targets. He doesn’t use strong passwords or two-step verification, as a general rule. He clicks on links when a plausible interlocutor sends them. He reuses weak passwords across multiple accounts. And he shares material easily with other teenagers whose cyberdefense practices are even laxer than his own. This is why the sextortionists thrive.

Sound familiar?

The similarities do not end there. One reason cyber attacks are proliferating is that the groups that conduct them have learned to scale things. They can attack lots of targets. Ditto the sextortionists. Moreover, a surprising number of the cases we looked at cross international borders—just like “real” cybersecurity incidents. Sixteen cases (21 percent of our sample) involve a perpetrator victimizing at least one person in a country other than that in which he is himself residing. It used to be impossible to sexually assault someone in a different country. That is no longer true. The same cybersecurity vulnerabilities that are making our corporations and government agencies ripe for cyber exploitations from foreign intelligence agencies and hackers are making teenagers and young adults ripe for highly-remote sexual exploitations. And the same features that make cyber exploitation of other data scalable are making these attacks scalable too. The result is an international remote sexual assault at a remarkably large scale, just as we see international remote cyber exploitation at a large scale.

At least some of the solutions, moreover, are common to other cybersecurity problems. Back in February, I  spoke on this issue at an event Bobby Chesney organized at the University of Texas on a panel alongside ACLU technologist Chris Soghoian. Soghoian drew my attention at that time to a question on which I had not focused previously but which ended up featuring prominently in our recommendations: Why are hardware manufacturers leaving webcams uncovered? Come to think of it, why are hardware manufacturers installing software-driven webcams that don’t have a physical off switch? People use their laptops in bed to watch movies, after all. Why are computer and phone makers putting cameras we can’t physically turn off in our bedrooms? And why are we letting them?

I think the answer to this question is that we don’t instinctively think of the risk of sexual violation as in any sense a cybersecurity risk. The result is that we don’t mind having a remotely-operable camera in our bedrooms. And more broadly, we don’t encourage kids and young adults whom we would caution again highly risky physical world behaviors to take basic cybersecurity precautions. But Soghoian’s point about webcams is not just right as to webcams. It’s right more generally: A huge number of the cases we looked at would simply not have happened had victims had the most rudimentary cybersecurity training. That suggests that sextortion is, as much as it is a sexual violence problem, a cybersecurity problem. And that, in turn, suggests that we have to understand cybersecurity vulnerability as including risks like sexual coercion and violence.

People concerned about cybersecurity and people concerned about sexual victimization—of children and adults alike—should be talking more to one another. More broadly, we need to think about the way we conceptualize cybersecurity and ask whether we are defining it too narrowly, to include only the cybersecurity risks of the strong and powerful and to ignore the cybersecurity risks of the most vulnerable in our society. They, it turns out, have data to protect too.

You can read more about sextortion and find the full report here.