What Is Cybercrime?
- May 15, 2025
- Clayton Rice, K.C.
Cybercrime transcends national borders and includes a range of offences generally associated with a profit motive such as fraud, extortion and identity theft. Cybercrimes that involve at least one state actor are often referred to as cyberwarfare. Cybercrime not only impacts security of the person but also implicates the broader right to privacy when personally identifiable information is stolen by way of unauthorized computer intrusion. But how is cybercrime defined and can its parameters be distilled to a core element for analytical purposes?
1. Introduction
The term “cybercrime” is not defined in Canadian criminal law although unauthorized use of a computer and possession of devices to obtain unauthorized use of a computer system are offences contained in the Criminal Code. Nevertheless, the term cybercrime is commonly used to broadly describe crimes that involve a computer, network or a networked device. The term generally refers to the use of a computer as an “instrument to further illegal ends” such as fraud, identity theft or drug trafficking. (here) Some cybercrimes involve direct attacks against computers to damage or disable them and others involve deploying malware to infect a computer with a virus that spreads to other computers. (here) Most reported cybercrimes are profit driven such as ransomware attacks and theft of banking data or credit card information. The variety of threat actors runs the gamut from the lone wolf engaged in cyberbullying to state-sponsored actors carrying out sophisticated attacks against corporate entities, public utilities and government institutions. Social engineering and phishing emails are common tactics associated with many types of cybercrime.
2. Forms of Cybercrime
Cybercrime takes many forms with countless potential targets. It may be a relatively simple event with a narrow impact or a complex one with widespread implications. Here are three common cybercrimes that I discussed in previous posts to On The Wire. (here, here and here) Malware is malicious software that infects individual devices and systems in order to damage or gain access to computers or networks. Malware includes viruses, ransomware and spyware. It is usually spread through contaminated emails and websites. Ransomware is a form of malware that takes control of a system or network preventing users from accessing their data. The data is held hostage pending the payment of a ransom, usually in cryptocurrency, in exchange for a decryption key. The ransom demand is often accompanied by a threat to dump the user’s data on the internet if the ransom is not paid. Denial of service, or distributed denial of service, is the tactic of bombarding connections to a website with requests to overload the system. The website is effectively shut down, denying service to clients or customers. Social engineering is the act of deceiving or manipulating a target into providing personal information that is then used to carry out fraudulent activity.
3. Toward a Definition
Cybercrime functions in the digital world of borderless anonymity. The Royal Canadian Mounted Police, Canada’s federal police agency, defines cybercrime as “any crime where a cyber element has a large role in a criminal offence.” (here) The term captures two categories of crime: (a) crimes where technology is being targeted; and, (b) cases where technology is used to commit a crime. Crime where technology like computers and networks is targeted includes ransomware, malware, hacking and botnet attacks. According to the RCMP “these crimes are often committed for profit, to cause reputational damage, conduct espionage and/or steal personal information to commit identity fraud or sell on the dark web.” Many of these crimes are now offered as a service that implicates more than one person in the commission of the crime. Cases where technology is used to commit a crime include fraud, money laundering and drug trafficking.
The European Commission is the European Union’s main executive body that proposes legislation, upholds EU treaties and ensures Member States apply EU law and policy. (here) The Commission has characterized cybercrime as consisting of “criminal acts committed online by using electronic communications networks and information systems.” (here) It has classified cybercrime into three categories: (a) crimes specific to the internet such as attacks against information systems or phishing (e.g. fake bank websites to solicit passwords enabling access to victims’ bank accounts); (b) online fraud or forgery comprised of large-scale fraud committed online through instruments such as identity theft, phishing, spam and malicious code; and, (c) illegal online content including child sexual abuse material, incitement to racial hatred, incitement to terrorist acts and glorification of violence, terrorism, racism and xenophobia. (here)
The term “cybercrime” is distinct from the term “computer crime” although the latter may embrace the former. The U.S. Department of Justice has broadly defined the term “computer crime” as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution.” (here) The DOJ divides computer-related crimes into three categories: (a) where a computer is the “object” of a crime such as the theft of computer hardware or software; (b) where a computer is the “subject” of a crime that encompasses any attempt to interfere with the services and activities provided by computers and their servers; and, (c) where a computer is the “instrument” used to commit traditional crimes such as identity theft and copyright infringement. The 2024 Internet Crime Report published by the FBI stated that the top three cybercrimes in 2024 were phishing/spoofing, extortion and personal data breaches. (here and here)
On December 24, 2024, the United Nations General Assembly adopted the Convention against Cybercrime by Resolution 79/243. (here) The convention provides a framework for how law enforcement agencies in different countries coordinate cybercrime investigations and will come into force after forty states have become parties. The convention was adopted over objections by human rights advocates, cybersecurity experts and technology companies who criticized it for expanding the surveillance and data collection capabilities of authoritarian regimes. (here) Writing for Lawfare, Kate Robertson of the Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto, said the convention’s “mandate calls for surveillance and cross-border-data-sharing powers over a breathtaking range of online content – a vision that, as advocated by Russia and China, and other adversaries, dramatically overshoots a narrow focus of combating cybercrime.” (here)
4. Conclusion
Can the parameters of cybercrime be distilled to a core element that provides a cornerstone for analytical purposes? While there is no universally accepted definition of cybercrime, noticeably absent from the United Nations convention, it is essentially an act using technology to facilitate a crime. The European Parliament has employed the term to describe the “use or exploitation of information and communication technology (ICT) and/or the internet to commit crime.” (here) The following two categories of cybercrime used by the European Parliament are attractive because they embody the core element of technologically facilitated crime: (a) cyber-dependent crimes; and, (b) cyber-enabled crimes. Cyber-dependent crime is “any crime that can only be committed using computers, computer networks or other forms of information communication technology” typified by malware and hacking. Cyber-enabled crimes are “traditional crimes facilitated by the internet and digital technologies” including fraud through phishing and counterfeiting. Cybercrime is actually, then, not a new crime but a new way of committing crime in general.