2023 Mar 28;10:100282. doi: 10.1016/j.chbr.2023.100282

Facing cyberthreats in a crisis and post-crisis era: Rethinking security services response strategy

Matthieu J Guitton, Julien Fréchette
PMCID: PMC10043949  PMID: 37008183

Abstract

The recent years have witnessed two major events that have deeply impacted cybersecurity threats. First, the COVID-19 pandemic has drastically increased our dependence upon technology. From individuals to corporations and governments, the overwhelming majority of our activities moved online. As the proportion of human activities performed online is reaching new peaks, cybersecurity becomes a problem of national security. Second, the Russia-Ukraine war is giving us a glimpse of what cyberthreats may look like in future cyberconflicts. From data integrity to identity theft, and from industrial espionage to hostile manoeuvres from foreign powers, cyberthreats have never been so numerous and diverse. Due to the increase in the magnitude, diversity, and complexity of cyberthreats, the current security strategies used to face cybercriminality won't be sufficient in the post-crisis era. Therefore, governments need to globally rethink their national security services response strategy. This paper analyses how this new context has impacted cybersecurity for individuals, corporations, and governments, and emphasises the need to reposition the economical identity of the individuals at the center of security response. We propose strategies to optimize law enforcement response from police to counterintelligence, notably through formation, prevention, and interaction with cybercriminality. We then discuss the possibilities to optimize the articulation of the different levels of security response and expertise, by emphasizing the need for coordination between security services, and by proposing strategies to include non-institutional players.

Keywords: Counterintelligence, Cybercriminality, Cybersecurity, Industrial espionage, Police forces, Security forces

1. Introduction

The recent years have witnessed two major events which have deeply impacted the cyberthreat landscape and the needs for cybersecurity efforts. The first of these two events was the COVID-19 crisis. More than a year of partial or total lockdown of the population has left a strong imprint on people and structures at a global level. As the populations of the world repeatedly went in and out of lockdowns, the economy collapsed, public health systems were overwhelmed, schools and universities closed their classrooms, and international travel dropped to levels never seen in modern times. Yet, not all sectors faced the same struggles. As communication technologies appeared as a panacea to mitigate the impacts of enforced social distancing, at least one sector of the world economy took advantage of the pandemic: cybercriminality (Almeida et al., 2020; Kumar et al., 2022; Lallie et al., 2021; Okereafor & Adebola, 2020; Tasheva, 2021). The second of these two events is the current Russia-Ukraine war, which combines both a conventional and a cyberwar component, with this cyber dimension of the war providing extremely interesting insights on what modern war might look like in a future where technology becomes preponderant, particularly in economical activities (Guchua et al., 2022; Serpanos & Komninos, 2022; Willett, 2022).

Cyberthreats are not new. Ill-intentioned people did not wait for the COVID-19 crisis to see the potential that digital spaces represented for criminal activities (Brinson et al., 2006; Guitton, 2019a; Palmieri et al., 2021). Cyberthreats already existed before the COVID-19 crisis, ranging from cybercriminality (Donalds & Osei-Bryson, 2019; Donner et al., 2014; Palmieri et al., 2021) to hostile actions posed by (or suspected to be posed by) foreign actors – something that is now commonly referred to as cyberwar (Poindexter, 2015). Yet, as for many things, the COVID-19 pandemic has exacerbated and accelerated the major technology-driven societal changes that had been evident for a few decades (Almeida et al., 2020; Beaunoyer et al., 2020). Interestingly, the corporate sector was extremely quick to embrace this new reality, pushed by the necessity to pursue business activities despite the crisis context (Almeida et al., 2020). Yet, awareness of cybersecurity threats remained low in most cases (Tasheva, 2021). The forced social distancing of the population resulted in a massive increase of the exposure to digital spaces and applications, and consequently increased the vulnerability to cyberthreats. Not surprisingly, one of the economic sectors that was the fastest to take advantage of the pandemic and to adapt was the sector of criminality. Indeed, the increase of criminal opportunities led to an increase of cybercriminality, due to existing cybercriminals becoming more prolific, to more and more conventional (i.e., not originally Internet-based) criminals investing the cyberspace, or to a combination of these two factors (Lallie et al., 2021; Pranggono & Arabo, 2021). At the same time, the massive migration of day-to-day activities to digitalized space has also resulted in an increase of cybersecurity awareness amongst the users (Beaunoyer et al., 2020), leading to an acceleration of the evolution of cybercriminal methods (Kumar et al., 2022; Tasheva, 2021). The disembodiment of the crime, and especially the delocalization of criminals who are no longer in immediate physical contact with their victim, makes the crime solving percentage drop, and thus the perceived cost/benefit ratio for criminals rise.

When it comes to cyberthreats, digital spaces have to be understood – and approached – while keeping in mind their two-fold nature. Indeed, Internet-based cyberspace is both a vector and a set of tools to access the crime, and a place where the crime can take place (Guitton, 2019a). The Russia-Ukraine war, which started in early 2022, also sheds new light on the potential targets of future cyberwar. Indeed, and whilst military and governmental agencies have obviously been targeted heavily by both sides in the cyberspace, it is interesting to note that cyber-attacks are considerably more diffuse and diverse, and target numerous corporate structures besides military objectives (Guchua et al., 2022; Serpanos & Komninos, 2022; Willett, 2022). Post-crisis cyberthreats will result from the increase of the range and of the magnitude of citizens’ use of digital spaces, alongside the complexification of the threats, both in terms of technical sophistication and of diversity of targets.

In this ultra-globalized and non-state-centered context, the pre-crisis response strategies to cyberthreats won't be enough to address the new reality. In order to respond optimally to these threats, public security services will have to deploy new forms of integrated strategies of cybersecurity, investigation, and law enforcement response, both for the visible, apparent components of national security (police, anti-fraud units) and for the less visible components (counterintelligence). Security responses will also need the different components of the national security continuum to be more coordinated. Therefore, the post-crisis reality will force political leaders to rethink security services structures and responses to face the continuous and accelerated evolutions of the cyberthreats.

In this text, we will analyse how the security services response strategy needs to evolve to face cyberthreats in a post-crisis context. We will set out how the COVID context has impacted cybersecurity for individuals, corporations, and governments, and emphasise the need to reposition the economical identity of the individuals at the center of security response in the light of the Russia-Ukraine cyberwar. Having presented the reality of cybersecurity in this new context, we will propose strategies to optimize law enforcement response from police to counterintelligence, notably through formation, prevention, and interaction with cybercriminality. We will then analyse the possibilities to optimize the articulation of the different levels of security response and expertise, by emphasizing the need for coordination between security services, and by proposing strategies to include non-institutional players. Finally, we will explore some of the challenges related to this evolving situation.

2. Cyberthreats in a post-crisis context

2.1. The continuum of targets

Before the beginning of the pandemic, cyberthreats were globally understood, analysed, and treated alongside three levels of targets, which were mostly considered as independent from each other: the individual, the corporate, and the governmental levels. Individual and corporate levels refer to cybercriminal actions aiming at causing some form of harm (typically financial or reputational) to individual citizens and companies, respectively. Governmental cyberthreats referred to actions related to cyberwar, from disinformation attempts to hostile intelligence actions (Kury, 2019; Poindexter, 2015). We will discuss below how the pandemic has changed this reality, and how the borders between these three levels are becoming more and more blurred.

The time spent online has drastically increased since the beginning of the pandemic in early 2020. From earlier epidemics, we know that socially and economically disadvantaged people are at higher risk when it comes to the consequences of the crisis. This is true as well for the current pandemic. Indeed, beside the question of physical access to technological devices, digital inequalities have a major impact on cybervulnerability (Beaunoyer et al., 2020). Those who do not have a high enough level of digital and technological literacy will present an increased vulnerability to cyberthreats. On the other hand, people have acquired better equipment to face the need to spend more time online, notably for professional purposes, and, after the initial months, have overall become more aware of cyberthreats – both from the perspective of individuals whose digital literacy rose through practical experience (Beaunoyer et al., 2020), and from a corporate perspective, although advances in cybersecurity awareness seem slower than at an individual level (Tasheva, 2021). However, that unfortunately applies mostly to those who already have sufficient resources, hence reinforcing digital inequalities as well as the chasm between the more favored users, and those with the greatest vulnerability to cyberthreats.

Citizens can be directly or indirectly victims of cyberattacks – directly, as direct targets of cybercriminals (e.g., after phishing attempts), or indirectly, as indirect targets of attacks against banks or administrations. In this second case, individuals are not just collateral damage, since even if the attacks are made on and through larger structures, the real targets are indeed the individuals. Attacking a big company can just be a way to collect massive amounts of information related to individual accounts. Interestingly, this is a first instance of interactions between the corporate and/or governmental levels, and the individual level. If these interactions were already emerging before the crisis, they are fated to take on more and more importance as citizens rely more and more on digital spaces for their daily activities. With the pandemic, several countries provided financial help to their citizens. As a result, the cases of identity theft are massively increasing, as frauds against tax agencies can become potentially extremely lucrative for cybercriminals, since they can simultaneously target large numbers of people. Although COVID-19-related financial aid is now over, the COVID-19-forced displacement of citizens to digital spaces is irreversible – and hence so is the increase of the vulnerability of individuals to cyberthreats.

What is seen at the micro scale of the individuals is also happening at a larger scale, either for corporate or governmental organizations. The massive migration of professional activities to digital modalities has increased corporate risks by increasing the vulnerability to cyberthreats (Almeida et al., 2020). Companies however did not remain inactive. Instead, major investments have been made by companies to reinforce their hardware and to acquire cybersecurity tools and expertise to mitigate as much as possible their exposure to technology-related risks (Tasheva, 2021). Of note, the support provided by companies to their workers in terms of cybersecurity also has a positive impact on the degree of vulnerability of these employees to cyberthreats in their private life, exemplifying a blending of the corporate and individual levels. The pandemic has also put some industries under the spotlight. As the crisis demonstrated the limits of our system, the importance of biotech and high-tech companies has become critical. Consequently, the risk for these companies of becoming the target of industrial espionage is dramatically increasing. This is indeed being witnessed – at least partially – in the current Russia-Ukraine cyberwar, where companies which are not directly state-controlled are nonetheless the target of cyberattacks, or attempts at cyber-espionage (Serpanos & Komninos, 2022; Willett, 2022). In the near future, this will lead to complex situations, in which classical means of espionage merge with cyber-intelligence. Of note, in this new context, cybercriminals are potentially no longer independent criminals. Instead, not just foreign governments as thought in a conventional vision of cyberwar, but also foreign companies not directly related to a foreign government could see in the post-crisis reality new opportunities to get access to critical technologies or information.

This last point raises the issue of the merging between corporate and governmental levels. Indeed, as geopolitical equilibriums have been heavily impacted by the pandemic and by the Russia-Ukraine war, industrial espionage of biotech or high-tech companies might become a question of national security. Furthermore, counterintelligence is complicated by the increased dependency upon information technologies. The impact of the complexification of the interactions between technology and geopolitical equilibriums was already evidenced before the pandemic, either from a government/government perspective with the Russian influence on US elections (Kury, 2019) or from a merging between political and economical interests with the Huawei affair between Canada and China (Fife, 2018). As already appears to be the case in the Russia-Ukraine war, the post-crisis world will likely see a drastic increase of these cross-level challenges, with corporate challenges becoming governmental challenges when it comes to cybersecurity, as private, corporate interests become directly relevant for national security. Industrial cyberespionage faces problems of jurisdiction, as cybercriminals located in foreign countries are typically more difficult for national authorities to arrest – when they are not simply out of reach. With the likely increase of industrial espionage, combined with the increase of relevance for national security of the corporate targets, more cooperation will be necessary between public security and corporate security services.

The vulnerability of corporations to cyberthreats in the post-COVID era represents an indirect threat for governments. Yet, the current situation has also increased the direct vulnerability of governmental institutions to cyberthreats, which already existed prior to the pandemic (Binns, 2019). Indeed, the increase of reliance of citizens on online official services makes the totality of the systems more vulnerable. The way individual and governmental levels are related in the post-crisis context is different from the pre-COVID situation. Indeed, before the pandemic, cyberthreats were clearly distinct: individuals were mostly subjected to cybercriminality, while governments were concerned by cyberwar risks. With COVID, citizens potentially become an entry point for governmental networks. Thus, cybersecurity threats which would have typically targeted the individual level might potentially become a concern for national security.

2.2. The need to reposition the economical identity of the individuals at the center of security response

Although some forms of cybercriminality (for instance, cyberterrorism or attempts at election manipulation) are not driven directly by monetary gain, most non-state cybercriminality is motivated by economical reasons (i.e., the cybercriminal aiming at making monetary gains from his actions in the cyberspace). Of note, this growing importance of the vulnerability of economical structures in a post-pandemic era, as well as the economical rationale of most cybercriminality attacks, is being more and more acknowledged by the cybersecurity community (Kumar et al., 2022). In this view, cybercriminality is not different from any other form of criminality. Yet, there is a fundamental difference in the modus operandi between cybercriminality and conventional pre-Internet criminality. This difference is directly related to the disembodied nature of cyberspace. Cybercriminality typically takes place without direct contacts between the perpetrator and the potential victim – contacts that lead more often than not to some form of physical violence, which characterizes a large proportion of pre-Internet individual crimes. With the disembodiment of inter-individual relations, cybercriminality can solely occur on the economical aspect of the crime.

Whether targeting individuals or organizations, cybercriminality typically aims at directly taking advantage of information, or of access to information, in an important proportion of cases in order to acquire an undue economical advantage, whether this is a direct or indirect monetary gain. While this appears relatively obvious when considering cybercriminality targeting large structures – companies or governmental agencies – this is sometimes overlooked when considering individual citizens. Therefore, there is a critical need to reposition the economical identity of the individuals at the center of security response. Especially in a context of digital crimes, an individual is more than just his physical reality. In a digital and digitalized world, each individual is a node in a complex network. An individual is an access gate to a variety of networks (both personal and professional), as well as a potential access gate to data (again both personal and professional). Penetrating the cyberidentity of an individual can give a cybercriminal access to such data. It also potentially gives a direct connection to other individuals – particularly to professional collaborators – who could have access to data that the original victim did not have access to. Therefore, by targeting in an organisation a peripheral individual who would not benefit from high cybersecurity protection, a cybercriminal could access more central individuals who could not have been accessed directly due to their personal cybersecurity defenses, and thus have access to information critical to the economical viability of the company.

Despite the inherently economical nature of most cybercrimes neither driven by nor related to ideology (i.e., excluding cyberterrorism and political cybercriminality), the way cybercrimes are currently being investigated does not systematically acknowledge the economical dimension. To be more exact, the economical dimension of cybercrimes is considered only from an individual perspective rather than from a group perspective. At a national level, central antifraud services typically sort identified phishing attempts according to their source, and not according to their potential macro-target (for instance, people from a given profession, or employees of the same company or cluster of companies). The disconnection goes further, as information regarding potential vulnerabilities is not transferred back to local police officers. With the information being fully centralized in specialized services, local security agents are not aware of the specific level of vulnerability of the local actors they are supposed to protect.

This situation brings important challenges both in terms of organization and of interactions between local and specialized police services and counterintelligence. To the initial “physical” mission of local police officers, two layers have to be added: a mission of protection of national interests (including the interests of the companies contributing to the economical wellness of the country) in addition to the interests of the individuals, and a cybersecurity layer. Obviously, local police officers already have a lot of tasks to perform, and they have neither the technical resources and expertise, nor the time to take on their shoulders the fight against cybercriminality. Yet, several actions could be taken to optimize the global security response. The first line of action is to increase the interactions between local and central security services. This will have to be done by reinforcing the channels of communication between anti-fraud services and field agents, notably in order to provide better access to critical information at the early stage of the investigations. The interactions between police and counterintelligence should also be increased and enhanced (something that we will develop later on in this text). As communication is a process that goes in both directions, local police officers should also be encouraged to contact central services (either antifraud units or counterintelligence) to transfer relevant information. Related to this point, the second line of action is to raise the awareness of police officers of the macro-economic dimension of cybercriminality. Practically, the potential macro-economical dimension of cybercrime should be investigated – or at least explored – systematically. For instance, if several employees of a given company were victims of phishing, would that be only coincidental, or would that mean that email lists of the company have been compromised? Have these victims been targeted by chance, or in a global strategy to get specific data, or to otherwise harm the company deliberately? Systematically exploring the economic identity of a cybercriminality victim during the early step of a police investigation does not take that much time, yet it could bring critical insights into the real motives of the cybercriminal, and potentially allow the identification of potential vulnerabilities. Field police officers may think that they have no impact on macroscopic – either macro-economic or national security – scales, as these scales appear rather far from their daily reality. Yet, the role of local police officers is central, as they are the first line of response, and the first security officers involved in the collection of evidence. If the evidence is not properly and optimally collected on the site of the crime, then further actions of more specialized security services (either computer forensic units or counterintelligence services) will not be optimal either. Furthermore, in both cases, the management of these crimes would benefit from the closer relations between field police and counterintelligence services that would have been built based on the treatment of economical cybercrimes.

3. Optimizing law enforcement response from police to counterintelligence

3.1. Formation

The mission of law enforcement services can no longer be associated with the classical sight of a police officer patrolling the neighborhood alone in his or her car without any connection to the rest of the world. Although the immediate physical reality obviously remains important in order to protect the population, the reality of public security safety has to take into account the fact that modern criminality goes far beyond its immediate physicality. However, the typical training of law enforcement officers still mainly focuses on law and criminal psychology for the theoretical aspects, and on classical law enforcement methods, mostly related to physical control and legal aspects related to the use of force. Therefore, the first cornerstone to optimize the response from governmental security services – including both police and counterintelligence – is education. Although all agree that security services formation needs to be updated and upgraded to encompass the technological dimension of criminality, practically implementing these changes meets several challenges. These difficulties can be summarized alongside four main lines: 1) identifying what is needed, 2) acquiring a teaching expertise, 3) securing the ties between security and academia, and 4) sharing expertise and experiences amongst security services.

The first issue that is encountered when trying to design cybersecurity training for security services is to identify what the needs are. While answering this question might seem mundane, this is not the case. Indeed, what is really needed for a police officer on the field to properly deal with cybercriminality? How to identify cyberthreats? How to collect evidence? How to provide psychological support to victims of cybercriminality? How to do prevention and to provide advice? Answering these questions should guide the implementation of cybersecurity courses for law enforcement forces, including counterintelligence agents. Yet, when cybersecurity is included in police courses – and this is unfortunately not the case everywhere – it is done only marginally, and usually only from a legal (“what is a cybercrime?”), or a categorisation perspective (“what is a lure?”). Both cyberinvestigation techniques and prevention techniques are typically acquired on the field by most recruits. Even in conventional forensic sciences, not everything is taught the same to all. Training in proper data collection, preliminary exploration of motives, and fine analysis of criminal behavior is typically not given to regular police officers, but only to advanced detectives. When a cybercrime happens, the cybercriminality specialist intervenes only at a second stage, long after the initial intervention of regular police officers. The detective specialized in cybercriminality will have to make up for what was not done by the first policemen involved due to their lack of formation in cybercriminality, potentially resulting in a loss of time, of resources, and, more importantly, of evidence. Identifying what would be needed both for police officers on the field and for counterintelligence analysts in central headquarters will be critical to ensure a coordinated security response.

The second difficulty to implement cybersecurity training is to acquire a teaching expertise. From an academic perspective, cybersecurity is still mostly considered from a computer science perspective. Although cybersecurity has been the target of prolific research, it still remains that, when compared to other aspects of cyberpsychology, cybersecurity and cybersecurity-related behavior are still comparatively understudied. This unfortunately results in a lack of availability of instructors able to teach cybersecurity at a satisfactory level. National security service members need to receive cybersecurity education delivered by experts, people typically holding terminal university degrees and having research experience.

The third issue faced when trying to work out the long-term development of cybersecurity courses and curricula for national security services is to reinforce the ties between security and academia. Historically, the relations between the intelligence and counterintelligence community on the one hand, and the academic community on the other hand, have been complex, and often infected by mutual mistrust and misunderstanding (Crosston, 2018). The evolution of global geopolitics in the last decades has recently led to an increase of suspicion toward relations between scientists and foreign powers (Hvistendahl, 2019; Normile, 2019). Although, strictly speaking, intelligence with foreign powers under a military understanding seems to be still limited, murky interactions of some U.S. scientists with foreign institutions, often accompanied by what some prosecutors qualified as “corrupting amounts of money,” have been evidenced (Mervis, 2020). This climate of suspicion is further severing the ties between national security services and the academic community, as demonstrated by recent political (Mervis, 2019). In a post-crisis era, where international economical competition is likely to become exacerbated, this issue of restoring the trust between these two worlds is going to become critical to optimize the formation of security services.

Finally – last but not least – the fourth issue is related to security services themselves. Indeed, in order to optimize a global response, communication between all the layers of the national security services is critical. In the context of cybercriminality, information collected at the level of local police has to quickly reach decision centers, and if needed, counterintelligence services. In order to share information efficiently, sharing expertise and experiences amongst security services is required. In other words, security services as diverse as police and counterintelligence need to share a similar language and to share similar tools in order to optimize the civil protection and the defense of national interests. Unfortunately, the different security agencies of a given country are still often considered as different entities (the “military”, the “police”, the “Intelligence services”), rather than the components of the same organism (the “country”). Consequently, the basic formation of the agents of these different branches of security services is typically done without, or with very little, cross-training. In order to achieve a stronger inter-service dialog, common grounds will have to be shared at the initial training level, and cybersecurity training will have to be acknowledged in career evolution. Of note, what has been described above mostly applies to countries where the policing system is structured in local police organizations. While this model is widespread (as it covers for instance all North America and a significant part of European countries), it is not the only one. Yet, the same problems also apply to countries where the policing system is highly centralized, as in the end, local agents would only have a local – and not global – perspective of the crime, and thus more integration would be needed even in centralized police systems.

3.2. Prevention

Preventing a crime from happening is the surest way to avoid having to face its consequences. While this is true for conventional criminality, it is even more so in the context of cybercriminality. Indeed, the weakest link when considering cybersecurity is typically users' behavior rather than purely technological failures (Guitton, 2019a; 2019b). As exemplified by Edward Snowden, human behavior is the weakest link of the cybersecurity chain (Lahneman, 2016). From the perspective of prevention, this dependency of cybersecurity protocols upon human behavior is a highly positive element. Indeed, in contrast to software or hardware, behavior can be corrected easily with proper training. Therefore, actions aimed at preventing crimes could represent a powerful option in the official law enforcement services toolbox.

Having said that, if all would agree that prevention is important, operationalizing it in the context of cybersecurity brings some tricky challenges. Indeed, prevention is a direct consequence of the previous point, i.e., the formation of public security agents. Yet, prevention requires more than just having the theoretical knowledge. Indeed, other skills are required in order to optimally convey information to a wide public. Therefore, in addition to fundamental or applied knowledge, security experts aiming at providing cybersecurity prevention would also need to receive training in transversal skills – specifically in communication and pedagogy. Furthermore, pedagogy needs to be differentiated according to the anticipated target, as one would not teach corporate managers the same way as school children. Typically, these skills are unfortunately not emphasised in classical security curriculums. In the rare occurrences when these skills are taught, the target audience is usually other law-enforcement agencies, for instance in the context of intelligence/counterintelligence courses where specialists with marked expertise would be trained to train other agents.

Police services – particularly those operating at a municipal level – often have dedicated agents or teams doing prevention in schools. Modern school prevention programs are more and more including some cybersecurity components (Harichandran et al., 2016). There is no question that efforts of prevention directed toward children are fundamental, especially in the context of cybercriminality (Harichandran et al., 2016). Yet, young people are not the only segment of the population that is vulnerable to cybercriminality, or that needs to benefit from preventive interventions. Specifically, companies – including the smaller ones – would benefit from such interventions. Currently, cybersecurity training to companies is mostly provided by external consultants rather than by higher education institutions. This however brings several issues. First, this reinforces inequalities, as the smallest companies are not necessarily able to purchase such services. Second, there is neither control of quality of the content, nor of the competencies of the consultants. Third, the content itself is often not tailored to the specific needs of the company, and would typically focus on a technical perspective (with further offers of software or other costly external technical solutions) rather than focusing on users’ behavior (whether helping managers to identify the risks, or training the workers to avoid displaying at-risk behavior when online).

A way to avoid these pitfalls could be to extend the mission of prevention of police to the corporate sector. Police officers could include experts on Internet security that could provide consulting services to companies to help them secure their networks and the behavior of their workers. Alternatively, as governmental law enforcement services are still limited in terms of size, delegating part of this prevention mission could still be part of the solution. Yet, governments and public security services could maintain some form of control over the quality of the formations offered and on the skills and competencies of the instructors. Indeed, in most countries, some professions such as private security agents, private investigators, or even locksmiths need some kind of specific authorization delivered by governmental authorities to practice their trade. The same kind of official authorisation or credential could be developed and implemented for people or companies operating as consultants in cybersecurity.

All that being said, it is important to note that besides these “technical” issues, cybersecurity prevention might meet issues of long-term efficiency. Indeed, if the methods used by cybercriminals are widely presented, this will trigger an adaptive response of cybercriminals. When doing prevention, an equilibrium should be reached between exposing cybercriminals (so that the population can be protected), and publicizing what is exposed (so that cybercriminals are not fully aware of the extent of what is known by the general population). This leads us to the next point of this analysis.

3.3. Interacting with cybercriminality

While the digitalizing of the world had already started before the emergence of COVID-19, this digitalization has been occurring at an accelerated pace since the start of the pandemic. Given the pace and the magnitude of the switch of the overwhelming majority of human activities from a purely physical to a hybrid physical/digital mode, it is illusory to believe that national security services can keep protecting the population they have the stewardship of by simply watching the evolution of cybercriminality, and reacting to it – even if with full strength. Anticipation of the directions and methods cybercriminals might use is critical. This can be achieved only if there is some degree of interaction between security forces and cybercriminals, or at least with those the closest to them in terms of technical expertise, i.e., hackers. It is out of the question to reward cybercriminals for breaking laws or for inducing harms (even if economical and reputational and not directly physical) to people. Yet, deciphering ways for hackers to collaborate with national security services, and for their expertise to be included in the police operational toolbox, will provide a clear edge for law enforcement services in their war against cybercriminality.

The lines between crimes and security needs have often been blurred in times of war, or after such times. After World War II, numerous Nazi scientists who clearly qualified as war criminals were offered new identities and new lives by some other countries, on the condition that they would give their expertise to their new homeland. Although we are not in a time of war, the COVID-19 pandemic is a crisis that can easily be compared to a situation of war, either due to its magnitude and worldwide impacts on population, or to the measures that have been taken by numerous countries (lockdowns, curfews) and that are comparable to those taken in time of war. This analogy with war is probably strong enough to allow governments to think about measures that could allow for recovering cybercriminals' skills and expertise once their debt to society has been paid, within a legal and ethically acceptable context.

As paradoxical as it may sound, interacting with cybercriminals also means increasing the interactions with the research community. Obviously, scholars are not criminals. Yet, like for any other subject, criminality and criminal behaviors are legitimate – and we would add necessary – targets of scholarly interest. Cybersecurity has been identified as one of the main challenges of cyber behavior research for the coming decade (Guitton, 2019a). Feeding cyberpsychology and cybersecurity researchers with up-to-date data, and with the actual needs of security services, is the shortest way to ensure that academic research is able to meet the demands of national security. This can be done only with the collaboration of national security services, and their will to share their field-acquired expertise and data with their national academic community, so that knowledge can be shared in both directions for the greater benefit of the country. Notably, achieving this goal is not a small feat, especially considering the inherent secretive nature of intelligence and counterintelligence and the historically complex relations between them and academia (Crosston, 2018). Once again, the issue of mutual respect and trust between security and academic communities discussed in the previous section is critical.

4. Articulating the different levels of security response

4.1. The need for coordination

As in many cases, a common way for governments to react when a new form of threat appears is to create new services, or new divisions of existing services. Cybersecurity has not been an exception to this tendency. Indeed, the national security answer to the emergence of cyberthreats typically involves establishing new structures. The creation in 2018 of the Cybersecurity and Infrastructure Security Agency (CISA) as a standalone agency by the U.S. government epitomizes this trend. This logic is not evidenced just in the context of counterintelligence and national security, but also at the police level, as illustrated by the emergence in more and more countries of specific police units dedicated to cybercrime (e.g., “computer forensics police units”). While this strategy might prove useful when dealing with localized threats (either localized in time such as natural disasters, or in space such as drug trafficking), it is however counterproductive in the context of cybercriminality.

The response of police services is typically organized following a two-layer structure. The first level of organization follows a physical layering – alongside the various “jurisdictions” – from local to state police, with an additional federal level for federal countries. This layering of jurisdiction is associated with a layering of the resources, expertise, and therefore, capacities of answering criminality. For instance, police services of small municipalities won't have tactical units, or access to air support such as helicopters, nor expertise in organized criminality. The second level of layering is made alongside the type of crimes, with specialized units focusing solely on certain types of criminality, e.g., financial criminality, or international drug traffic (the “narcotics” of the U.S. police forces). As we discussed above, cybercriminality is of a different nature. Indeed, cyberthreats are touching all levels of society, from individuals to corporations and governments. While central counterintelligence agencies are obviously interested in cybercriminality, even police officers operating in small communities might be exposed to it. Therefore, cybersecurity response has to be transversal (i.e., encompassing all the levels of police forces organization, from the most local forces to the national security units) and transmodal (i.e., crossing the disciplinary borders of specialized units, from financial expertise to human – notably child – trafficking). The computer forensic police units that are emerging worldwide have to be integrated in the functioning of regular forces, as they cannot be operating in a “parallel world”. Digitalized spaces are not independent from physical spaces, they are just a superimposed layer. Bringing this specialized cyber-expertise to local police forces will be critical.

As cybercriminality increases in an exponential way, and as targets are moving from individuals to larger corporate or governmental structures, counterintelligence will need to capitalize on all the strengths of the nation. Therefore, counterintelligence will have to rely more on the assistance of local police forces in order to gather information, and to benefit from the on-field expertise of those in direct contact with the population. However, satisfactory degrees of collaboration will be possible only if trust exists between services. Dialogues will have to start between services, notably police and counterintelligence.

Articulating a response across various services – each with their own culture and specificities – is not an easy task (Miller, 2019). It will require proper dispatchers who will be able to hierarchize priorities, supervise, and match expertises. Working together will imply working more in network alongside conceptual maps of the different elements of a cyberthreat (eventually with the assistance of task-specific AI), instead of following conventional pyramidal strategies. Yet, the COVID-19 pandemic demonstrated to us that it was possible to efficiently work together without being physically close. In a post-crisis era, the rationale of segregated departments won't be as salient as it used to be, especially in a global cybersecurity context.

4.2. Including non-institutional players

Given the exponential multiplication of cyberthreats and their increasing complexity, relying on the different components of public security services – even if they succeed in coordinating their efforts and resources – might not be enough to ensure an optimal response to cybercriminality. Indeed, ensuring the strength of all of the individual links of the cybersecurity chain can no longer be done only through the action of public, national security services – even if their resources are combined. Instead, there will be a need to use external resources, and in some cases external expertises. For instance, police services do not have the mission – nor the resources – to do prevention in all private companies. Yet, such an approach could prove extremely beneficial for society as a whole. Police services could however coordinate the actions of private cybersecurity companies to help small businesses decipher their own cybersecurity strategy.

This need for collaboration extends further than just prevention. Indeed, this collaboration can extend to preparedness. By sharing the knowledge public security forces (both police and counterintelligence) have on cybercriminality (ranging from the types of cybercrimes observed to the methods cybercriminals are using) with corporate actors of cybersecurity, private companies could be more prepared to face these threats in an efficient way. Doing so is however tricky and will require important dialogues, as the exact disclosure of what is shared about cybercriminal methods and modus operandi should not be widely publicized, in order both for companies to be actually protected, and for law enforcement services to keep an edge against cybercriminals.

Yet, this collaboration between public and corporate security should go – and will probably have to in the near future – a step further, by extending from pre-crime actions (prevention and preparedness) to actual counter-criminality actions (investigation and intervention). Indeed, in a context of heavy industrial competition that has led to a drastic increase of the risks of industrial espionage (Crane, 2005), large, often multi-national companies have developed their own security departments. While a few decades ago, these departments would only focus on physical security of the company's installations, they have since then encompassed cybersecurity. This phenomenon of industrial espionage is likely to tremendously increase in coming years, especially for companies of the high-tech and biotechnologies sectors. Given that some multi-national companies sometimes have resources even more important than some sovereign states, it is easy to understand that some corporate security departments might have, to some extent, expertise comparable to a small intelligence/counterintelligence unit. Furthermore, and independently of the internal security departments of private corporations, some large-scale companies specialize in providing security to industrial, commercial, or even public organizations. Increasing the cooperation of these corporate actors of (cyber)security with public forces, from police to counterintelligence, will be a keystone to optimize future cyberdefense strategies, as the economical interests of these companies are likely to be very similar (not to say isomorphic) to those of their countries of origin or of implantation.

Although this issue was already touched on earlier in the course of this text, two additional categories of players will also have to be taken into account in developing a global and coordinated response to cybercriminality: hackers, and the academic community. Therefore, the optimizing of national cybersecurity response will have to rely on consortiums with a core provided by police and counterintelligence services, around which would gravitate numerous non-public actors including corporate security sectors, the hacking community, and academia (Guitton, 2019a). Creating these kinds of extremely heterogeneous and diverse consortiums will only be possible through consensus and shared trust – something that is far from being acquired at the moment, but for which massive efforts will have to be deployed if a country wants to keep its own national interests safe. As discussed above, the interactions between different institutional services are not optimal. The challenges are even greater when it comes to the interactions between public and corporate actors. Of note, this is not specific to security, as this could easily be observed in other sectors such as research. Yet, the domain of security adds another layer of secrecy that can easily obscure trust. Shredding this veil of secrecy does not, however, come without challenges. The next section of this paper will explore some of these new and emerging challenges.

4.3. Emerging challenges

Moving the cybercriminality response strategy from a single actor to a multi-component system will require re-thinking the transmission of information and reorganizing the logic and protocols of data sharing. This triggers numerous challenges, which will need to be addressed in the near future if we want the response to cybercriminality to become optimal. Of note, these challenges are no longer those of police, or of counterintelligence, but question society as a whole. In a simplified way, these challenges can be summarized in three sets: challenges related to data sharing, challenges related to social acceptability, and challenges related to the interaction with non-human agents.

A first set of challenges is related to data sharing across the different actors. These challenges are not purely technical, they are instead sociotechnical by nature, as the limitations are not only related to the technical aspects but are also associated with the behavior of the holders of the data. Indeed, and although all agencies are supposed to be working for the same final goal, i.e., the benefit of the population they serve, data sharing across services is far from being a natural reflex. Even in time of crisis, the circulation of data and information across various public agencies can prove to be complicated. For instance, and although it may sound counterintuitive, efforts to fight the COVID-19 pandemic have been slowed down in the U.S. due to difficulty for the different services of the U.S. administration to efficiently share relevant data (Piller, 2020). Without going as far as inter-agency interactions, information may sometimes circulate only with difficulty within a given service. In the context of cybersecurity, data sharing is however central. Therefore, walls will have to be broken in order to allow a quick and fluid circulation of data across the different actors of public security, especially between the three members of the security response triad composed of counterintelligence services, police services, and large corporate security departments.

A second set of challenges is related to social acceptability. Indeed, sharing data across various governmental agencies comes with its weight of ethical considerations. These ethical questions become even more prominent when the data are to be shared between public and private operators. In such context, ethical and practical considerations are typically related to confidentiality of the data. These problems are already existing, as police services often rely on private contractors to analyse some forensic elements. As the number of actors increases, the problem becomes to reach an equilibrium when sharing information with people more and more peripheral to the original victim (yet not necessarily from the crime itself). This raises the question to which point the data is considered relevant and sensitive, depending on the position on the cybercriminality continuum, as a lure is not equivalent to industrial espionage. Even if the sharing of data related to citizens is done in a technically-secured way, how would this be perceived by the population? In other words, ensuring the social acceptability of data exchanges between public and private actors will be critical, as for any other technology-based measure that could be perceived as potentially contradicting individual liberties (Georgieva et al., 2021). In terms of social acceptability, the difference between public and private actors is fundamental. Indeed, public officers have a legal obligation of ethical behavior: their affiliation to their service (being the police or intelligence/counterintelligence agencies) comes with a social – and legal – imputability. While theoretically submitted to the same ethical and deontological constraints, the imputability of private agents is less obvious in the eyes of the public. Police forces are under the control of the political power, which is itself, in modern democracy, under the control of public opinion. Private actors of security are not submitted to the same public control. Yet, security is not necessarily identical to law enforcement. In this view, the set of legal constraints surrounding security might not be fully adapted to the new reality of cyberthreats.

Finally, a third set of challenges is related to the interaction with non-human agents. Even if not aware of it, standard Internet users are regularly interacting with non-human agents, ranging from legitimate bots to malevolent programs. As more and more interactions will take place between human users and artificial programs, awareness will need to be raised on the characteristics of these interactions in order to prevent citizens from falling for automated cybercriminality. At the same time, the promised arrival of artificial intelligence (AI) in the coming years or decade will change the way security services will work, notably when it comes to collecting or analysing data. It is unlikely that AI will become full-fledged security agents in the near future. Yet, they might become powerful tools or valuable auxiliaries for members of security services. Therefore, having human agents accepting and acknowledging AI as potential collaborators will represent a major challenge to overcome in the coming years.

5. Conclusion

As for a lot of other domains, the impact of the COVID-19 pandemic on cybersecurity has been considerable. The pandemic has been both a trigger for change, and an accelerating factor. Most – if not all – of these changes are here to last. This is particularly the case for the increased dependency on Internet and communication technologies. As demonstrated by the rise of cybercriminality during the pandemic, and the increase of cyberattacks related to the Russia-Ukraine war, the vulnerability of governments, populations, and companies to cyberthreats has tremendously increased. Cybersecurity and digital investigations are involving more and more players, and more and more of these players are not institutional ones. Therefore, responses will have to take into account the diversity of security actors to coordinate the actions. The structure and dynamics of national security services will have to be optimized in order to merge forces. Network dynamics (eventually with the assistance of task-specific artificial intelligence) will have to be implanted in order to share experts and expertises. Education will have to be reinforced, and training will have to be hybridized across the different services – particularly across regular police and counterintelligence. Counterintelligence can no longer be thought of as an independent corps, as increased contacts and interactions with regular police forces will be critical to answer future cyberthreats.

Alongside inter-services coordination, research-informed education and training will be one of the main challenges to face. Typically, only the largest police services have a direct access to cybercriminality expertise. More often than not, cybercrimes are initially treated by regular investigators as if they were conventional crimes. It will be critical to significantly reinforce the education of security personnel – both initial and continuous – on cyberpsychology. Besides formal education, it will be important to increase awareness of cyberthreats in all levels of police services. Indeed, local officers should keep in mind the possibility of a cyber dimension when treating any crime. Identifying the optimal profiles to recruit cybersecurity officers will also be a central challenge for the coming years – either by recruiting people already having an initial background in cyberpsychology or computer sciences, or by recruiting already trained and experienced security officers with an interest in cybersecurity. The lack of centralised cybersecurity standards of formation for security services is an issue that will have to be addressed as soon as possible.

While this text has emphasised the economical dimension of cybersecurity, it is critical to remember that the central mission of police services is to ensure the security of the citizens, and not to protect private corporation interests – even if they might at some point overlap with national security interests. This is a fundamental difference between police on the one hand, that focuses on a “micro” level (the security of the citizens), and counterintelligence and private corporate security services on the other hand, that focus on the “macro” interests (the economic security of the companies or of the nation). These differences of approach are major, and one of the risks with the globalization of the risks is to lose the “micro” focus, i.e. the security of individuals. If citizens feel abandoned by officials, then governance and national security policies can quickly become questioned by the population, with consequences easy to foresee on social peace and societal equilibriums. While cyberthreats are real, social acceptability of the actions of the security forces is a central parameter that should not be overlooked. Preparedness is central in the crisis management discourses of a lot of countries. However, the recent events have clearly demonstrated that we are still not fully prepared to deal with some of the impacts of major crises at a global level. Cybersecurity is a perfect example of that, yet it is one that an optimal response of national security services could counter.

Declaration of competing interest

There is no conflict of interest with this paper.

Data availability

No data was used for the research described in the article.

References

  1. Almeida F., Santos J.D., Monteiro J.A. The challenges and opportunities in the digitalization of companies in a post-COVID-19 world. IEEE Engineering Management Review. 2020;48:97–103. doi: 10.1109/EMR.2020.3013206.
  2. Beaunoyer E., Dupéré S., Guitton M.J. COVID-19 and digital inequalities: Reciprocal impacts and mitigation strategies. Computers in Human Behavior. 2020;111. doi: 10.1016/j.chb.2020.106424.
  3. Binns C. In: Cybersecurity: Current writings on threats and protection. Gonzalez J.J. III, Kemp R.L., editors. McFarland & Company; 2019. Government employees unaware they are cyber crime victims; pp. 5–7.
  4. Brinson A., Robinson A., Rogers M. A cyber forensics ontology: Creating a new approach to studying cyber forensics. Digital Investigation. 2006;3S:S37–S43. doi: 10.1016/j.diin.2006.06.008.
  5. Crane A. In the company of spies: When competitive intelligence gathering becomes industrial espionage. Business Horizons. 2005;48(3):233–240. doi: 10.1016/j.bushor.2004.11.005.
  6. Crosston M.D. Fragile friendships: Partnerships between the academy and intelligence. International Journal of Intelligence & Counter Intelligence. 2018;31(1):139–158. doi: 10.1080/08850607.2017.1337448.
  7. Donalds C., Osei-Bryson K.M. Toward a cybercrime classification ontology: A knowledge-based approach. Computers in Human Behavior. 2019;92:402–418. doi: 10.1016/j.chb.2018.11.039.
  8. Donner C.M., Marcum C.D., Jennings W.G., Higgins G.E., Banfield J. Low self-control and cybercrime: Exploring the utility of the general theory of crime beyond digital piracy. Computers in Human Behavior. 2014;34:165–172. doi: 10.1016/j.chb.2014.01.040.
  9. Fife R. 2018. Canada arrests Huawei's global chief financial officer in Vancouver. The Globe and Mail. Retrieved from https://www.theglobeandmail.com/canada/article-canada-hasarrested-huaweis-global-chief-financial-officer-in/
  10. Georgieva I., Beaunoyer E., Guitton M.J. Ensuring social acceptability of technological tracking in the COVID-19 context. Computers in Human Behavior. 2021;116. doi: 10.1016/j.chb.2020.106639.
  11. Guchua A., Zedelashvili T., Giorgadze G. Geopolitics of the Russia-Ukraine war and Russian cyber attacks on Ukraine-Georgia and expected threats. Ukrainian Policymaker. 2022;10:27–36.
  12. Guitton M.J. Facing cyberthreats: Answering the new security challenges of the Digital Age. Computers in Human Behavior. 2019;95:175–176. doi: 10.1016/j.chb.2019.01.017.
  13. Guitton M.J. Manipulation through online sexual behavior: Exemplifying the importance of Human factor in intelligence and counterintelligence in the Big Data era. The International Journal of Intelligence, Security, and Public Affairs. 2019;21(2):117–142. doi: 10.1080/23800992.2019.1649122.
  14. Harichandran V.S., Breitinger F., Baggili I., Marrington A. A cyber forensics needs analysis survey: Revisiting the domain's needs a decade later. Computers & Security. 2016;57:1–13. doi: 10.1016/j.cose.2015.10.007.
  15. Hvistendahl M. Concerns about ties to China prompt firings. Science. 2019;364(6438):314–315. doi: 10.1126/science.364.6438.314.
  16. Kumar R., Sharma S., Vachhani C., Yadav N. What changed in the cyber-security after COVID-19? Computers & Security. 2022;120. doi: 10.1016/j.cose.2022.102821.
  17. Kury T.J. In: Cybersecurity: Current writings on threats and protection. Gonzalez J.J. III, Kemp R.L., editors. McFarland & Company; 2019. Now that Russia has apparently hacked America's grid, shoring up security is more important than ever; pp. 72–74.
  18. Lahneman W.J. IC data mining in the post-Snowden era. International Journal of Intelligence & Counter Intelligence. 2016;29(4):700–723. doi: 10.1080/08850607.2016.1148488.
  19. Lallie H.S., Shepherd L.A., Nurse J.R.C., Erola A., Epiphaniou G., Maple C., Bellekens X. Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Computers & Security. Advance online publication. 2021. doi: 10.1016/j.cose.2021.102248.
  20. Mervis J. U.S. universities confront a security storm in Congress. Science. 2019;365(6453):531. doi: 10.1126/science.365.6453.531.
  21. Mervis J. Prosecutor details China probe that snared chemist. Science. 2020;367(6478):614–615. doi: 10.1126/science.367.6478.614.
  22. Miller S. In: Cybersecurity: Current writings on threats and protection. Gonzalez J.J. III, Kemp R.L., editors. McFarland & Company; 2019. Cybersecurity partnerships: Strength in numbers; pp. 171–173.
  23. Normile D. U.S. suspicions rankle Chinese scientists. Science. 2019;365(6452):415. doi: 10.1126/science.365.6452.415.
  24. Okereafor K., Adebola O. Tackling the cybersecurity impacts of the coronavirus outbreak as a challenge to Internet safety. International Journal In IT and Engineering. 2020;8(2):1–14.
  25. Palmieri M., Shortland N., McGarry P. Personality and online deviance: The role of reinforcement sensitivity theory in cybercrime. Computers in Human Behavior. 2021;120. doi: 10.1016/j.chb.2021.106745.
  26. Piller C. Data secrecy may cripple U.S. attempts to slow pandemic. Science. 2020;369(6502):356–358. doi: 10.1126/science.369.6502.356.
  27. Poindexter D.F. McFarland & Company; 2015. The new cyberwar: Technology and the redefinition of warfare.
  28. Pranggono B., Arabo A. COVID-19 pandemic cybersecurity issues. Internet Technology Letters. 2021;4:e247. doi: 10.1002/itl2.247.
  29. Serpanos D., Komninos T. The cyberwarfare in Ukraine. Computer. 2022;55:88–91. doi: 10.1109/MC.2022.3170644.
  30. Tasheva I. Cybersecurity post-COVID-19: Lessons learned and policy recommendations. European View. 2021;20:140–149. https://journals.sagepub.com/doi/10.1177/17816858211059250
  31. Willett M. The cyber dimension of the Russia-Ukraine war. Survival. 2022;64:7–26. doi: 10.1080/00396338.2022.2126193.

Articles from Computers in Human Behavior Reports are provided here courtesy of Elsevier
