Chapter 8

Cybercrime

Attack Motivations and Implications for Big Data and National Security

Ben Brewster, Benn Kemp, Sara Galehbakhtiari,  and Babak Akhgar

Abstract

Organizations are increasingly turning to the immeasurable quantities of data available through open-source mediums such as the web and social media to enhance their analytical capability and ultimately improve the quality and quantity of the information they have available to make decisions. Law enforcement agencies are no exception to this trend, with efforts increasingly being made to use big data to supplement traditional forms of intelligence commonly used in crime prevention and response efforts. In this chapter, one specific facet of this capability is discussed: the use of open source data and analytical tools to detect criminal motivation and intention in open sources to commit cybercrime- and cyberterrorism-related offenses. More specifically, the chapter discusses and profiles the various types of attack and the tools used to facilitate them to gain a comprehensive insight into the underlying motivations of cyberattackers.

Keywords

Big data; Cyber-crime; Cyber-terrorism; Cyber-warfare motivations; Law enforcement; National security; Text-analytics

Introduction

Organizations are increasingly turning to the immeasurable quantities of data available through open-source mediums such as the web and social media to enhance their analytical capability and ultimately improve the quality and quantity of the information they have available to make decisions. Law enforcement agencies (LEAs) are no exception to this trend, with efforts being made to use open-source data to supplement traditional forms of intelligence commonly used in crime prevention and response. In this chapter, one specific facet of this capability is discussed: the use of open-source data and analytical tools to detect criminal motivation and intention in open sources to commit cybercrime and cyberterrorism related offenses. More specifically, the chapter discusses and profiles the various types of attack and the tools used to facilitate them towards developing a comprehensive insight into the underlying motivations of cyberattackers.
It is becoming more and more difficult to escape the notion of “big data” in all facets of modern life, a term that has become synonymous with any and all attempts to exploit and use large datasets for competitive advantage. This trend can be observed across all industries and sectors, through the use of data-mining techniques, textual and predictive analytics, and a host of other business intelligence (BI)-associated technologies. Increasingly, as covered in this particular volume, LEAs have begun to explore the potential uses of big data to enhance their own capabilities through instilling science and computational technology into their analytical, operational, and policymaking operations. The application of these tools aims to enable the more effective and efficient investigation, response, prediction, and even prevention of a host of criminal activities, as they gradually come to terms with the overwhelming increase in information available to them and the tools needed to draw information from these data. With this increase, traditional, established sources of information used by LEAs are fast being outpaced by the sheer volume of the Internet and the amount of data to which it provides access. Despite the widespread use of these tools within the private sector, LEAs are still lagging behind in their use and understanding of big data and, as a result, are not exploiting it to its full potential. LEAs have long been extremely capable in their data-collection activities; however, they have not always exhibited the same level of competence in analyzing it and subsequently converting it into usable intelligence (Thomson Reuters, 2014).
Within England and Wales, law enforcement has undergone significant budget reductions of up to 20%, with further cuts planned for 2015. Because approximately 80% of police budgets are spent on staffing, this has meant that in real terms England and Wales have nearly 16,000 fewer officers in 2014 than they did in 2009, with some forces reporting significant cuts in preventative policing areas in particular (Travis, Thursday, July 18, 2013). These reductions have been generally achieved through restructuring and merging services with other forces and partners. While this has proved challenging, it has also provided an entry platform for the integration of big data analysis techniques and the information and intelligence that can be derived from them, with a number of police forces turning to big data analysis tools to maximize the effectiveness of their remaining resources.
Big Data is widely integrated into UK preventative policing deployment plans around acquisitive crime such as burglary and theft from vehicles, to assist and maximize the impact of operational officers on the ground. This approach has removed the unscientific, “tacit” nature of this type of policing—often referred to as the “bobby’s nose,” which is heavily dependent on the skill and experiences of one person. This more experiential style of practice, and the knowledge embedded within it, is difficult to capture and share with other stakeholders, and its effectiveness is often difficult to quantify (Brewster et al., 2014a; Glomseth et al., 2007). This approach is often also largely dependent on the detailed geographical and offender knowledge of the officer and cannot be easily transferred to other officers and areas of policing. Using data already within existing policing systems such as historical crime statistics, associated crime within the area, and other intelligence available, police forces have been able to predict with some accuracy areas where there is a high probability of offences occurring between specific times, enabling suitable intervention mechanisms to be put in place to prevent and detect them. Approaches such as this have been integrated across international policing to reduce crimes such as burglary and armed robbery (Haberman and Ratcliffe, 2012; Perry et al., 2013) and have proven to have a quantifiable impact on crime, as demonstrated by West Yorkshire Police’s “Operation Optimal,” a community policing based initiative targeted toward combatting burglary. This and similar approaches have led to offense reduction rates of up to 50% in some communities in the UK (BBC News, Wednesday, November 7, 2012).
As these approaches continue to demonstrate practical value, they are certain to be regarded as key tools within the law enforcement “toolbox”, and questions will follow regarding their application in other areas of law enforcement. The wider challenge remains to embed these tools within policing so that the data available can be exploited across its other core business functions, such as over the course of a complex criminal investigation or public disorder incident, cognizant of the legal framework and ethical requirements imposed on and expected of LEAs operating within these contexts (see Chapters 15 and 16).
One such example of this is the EU FP7-funded ePOOLICE (Early Pursuit Against Organized Crime Using Environmental Scanning, the Law and Intelligence Systems) project. ePOOLICE seeks to develop a software system, and supporting methodology, that scans the open-source environment to strategically identify, prevent, and even predict emergent organized criminal threats. The project aims to meet these objectives through the analysis of two key types of data: that which directly indicates the presence or possible presence of illicit activity, and that which contributes to the creation of an environment that facilitates crime, such as political and economic instability or social unrest (Brewster et al., 2014b). One potential use case that can be used to demonstrate the utility of this and similar approaches is the trafficking of human beings.
Similarly to the approaches used to combat burglary and armed robbery, capability can be enhanced through examining the factors that are present in existing and previous forms of human trafficking, making it possible to identify patterns that may be repeated elsewhere. Using a basic model of the trafficking process (Figure 8.1), the stages of the crime can be clearly seen, along with the specific stages at which “big” and open-source data can improve the quantity and quality of information available to LEAs.
[Figure 8.1 Linear trafficking model. (Image not reproduced.)]
The crawling and analysis of localized news articles, social media, and other Web data enables the identification of weak signals, such as events and seizures that may allude to the presence and emergence of trafficking in specific locations, or at a more strategic level, the presence of economic, social, and political conditions that provide a fertile environment for the supply of trafficking victims or demand for illicit services such as prostitution and forced labor.
Further, traditional, “physical” crimes, such as human trafficking, present the possibility of using data from open sources, such as the Web, to identify specific factors that may provide signals of illicit activity. These signals range from high-level, strategic information, such as the fact that locations that are politically unstable or that have a low gross domestic product (GDP) have an increased propensity to be supply locations of trafficking victims (United Nations Office on Drugs and Crime, 2009), to lower-level, operational indicators, such as observations that staff at a particular business appear to be under the legal working age or appear to have been physically and/or sexually abused (ILO/International Labour Office, 2009).
Further, the use of social media and other big data sources in enhancing the situational awareness and decision-making capability of blue light services is increasingly evident in other areas. For example, in policing football matches and other large-scale events with potential for public order issues, social media can be mined for sentiment to identify indicators of crowd tension or incidents, enabling policing resources to be deployed more intelligently during the events and future deployments to be strategically informed by historical data. Similarly, geo-tagged data from smart devices used to connect with social media may be used to identify potential witnesses to serious and organized crime incidents, through identifying accounts or individuals that were in close proximity to a specific event at a specific time. The use of data in this way by blue light services goes beyond crime prevention and response, with its use in crisis management as a means of enhancing the awareness and communicative capability of command and control and first-response services to assist citizens in a range of disaster events, from natural disasters to terrorist attacks and large-scale public disorder (Andrews et al., 2013). However, when considering cybercrimes and criminal behavior committed through the use of the Internet, the use and utility of open-source-derived data by LEAs must evolve to enable understanding of the motivations behind them and the factors that enable these incidents to take place.
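The environmental-scanning idea behind the trafficking use case can be made concrete with a small weak-signal scanner. The code below is an added illustration, not ePOOLICE code: the articles, locations and indicator terms are constructed for the example, and the two-tier lexicon (strategic conditions versus operational observations) mirrors the distinction drawn above.

```python
"""Weak-signal scanning over open-source text (added illustration, not ePOOLICE code).

Articles are tagged with a location; each article is searched for indicator terms
from a two-tier lexicon, and locations are scored so that the co-occurrence of
environmental (strategic) conditions and concrete (operational) observations
ranks higher than either tier alone.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Indicator lexicon: term -> (tier, indicator label). Constructed for this example.
INDICATORS = {
    "political instability": ("strategic", "unstable_politics"),
    "unemployment": ("strategic", "economic_pressure"),
    "low gdp": ("strategic", "economic_pressure"),
    "seizure": ("operational", "enforcement_event"),
    "underage workers": ("operational", "labour_exploitation"),
    "unpaid wages": ("operational", "labour_exploitation"),
    "forced labor": ("operational", "labour_exploitation"),
}


@dataclass
class Article:
    source: str
    location: str
    text: str


@dataclass
class LocationProfile:
    strategic: set = field(default_factory=set)
    operational: set = field(default_factory=set)
    evidence: list = field(default_factory=list)  # (source, matched term)

    @property
    def score(self) -> int:
        # Distinct indicator labels, doubled when both tiers are present.
        base = len(self.strategic) + len(self.operational)
        return base * 2 if self.strategic and self.operational else base


def extract_indicators(text: str):
    """Return (tier, label, term) for each lexicon term found in the text."""
    lowered = text.lower()
    found = []
    for term, (tier, label) in INDICATORS.items():
        if re.search(r"\b" + re.escape(term) + r"\b", lowered):
            found.append((tier, label, term))
    return found


def scan(articles):
    """Aggregate indicators per location, keeping the evidence trail."""
    profiles = defaultdict(LocationProfile)
    for art in articles:
        for tier, label, term in extract_indicators(art.text):
            prof = profiles[art.location]
            (prof.strategic if tier == "strategic" else prof.operational).add(label)
            prof.evidence.append((art.source, term))
    return dict(profiles)


def rank(profiles):
    """Locations ordered from most to least signal."""
    return sorted(profiles.items(), key=lambda kv: kv[1].score, reverse=True)


# Constructed sample articles (hypothetical sources and places).
SAMPLE = [
    Article("regional-news", "Townsville",
            "Rising unemployment and political instability reported in the province."),
    Article("regional-news", "Townsville",
            "Police seizure of documents at a farm; inspectors found underage workers."),
    Article("trade-paper", "Port City", "A seizure of counterfeit goods at the docks."),
    Article("city-desk", "Capital", "Low GDP growth forecast for the region."),
]

if __name__ == "__main__":
    for location, prof in rank(scan(SAMPLE)):
        print(location, prof.score, sorted(prof.strategic), sorted(prof.operational))
        for source, term in prof.evidence:
            print("   ", source, "->", term)
```

Townsville ranks first because it combines strategic conditions with an enforcement event and a labour-exploitation observation; the single-indicator locations score 1 each.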

Defining Cybercrime and Cyberterrorism

Near ubiquitous access to vast quantities of data, ideas, and research has made the Internet a vital source of information and a pervasive part of everyday life for individuals and organizations across the world. However, despite the wealth of opportunity and positive potential it offers, it also has a dark underbelly that presents individuals and criminal groups with new avenues for exploitation. A major and increasingly pertinent aspect of this “dark side” of the Internet is the growing threat of cybercrime and cyberterrorism, phrases that we are becoming more accustomed to hearing, with reported attacks becoming ever more frequent and severe in their impact. Cybercrime costs the global economy, its people, and businesses billions of dollars each year. With the impact and severity of these attacks becoming ever higher, the requirement for innovation in the field of cybersecurity has grown exponentially to aid in the mitigation of increased threat levels (Elis, 2014).
Attempts to reach a universally agreed definition for cybercrime have been met with considerable challenge (Brenner, 2004). Existing definitions range from those describing it as any crime facilitated through the use of a computer to those that are facilitated through the use of computer networks, with some reports prefixing any crime that involves the use of a computer in some capacity with “cyber.” The United Kingdom’s Home Office, in a report published in October 2013, defined two types of cybercrime, cyber-enabled crimes and cyber-dependent crimes. Cyber-enabled crimes such as fraud and theft can be committed without the use of Information & Communication Technology (ICT); however, the scale or reach of these crimes is increased by the use of computers, networks, and other forms of ICT. On the other hand, cyber-dependent crimes can only be committed using a computer, computer networks, or other forms of ICT (McGuire and Dowling, 2013). In the latter, the motivations are largely focused on personal profit or monetary gain or in a form of protest and/or criminal damage. In the United States, the US Federal Bureau of Investigation (FBI) uses the notion of “high-tech” crimes to encompass cyberterrorism, cyberespionage, computer intrusion, and cyberfraud (Federal Bureau of Investigation, 2014). In this chapter, a synthesis of these definitions will be used to describe what will be referred to as cybercrime.
The Internet provides a platform for attacks such as cybercrime, cyberterrorism, cyberwarfare, and hacktivism to grow. It is sometimes difficult to distinguish and draw a line between these concepts, because there are similarities and overlaps in the characteristics of the attacks, the motivations behind them, and the individuals and groups who initiate them. In this chapter, we aim to identify and categorize these motivations, briefly assessing other categories where there is an overlap, while discussing their implications for national security and the potential role of big data in combatting them.

Attack Classification and Parameters

In this section, attack characteristics, such as the types of cyberattack and the tools and techniques used to facilitate them, are outlined to aid in the identification of patterns and subsequently develop classification types for the motivations that underpin them. The concept of cybercrime carries a certain degree of contextual variety that subsequently contributes to its imprecision. The term has become synonymous with crime that takes place within “cyberspace,” i.e. on the Web, and the transformation of criminal behavior through the use of computer networks (Fafinski et al., 2010).
Cybercrime imposes what can be considered a key threat to national and economic security, a threat that continues to cost consumers and business billions of dollars annually (Finklea and Theohary, 2012). This threat increases the pressure on corporate and government computer networks and further undermines worldwide confidence in international financial systems. The threat that cyber-oriented attacks pose to national security is further compounded by the secrecy of institutions, such as those in the financial sector, which rarely disclose the fact that they have been subjected to or compromised by cyberattacks, often with either no or extremely limited public visibility, such as unexplained service or Website outages (Finkle and Henry, 2012). Despite institutions spending more than ever on securing their systems and data, the scale of criminal activity also appears to be growing, as transnational organized groups and even governments invest heavily in enhancing their cyber capability to realize financial gains and better inform their own intelligence efforts (The Economist, 2013).
When discussing nation states and governments, an additional dimension of cyber-related activity must be considered, that of cyberwarfare. The rise in prominence of cyberwarfare is typified by the US Air Force, which in 2006 adopted a new mission statement pledging to fight (and win) in “air, space, and cyberspace” (US Air Force, 2014). Cyberwarfare is the reapplication of cyberattacks for the purposes of espionage, sabotage, or to conduct attacks on a target’s strategic and tactical resources (Manoske, 2013). Nations have begun to use cyberattacks as an additional facet of their military armory, to achieve the same objectives as they would normally pursue through the use of military force: to achieve competitive advantage over rival nation states or to prevent rivals from achieving the same objectives (Brenner, 2007). Western governments and NATO are becoming increasingly aware of and concerned about growing international cyber threats originating from countries such as China, with attacks targeting key government and intelligence networks (Schneier, 2014). Cyberwarfare is acknowledged, alongside terrorism, to be one of the most serious national security threats facing western nations (Gercke, 2012).
As an additional facet of cybercrime, and more specifically the combative nature of cyberwarfare, it is possible to introduce the concept of cyberterrorism. After 9/11, the use of information technology by terrorists is increasingly being considered as part of an intensive discussion around the continued threat of international terrorism as a whole. Cyberterrorism has the potential to impact a range of critical national infrastructures (Jalil, 2003). However, it is also necessary to distinguish between cyberterrorism, that is, the direct use of cyber-related attacks to damage national infrastructures, and other terrorist uses of ICT, such as for propaganda, information/intelligence acquisition, planning and preparation of physical attacks, dissemination of radicalized material, communication, and financing (Gercke, 2012).
Cyberterrorists and criminals use computer technology in similar ways to the way in which more traditional weapons are used, with the aim of undermining citizens’ faith in their government’s ability to maintain the integrity of the systems, services, and infrastructure that make up the fabric of their everyday lives (Brenner, 2007). The evolution of terrorism into the virtual world has been foreseen since the 1980s, resulting in the formation of a dedicated definition of cyberterrorism as the use of network tools to shut down critical national infrastructure or to coerce or intimidate a government or civilian population (US Department of Justice, 2011).
The categories of cybercrime, cyberterrorism, and cyberwarfare can be used as holistic terms to classify the overarching reasons behind cyberattacks. However, within these terms, it is necessary to acknowledge a number of subcategories that can exist within them. One such category is that of cyberespionage. Cyberespionage is, in many ways, similar to traditional forms of espionage, i.e., the unauthorized access to confidential information by an individual or government. Espionage in this way can be undertaken for a variety of reasons, such as for intelligence-gathering purposes, financial gain, or a combination of the two (Finklea and Theohary, 2012). The United States in particular has acknowledged the growing threat of foreign economic, industrial, and military espionage to national security and to the continued prosperity of the affected nation (Council on Foreign Relations, 2014). The tools used to conduct cyberspying can be the same as those used to commit a host of disruptive or destructive acts ranging from online activism to criminal activity and conceivably even an act of war. Due to the politically sensitive nature of these types of attacks, concrete examples are few and far between, and instead it is necessary to rely on alleged actions as opposed to factual reports to demonstrate their existence. As a recent example, there have been a number of accusations from the United States and China in recent years regarding the alleged hacking of industrial secrets and intent to commit economic espionage on the part of the other (Kaiman, Tuesday, May 20, 2014).
A further subcategorization of cyber-related crime is that of “hacktivism.” Hacktivism is concerned with the hacking of computer systems and networks in social, political, and economic protest. However, the growing profile and significance of these attacks in recent years has turned them, in the eyes of some, from straddling the line between legitimate protest and basic criminal behavior into a legitimate threat to national security in the eyes of security professionals (Sterner, 2012). Perhaps the most contemporary example of a hacktivist group is Anonymous, a group of individuals that has become synonymous with numerous attacks over the last decade, designed around the defense of online freedom and Internet neutrality. These individuals are motivated by sociopolitical issues such as the promotion of access to information, free speech, and transparency (Australian National Computer Emergency Response Team, 2013; Lockley and Akhgar, 2014). As one example of an attack by Anonymous in support of their campaign for Internet neutrality, four individuals operating under the moniker “Operation Payback” carried out a number of distributed denial of service (DDoS) attacks on antipiracy organizations and banks that had withdrawn services from proprietors of the infamous WikiLeaks site (Addley and Halliday, Wednesday, December 8, 2010).

Who Perpetrates These Attacks?

As the previous section demonstrated, cyberattacks are undertaken to achieve a variety of underlying objectives, from those simply aiming to extort financial benefits to those seeking to protest perceived injustices or those acting on behalf of governments aiming to create competitive advantage over and gather intelligence on rival nations. To truly understand the core underlying motivations behind attacks, it is first necessary to profile those who perpetrate them.
One such taxonomical categorization of cyberattacks has identified what it refers to as “actors” (van Heerden et al., 2012). In this classification, the following were identified as potential originators of cyberattacks: commercial competitors, hackers, “script kiddies,” skilled hackers, insiders, admin insiders, normal insiders, organized crime groups, and protest groups. This classification adds value when considering the profile of the individuals and groups behind cyberattacks, for example by differentiating between insider and external attackers, protestors, criminals, and commercial competition. However, the following narrative deconstructs this classification further, to derive further insight into the underlying motivations that underpin cyberattacks.

Script Kiddies

Script kiddies, or “skiddies,” is a term used to describe groups of amateur hackers, often students with some, but limited knowledge of hacking who conduct attacks with the intention of impressing peers and gaining kudos among online enthusiast communities (Millar, Tuesday, June 5, 2001). There are a number of prominent examples of these types of attacks from over the last 20 years. Some of the most notable are the cases of Michael Calce, also known as “Mafiaboy,” a Canadian high school student who in 2000 was responsible for a number of DDoS attacks on websites such as Yahoo, eBay, and CNN. Another notable attack was that conducted by Jeffrey Lee Parson, an 18-year-old high school student from Minnesota, who was responsible for spreading a variant of the infamous “Blaster” worm. The program was part of a DDoS attack against computers using the Microsoft Windows operating system. He was sentenced to 18 months in prison in 2005 (NBC News, 2003). Denial of service or distributed denial of service attacks (DoS and DDoS) relate to the flooding of Internet servers with so many requests that they are unable to respond quickly enough. In both of these instances, Calce and Parson used their, at the time, limited knowledge to use existing tools written by others to carry out new attacks. Similarly, in both cases the individual showed an “extracurricular” interest in hacking, carrying out their attacks partly out of curiosity and partly to impress and gain the respect of their peers and members of online hacking communities.

Web Defacers

Another of the more specialized groups are web defacers, who, as their name suggests, set out with the intention of penetrating and changing the content displayed on Websites, often to relay political or protest messages against their targets. In one such example, hacking group Anonymous carried out a series of Website defacement attacks in the build up to the 2014 World Cup in Brazil. The attacks were carried out in protest against the alleged social injustices and uneven distribution of wealth in the nation that was causing civil unrest and public disorder events in the lead up to the tournament (Guerrini, 2014).

Hackers

As the most generic of the categories identified, “hackers” has become an umbrella term for those who commit cyber-related crimes that do not necessarily fit into one of the more specialized categories. Hackers generally fall within two categories: “white hat,” i.e., those who use their expertise to defend networks and systems, and “black hat,” those who set out with the objective to destroy or damage them. Increasingly, companies and security agencies are turning to black hat hackers, recruiting them to aid in enhancing their own cyber defense capability. George Hotz, or “GeoHot” as he is more commonly known within online communities, is one example of this. Hotz, the hacker responsible for exposing security flaws in both Sony’s Playstation and the Apple iPhone, was recruited by Google in 2014 to identify security flaws within their software (BBC News, Wednesday, July 16, 2014).

Pirates

Pirates are individuals or groups that unlawfully create and distribute copies of copyrighted materials, such as software, films, and music. Although the issue of digital piracy goes beyond that of cybercrime, pirates regularly circumvent and seek to find gaps in the security and encryption that protects copyrighted material to distribute and resell such content. DrinkOrDie is one of the most notable examples of a piracy group. Active throughout the 1990s, DrinkOrDie established significant online notoriety for using the Internet as a platform to illegally reproduce and distribute games, movies, and software. The group’s own code of practice prevented its members from seeking financial gain from the activities. Instead their aim was to compete with rival piracy groups and achieve recognition among enthusiast communities (Broadhurst et al., 2014).

Phone Phreakers

Phone phreaking is concerned with the hacking of telephone systems. The concept of phreaking originated in the 1950s in the United States, where “phone phreaks” decoded the tones used to route phone calls to avoid the tolling charges for making long distance calls (Rustad, 2001). However, phreaking is now commonly associated with phone hacking and the social engineering of telephone support lines to facilitate unauthorized access to information and other crimes. Matthew Weigman, an American with a heightened sense of hearing, is a well-known convicted phone hacker. Weigman used a combination of his ability to unscramble in-band phone signals and social engineering skills to make fraudulent SWAT calls and commit a range of other offenses, including gaining unauthorized access to information and cutting the lines of other telephone service subscribers (Schneier, 2009). Unlike Weigman, who does not admit to any malicious intention, the hacking network Anonymous is alleged to have unlawfully accessed and released a conference call between the FBI and the UK police, within which they discussed efforts against criminal hackers. The call covers the tracking of Anonymous and similar groups, dates of planned arrests, and details of evidence held (BBC News, Friday, February 3, 2012).
Assessing the types of attacks that are undertaken and the underlying reasons as to why they are carried out provides some initial elucidation as to the motivations behind cyberattacks and those who facilitate them. However, to develop a deeper understanding, it is first necessary to look into the types of tools used by these attacks, the characteristics of which provide further insights into the underlying motivations of attackers.

Tools Used to Facilitate Attacks

The individuals who conduct cyberattacks use a range of different tools to facilitate them, with each having differing potential impacts and characteristics. One such tool is malware, malicious software that interferes with a computer’s ability to operate correctly. Malware commonly deletes files or causes system crashes, but can also be used to steal users’ personal information. The concept of malware can be further subdivided into a number of other categories (McGuire and Dowling, 2013).
One such subcategory is viruses. Viruses can cause damage ranging from mild computer dysfunction to more severe effects that cause systems to become inoperable. Viruses install themselves onto the user’s hardware without consent and cause damage by self-replicating. In 2013, the Massachusetts State Police Department fell victim to what is known as a “ransomware” virus. In this instance, the software infected the target machine, demanding that the users pay a ransom using the online “Bitcoin” currency to have access to their machines restored (Winter, 2013).
Worms, similarly to viruses, also cause damage through self-replication; however, they differ in characteristics because they commonly spread and cause damage to networks rather than specific machines and do not need to latch on to existing pieces of software as viruses do. In 2010, the computer worm Stuxnet was discovered. Stuxnet was designed to attack industrial systems, such as those used to control machinery in factory assembly operations. The main victim of the attack in 2010 was Iran and in particular its nuclear enrichment facilities; speculation around the origin of the attack still continues to this day (Kushner, 2013). Like viruses, worms have the potential to have a range of differing impacts, from demanding and stealing money to rendering systems inoperable.
Trojans, as their name suggests, take a slightly different approach. These programs pose as legitimate pieces of software, which, once installed by the user, can be used to facilitate illegal access to the computer, and in turn used to steal information and disrupt the computer’s operations without the user’s knowledge or consent. Twenty-three-year-old Edward Pearson of York (UK) used variants of existing Trojan viruses to gain access to thousands of credit card details and the postcodes, passwords, names, and dates of birth of more than eight million people. In comments made after his arrest, Pearson was said to be motivated by his thirst for intellectual challenge (Leyden, 2012). These tools can also be used to create botnets on host computers. Botnets are clusters of computers infected by malicious software that are subsequently used to send out spam, phishing emails, or other malicious email traffic automatically and repeatedly to specified targets (McGuire and Dowling, 2013).
Alternatively, spyware, software that infects systems to facilitate the identification and extraction of personal information such as users’ login information, Internet habits, and payment information, is a further example of malware. Its activities are often carried out using key-logging software or through rerouting Web traffic from the user’s infected computer. Spyware is also often used by legitimate government agencies and law enforcement to intercept suspicious communications. Key-loggers in particular have been used in a number of cases by individuals to collect user information and bank account details.
An alternative approach, hacking, involves the unauthorized use of computers or network resources to exploit identified security vulnerabilities in networks, which can be used to gather personal data/information, to deface websites, or as part of DDoS attacks.
As an example, hacking group Anonymous, through a series of DDoS and Website defacement attacks, protested social injustices surrounding the 2014 World Cup in Brazil, most notably the allegations of corruption in the Brazilian government and the tournament’s organizing body, FIFA (Guerrini, 2014). In this particular instance, the hackers targeted the Brazilian Federal Police in an attempt to draw attention to the political and social issues surrounding the tournament.
In a less direct approach, a tactic referred to as “social engineering” has been used by hackers to gain access to individuals’ user accounts, billing information, and other personal data. The case of technology journalist Mat Honan in 2012 demonstrated how, using only two key pieces of information, his email address and billing address, hackers were able to bypass the usual password authentication and encryption mechanisms that are used to protect data online. Using the data identified, hackers contacted and manipulated the telephone customer service systems of Apple and Amazon and used them to recover and reset the passwords on the respective accounts (Honan, 2012). Although unconfirmed, a similar approach is suspected to have been used to access and steal private images from a number of high-profile celebrities in 2014, images that were subsequently released online (Profis, 2014).
Phishing attacks, often facilitated using spam email, present a further threat to cybersecurity. Phishing emails have often been used by criminals attempting to steal banking information and login information and to fraudulently generate funds. Phishing emails are commonly sent in bulk to unsuspecting recipients, often posing as official communications from reputable companies asking users to follow web links to enter their login credentials and banking information. In 2010, in the aftermath of the Haiti earthquake, criminals attempted to cash in on sympathizers by seeking funds for bogus charities by sending thousands of emails. Attackers created a webpage asking users to make donations and subsequently used the financial and personal information provided to carry out fraudulent transactions (BBC News, Tuesday, February 16, 2010).

Motivations

The distinction between cyber-based malicious acts and crimes such as fraud, espionage, and theft is the attackers’ motivation, a characteristic that subsequently influences their goals and objectives. But attribution has always been difficult. Where we think behavior may have come from may not be where it actually originated. It is for these reasons that the development of a taxonomy to align and categorize the motivations behind cyberattacks truly demonstrates its value. The motivations behind rule-breaking have not changed significantly, despite the rapid evolution and revolution in the ways in which it can be facilitated, because they arise from the very essence of human nature (Smith et al., 2011). Criminals may be motivated by passion, greed, revenge, curiosity, need, or abnormal perceptions of themselves or society. Some simply enjoy the challenge of offending and not being caught, whereas sometimes rules are broken just because they are not appropriate to the people, the place, or the time they are intended to protect.
To take a holistic view of cybercrime motivations, it is important to duly consider the various facets that may contribute to the underlying notion of motivation. Therefore, although personal and emotional motivations can play a crucial role, political, economic, and social tensions, turbulence, and ideological trends can also drive criminals’ desire to commit cybercrime. Recent political pressures within the Korean peninsula, for example, may constitute key drivers for cyber-related attacks, motivations that go well beyond raw human emotion such as hate or the desire to challenge oneself or gain individual recognition within a specific community. Existing taxonomies (van Heerden et al., 2012) have identified the desire for financial gain, personal challenge, protest, spying, and nonfinancially motivated criminal activities as key reasons behind cyberattacks. Within these motivations, it is possible to derive that attacks can be political, financial, or driven by the desire for personal gratification (Fleishman, 2014). This variation may be related to differences in the targets of the attacks. Whether they target individuals, organizations, businesses, governments, or entire nations, the motivations can differ drastically from one to the next. According to the Australian Computer Emergency Response Team (CERT), the motivations or attack reasoning exhibited by organizations include commercial advantage, malicious damage, using the system for further attacks, personal grievance, hacktivism, negligence, illicit financial gain, and random or indiscriminate motive. The majority, if not all, of these motivations can be attributed back to the organizations seeking commercial or competitive advantage, with attacks commonly taking the form of information or intellectual property theft (CERT, 2013).
Cyberattacks, such as those exemplified here, have increasing potential to cause issues of national security, as cyberspace continues to form an important domain that underpins the complex systems that are used in commerce, the provision of critical infrastructure services such as power and water, and the protection of the state through the military and policing services. The growing role of cyberspace serves to amplify the potential impact of cyberattacks and consequently the ability of organizations and nations to function effectively in the aftermath of a serious attack (McGuire and Dowling, 2013).
Further classifications (see Kilger et al., 2004) have focused on the underlying motivations of cyberattackers, identifying causes such as seeking money, entertainment, entry to social cliques, and status, while others have focused more on emotionally aligned classifications identifying curiosity, boredom, power, recognition, and politics. Of course, there is a clear overlap between psychology and motivation, a link that has been acknowledged, with links established between conditions such as compulsive disorder, narcissism, antisocial personality disorder, Asperger syndrome, and addiction in some instances of cybercrime-related activity (Campbell and Kennedy, 2009). However, these classifications also highlight the deviation between highly personal motives and those of a more commercial nature. For example, those acting on behalf of a nation state may not have any personal motivation for perpetrating an attack and instead may be acting in the interest of a government—and are likely to be politically motivated. For example, in October 2010, an attack was discovered on the NASDAQ stock exchange in New York; the reported cause was alleged to have been a military attack by the Russian government with the aim of collecting intelligence on the NASDAQ exchange systems for use within their own Micex and RTS exchanges (Bender and Kelley, 2014).

Attack Motivations Taxonomy

Existing classifications have focused mainly on attack characteristics and methods, neglecting to consider the true motivations and human elements that underpin them. The taxonomy proposed here combines and considers both the human and corporate motivations behind attacks. Human motivations are often more difficult to assess, because they tend to be personal to the attackers themselves by their very definition. For the purposes of the taxonomy, these motivations are grouped under financial, political, personal, and emotional (Dittrich and Himma, 2005), as demonstrated in Figure 8.2. This taxonomy takes influence from the existing works cited previously, combined with primary analysis of more than 300 separate cyberattacks.
The proposed taxonomy divides attack motivations into eight categories.

Political

Political motives refer to those of a corporate nature and can be linked to countering governmental policies or actions such as sabotage, espionage, and propaganda (Lockley and Akhgar, 2014). A prominent example of politically motivated attacks is those that were carried out against Iranian nuclear facilities in 2010. Nicknamed the “Stuxnet” worm, the attacks are widely reported to have been perpetrated by the US and Israeli governments over growing concerns regarding the development of nuclear weapons in the region (Beaumont and Hopkins, 2012). In contrast to the majority of indiscriminate cybercrime threats on the Internet, these attacks were aimed at specific targets, with no obvious financial motivation behind them; the aim instead being to sabotage systems. Concrete examples of politically motivated attacks are hard to come by, as the responsible nations and groups go to great lengths to conceal their activities. This is due to the potential ramifications of such attacks, including increased international tensions, and the threat of counter-attacks that may occur as a result of being explicitly identified. As a result, many of the attributions to organizations and nations given as examples here rest on media speculation rather than concrete evidence, and thus should not be assumed to be factual records of the events in question.
Politically motivated attacks form a significant threat to national security, as cyber becomes an increasingly prominent facet of international intelligence and espionage activities. The Sri Lankan guerrilla group the Tamil Tigers was one of the first terrorist organizations to use cyberattacks to disrupt government communications. In 1998, the Tamil Tigers organized spam attacks flooding Sri Lankan embassies across the globe to disrupt government communications systems (Lockley and Akhgar, 2014).
Figure 8.2 Cybercrime motivations taxonomy.

Ideological

Although potentially similar to the political motivations described previously in relation to the acts of nation states, governments, and terrorist groups, it is possible to differentiate between them and the ideological motivations of individuals. These ideological motivations can consist of protest and opposition, and religious beliefs. As one example, Mitchell Frost, a 19-year-old college student at the University of Akron, used the school’s computer network to control the botnets he had created, targeting conservative Websites supporting the Giuliani election campaign (Brenner, 2012; Dittrich, 2009). Although in this instance the attacks did not seem to pose any direct threat to national security, it serves to demonstrate how individual disillusionment combined with technical capability can create a fertile environment for fairly serious cyberattacks. However, a number of attacks on Russian websites in response to the political crisis in Ukraine show how the acts of individuals can escalate in protest against ideological enemies and subsequently threaten critical infrastructure, with such ideologically motivated attacks conducted with the goal of impacting national security (Bender and Kelley, 2014).
This networked world of increasingly interconnected states provides a breeding ground for the varied spread of conflicting individual and collective values. Such an environment can result in ideological threats such as that posed by terrorism. A leading threat for British and US national security is that of Al Qaeda, the group believed to be responsible for the September 11 attacks in New York and Virginia and the 7/7 bombings on the London public transportation network (HM Government, 2010).

Commercial

Commercial hacking is another form of motivation that can underpin a wide range of cyberattacks. Commercially motivated attacks are those conducted with the aim of achieving some form of competitive advantage over commercial rivals. These types of attacks can potentially exhibit some overlap with those of a political nature, as demonstrated by the alleged state-organized attacks by US and Chinese government agencies, each state accusing the other of hacking into industrial systems to steal trade secrets that could potentially aid and enhance the capability of competitors (US Department of Justice, 2014). Due to this cross-pollination between the impacts of commercially and politically motivated attacks, distinguishing the boundary around each may be difficult. Despite this, these types of attacks also establish the potential of commercially motivated attacks to impact national security, due to the inherent ability of confidential intellectual property to expose vulnerabilities in critical infrastructures.

Emotional

On other occasions, motivations may be more purely emotionally oriented, with feelings such as boredom or the desire for revenge playing a key role in reasons as to why individuals and groups commit cyberattacks. As with each of the classifications identified here, there is potential for overlap between categories, i.e., attacks that initially appear to be emotionally motivated may also be aligned with ideological or political motives. An example is the protests against an FBI seizure of virtual cash on the notorious deep Website “Silk Road,” an online marketplace for the trade of illicit goods. In response to the seizure, enraged users and pro-drug protestors vowed to carry out a series of attacks on the FBI personnel responsible for the site shutdown (Hamill, 2013).
In a broader sense, gaining an understanding of the emotions and psychology of attackers can aid in predicting, and subsequently preventing, acts of hostility and violence. Emotional motivations are an essential means for understanding individual and group behavior. Videos, writings, and recordings of attackers such as Virginia Tech shooter Cho Seung Hui, as well as more historical figures (e.g., Hitler), have demonstrated how groups and individuals can be motivated and incited to act violently or commit crimes due to flared emotions (Matsumoto et al., 2012).

Informational/Promotional

Informational and promotional motivations are those which culminate in the desire to disseminate information to increase public awareness of a particular issue or event. There is significant overlap between attacks of this kind and those underpinned by ideological or political motives, as information is regularly disseminated or released in order to enhance or advance an individual’s political or ideological agenda. An example is the case of Chelsea Manning (formerly known as Bradley Manning), the US military analyst responsible for leaking classified military information to the WikiLeaks site (Sanchez, 2013). Edward Snowden is wanted by the US authorities for committing similar violations of the Espionage Act in a whistle-blowing incident trying to expose the (allegedly) unethical practices of US and UK intelligence agencies, in specific regard to classified operations facilitating the unlawful surveillance of citizens (Greenwald et al., 2013).

Financial

Motivations for cyber-dependent crimes tend to focus largely on financial gain. Such attacks may often involve fraud and identity theft. Unlike the other motivations identified, financially motivated attacks are often more easily identifiable in terms of the underlying motive behind them. As an example, in 2014 Russian hacker Evgeniy Bogachev was charged with conspiracy, bank and computer fraud, and money laundering. Bogachev and the organized crime group to which he belonged were responsible for hacking into financial institutions to access account information. These details were then ultimately used to withdraw millions of dollars from a number of the eight million accounts from which they are alleged to have stolen details in the period between January and August 2012. Similar attacks have been reported across global banking systems in recent years, with cyberattacks forming a considerable threat to financial institutions across the globe (Lockley and Akhgar, 2014). The significance and assumed risk of cyberattacks on the financial sector are further increased as the nature and impact of attacks are rarely reported by institutions, to avoid causing damage to the company’s image and public backlash. This lack of disclosure has the potential to threaten the integrity of the sector as a whole while simultaneously impacting national security (McGuire and Dowling, 2013).
The rise of global financial markets has significantly increased the threat of money laundering, enabling funds to be transferred and deposited around the globe with ease. International crime agencies report that this issue costs the global economy anywhere from $500 billion to $1 trillion per year, a problem that has been exacerbated by use of the Internet as a means of money transmission for criminal and terrorist groups (Kellermann, 2004).

Personal

Personal motivations are those associated with individuals’ or groups’ desire to prove themselves. Such motivations are often fuelled by the aspiration to be recognized among peers, to prove intellectual and technical capability, or to establish an online reputation. These individuals often spend years among peers trying to establish themselves within online hacking communities. The desire for personal recognition is often combined with other motives, such as the ideologies or objectives of the communities to which they belong. In 2013, hacktivist group LulzSec initiated a cyberattack on the Website of the US Central Intelligence Agency to try to establish a reputation as a group that should be taken seriously among online peers and rival hacking groups (Broadhurst et al., 2014). In another instance, Canadian student Michael Calce carried out a number of DDoS attacks on corporations including Yahoo, eBay, and Amazon in 2000.
Personal motives for cybercrime can be self-amusement, self-actualization, intellectual challenge, the need to prove oneself, the need to prove technical proficiency, recognition, a call for attention, status, and curiosity. When questioned on his motives, Calce cited the desire to establish “dominance” for his hacking group, TNT, among competitor groups, but also curiosity as to whether or not the attacks were actually possible (Calce and Silverman, 2011).

Exploitation

This category contains attacks and attackers motivated by their desire to exploit other individuals, such as to bully, humiliate, or harass others. The threat of these attacks to national security is comparatively minimal when compared to some of the other categories identified. Past examples of such attacks have ranged from the theft and subsequent public release of private photographs and videos of celebrities and other public figures, such as those released in September 2014 (Steinberg, Sunday, August 31, 2014), to the images released by Tyler Schrier, who stole naked photos from the email accounts of male professional poker players to extort them for hundreds of thousands of dollars, to the case of 14 men operating a secret, members-only child pornography Website that involved 251 children, mostly boys, across five countries (Federal Bureau of Investigation, 2013). Similarly to the other motivations, extortionists often have other motivations, such as those of a personal nature, to establish a reputation online, or to extort others for financial gain.

Detecting Motivations in Open-Source Information

As discussed previously, LEAs have taken to using big data derived from open sources to enhance their decision-making capability. However, the nuances of cybercrime and cyberterrorism require their own considerations to make use of this vast pool of information more effectively. One such approach involves the potential application of sentiment analysis, a text mining approach concerned with the identification of opinions and emotions through the linguistic analysis of textual data.
Sentiment analysis has been widely adopted in marketing practices to assess customers’ affinity and feelings toward particular brands, products, and companies (Kasper and Vela, 2011) to support a number of business functions and ultimately provide another stream of data that can be used to enhance decision-making capability (Cambria et al., 2013). In other instances, it has been applied to predict polling results during political elections through gauging positivity and negativity toward the various candidates (O’Connor et al., 2010). The diversification demonstrated in the application of sentiment analysis in part stems from the rise and near ubiquitous adoption of social media. More recently, research efforts have focused on the development of approaches to use such techniques within differing contexts, dealing with the varying contextual nuance that comes with them. Such examples include the monitoring of public sentiment to establish national and regional “moods” through social media, enabling the identification of swings in public sentiment that may indicate friction in particular areas that could lead to social disorder, such as that which resulted in the London riots in 2011 (Sykora et al., 2013). Further, efforts have also been made to use sentiment mining within the context of national security. For instance, the EU FP7-funded project ePOOLICE, as one aspect of its environmental scanning toolset, aims to use sentiment mining to visualize sentiment in relation to organized crime threats (ePOOLICE, 2013).
Social media has also been identified as a platform that is being used to radicalize individuals, used by terrorist groups to spread propaganda and promote extremist ideologies, and used for organizing criminal activity (Yang and Ng, 2007). In response, projects led by LEAs have sought to identify means to use social media in more unconventional ways, which do not directly use computational and analytical tools. One such approach has aimed to use social media as a platform for credible voices within communities: to provide access to moderate messages in an attempt to stem the spread of extremist rhetoric online and particularly in social media, to provide support to vulnerable individuals and communities, and to provide access to relevant, up-to-date, and factual information in response to news and events that attract those with tendencies to spread extreme views (Staniforth and Nitsch, 2014). Reintroducing the notion of big data and the concept of cybercrime presents the opportunity for the application of sentiment analysis in detecting and analyzing motives and intentions to commit cyberattacks.
Furthermore, the use of big and open-source data opens up a huge debate from an ethical and legal standpoint (see Chapters 15 and 16), an issue that is only reinforced when considering the allegations that have surrounded Western intelligence agencies in recent years regarding the unlawful surveillance of citizens and the alleged illegal acquisition of personal data. This is, of course, an extremely complex and sensitive discussion, and it is beyond the scope of this particular chapter to present and analyze the various facets of this debate. However, it is important to ensure that this discussion takes place to restore and maintain public faith and confidence in intelligence agencies and the activities that they undertake (Greitzer et al., 2011).
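As an added illustration of the sentiment-mining approach described above (example code written for this discussion, not code from the chapter, from ePOOLICE, or from any project cited), the following shows a lexicon-based sentiment scorer with negation and intensifier handling, a tagger that maps indicator terms onto the chapter's eight motivation categories, and a detector that flags a sudden negative swing in sentiment across a sequence of posts. The polarity lexicon, indicator terms, thresholds, and posts are all constructed and hypothetical.

```python
"""Lexicon-based sentiment scoring and motive tagging over social-media posts.

Added example for this discussion, not code from the chapter, ePOOLICE or any
cited project; the lexicon, indicator terms, thresholds and posts are constructed.
"""
import re

# Hypothetical polarity lexicon: word -> score in [-1, 1].
POLARITY = {
    "angry": -0.8, "furious": -1.0, "hate": -0.9, "enraged": -1.0,
    "revenge": -0.7, "unfair": -0.6, "corrupt": -0.7, "disgusting": -0.8,
    "great": 0.7, "love": 0.8, "proud": 0.6, "thanks": 0.5, "happy": 0.7,
}
NEGATORS = {"not", "no", "never", "n't"}
INTENSIFIERS = {"very": 1.5, "so": 1.3, "really": 1.4, "extremely": 1.8}

# Hypothetical indicator terms for the chapter's eight motivation categories.
MOTIVE_TERMS = {
    "political": {"government", "regime", "ministry", "election", "police"},
    "ideological": {"protest", "injustice", "cause", "believers"},
    "commercial": {"competitor", "rival", "secrets", "contract"},
    "emotional": {"revenge", "bored", "enraged", "payback"},
    "informational": {"leak", "expose", "publish", "awareness"},
    "financial": {"money", "bitcoin", "accounts", "cash", "payout"},
    "personal": {"respect", "reputation", "skills", "prove", "dominance"},
    "exploitation": {"humiliate", "harass", "extort", "blackmail"},
}


def tokenize(text):
    """Lower-case word tokens; contractions such as "don't" yield a "n't" token."""
    return re.findall(r"n't|[a-z]+", text.lower().replace("n't", " n't"))


def sentiment_score(text):
    """Mean polarity of lexicon hits in [-1, 1]: a negator within the three
    preceding tokens flips the sign; an intensifier there scales the magnitude."""
    tokens = tokenize(text)
    scores = []
    for i, tok in enumerate(tokens):
        if tok not in POLARITY:
            continue
        score = POLARITY[tok]
        window = tokens[max(0, i - 3):i]
        if any(w in NEGATORS for w in window):
            score = -score
        for w in window:
            score *= INTENSIFIERS.get(w, 1.0)
        scores.append(max(-1.0, min(1.0, score)))
    return round(sum(scores) / len(scores), 3) if scores else 0.0


def motive_tags(text):
    """Taxonomy categories whose indicator terms occur in the text, most hits first."""
    tokens = set(tokenize(text))
    hits = {cat: len(terms & tokens) for cat, terms in MOTIVE_TERMS.items()}
    return [cat for cat, n in sorted(hits.items(), key=lambda kv: -kv[1]) if n]


def detect_swings(posts, window=3, threshold=0.5):
    """Indices of posts whose score falls more than `threshold` below the mean
    score of the preceding `window` posts, i.e. a sudden negative swing."""
    scores = [sentiment_score(p) for p in posts]
    flagged = []
    for i in range(1, len(scores)):
        prev = scores[max(0, i - window):i]
        if sum(prev) / len(prev) - scores[i] > threshold:
            flagged.append(i)
    return flagged


# Constructed posts: a positive stretch followed by a hostile turn.
POSTS = [
    "Great match today, so proud of the team!",
    "Love the atmosphere in the city, thanks to the volunteers",
    "Happy with the new stadium, really great",
    "The government is corrupt and the tournament money is disgusting",
    "Furious at the ministry, this is unfair, we will protest",
    "Enraged. Payback time for the federal police, we want revenge",
]
```

A real deployment would replace the hand-built lexicon with a trained classifier and a far larger vocabulary; the point here is the shape of the pipeline (score, tag against the taxonomy, watch for swings), not the particular words.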

Conclusion

This chapter has provided an overview of the growing threat of cybercrime, considering its role and potential impact on businesses, organizations, nations, and wider society. It is clear that cybercrime, cyberterrorism, and cyberwarfare pose a significant threat to national security, with the role of big data analytics and text mining set to form a key component of the armory of LEAs in combatting and responding to them. As one facet of this, the taxonomy presented here assesses the motivations of attackers, from those attempting to instill political change through online activism to those merely attempting to gain kudos among their peers, providing a foundation for further research into the use of text mining and sentiment analysis tools in detecting motives, tensions, and indicators in unstructured, disparate data.