Meet the Sicilian Mafia expert who delivered the Cyber Security Policy for the WA government
Roberto Musotto also explains how Aristotle helped him understand the economics of online crime.
Roberto Musotto first became passionate about understanding organised crime while working on cases involving the Sicilian Mafia. In early 2019, he found himself in Perth, where he would apply his knowledge at the Office of Digital Government to help protect the WA public sector.
Ahead of his presentation at Legal Innovation Tech Fest, this native Sicilian spoke to us about the differences between the mafia and online criminals and the biggest cyber threats today.
How do organised crime organisations and terror networks use cyber threats to exploit weakness?
They do it in many ways. When you look at the current threat scenario, there is a lot of confusion between the two, but the main difference is that terror organisations use the internet to promote themselves – show off and glorify what they do to attract participants – and less to launch attacks, while criminal organisations mostly exploit internet data to monetise and organise.
It is one of the areas of my research I found quite fascinating because it is not just about the organisation of the crime, it is also about organising criminals. For example, for hate crimes, using online forums, many ‘lone wolves’ manage to get together and organise their thoughts into action.
Does this mean that terror networks seek to recruit people that are ‘techy’?
No. Some criminal groups just need eyes on the screen to launch attacks, so they do not have to understand how everything works to use cybercrime software. There was an example a few years ago where a group was selling software that would stop websites from working. Some members had no idea at first how to launch these attacks or how to code, but they were able to with basic instructions.
You have written a PhD thesis on the economics of organised crime. Where did your interest in this subject originate?
When I started out as a lawyer in Sicily, I wanted to be a corporate lawyer, but there was not much work around in that area, while there is a huge demand for criminal barristers. I began counselling on some of the trials surrounding the Sicilian Mafia, which gave me the research idea for my thesis. My research looks at how we think about organised crime. While traditional structures of groups like the mafia are understood – and they work well for law enforcement agencies and barristers – when you translate that to an online context, it does not really work that well.
I started wondering why, and it forced me to go all the way back to some very old Greek philosophers like Aristotle, but also Kant and Weber, to try to find out perhaps how we could think about criminal organisations online. To sum up my research in just a sentence, it is that we, as humans, love categories – we try to put everything in a box – but, especially in the online crime context, it is not useful to apply traditional categorisations. So, rather than think about these online groups like we would with Cosa Nostra, instead we need to think of them as we would with online retailers like Amazon trying to attract clients and build up their criminal business.
It is a subject you seem very passionate about. Are you able to leverage it in your current work in Australia?
I am very passionate about this research. I have been trying to use it in my work at the Office of Digital Government in Western Australia to develop some practical policies that can counteract those activities.
Can you tell us about the Cyber Security Policy you worked on for the public sector in WA?
It came about because Western Australia was lagging a little behind compared to the Eastern states regarding cyber security posture and how the public sector thinks about and reacts to cyber security.
To create safer environments, first it was necessary to understand why we want to do it and what we want to achieve. We needed to have a conversation about the different risks of each agency. With so many agencies, we decided to go with quite an abstract cyber security policy document that was designed to force each agency to think about their risks and be comfortable with the level of protection against those risks.
What would you consider the biggest cyber threats to the public sector?
The type of threats that will keep us up at night include denial of service, and – as is happening in Ukraine – there is a big concern for wiper malware. Different to ransomware designed to extract money from an organisation, the purpose of wipers is to erase. So, imagine if an agency’s entire registry was wiped without a backup, it would destabilise the entire democracy of that site.
Discover how this can be applied to your organisation during Roberto’s presentation on How to Write a Cyber Security Policy for Your Business – including the different concerns of private vs public sector organisations – at Legal Innovation & Tech Fest.