cybercrime and cybersecurity issues in the developing pacific

PTC’12 ProceedingsThere are also instances in which DPIEs are used by international cybercriminals tolaunder cybercrime proceeds. In one such example, cybercriminals stole more than$685,000 from the superannuation fund of 121 individuals in Australia. The fund wastransferred to the Philippines and some DPIEs using low-value international fundstransfers (Fife-Yeomans, 2011). In another case, cyber Crime Investigations Unit of Fijipolice reported that three people in Fiji were working in partnership with foreignnationals to launder money by using Fiji as a transit point (Scheiche, 2011). The Fijiresidents were recruited through popular social networking sites.3. A FRAMEWORK FOR EXPLAINING CYBERCRIMES ASSOCIATED WITH DPIES3.1. INSTITUTIONS RELATED TO CYBERCRIMES IN DPIESThe nature of activities of cyber-criminals fits squarely with what Baumol (1990) callsdestructive entrepreneurship. Baumol (1990) hypothesized that the distribution ofproductive, unproductive, and destructive entrepreneurs in a society is a function of the“relative payoffs” offered to these activities by the society’s “rules of the game”. Theserules are also referred as formal and informal institutions, which embed economicactivities and actors (Granovetter, 1985; North, 1990; Parto, 2005). These institutions inthe context of DPIEs’ cybercrime landscape are discussed below.3.1.2. Formal institutionsDPIEs are characterized by weak formal institutions against cybercrimes. They lagbehind the curve in enacting and enforcing cybercrime related regulative laws and havevery little legislation specific to cybercrime and cyber-security (Ahmadu, 2006; Angelo,2009). In many DPIEs, hacking someone’s computer over a network connection is notyet considered as a crime. The most often cited case was that of an expatriate in 2008,who went to Fiji and engaged in a number of cybercrime activities with impunity. Heaccessed local firms’ networks in an unauthorized manner (Tabureguci, 2010).While some have enacted cybercrime laws, they have little capacity to enforce them.According to the Pacific Islands computer crime & security survey in 2008, perpetratorswere charged with an offence only in 5% of the reported cases. Factors such asinadequate legislation, insufficient evidence and international jurisdictional issues wereamong the most critical barriers to act on the reported cases (Phair, 2008). SiaosiSovaleni, a manager at the ICT Outreach Program of Secretariat of the PacificCommunity (SPC) under the Economic Development Division recently put the issue thisway: “Measures include criminal law and criminal justice action. Currently, most islandstates of the Pacific region are not sufficiently equipped to protect their societies againstcybercrime through criminal law, nor are they are in a position to engage in efficientinternational cooperation in this respect" (MIC, 2011).3.1.2. INFORMAL INSTITUTIONSThere has been a low level of awareness among governments, businesses andconsumers about cybercrimes and protection measures. One expert noted: “It(awareness) is still pretty low, as most enforcing agencies and legal agencies are notPage 6 of 21

PTC’12 Proceedingsaware of the issues, let alone have the tools to fight” (Tabureguci, 2009). In general,proportionally less cybercrime activities are reported than conventional crimes.According to the Pacific Islands computer crime & security survey conducted in 2008,only 20% respondents reported cybercrime incidents to law enforcement agencies(Phair, 2008).Industry and trade/professional associationsVarious professional and trade associations as well as non-governmental organizationsin DPIEs, which can be considered as informal institutions, are constantly emerging andinfluencing organizations and individual behaviors in new ways as a result of theirexpertise and interests in this issue. For instance, the non-profit organization, PacificIslands Telecommunications Association (PITA) has made efforts to provide ICT andsecurity awareness trainings to its members (AusCERT, 2008). Likewise, the PacificInternet Society (PICISOC) is concerned with what it believes is the lack of awarenessin the Pacific region of identity theft (Tabureguci, 2009). In an attempt to create cybersecurityawareness, PICISOC is working on Internet Trust and Identity. An ad hoc groupmeets regularly to exchange cyber security information. PICISOC members alsocreated an Advisory on 'Identity Theft' attacks(http://www.miniwiki.org/wiki/index.php?wiki=_content.www.picisoc.org%2Fphishing).Likewise, in April 2011, SPC teamed up with the Australian Government, the Council ofEurope and the Government of Tonga to organize a cybercrime workshop.3.2. EXTERNALITY MECHANISMS ASSOCIATED WITH CYBERCRIMEAccording to Demsetz, “[e]very cost and benefit associated with socialinterdependencies is a potential externality” (1967, 348). Put differently, economicactors with interdependent relations jointly produce an externality and whether it ispositive or negative is a function of how it is produced and who produces it (Frischmann& Lemley, 2007). To put things in context, DPIEs and the world economy mayexperience various types of externalities as a result of a unique combination ofeconomic, socio-political and cognitive feedbacks. Table 2 presents the nature offeedback systems in DPIEs that generate externalities via various mechanisms.3.2.1. FEEDBACK SYSTEMSEconomic feedbacksA central feature of the Internet economy is a near zero transaction cost. AmongDPIEs, Niue began offering .nu domains for free in 1997. Tokelau domain names arealso free. Tokelau sold its .tk domain name to the Dutch company, BV Dot TK, whichprovided the island with free high speed broadband and royalties from the domain salesis estimated to be "a few thousand dollars" each year (Pauli, 2011). Thus an appealingcombination for a cybercriminal is to combine the low transaction costs of with low“production” costs due to free domains. Moreover, Niue allows anonymous domainregistration (Lincoln, 2007). Cybercrime associated with anonymous domains are lowrisk.Overall, cybercrimes’ significant financial benefits, low costs (free domain names) alow probability of being caught and prosecuted (due to inter alia anonymous domainnames and weak laws and enforcement mechanisms) give them a high positivePage 7 of 21

PTC’12 Proceedingseconomic feedback (Becker, 1995; Kshetri, 2006). Free domain names have a magneticattraction for cybercriminals. Thanks to free domain names, .tk has become the thirdlargest country code top-level domain only behind .de (Germany) and .uk (the U.K.)(The Sydney Morning Herald, 2011). As of the mid-2011, Tokelau had more than 4million registered domains for a population of 1400 residents (Pauli, 2011).Sociopolitical feedbacksSociopolitical feedbacks are related to formal and informal institutions (North, 1990;Scott, 2001). Due to increasingly transnational and international nature, cybercrimesbenefit from jurisdictional arbitrage. Organized cybercrimes are initiated from countrieswith few or no laws and little enforcement capacity.While the virtual world of DPIEs’ has globalized rapidly, these economies’ integrationwith the outside world is limited. For instance, Vanuatu is not a member of the worldtrade organization (WTO) and the country is not obligated to comply with the Agreementon Trade Related Aspects of Intellectual Property Rights (TRIPS). While many forms ofcybercrimes are associated with and facilitated by infringements of intellectual propertyrights (IPR), Vanuatu has no IPR enforcement mechanisms.Some DPIEs’ jurisdictions offer attractive risk/reward profiles for locating firms engagedin or facilitating cybercrime activities. Among the six countries blacklisted by theOrganization for Economic Cooperation and Development in April 2002, three wereDPIEs: the Marshall Islands, Nauru and Vanuatu (Olson, 2002). An example of illegaland extra-legal firms using jurisdictional arbitrage to evade laws is Kazaa, the popularfile-sharing service, which made money principally by bundling its clients with adwareand spyware. Embroiled in legal difficulties, in the U.S. and in Europe, it was sold toSharman Networks for $500,000 in January 2002 (Vitzthum & Konsynski, 2009).Sharman Networks was incorporated in Vanuatu but the identities of the real owner andoperator of Kazaa were hidden in a maze of corporate entities. Vanuatu has absoluterespect for the secrecy of companies and such information is legally protected fromdisclosure in the country. Vanuatu is considered as a tax haven as it does not levyincome tax, and has no tax treaties with other countries (Healey, 2002). The countryimposes prison terms to any party disclosing financial information (Sharman, 2010).This means that Kazaa also avoided paying taxes on its advertising revenue, which wasestimated as $60 million a year (Sharman, 2010). A related point is that Vanuatu andother DPIEs’ are less likely to receive help from law enforcement agencies of wealthierneighbors due to their alienation from the latter. In addition, most DPIEs have noextradition treaties with most of the world economies, which makes them ideal places tocommit cybercrimes targeting victims all over the world as (Tabureguci, 2010).Institutional development in DPIEs is taking place more slowly. Cybercrimes’ newnesspresents challenges to the court systems in DPIEs 3 . Also explaining cybercrimes tojudges is a difficult task in these economies. This problem is further compounded by thefact that there are traditional types of court systems operating at the village level suchas Tikina Courts in Fiji or local customary courts known as Island Courts in Vanuatu(UN, 2004). As to the informal institutions, the level of stigmatization of cybercriminalshas not been so great in DPIEsPage 8 of 21

PTC’12 ProceedingsCognitive feedbacksThe cognitive feedback loops are associated with cognitive programs that are built onthe mental maps of individuals engaged in cybercrime activities and thus functionprimarily at the individual level. Factors such as the novelty of the technology, a lack ofpreviously developed mechanisms and established codes, policies, and procedures;and non-existence of an easily identifiable victims are likely to lead to much less incybercrimes guilt compared to conventional crimes.The cyberspace provides a variety of opportunities to commit crimes. Like the rest of theworld, pervasiveness and ease of use of tools such as social media and instantmessaging have led to an increase in peer-to-peer harassment and cyberbullying inDPIEs. In August 2011, two Facebook groups (anti Labasa club' and anti-Suva') in Fijiwere found to make derogatory, defamatory, discriminatory and offensive commentsabout residents of Suva and Labasa districts. Most of the offenders in the acts werebelieved to be high school students (radiofiji.com.fj, 2011).3.2.2. EXTERNALITY MECHANISMSInefficiency and congestion in the law-enforcement systemLaw-enforcement systems in DPIEs are characterized by congestion and inefficiencydue to, inter alia, the lack of law enforcement resources, scale of crimes, newness ofcybercrimes, a low-governmental priority, a lack of cross-border and industry–government cooperation, and victims’ unwillingness to report (Jones, 2007; Kshetri,2006). It is suggested that there is “a significant break down in law and order” in DPIEs(Tabureguci, 2010). Conventional crimes such as those involving drug trafficking haveoverburdened law-enforcement agencies. For instance, Fiji’s ex-Police Commissioner,Andrew Hughes noted that transnational organized crime groups have used the countryas a “staging ground” for illegal activities (Keith-Reid, 2004).Due to capacity and resource constraints, technological and organizational capabilitiesrequired to operate safe online systems are costly and difficult to procure for the DPIEs(UN, 2004). The governments are facing challenges to develop updated ICT policiesand legislation, including cybercrime policies. Only a small proportion of lawenforcement agencies, lawyers, Judiciary members and their staff are familiar with lawsrelated to e-commerce and cybercrime (UN, 2004). Inefficiency and congestion in thelaw-enforcement system in DPIEs generate positive externalities for criminals andnegative externalities for the society (Gaviria, 2000; Sah, 1991).Technology and knowVarious technological and know-how-related factors have attracted cybercriminals invirtual spaces associated with DPIEs. While free domain names perform poorly in termsof functionality, they are more than sufficient for carrying out most cybercrime functions.For instance, .tk and .nu domain names do not provide FTP access and users are notallowed to specify their own DNS servers. They use a simple redirect script to point toanother address. They are popular with webmasters on free hosting and also forPage 9 of 21

PTC’12 Proceedingsrenaming long URLs (internetblog.org.uk. 2009). While these domains may not beappropriate for performing cybercrime functions requiring sophisticated functionality,performance and direct interfaces, they are sufficient for most cybercrimes such asphishing and sending spams (internetblog.org.uk, 2009).Criminals, irrespective of their focus, may generate externalities by making crimerelatedspecialized knowhow, inputs and services available, forming a specialized “labormarket”; and facilitating the exchanges and spillovers of information and technology(Marshall, 1920). In this regard, criminal enterprises have created agglomerationeconomies in DPIEs for the production, trafficking and trade in illegal drugs (Reid et al.2006). The presence of such agglomeration economies is likely to facilitate “interindustry knowledge spillovers” (between illegal drug industry and cybercrime industry).Such spillovers are referred as Jacobs externalities (Jacobs 1969) 4 .Predisposition and propensity to commit cybercrimes associated with DPIEsThere has been an increase in predisposition and propensity to commit cybercrimestargeting to and/or originating from DPIEs. DPIEs’ lax regulations in virtual space,coupled with tighter regulations in some economies such as China, have caused manyforeign cybercriminals to use domain names associated with DPIEs to commit variouscybercrimes. For instance, it was found that most phishing activities associated with .tkdomain names actually originated from China and also targeted Chinese e-commercesites. Estimates suggest that 80% of Tokelau-registered names used for phishing weretargeting Chinese institutions (Field, 2011). While 28% of the phishing domainsworldwide were registered for malicious purposes, 100% domain used for phishingassociated with .tk was maliciously registered (Rashid, 2011).Since 2009, China’s new rules do not allow individuals to register .cn domains. Toregister for businesses, it is required to submit a copy of the business license. Thenumber of phishing attacks from .cn domains targeting Chinese businesses reducedfrom 2,826 from 228 domains in the second half of 2009 to 162 from 120 domains in thesecond half of 2010. Tighter regulations in China forced Chinese fraudsters to findpoorly regulated top-level domains such as .tk for phishing activities (Rashid, 2011).Table 2: Externality mechanisms and feedback systems producing increasing return in cybercrimeactivities associated with DPIEsExternalitymechanisms⇒Feedbacksystem⇓Inefficiency and congestionin the DPIEs’ lawenforcement systemTechnological, andknow-how-relatedfactors attractingcybercriminals in virtualspaces associated withDPIEsIncreasedpredisposition andpropensity to commitcybercrimes targetingto and/or originatingfrom DPIEsEconomic• Law enforcement agencies’lack of resources andcompetencies to fightcybercrimes.• Conventional crimes have• Improving connectivityin DPIEs is attractingcybercrimes.• Criminal enterpriseshave createdPage 10 of 21• Availability of freedomain names—cheap/free webaddresses appeal toscammers since they

PTC’12 ProceedingsSociopoliticalCognitiveoverburdened lawenforcementagencies.• Weak cybercrime laws inDPIEs.• Jurisdictional arbitrage.• Some DPIEs’ are less likelyto receive help from foreignlaw enforcement agenciesdue to their alienation.• Victims’ unwillingness toreport cybercrimes: lowreporting ratesagglomerationeconomies-- Jacobsexternalities.• Less regulatedcyberspace• If a free domain (e.g.,.tk or .nu) is blocked, acybercriminals caneasily get another forfree.• Ease of use of tools tocommit cybercrimes(e.g., social media andinstant Messaginghave facilitated peer-topeerharassment andcyberbullying).need to switch domainsoften as they areconstantly blacklisted.• Other economies (e.g.,China) are tighteninglaws and enforcementmechanisms pushingcybercriminals to focuson DPIEs.• The level ofstigmatization ofcybercriminals has notbeen so great inDPIEs.• Less guilt incybercrimes.3.3. CONTROLS, RESTRICTIONS AND REGULATIONS AGAINST CYBERCRIMESWhile legitimate firms strive to build public confidence in the value of their products andservices, which would facilitate the firm's efforts to attract customers and obtain theirloyalty and patronage for the long term, cybercrime firms must overcome and avoidvarious controls, restrictions and regulations set and enforced by governments, potentialvictims and other actors. Regulation is defined as "controlling human or societalbehavior by rules or restrictions"(Koops et al., 2006, p. 81). Various forms of regulationsinclude the government’s legal restrictions, self-regulation, social regulation (e.g.norms), co-regulation and market regulation. Formal and informal institutions providevarious offensive and defensive control mechanisms against cybercrimes. Individualinternet users’ defense and control mechanisms play an important role.In addition, de jure or de facto guardians in the private sector such as ISPs, IT securitycompanies, technology providers as well as possessors of assets in digital/digitizableforms (e.g., financial institutions) can help regulate cybercrime activities. As evidencedand revealed by various security breaches, these actors have been ineffective to controlcybercrimes in DPIEs. In 1999, some students at the University of the South Pacific inSuva, Fiji hacked the University’s system, retrieved other students’ passwords, and sentabusive messages to others using the hacked email accounts (Fonua, 2002). Likewise,in the early 2000s, hackers exploited a security hole in the system of Kalianet, an ISP inTonga to crack the password system. They could get free access to the internet andhad information about most of the emails (Fonua, 2002). In sum, the various forms ofcontrols and regulations are currently weak in DPIEs. Nonetheless, some of them areimproving (Table 3).Page 11 of 21

PTC’12 ProceedingsTable 3: Various forms of controls for cybercrime activities in DPIEsActors Nature of control Improving signsGovernment• Weak cybercrime lawsand enforcementmechanisms• Collaboration with neighboringcountries (e.g., Australian lawenforcement agencies helping Fiji)• Collaboration with supranationalagencies: Interpol conducted aworkshop against cybercrime in Fiji in2009 (Brennan, 2009).• Some have made significant progressin cybercrime legislation (e.g., Tonga’sComputer Crimes Act 2001).• Some measures are taken to educatejudges and law enforcement agencies.Potential victimControl by informalinstitutions (socialcontrol)De jure or de factoguardians in the privatesector (ISPs, IT securitycompanies, technologyproviders possessors ofassets indigital/digitizable forms(e.g., financialinstitutions)• Lack of awareness ofcybercrimes(Tabureguci, 2009).• Two thirds oforganizations consideredtheir managers’ ITsecurity qualification,training, experience andawareness insufficient(Phair 2008).• Underdeveloped ethical,moral, and social valuesagainst cybercrime.• Small anti-virus market4.0. DISCUSSION AND IMPLICATIONS• Measures are being taken at variouslevels to create cybercrime awareness• PICISOC is working to create cybersecurityawareness.• PITA has made efforts to provide ICTand security awareness trainings to itsmembers• Some banks have enhanced securitymeasures.• IT security companies such as AVGhave an active presence in DPIEs(cso.com.au, 2011).DPIEs are digitizing rapidly. However, apart from desired effects of high economicproduction efficiency and improvement in political and social life, negative side effectshave become apparent. In his regard, the above discussion provides an assessment ofhow their position vis-à-vis other developing and industrialized countries is likely tochange over time and with increasing digitization.Given DPIEs’ heterogeneity, a one size fits all approach may not work to tackle andaddress cybercrime problems. There is a wide variation among the DPIEs in terms oflevels and patterns of cybercrime activities and associated factors. While many DPIEshave no specific cybercrime legislation, some have made significant progresses. In thesame vein, creating awareness about cybercrimes may be a cost-effective approach forPage 12 of 21

PTC’12 Proceedingsrelatively large DPIEs such as Fiji, Samoa and Vanuatu, but not for smaller economiesin the regions such as Kiribati, Nauru, Niue and Tokelau (UN, 2004).Due to various forms of cyber-offenses associated with DPIEs, the benefits and powerof ICTs have not been fully utilized in these economies. The above discussion wouldhelp incorporate cybercrime related elements in their ICT strategies and take othermeasures to promote a safe cyberspace. This is important as restoring and preservingreputations and image tarnished by lax regulations in the past is of paramountimportance for some DPIEs.A consideration of behavioral and technological defense mechanisms in theseeconomies is important. Individual and organizations who connect to the Internetwithout strong defense mechanisms create negative externalities by such activities asfacilitation the generation spam, hosting phishing sites and distribution of illegal andobjectionable contents. Prior research has indicated that organizations in developingcountries that are adopting the Internet without considering the costs and efforts neededto secure the systems have generated a negative externality (Otis and Evans, 2003).Some ISPs in industrialized countries reportedly block contents originated fromproblematic networks based in DPIEs and other developing countries (Garfinkel, 2002).To understand drivers and effects associated with cybercrimes in the DPIEs, let usrevisit the research questions posed in the beginning (Table 4).Most DPIEs offer anattractive inter-jurisdictional arbitrage for cybercriminals to locate virtual and physicalactivities. Weak formal institutions against cybercrimes in these economies also offer anattractive benefit/cost ratio for cybercrime organizations. Factors such as congestionand inefficiency in law-enforcement systems, availability of free domain names that aremore than sufficient for carrying out most cybercrime functions, agglomerationeconomies for the illegal drugs industry permit cybercriminals to benefit from positiveexternalities. Cyber-offenses’ tremendous economic costs are likely to affect bandwidthstarvednations such as DPIEs disproportionately. Finally, if other economies tightenlaws and enforcement mechanisms against cybercrime, cybercriminals are likely to bepushed to operate from DPIEs. DPIEs’ role as instruments of such crimes may lead torejection from and ostracization by developed countries.Table 4: Revisiting the research questionsResearch questionsRQ1: DPIEs’ position inthe global cybercrimeecosystemRQ2: Nature of formaland informal institutionsOur findings• Cybercriminals benefitting from inter-jurisdictional arbitrage: large benefitsto locate cybercrime activities in these economies and there is virtually novisible danger.• Most cybercrimes associated with DPIES are not committed by theirresidents.• Underdeveloped IT industries and lack super hacker skills.• Increasing digitization is likely to make DPIEs more attractive targets.• Weak formal institutions against cybercrimes-- a lack of cybercrimelegislation in some DPIEs.• Low level of awareness among governments, businesses and consumersabout cybercrimes and protection measures: A lack of effective InternetPage 13 of 21

PTC’12 ProceedingsRQ3: ExternalitymechanismsRQ4: DPIEs’comparison in terms ofcybercrime impacts andits ingredients withvarious internationalbenchmarks and trendsRQ5: Implications forthe rest of the worldsafety groups to educate users on cybercrimes (Tabureguci, 2007).• Only a small proportion of cybercrimes are reported to law enforcementagencies.• Law-enforcement systems are characterized by congestion andinefficiency-- the lack of law enforcement resources, scale of crimes,newness of cybercrimes, a low-governmental priority, a lack of crossborderand victims’ unwillingness to report-- Conventional crimes haveoverburdened law-enforcement agencies.• While free domain names perform poorly in terms of functionality, they aremore than sufficient for carrying out most cybercrime functions.• Agglomeration economies for the production, trafficking and trade in illegaldrugs: inter industry knowledge spillovers or Jacobs externalities• Increasing pervasiveness and ease of use of tools such as social mediaand instant messaging have led to an increase in peer-to-peer harassmentand cyberbullying.• Cyber-offenses’ tremendous economic costs affect bandwidth-starvednations disproportionately: potential downsides large and costly: a highdegree of vulnerability to cybercrime-- reliance on the Internet foremergency management and disaster recovery, limited or no redundancyin ICT infrastructure, a lack of knowledge, ability and experience to dealwith cyber-attacks, and thin and dysfunctional formal and informalinstitutions.• If other economies tighten laws and enforcement mechanisms againstcybercrime, cybercriminals are likely to be pushed to focus on DPIEs.• DPIEs’ role as instruments of such crimes may lead to rejection from andostracization by developed countries.We make the following additional observations:4.1. DPIES’ UNUSUAL AND IDIOSYNCRATIC FEATURES FROM THE STANDPOINTOF CYBERCRIMESDPIEs have unique cultural, educational and social dispositions and orientation andmany unusual and idiosyncratic features in the geopolitics of cybercrimes. Theydemonstrate a high degree of vulnerability to cybercrime due to, inter alia, a highreliance on the Internet for emergency management and disaster recovery, limited or noredundancy in ICT infrastructure, a lack of knowledge, ability and experience to dealwith cyber-attacks, and thin and dysfunctional formal and informal institutions to dealwith offenders (Network Strategies, 2010).Cyber-offenses such as spam have the tremendous economic costs which affectbandwidth-starved nations such as DPIEs and landlocked countries. They sufferdisproportionately from the clogging of their networks. The needs of these countries areoften ignored or unacknowledged in international forums (ORDIG, 2005). The sameseems to be true in international cybercrime related initiatives.4.2. PATH DEPENDENCE AND CYBERCRIME IN DPIESThe path dependence approach argues that different events steer history in a particulardirection, which can influence the path a technology undertakes (Arthur, 1988; North,1990). Some DPIEs were among the easiest and cheapest ways to enter internationalPage 14 of 21

PTC’12 Proceedingsbanking. In the 1990s, Nauru, Niue and Vanuatu encouraged the proliferation of roguebanking activities as a fast way to quick wealth (Wechsler, 2001). Nauru allowedanyone to set up banks for as little as $25,000 without the physical presence of thefounders. In 1998 Russian criminals reportedly laundered about US$70 billion through450 banks in Nauru (Seneviratne, 2000). Likewise, in 1999, in the US$7 billion moneylaundering scandal at Bank of New York, half allegedly went through Nauru.Consequently, Nauru suffered arguably the harshest sanctions imposed on any country,including those against Iraq and Yugoslavia. Western banks including Deutsche Bankand Bankers Trust do not permit dollar-denominated transactions involving Nauru. Hitt(2000) forcefully argued: “In the digital age, this action packs the same wallop as anold-fashioned gunboat blockade”. In 1999, Palau and Vanuatu were blacklisted byinternational banks over similar concerns (Ranmuthugala, 2001). Since the Internet hasfacilitated money laundering, DPIEs’ history makes them especially vulnerable.Bank secrecy is becoming slowly eroded and diluted in economies such as Switzerlandand the Cayman Islands. Criminals involved in online money laundering are findingDPIEs such as Nauru increasingly attractive thanks to their underregulated financialsystems (Wasserman, 2002)History has repeated itself. Some have considered the Internet as a heaven-sentopportunity to make quick money with minimum efforts and engaged in activities suchas the establishment of Internet gambling, and renting or selling the cyberspace. Ifpoorly implemented in practice, these strategies have potential to backfire by attractingunproductive and destructive entrepreneurial activities rather than the productive ones.4.3. POSITIVE AND ENCOURAGING SIGNSSome positive and encouraging signs have begun to emerge in DPIEs’ cybersecuritylandscape. It is apparent that there have been efforts to build formal and informalinstitutions. For instance, many DPIEs have enacted laws to encompass key conceptsin international conventions against cybercrime. Some DPIEs have strengthened theirregulative institutions through international collaboration and partnership. In 2007, theFiji police requested the help of two Australian federal police officers to investigate over120 cybercrime cases (SPAMfighter News, 2007). As of 2009, Fiji’s special cybercrimeunit had two cyber forensics specialists, a certified application forensics specialist, amobile forensics specialist and 13 additional experts (newslinkservices.com, 2009).Policy makers as well as businesses in the region have emphasized the importance ofcybercrime education to the community and customers (vanuatunews.com, 2011).Businesses have provided an added measure of safety, security and control to the user.In the early 2010, the Australia and New Zealand Banking Group (ANZ) launchedsecurity features for internet banking in Fiji including data encryption, firewalls and thelatest security technology (fijilive.com, 2010). ANZ educates consumers about onlinethreats such as phishing, spyware, adware, viruses and worms, Trojans (e.g.,ttp://www.anz.com/samoa/en/personal/ways-bank/internet-banking/protectbanking/internet-security-threats/).In June 2011, National Bank of Samoa (NBS)published Security Alerts warning its customers that they have been targeted withphishing emails which led them to fake bank websites (nbs.ws 2011). Similar alertsPage 15 of 21

PTC’12 Proceedingswere issued by ANZ banks for its customers in Tonga and other DPIEs(http://www.anz.com/tonga/en/personal/ways-bank/internet-banking/protect-banking/security-alerts/).5. CONCLUDING REMARKSStrengthened laws and enforcement mechanisms in some countries are pushingcriminals to DPIEs, which have both the virtual and the physical environments underregulated.Especially, criminals are finding DPIEs’ cyberspace as an attractive locationfor committing crimes. There are clusters of criminal organizations around virtual spacesassociated with DPIEs.DPIEs have underdeveloped IT industries and lack con artists or super hacker skills as found incybercrime hotspots such as Nigeria, Russia and other former Soviet economies. Some DPIEs,nonetheless, have bad international reputation and image due to cybercrimes associated withthem. Cheap and free domains appeal to scammers since they need to switch domains oftenbecause they are constantly being blacklisted. While some forms of cyber-offenses may notharm these economies, their role as instruments of such crimes may lead to rejection from andostracization by developed countries. Some domains such as .tk and .nu are stigmatized, whichare likely to face barriers to carry out legitimate e-commerce functions for businesses andgovernment.The potential downside associated with cyber-attacks can be large and costly to DPIEs.They need to incorporate lessons learned from their past mistakes, failures andexperiences in the development of cyber strategy. The associated costs might outweighthe benefits in the absence of proper regulations. In this regard, DPIEs such as Tokelau(.tk) and Niue (.nu) can learn from the experience of Pitcairn Island’s efforts to win backits TLD from a Channel Islands- based company in 2000 (Lincoln, 2007).While there have been many unfocused initiatives and piecemeal approaches todevelop cybercrime related institutions, what DPIEs really need are customizedprograms that directly support the exact needs of various categories of professionalsdealing with cybercrimes such as attorneys, judges and law enforcement agencies.Finally, it is especially important for DPIE youths to be exposed to the importance ofcybersecurity, which is likely to promote safe online practices.REFERENCESAhmadu, M. L. (2006). The Legal aspects of electronic government in pacific islandcountries: a reflection, journal of south pacific law, 10(1), Retrieved from〈http://www.paclii.org/journals/fJSPL/vol10/1.shtml〉Angelo, A H. (2009). Cyber security and legislation in the pacific, telecommunicationsdans le pacifique, 11-26, Retrieved from 〈http://www.upf.pf/IMG/pdf/06-TIC-Angelo-Cyber-Security.pdf 〉APNIC. (2004, August 11) Internet in the Pacific Islands, - Addressing the challenge ofresponsible Internet resource distribution in the Asia Pacific region, Retrieved from〈http://www.apnic.net/__data/assets/pdf_file/0010/27928/apster11-200409.pdf〉Arrow, K. J. (1962). The economic implications of learning by doing. Review ofPage 16 of 21

PTC’12 ProceedingsEconomic Studies, 29, 155–173.Arthur, B. W. (1988). Self-reinforcing mechanisms in economics. In Anderson, P.W.etal. (Eds). The economy as an evolving complex system, New York, NY: PerseusPress.AusCERT (2008). Study to ascertain the readiness of Pacific Island nations to establisha regional Pacific Island CERT capability. Retrieved from〈http://www.docstoc.com/docs/10152875/Draft-Feasibility-Study〉Baumol, W. J. 〈1990〉 Entrepreneurship: Productive, unproductive, and destructive.Journal of Political Economy, 98(5), 893–921.Becker, G. S. (1995, fall). The economics of crime. Cross Sections, 8–15.Besler, P. 2005. Forced Labour and Human Trafficking: Estimating the Profits, workingpaper (Geneva, International Labour Office, 2005)Brennan, L (2009, October 6). Interpol and Fiji team up against cybercrime, Retrievedfrom 〈http://www.fijisun.com.fj/main_page/view.asp?id=27625〉Bun, M. J. G., & Makhloufi, A. E. (2007). Dynamic externalities, local industrial structureand economic development: Panel data evidence for morocco. Regional Studies, 41(6),823–837.Cohen, L.E. & M. Felson (1979). Social change and crime rate trends: A routine activityapproach American sociological review, 44:588-608cso.com.au. (2011, September 16). Cybercrime risk a perfect storm brewing, warnsAVG report, Retrieved from〈http://www.cso.com.au/mediareleases/13031/cybercrime-risk-a-perfect-stormbrewing-warns-avg/#closeme〉Demsetz, H. (1967). Toward a Theory of Property Rights. The American EconomicReview, 57, 2, 347-359.Field, M. (2011, April 28). New Zealand territory world leader in cybercrime, Retrievedfrom http://www.stuff.co.nz/technology/digital-living/4936881/New-Zealand-territoryworld-leader-in-cybercrimeFife-Yeomans, J. (2011, April 15) Card skim scams steal $170m The Daily Telegraph,〈http://www.news.com.au/money/money-matters/card-skim-scams-steal-170m/storye6frfmd9-1226039500227〉Fiji Times (2009, November 30) Former Fiji high court judge critical of cyber crime.Retrieved from 〈 http://www.pacificbusinessonline.com/fiji/story/14468/former-fijihigh-court-judge-critical-cyber-crime〉fijilive.com. (2010, April 07) ANZ launches improved internet banking, Retrieved from〈http://www.fijilive.com/news/2010/04/07/24934.Fijilive. 〉Fonua, S (2002) Networking and Security, UNESCO, Retrieved from〈webworld.unesco.org/publications/it/Security/security3.ppt 〉Frischmann, B. M., and Lemley, M. A.(2007) Spillovers. Columbia Law Review, 107, 1,257-301.Gady, F. S. (2010.) Africa's Cyber WMD, March 24. Retrieved from〈http://www.foreignpolicy.com/articles/2010/03/24/africas_cyber_wmd?page=0,0〉Garfinkel, S. (2002). Leaky cyber borders: The net effect. Technology Review.Retrieved from 〈http://www.technologyreview.com/articles/garfinkel0602.asp〉Gaviria, A. (2000). Increasing returns and the evolution of violent crime: The case ofColombia. Journal of Development Economics, 61(1), 1.Page 17 of 21

PTC’12 ProceedingsGranovetter, M. (1985) Economic action and social structure: The problem ofembeddedness. American Journal of Sociology, 91(3), 481–510.Healey, J (2002, November 26). From Vanuatu to L.A.: a court test for kazaaHitt, J. (2000, December 10) The Billion-Dollar Shack, Retrieved from〈http://www.nytimes.com/2000/12/10/magazine/the-billion-dollar-shack.html〉internetblog.org.uk.( 2009,May 11) 15 Millionth .TK Domain Registered, Retrieved from〈http://www.internetblog.org.uk/post/41/15-millionth-tk-domain-registered/〉itsecurity.com (2008 March 12th) Pacific Islands Infested with Spam, Retrieved from〈http://www.itsecurity.com/blog/category/malware/〉Jacobs, J. (1969). The economy of cities. New York: VintageJones, B. R. (2007) Comment: Virtual neighborhood watch: Open source software andcommunity policing against cybercrime. Journal of Criminal Law & Criminology,97(2), 601–629.Katz, I. (2005, February 5) Suit against bank of America to highlight cybercriminalissues. Knight Ridder Tribune Business News, 1,Keith-Reid, R. (2004, 9 June) ‘Police raid huge meth lab in Fiji’, Seattle Post-Intelligencer.Koop, B.J., Miriam, L., Corien P., Maurice S. (2006). Starting points for ICT regulations,deconstructing prevalent policy one-liners, Cambridge University Press,Cambridge:81, Series Information technology and law (9)Scheiche, R. J. (2011, August 12). Cops Probe Cyber Crime, Retrieved from〈http://news.officialwire.com/main.php?action=posted_news&rid=86143 〉Kshetri, N.(2006) The simple economics of cybercrimes, IEEE Security andPrivacy,4(1),33–39.Kshetri, N. (2009). Positive externality, increasing returns and the rise in cybercrimes.communications of the ACM, 52(12).Levinson, D (2002) Encyclopedia of crime and punishment, Volume 4, 1 edition,Thousand Oaks, Ca: SageLincoln, A. (2007, 19 March) New Zealand: Trouble in paradise, Retrieved from〈http://www.ebusinessforum.com/index.asp?layout=rich_story&doc_id=10338&title=New+Zealand%3A+Trouble+in+paradise&channelid=4&categoryid=30 〉Marshall, A. (1890). Principles of economics. London: MacmillanMarshall, A. (1920). Principles of economics (8th ed.). London: Macmillan.McAfee (2008) Mapping the Mal Web: The Web’s Riskiest Domains, Retrieved from〈http://us.mcafee.com/en-us/local/docs/Mapping_Mal_Web_Summary.pdf 〉Menon, V (2008, December 4) Cybercriminals still targeting UAE Ministry, Retrievedfrom 〈http://www.arabianbusiness.com/cybercriminals-still-targeting-uae-ministry-81785.html?parentID=330956〉MIC (Ministry of Information & Communications). (2011, April 27). Pacific tacklescybercrime laws and protection in key workshop, Retrieved from〈http://www.mic.gov.to/press-releases/2439-pacific-tackles-cybercrime-laws-andprotection-in-key-workshop〉Murph, D. (2011, April 14) South Pacific's Vanuatu grabbing fiber internet connection,sidesteps 'remote' stereotype, Retrieved from〈http://www.engadget.com/2011/04/14/south-pacifics-vanuatu-grabbing-fiberinternet-connection-side/〉Page 18 of 21

PTC’12 Proceedingsnbs.ws. (2011, June), Security Alerts, Retrieved from〈http://www.nbs.ws/SecurityAlert/tabid/6493/language/en-US/Default.aspx〉Network Strategies. (2010, 11 June). Final report for the Pacific Islands forumsecretariat: Review of Pacific Regional Digital Strategy, Part A: TechnologicalCapacity, Network Strategies Report Number 29029. Retrieved from〈http://www.forumsec.org.fj/resources/uploads/attachments/documents/Review%20of%20Digital%20Strategy_PartA.pdf 〉newslinkservices.com (2009, November 29) Fiji Wary of Increased Cybercrime, 8,214H,Retrieved from 〈http://www.newslinkservices.com/edition/spip1sun.htm〉North, D. C. (1990). Institutions, institutional change and economic performance.Cambridge, UK: Cambridge University Press.Olson, E. (2002, April 19). As Tax Havens Go, its Not Easy Being Liechtenstein, April19, 2002, Retrieved from 〈 http://www.nytimes.com/2002/04/19/business/as-taxhavens-go-it-s-not-easy-being-liechtenstein.html?ref=vanuatu〉ORDIG. (2005, June) Voices from Asia-Pacific: Internet Governance Priorities andRecommendations, An ORDIG Input Paper for the UN Working Group on InternetGovernance and the World Summit on the Information Society, Open RegionalDialogue on Internet Governance (ORDIG),〈http://www.apdip.net/projects/igov/ORDIG-InputPaper.pdf 〉Otis, C., Evans, P. (2003) The Internet and Asia-Pacific security: Old conflicts and newbehavior. Pacific Review, 16(4), 549–550.Parto, S. (2005) Economic activity and institutions: Taking stock. Journal of EconomicIssues, 39(1), 21–52.Patrizio, A. (2007, March 14) Vikings Best, Polynesians Worst in Domain Safety,Retrieved from 〈 http://www.internetnews.com/xSP/article.php/3665441 〉Pauli, D.( 2011 April 27th) Pacific atoll a phishing haven, ZDNet.com.au, Retrievedfrom 〈http://www.zdnet.com.au/pacific-atoll-a-phishing-haven-339313909.htm〉Phair, N. (2008) Pacific Islands computer crime & security survey, Kambah, A.C.T.:esecurity publishing, Retrieved from〈http://www.esecurity.net.au/PICCSS08_survey.pdf 〉pita.org.fj. (2009) Invitation to participate in raising awareness of cybercrime and cybersecurity, Pacific Islands Telecommunications Association, Retrieved from〈http://www.pita.org.fj/_resources/files/Cybercrime%20seminar%20invitation%20_5_.pdf 〉radiofiji.com.fj. (2011, August 17) Facebook 'hate speech' profiles tracked, Retrievedfrom, 〈http://www.radiofiji.com.fj/fullstory.php?id=39125 〉Ranmuthugala, D. (2001) Security in the South Pacific: The Law EnforcementDimension, Revue Juridique Polynesienne ,171-189.Rashid, F. Y. (2011 April 27) Cyber-criminals register free domains and subdomains forphishing attacks, Retrieved from-〈http://www.eweek.com/c/a/Security/CyberCriminals-Register-Free-Domains-and-SubDomains-for-Phishing-Attacks-470147/〉Reid, G., Devaney, M. L.; Baldwin, S. (2006) Drug production, trafficking and trade inAsia and pacific island countries. Drug & alcohol review, 25(6), 647-650Retrieved from 〈http://articles.latimes.com/2002/nov/26/business/fi-kazaa26 〉Page 19 of 21

PTC’12 Proceedingsrich.frb.org/pubs/cross/crime/crime.pdf. Accessed 1 October 2006.nan, L (2009,October 6).Romer, P. M. (1986). Increasing return and long-run growth. Journal of PoliticalEconomy, 94,1002–1037.Rufino, P. (2011, 6 April) Govt to connect rural Solomon Islands, Retrieved from〈http://www.futuregov.asia/articles/2011/apr/06/govt-connect-rural-solomon-islands/〉Sager, I., Elgin, B., Elstrom, P., Keenan, F., Gogoi, P. (2002, September 2). The UnderGround Web Business Week, Issue 3797, 66-74.Sah, R. (1991) Social osmosis and patterns of crime. Journal of Political Economy,99(6), 169–217.Seneviratne, K. (2000) (visited 29 March 2001). Pressure on Pacific to Stop MoneyLaundering. Asia Times Online, 29 June. Retrieved from〈http://www.atimes.com/oceania/BF29Ah01.html (visited 29 March 2001)〉Sharman, J (2010, February). Offshore and the new international political economy.Review of International Political Economy, 17 (1), 1-19SPAM fighter News (2007, July 3). Fiji Police Determined to Fight Cyber Crime,Retrieved from-〈http://www.spamfighter.com/News-7866-Fiji-Police-Determined-To-Fight-Cyber-Crime.htm〉Stephens, G.(2010) Youth at Risk: A New Plan for Saving the World's Most PreciousResource. Futurist, 44(4), 16-21.Tabureguci, D. (2007) Cover Story: The Net & Children: How safe are they online?Retrieved from〈http://www.islandsbusiness.com/islands_business/index_dynamic/containerNameToReplace=MiddleMiddle/focusModuleID=17659/overideSkinName=issueArticlefull.tpl〉Tabureguci, D. (2009) PITA News: 'Phising' A Concern: Awareness Needed On InternetCrimes, Retrieved from〈http://www.islandsbusiness.com/islands_business/index_dynamic/containerNameToReplace=MiddleMiddle/focusModuleID=18507/overideSkinName=issueArticlefull.tpl〉Tabureguci, D. (2010). Telecommunications: Booting Cyber Crimes, PITA News 1Retrievedfrom〈 http://www.islandsbusiness.com/islands_business/index_dynamic/containerNameToReplace=MiddleMiddle/focusModuleID=19140/overideSkinName=issueArticlefull.tpl〉The Chronicle of Higher Education. (2007, January 5). We must educate young peopleabout cybercrime before they start college. 53(18), B.29.The Sydney Morning Herald. (2011, April 28) Tiny Tokelau is the giant of cyber crimehavens, Retrieved from,〈 http://www.smh.com.au/technology/technology-news/tinytokelau-is-the-giant-of-cyber-crime-havens-20110428-1dy44.html〉UN (United Nations). (2004) Studies in Trade and Investment, HarmonizedDevelopment of Legal and Regulatory Systems for E-Commerce in Asia and thePacific: Current Challenges And Capacity-Building Needs, Economic and SocialCommission for Asia and the pacific, Retrieved from〈http://www.unescap.org/tid/publication/tipub2348.pdf 〉Page 20 of 21

PTC’12 Proceedingsvanuatunews.com. (2011, March 15). National policy to address cyber crime, Retrievedfrom 〈http://www.vanuatunews.com/vanuatu-news/586-110315-national-policy-toaddress-cyber-crime〉Vitzthum, S; Konsynski, B (2009). EBAY's Acquisition of Skype SA: Valuing the Voice ofthe Buyer, Communications of AIS, 24, 89-104Wasserman, M. (2002) Dirty money, Regional Review, 12(1), 14-21.Wechsler, W. F. (2001). Follow the money. foreign affairs, 80(4), 40-57.WHO Drug Information (2001), Regulatory information, 15, (3 & 4)Zwimpfer, L. (2004, September 30) ICTs for Development: Towards a ConnectedPacific, Retrieved from〈 http://portal.unesco.org/ci/en/ev.phpURL_ID=13258&URL_DO=DO_TOPIC&URL_SECTION=201.html 〉ENDNOTES1According to the UN’s estimate, the illegal drug industry is worth some $320 billion ayear (economist.com Mar 5, 2009). Likewise, it is estimated that global annual profitsfrom the exploitation of all trafficked forced labor are US$ 31.6 billion (Besler, 2005,cited in UN.GIFT, 2010).2 This figure has been quoted by U.S. president Obama (Economist, 7/3/2010), SitaMasamba, the Director and Head of Mission of the United Nations African Institute forthe Prevention of Crime and the Treatment of Offenders (UNAFRI).3Not long ago, for small cybercrime cases, it was difficult to find an attorney even in theU.S. (Katz, 2005).4 These are different from MAR externalities, which are related to spillover effects infirms in the same industry (Marshall, 1890; Arrow, 1962; Romer, 1986). MARexternalities represent the positive role of specialization on growth through knowledgespillovers (Bun & Makhloufi, 2007).Page 21 of 21