1

Australian High Tech Crime Conference

Communications Law Centre

University of Technology, Sydney

9-11 June 2009

Turning the Tables

Professor Michael Fraser

Faculty of Law, UTS

Director

Communications Law Centre, UTS

9 June 2009

2

The Honourable John Hatzistergos, Attorney General of NSW, Deputy

Commissioner of the Australian Federal Police Tony Negus,

distinguished members of the judiciary, Professor Jill McKeough Dean of

the Faculty of Law here at UTS, professors and academics, law

enforcement officers, distinguished speakers and visitors, our guests from

abroad, colleagues, welcome. On behalf of the Communications Law

Centre, we are proud to welcome you. This is the first conference of its

type where members of the judiciary, the legal profession, law

enforcement agencies, the Australian Institute of Criminology and

academics, have all come together to talk about high-tech crime.

A Challenge

Cybercrime is a challenge to our society.

Cybercrimes are attacking individual citizens, businesses, commerce,

finance, communications, our community, our economies, our security

and our culture.

Cybercrime is increasing.

And it is an asymmetric threat.

Will We Control the Technology?

This is the age of science. Our forebears, and now we, have developed

and built up a society based on science that has produced advanced

technologies.

The question of our times is this. Will we control the technology or will

the technology control us?

Our economies produce elaborately transformed manufactures and

services to meet consumer demands. Both products and services are

produced by sophisticated research and development, innovation and

specialised management and production processes and systems which are

linked to global physical and virtual supply chains and communications

networks.

3

With advancements in transportation and communications the

globalisation of our economies will only increase. With increasing

globalisation, the interconnections and contingent interdependence of our

production and service information and communications systems will

also increase.

These networked systems of production and services function across

every sphere of our lives; in:

- the public sphere of government services, non government

organisations and public interest groups:

- the commercial sphere of business, finance, communications and

the media; and

- the private sphere of citizens and consumers.

All these products and services depend on the reliability and robustness

of the design, implementation and operation of the networked systems.

The material wellbeing and wealth of our society and economy depends

more and more on long virtual supply chains of information in complex

interconnected distributed networks, built in broadband communications

infrastructures.

Digital communications are remarkable for their rapid uptake and

ubiquity in the fabric of our society and our economy.

This information society or knowledge economy is the highest expression

of our technological civilisation, in this the age of science.

It is the expression of advanced technical, social and legal systems and

institutions, and it is driven by technical progress, innovation, market

entrepreneurship and hard work.

This information society, the knowledge economy, is the flower of our

civilisation and our greatest strength.

And it is our greatest weakness.

Asymmetric Threats

As we come to depend more on powerful, sophisticated and distributed

communications and information networks to function, we become the

more vulnerable to attacks in the networked system itself. The society

based on this system is vulnerable.

4

We are vulnerable not simply because the system, as it grows, becomes

more attenuated and more difficult to protect securely. That is a problem,

but it is not the problem I am talking about.

We are vulnerable to attacks on the system which turn the tremendous

organised power of the networked system against itself.

We are vulnerable to asymmetric attack.

Let me give an analogous physical example of our vulnerability to

asymmetric attack in organised networked systems.

On September the 11th 2001, nineteen men carrying box cutters turned

four commercial passenger aircraft into missiles that struck the World

Trade Centre Tower 1, the World Trade Centre Tower 2, the Pentagon

and (because of the action of the passengers who, by then had learned of

the true nature of their situation) a field in Pennsylvania. The attackers

managed by a simple low tech tactical intervention at an inflection point

to turn one of the highest and most sophisticated expressions of our

technological civilisation against us. Commercial passenger jets were

turned by a few men armed with box cutters into powerful weapons

aimed at the lives of thousands of innocent people and at global centres of

public and commercial life.

The entire highly elaborated and regulated civil aviation system, built up

over a hundred years of enterprise was simply flipped and turned against

the whole society.

Just so, in cyberspace. The ubiquitous distributed networks on which a

functioning knowledge based society depends to operate, are more

vulnerable to asymmetric attacks and the consequences may be even

more damaging and more widespread.

It is the very sophistication of our systems which make them vulnerable

and their power which makes them extremely dangerous when they are

turned against us.

The information and communications technology networks are

themselves vulnerable. More dangerous, all the critical public,

commercial and social functions that are now managed and controlled

and delivered through information and communications technology (ICT)

are vulnerable. The operation of defence, security, public services,

5

utilities: water, dams, electricity, public transport, sewage; banking and

finance, e-commerce and personal communications and the rest.

By attacking essential public, commercial and communications services

online, cybercriminals use our open distributed networks to attack

civilisation itself on a global scale. They have turned the tables on us.

The cybercriminals turn the tables on us using the highest expression of

our technology against us.

And in the case of cybercrime the criminals don’t even need to show up.

The open nature and the anonymity of the web enables criminals to act

effectively to overturn the distributed network systems from anywhere in

the world, from Carlingford, Kazakhstan or the next cubicle.

Information and communications technology has increased the power of

the individual. An entire institution can be taken down in one fell swoop.

It may be a malicious savvy youngster sitting at his screen in his bedroom

hacking into systems to show off or, more likely now, anonymous highly

organised international cybercrime enterprises. In either case their

anonymity and unknown location and the difficulty of tracing their modus

operandi through the networks makes us all the more vulnerable to

serious attacks through the distributed networks which we have built to

serve us.

Social Infrastructure

These networked systems, like all our functional social and commercial

systems, are embedded in our social contract which is expressed as the

rule of law.

In the common law countries, for example we have a thousand year old

tradition of common law based on precedent. In Europe the civil law is

based on the Roman law. The law protects our rights and our liberty and

freedoms, our safety and property as well as it establishes our duties and

obligations, which give our rights real meaning and effect.

Ultimately law enforcement is the guarantor of those rights and duties.

The law helps us all to get along.

6

All our social and economic relationships of course depend on a

sufficient degree of individual morality, integrity and law that support the

necessary mutual trust and confidence for us to engage in personal, social

and economic relations with each other individually and through our

institutions of government and commerce and culture.

Ultimately it is the law and law enforcement on which we depend to

protect us, by maintaining the fairness and the justice that ensure

dependable social and commercial relations can be maintained.

Confidence and trust based in the law are important elements in everyday

face to face social and commercial transactions.

But mutual confidence and trust based in the law are essential elements in

digitally mediated transactions conducted through global distributed

networks.

That is because in the relations and transactions we conduct in person we

can see who we are talking to. They are present and we can look them in

the eye and make a personal assessment of whom we want to deal with.

Online we can’t always look the others in the eye. We may not be sure

we are talking to the person they say they are. They may not be where

they say they are. We may not be able to tell. We cannot look into their

faces and see into their eyes.

There are others who commit crimes against us online and we do not

know of it. We may not even know that they are there.

So we depend much more on the reliability of the social contract, the rule

of law and the effectiveness of regulation and law enforcement in

cyberspace than in direct face to face dealings.

Without sufficient confidence in our security online, our online society

will break down.

Cybercrime Prevention

At present cyberspace is still a bit of a free for all, full of anonymous

actors and agents, like the symbolic battleground of a wild west town.

The gunslingers ride in, anything goes. It’s a free for all that strikes fear

into the hearts of the law abiding citizens. People are worried that it’s

open slather, they want something done. Then the Mayor talks tough,

7

says that he will bring in the law. Clean up the town. Then the sheriff

rides in to town, takes on the bad men, has a show down, runs the bad

men out of town and restores order, Then he waves goodbye and rides off

into the sunset. Doesn’t need to be thanked. Just doing his job.

That’s the kind of approach we have been taking to reign in the free for

all that cybercriminals have been running online. Law enforcement

coming in to clean up a situation that is out of control.

There have been notable successful investigations and prosecutions.

But cybercrime is continuing to proliferate and get organised on a vast

global scale.

The open web, the internet and its linked intranets, full of power and

value, afford the cybercriminals ample motivation and opportunity.

We now need to go to the next level of cybercrime law enforcement to

restore integrity, responsibility, trust, and accountability online.

Law enforcement efforts to give us confidence and security must now

give greater emphasis on strengthening civic society in the distributed

networks information and communications environment.

You could say, sort of like a neighbourhood watch programme, but high-

tech and on an international scale.

Customer Relations Management

The law enforcement response to the proliferation of cybercrime has for

the most part worked to manage down cybercrime by surveillance,

interception, gathering forensic evidence, both static and dynamic

evidence from the web, and prosecution of cybercrime.

This type of high-tech policing and prosecution is of course necessary

and indispensable. The community is grateful for it, and we need to give

that policing and prosecution more support.

We shall be spending the next days discussing how we can continue to

improve it.

8

However the strategies that law enforcement uses to deal with radical

asymmetric threat should also be regarded as a strategic management

issue for law enforcement.

In addition to the thorough police work that leads to successful

prosecutions and convictions of cybercriminals, successful law

enforcement, faced with our vulnerability to asymmetric threats by

cybercriminals needs to place more emphasis on a co-ordinated and co-

operative strategy of structural cybercrime prevention.

We must further develop ways to systemically reduce the opportunities

for cybercrime and increase the online protection for our societies’ most

valuable forces and assets.

Policing policy for preventing asymmetric high tech crimes should be

symmetric.

Law enforcement needs to adopt a thoroughgoing customer relations

management policy for high-tech law enforcement.

Law enforcement agencies must work to provide a service that delivers

value, security and innovation by working more closely with your

customers to reduce the systemic opportunity and incentive for

cybercrime.

A customer relations management policy by law enforcement with an

advanced consumer consultation focus is the practical way to develop the

technical, social and legal infrastructure to build a reliable operating civic

society online.

This form of high tech policing means working together with your main

customers to develop better services, that is, better security. This means

deeply informing your services and using this feedback to generate better

policies, better services, crime prevention design and enforcement to

protect us, from the weak, the children, tothe powerful, business and

industry.

Your customers in this sense are:

IT security companies

business and industry

business and industry associations

banks and the financial sector

9

IT software and hardware companies

online citizens and citizens interest groups and

consumers and consumer groups, especially certain demographics

such as youth online

who want your services.

Citizens concerned to protect our rights, liberties and freedoms and our

privacy, are also concerned about our safety and security. Often citizens

have these different concerns at different times and in different

circumstances and with different sense of urgency.

In addition to your customers, law enforcement must have regard to the

public interest in general and politicians in particular. The politicians

protect and foster the interests of the voters.

These are markets for high-tech law enforcement to collaborate with.

To execute a customer relations management strategy for law

enforcement, law enforcement agencies must engage directly with your

customers, jointly to develop service packages that meet your customers’

needs and manage their expectations for macroscopic systemic online

security.

It requires law enforcement to create and support standing structural

mechanisms for co-operation within which your customers can operate

with law enforcement to develop safety and security for the web as a

whole. This collaboration with you customers should not be merely

market research, but collaborative development work: the development of

industry standards, industry codes, proposals for regulation and that

extends to experimentation and innovation.

It is a practical horizontal management approach with your customers;

not managing down.

External engagement with customers: security companies, business,

industry, citizens, consumers and the online community, on a trusted

reciprocal basis is of critical importance to law enforcement for systemic

cybercrime prevention. And consumer-centric consultations will result in

better law enforcement.

Collaboration with customers should become the primary source of

innovation for online, whole of system cybercrime prevention.

10

Law enforcement agencies that adopt a customer relations management

strategy will foster practical work with their customers to establish the

frameworks for a secure online environment, with them.

Together, we can develop effective standards and norms, processes and

systems, joint recommendations for law reform and regulation in

communications, new media and e-commerce to make a reliable

framework for a more secure online environment. That will push

cybercrime to the margins where it belongs.

Dialogue and real collaboration will develop and improve police services

by strengthening prevention of cybercrimes. Practical collaborative

development of data protection, information, telecoms, e-commerce and

e-procurement security, copyright protection and interoperability will

improve online security. But this work with customers must not only

make policy and regulatory recommendations but do the detailed

practical development and implementation of standards and norms,

including:

standard interoperable identifiers for online agents

standard interoperable identifiers for content

standard interoperable content metadata

secure directories

more secure frameworks for e-commerce

reliable systems for e-commerce online transactions

interoperable standards for online communications systems

content regulation and security

telecommunications regulation and security

broadcast regulation and security

internet regulation and security

electronic financial and banking regulation standards

taxation of online products and services standards

online copyright regulations and digital rights management

security standards for software, hardware and devices

security standards for personal data protection

to establish a safe environment throughout communications, e-commerce,

online content and social networks.

11

In other words, we need together to develop a comprehensive group

approach to the ongoing work of writing the rules of the road and

implementing them on the information superhighway.

Put another way, we need to make something like an online environment,

health and safety management system which requires all the actors of

online life to work together with law enforcement to put an online health

and safety system into the structures and functions of the web.

The customer service management process will facilitate the construction

and adoption of appropriate and practical security solutions to suit the

activities and the level of risk within each area of concern, rather than

imposing a "one-size-fits-all" solution.

When I refer to standards for the online environment, such as standard

interoperable identifiers, I do not of course mean to say that a standard

should be selected from among competing commercial standards and

imposed on others by law, but that the architecture of any standards

themselves comply with agreed structural and systemic security

benchmarks.

The fact that everything is of course changing very rapidly makes the

need for this collaborative work more important, so that all the players

can work together to keep track of what’s actually happening and then

work together to strengthen the online technical, legal and social

infrastructures to resist crime, while still remaining as flexible as

possible, to serve the demands of the customers and society as a whole.

Some may say that the major corporations in the online environment or

the IT security companies already fulfil this role of developing the online

security infrastructure themselves; that the collaborative work I am

speaking of will be done by Google or Microsoft or by IT security

companies who work to make their clients’ business more secure. But the

corporate interests are necessarily proprietary and particular interests.

They will work to make their own products and services more secure, but

only in ways that serve their competitive advantage. They cannot by

themselves have the perspective, the motivation or the scope and the

capacity to secure the web.

There are long and complex value chains and virtual supply chains that

are vulnerable without open interoperable standards to secure the links in

the virtual supply chains.

12

Under the aegis of constructive engagement by high-tech law

enforcement agencies with their customers, the actors in the online

economy can collaborate to work out and implement security in the very

infrastructure and processes of the web, with the support of government

legislation and regulation which is informed by this collaborative process.

The law enforcement agencies have the opportunity to harness the

unorganised diverse security initiatives in the online space.

High-tech law enforcement should not avoid taking a lead role, as

customer service organisations, to initiate and lead this collaboration by

consulting with your customers and initiating the co-operation to achieve

effective security results.

The Web and an Australian Communications and Media Time Line1

The Web

The internet had its origins2 in 1960. In the USA, ARPANet, (the

Advanced Research Projects Network of the US Department of Defence)

used the NCP (the Network Control Protocol). The Network expanded to

other networks in 1976, because of fears that it could be destroyed in a

nuclear strike. The TCP/IP developed by Vincent Cerf and others was

adopted as a standard protocol which allowed ARPANET to connect to

other networks. The TCP is the Transmission Control Protocol, which

tracks data packets, and it includes the IP which identifies the computers

attached to the network, so you can send messages to a machine and all

the bits of the message are delivered to the same machine.

The network spread from ARPANet to BITNet and UseNet, two (non IP

based) academic networks.

In 1983 all machines using ARPANET used TCP/IP and the Domain

Names were initiated to identify the IP numbers.

In 1985 The US National Service Foundation had set up NSFNet for

designated higher education researchers to access a number of shared

supercomputers. The NSFNet was so robust that it replaced ARPANet as

the main part of the US national network around 1988. NSFNet policy

did not allow commercial activity, only research. This policy was

designed to encourage commercial interests to build local networks to

build up the wider US network. The NSFNet then allowed commercial 1 From Australian Communications and Media Authority.

2 See Henninger M. The Hidden Web 2

nd edition. University of New South Wales Press.

13

activity from 1991. In 1995 private networks became the US

infrastructure and NSFNet went back to being a research network.

Businesses began connecting to the internet.

In 1989 the World Wide Web, developed by Tim Berners-Lee and others

at CERN (Conseil Europeen pour la Recherche Nucleaire), in Geneva

began as a networked system for collaboration for research physicists.

The Web was released in1991. It is an internet application that uses the

HTTP protocol (Hypertext Transfer Protocol) for exchanging files and

uses HTML (Hypertext Markup Language) as the formatting language for

displaying documents. The documents contain links to other documents.

The URL (the Uniform Resource Locator) is the naming scheme, or

address for the HTML to link to other documents. The web uses the

network to link one document to other related documents. You access this

web by using your browser, that is a piece of software that sits on your

computer and it locates URLs and displays documents.

In 1991 the Internet Society was formed, directed by Vinton Cerf at

CNRI (the Corporation for National Research Initiatives) because it was

clear that the Net was no longer a closed research network.

In 1991 the first browser, Mosaic was introduced.

In 1993 The NCSA (National Centre for Supercomputing Applications)

made the first “point and click” browser and the Web became easy for

everyone.

The mass commercialisation of the Web for communications, finance,

publishing, e-commerce and marketing that we now take for granted

began to grow at an exponential rate.

The Internet 2 consortium now oversees the development of the global

network interoperability and expansion.

In Australia during the 1980s universities and the CSIRO (the

Commonwealth Scientific Research Organisation) accessed ARPANet.

In 1989 the University of Melbourne established a link with the

University of Hawaii and NASA and this was the foundation of AARNet

(the Australian Academic and Research Network) among the universities,

the National Library and the CSIRO and this became the basis for the

internet in Australia.

14

I have run through this brief history of the Web for three main reasons.

One is again to celebrate it as a superb construction made by our

societies.

Secondly, to show the contingent nature of the way the Web happens to

function, so that we can underline the obvious point that it is a very

recent, complex construct and there is no necessity that it function as it

does. That function is an expression of the circumstances of its history. It

is not a fact of nature, and it is possible to reform it in its structure,

function and regulation.

Third is to note that the nature or the culture of the Web is a function of

its history. It was initially devised as a tool for research and for

academics. It was built by volunteers whose purpose and ethos are rightly

influential: Tim Berners-Lee, Bob Kahn, John Gage, Brewster Kahle,

Clifford Lynch and many others. The ethos that the net should be open

and unregulated, a place of freedom of creativity and expression is in the

DNA of the Web. This philosophy is exemplified by the views of John

Perry Barlow and the Electronic Frontiers Foundation. Many consider

that to fulfil its goal as a global resource of information and knowledge

the Web must remain as free as possible from laws and regulations that

would constrain unfettered communication.

I do not agree. The internet has outgrown the founding ethos. Attractive

though “anything goes” may be when it applied to a community of

researchers and academics and even when it widened to online

enthusiasts; it is no longer a productive ideal for the Web.

It is naive to think that the Web, which is now a mainstream channel of

commerce, communications, telecommunications and media should not

be regulated and subject to law in the same way as the rest of our society.

The Web is very much part of the world and it too must be made a lawful

place, or cybercriminals will make it useless. Naturally the law should be

adequate to the task of providing security online. But law and regulation

should restrict citizens’ use as little as possible and disturb the smooth

working of the web as little as is possible, in achieving the aim of

reasonable security and confidence online.

The promise of convergence of communications technologies and media

in one platform, accessing this World Wide Web is now real. This

15

convergence is the result of equally rapid development of technologies

and consumer practices

Australian Communications and Media Time Line

Along with the introduction of the internet and the Web; in Australia we

have seen introduced in short order in:

1991 Mobile telephones.

There were 100,000 mobiles in 1991.

It was thought that they would be useful for tradesmen

contractors.

1991 Subscription service television.

Pay TV started.

1993 E-mail became popular. Internet Service Providers started.

1994 The web started to become popular. Data that was previously

held physically on paper and on cards or local workstations

became available on line at an accelerating pace.

(It was only fifteen years ago that telcos were entirely separate

from broadcast).

The telcos were all monopolistic and each was vertically

integrated.

Broadcast was also vertically integrated.

1995 Coaxial cable rolled out by Telstra, Optus and their partners.

1995 Satellite platform introduced.

1997 Offline content now was being uploaded and became international

on the web. Established media companies were buying online

companies.

Consumer generated content populating the web.

Voice by wireless introduced

1998 E- commerce took off.

16

2000 Broadband DSL

2001 Digital TV

2002 SMS across networks

SMS revenues driven up by voting for commercial media shows

and survey cross marketing tie ups.

Wireless broadband.

Podcasts.

2004 Voice Over Internet, VOIP.

2004-5 3G mobile content.

So the Australian Communications and Media Authority was

formed.

2006 Web 2 social networking phenomenon took off.

2009 Digital Radio.

Smart devices. The major recent development is the connection of

the internet and international services with mobile phones to make

powerful mobile networked devices.

IPTV Internet Protocol Television (IPTV) is broadcast television

that is delivered over a broadband connection. Projections for

global growth from 3.7 million subscribers in 2005 are for 36.9

million in 2009.

Twitter Mobile social networking becomes popular.

Google Wave. Email is being transformed as we speak, with

Google Wave which was developed in Australia. While email was

basically begun in the 1960s, the current design of e-mail was

developed in 1982. This means of communication has been

complemented by the collaborative communication that we see on

social networking sites like the Facebook wall. Now Google Wave

uses cloud computing to introduce mainstream collaborative instant

messaging and content sharing.

17

200? The Semantic Web that will enable the computers themselves to

analyse all of the data and the connections between data on the

web themselves.

There is a proliferation of different platforms.

There are new services and there are the same services now available to

consumers in different ways on various platforms.

Now physical objects include intelligent chips. Devices can

communicate directly with other devices. Physical objects can talk

directly to other things.

So we have an environment where we have objects and devices with:

new applications, and

new platforms

intermediated by a web network,

middleware and

a new fibre network

that for many people will facilitate many of the important activities and

needs and services of their daily lives including communications, finance,

e-commerce, government and health services as well as education

entertainment and daily tasks.

All the institutions concerned are vitally concerned with security, none

more than the finance and banking sector. Even so, I do not believe that

the whole issue of security can be left to them to drive.

This is a complex landscape of convergence. Not everything links up, not

everything is available on your new powerful mobile phone device, but

telecomputing is now available and social networking is becoming

ubiquitous. The devices are rapidly changing. There are new business

models with a shift to applications. Content and applications will be

international, not located with the consumer. All this is boosted as a boon

to our societies. It is, but not enough attention has been paid to safety, to

engineering in high-tech crime prevention and enforcement. It is time to

do so.

18

Growth of Internet

- According to the Australian Bureau of Statistics, the total number

Internet Service Provider subscribers (household, business &

government) for the December 2008 quarter was 7,996,000.

- 20,783,419 people in the Oceania/Australia region (60.4 % of the

population) use the Internet (Miniwatts Market Groups Internet

World Statistics).

- Between 2000 and 2008, there was a 172.7 % growth in internet

usage in the region (Miniwatts Market Groups Internet World

Statistics).

Growth of the internet since 1995:

- In December, 1995 16 million people used the internet, comprising

just 0.4 % of the world’s population (IDC).

-

- By March, 2009, 1,596 million people were using the internet, which

is 23.8 % of the world’s population (Miniwatts Market Groups

Internet World Statistics).

-

- The growth in internet users between 2000 and 2008 was 342.2 %

(Miniwatts Market Groups Internet World Statistics).

19

20

Strategic inflection point

With the increasing growth, sophistication and integration of information

technologies and systems, an entire high tech world has now been

created. The more inter-connected and well-distributed, the more

vulnerable this system is to low-grade and high-grade asymmetric attacks,

which can be instigated from any point on the globe. As perpetrators of

high-tech crime have turned the tables on us with what is to them the

ready-made weapon of the web, so law enforcement should collaborate

with its customers in re-engineering the way the web works, to turn the

tables back.

Different types of cybercrime:

Convergence means new forms of high tech crime proliferate and mutate

as quickly as new technology, new platforms, new consumer behaviour

and business models.

The customers want basic public safety online. Do we have it?

The AIC has broadly categorised offences into crimes which damage the

ICT infrastructure itself such as malware and crimes that use ICT as a

means to an end, such as fraud.

Some of the main forms of cybercrime include;

Cyber warfare

Espionage

Terrorism/proliferation of hate speech

Corporate espionage

Illegal interception of communications

Download and distribution of child pornography/grooming

Child exploitation

Obscenity offences

Malware (malicious software designed to infiltrate and damage

computer systems)

Money laundering

Electronic funds transfer crimes

Identity theft

Skimming

Phishing

Spam

Warez (software piracy)

21

Hacking and

Selling of confidential information

Fraud

Copyright offences, including peer to peer file sharing and piracy (for

example, Napster and Pirate Bay)

Creation and spreading of viruses, trojans, worms, spyware

Auction fraud

Online stalking, harassment and bullying

For example in Australia the Sasser worm (2004), created by an 18 year

old, caused widespread failure of critical communications systems in both

the private and public sectors, including the railways.

In the USA (in 1998) a 12 year old hacked into the Roosevelt Dam

control system, potentially endangering 1 million people.

There have been breaches of the US electricity grid, the F-35 fighter jet

program, and the computer hub for the Obama 2008 presidential

campaign.

It is easy to gain access online to malicious software.

There are disgruntled employee attacks on company systems. For

example the Fannie Mae ‘logic bomb’, which (if not discovered), would

have shut down the bank for ‘at least a week’ (FBI agent J. Nye).

McAfee Corporation estimates that disgruntled employees wreak US$1

trillion of damage a year, globally.

Step Change

But these kinds of examples, though the damage done is acute, risk giving

a misleading picture.

The reason we are here, no doubt, is that in the last few years there has

been a step change in the nature and extent of cybercrime. In addition to

these types of crimes, cybercrime has in aggregate now become a

tremendous global criminal enterprise undertaken not only by teenagers

with narcissistic motives, but by highly organized professional criminal

enterprises, with strong financial motives, operating in a US $100 billion3

3 http://www.bluecoat.com/doc/7993; http://www.crn.com.au/News/141111,cyber-crime-profits-

running-into-trillions-of-dollars.aspx, VNUnet, (29/03/09).

22

online criminal economy4. Revenues now exceed those of drugs crime.

And the damage done is lasting.

That is why we need to avoid simply being reactive. In addition to our

current law enforcement measures we need to adopt a high tech law

enforcement customer relations management policy to lead a co-ordinated

and cooperative strategy of structural reform, to systemically reduce the

opportunities for cybercrime. This will add a combined, symmetric

approach to deal with asymmetric cybercrime.

The Cybercrime Economy

In the current business model of cybercrime there are C2C (Criminal to

Criminal) cybercrime hacking, phishing and malware business models

which are hierarchical in structure. There are creators at the top,

distributors and end user criminals.

Creators distribute ‘toolkits’, software packages of malicious code, used

to compromise information systems to glean valuable data such as

passwords, CC numbers and PINs. Many threats may be blended into

one package.

Criminals buy one of these toolkits, and let it do its work. They even auto

update. The toolkits crawl the web, exploiting vulnerabilities in websites

and programs. Some ‘inject’ malicious code and use infected machines or

websites as ‘bots’ to propagate even further, infecting millions of

machines,5 often without the victims’ knowledge. Some target mobile

devices.

Toolkits are traded online on IRC (Internet Relay Chat) and online

forums, where the illegally acquired data, such as compromised credit

cards, bank accounts, even identities are bought and sold.

The creators make the toolkits especially for the most profitable goods

and services and constantly update them to respond to new reactive

security measures6.

4 See Web Security Trends Report, Finjan Malicious Code Research Center, 2008.

5 ‘Web Security Trends Report: Q4 2008’, Finjan Malicious Code Research Center.

http://www.finjan.com/Content.aspx?id=827 6 ‘Crimeware Toolkits Make Masters Out Of Average Joes’, Gaudin, S, Information Week, (5/10/07).

http://www.informationweek.com/news/internet/showArticle.jhtml?articleID=201804277

23

Consequences

Criminals achieve great leverage with these highly automated systems. A

move away from traditional, more labour intensive crimes such as spam,

trackware, adware, and keyloggers.7

These now more sophisticated cybercrimes are growing at 45%8

The criminals use the web as a distribution channel and target individuals.

63% of vulnerabilities are web specific.9 70% of web based infections are

on legitimate websites10

. Automation does not discriminate. Nowhere is

safe.

The Russian Business Network (RBN), credited with creating

approximately half of all phishing incidents in 200711

specializes in the

technologically efficient distribution of malicious code and hosting of

malicious websites. It provides a complete web hosting service for the

cybercriminal.

Foreign intelligence services, industrial spies and hackers prey on the

networks.

We have seen recently, examples of how national governments are

running cyber warfare programs.

While law enforcement has had notable successes, we can make the

internet safer. But it takes more than single actors, more than government,

more than law enforcement, more than security companies, or

corporations, more than individuals doing their part, more than a

community of interest and more than police and other agencies working

with reference groups to prevent cybercrimes. That is why it needs a

strategic commitment by law enforcement to a coordinated customer

7 ‘Cybercriminals Reinventing attack methods’, CIOL, (8/7/08); ‘Trend Micro: Cyber crime attacks

more insidious than we think’, Clarke, T, 02/05/09.

http://www.arnnet.com.au/article/301464/trend_micro_cyber_crime_attacks_more_insidious_than_we_

think 8 Spamfighter News, 27?05/09. http://www.spamfighter.com/News-12446-Cyber-Crimes-Now-More-

Sophisticated-and-Growing-by-45.htm 9 ‘Symantec Global Internet Security Threat Report: Trends for 2008 (Volume XIV April 2009)’ ,

Symantec Corporation. http://www4.symantec.com/Vrt/wl?tu_id=gCGG123913789453640802,

‘Symantec Report on The Underground Economy: July 2007-June 2008’ , Symantec Corporation.

http://eval.symantec.com/mktginfo/enterprise/white_papers/b-

whitepaper_underground_economy_report_11-2008-14525717.en-us.pdf 10See http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf 11

‘Symantec Report on The Underground Economy: July 2007-June 2008, Symantec Corporation.

24

service strategy. It takes co-ordinated 12

working groups led by law

enforcement with all their customers to design and implement security,

safety and confidence into the web architecture, systems and services13

.

Of course the results must not add undue friction into online services.

Web network infrastructure in the broad sense needs reform to be made

secure and to defend against attacks. Not to stifle our freedoms, but to

protect them.

Foundations for Co-operation

International instruments

We have some foundations or bases on which to build the customer

service management approach to reducing cybercrime.

The Council of Europe, Convention on Cybercrime, 2001 calls for a

common criminal policy aimed at the protection of society against

cybercrime, by adopting appropriate legislation and fostering

international co-operation. It recognises the need for co-operation

between states and private industry in combating cybercrime.

A Memorandum of Understanding on cybercrime is being developed by

the International Telecommunications Union (the Geneva Protocol).

There are initiatives by the OECD14

and APEC15

, G816

and the European

Commission17

.

Australia

In Australia the Cybercrime Act, 2001 (Cth) provides some certainty

concerning some high tech crimes. State and territory Crimes Acts now

deal with some cybercrimes. Telecommunications and media regulation

also applies.

12

http://ajax.sys-con.com/node/986955 ‘Computer Hackers Offer Free Advice On Twitter’ ,Deniz, Y,

Ajax World Magazine, 02/06/09. LIGATT's Hacker for Hire service is using Twitter, a popular social

networking service, to answer cyber crime questions and concerns around-the-clock 13

cf Kaspersky, E, ‘The Cybercrime Ecosystem’(2008) , White paper

http://www.kasperskyusa.com/partners/pdf/The_Cybercrime_Ecosystem.pdf 14

OECD Guielines for the security of information systems and networks: towards a culture of

security(2002) 15

Global Forum; Policy Frameworks for the Digital Economy; OECD Experts Group on Global

Information and Security 16

G8 Sub Group on High Tech Crime. 17

European Commission, Council Framework Decision on Attacks against Information Systems, 2003.

25

Other jurisdictions have Cybercrime Acts.

Education

In Australia as in many jurisdictions there are concerted efforts to educate

the community at large. Yet most cybercrime is unreported.

Governments are upgrading on-line safety and advice websites.

The US Internet Crime Complaint Centre (IC3) has set an example for

improving the reporting of cybercrimes.

Industry co-operation: Conficker malware

Here is an example of an industry co-operative, designed to combat a

particular cybercrime. The industry initiative is excellent but it can only

be a part solution. Nevertheless it is an initiative well worth examining

when considering a law enforcement customer service management

approach to systemic crime prevention.

Conficker is a computer worm targeting the Microsoft Windows

operating system that was first detected in November 2008. The worm

uses a combination of advanced malware techniques which has made it

difficult to counter, and has since spread rapidly into what is now

believed to be the largest computer worm infection since the 2003 SQL

Slammer.

On 12 February 2009 Microsoft announced the formation of a technology

industry collaboration to combat the effects of Conficker. Organizations

involved in this collaborative effort include Microsoft, Afilias, ICANN,

Neustar, Verisign, China Internet Network Information Center, Public

Internet Registry, Global Domains International, Inc., M1D Global,

America Online, Symantec, F-Secure, ISC, researchers from Georgia

Tech, The Shadowserver Foundation, Arbor Networks, and Support

Intelligence.

Since 13 February 2009, Microsoft is offering a US$250,000 reward for

information leading to the arrest and conviction of the individuals behind

the creation and/or distribution of Conficker.

26

International Co-operation

There is growing global cooperation on cyber crime18

For example the FBI’s 24/7 computer intrusion investigation team,

already has 55 member states contributing resources.

I hope that the relationships that grow from this conference will result in

greater cooperation among us.

Now

Convened by the Australian Federal Police with the Communications

Law Centre here in the UTS Faculty of Law and the Australian Institute

of Criminology, the conference will consider over the next days the

emerging issues in cybercrime and mutual cooperation among agencies

and across borders.

Cybercrime is no longer the domain of lone hackers – it is now

dominated by organised syndicates involved in a range of crimes

perpetrated under the screen of internet anonymity. There is a vast high-

tech crime economy.

We are honoured by the presence of our Commonwealth and State

ministers and members of the judiciary and our distinguished speakers

and distinguished participants. The dialogue and discussion in this

conference is intended to help us all understand the issues across the

justice system and across jurisdictions, to exchange effective information

among practitioners and to share methodologies between agencies.

We need to think through the problems we confront together and work

out our strategies.

We should:

determine our principles

collaborate with our customers

identify their needs and views

find out their proposals

identify the problems

18

Thompson,I , Vnunet, 15/01/09 http://www.securecomputing.net.au/News/133115,fbi-calls-for-

global-cooperation-on-cyber-crime.aspx

27

decide on the priority problems

see what facts we have

see what facts we need

gather information and analysis

choose our aims

decide our policies

resolve what methods to use and

decide what interventions to make

We should decide now, five years out:

What is a robust online environment?

What role should law enforcement play?

Who regulates the internet?

What is a citizen in full possession of his or her rights and

liberties?

There is a lot of work to be done to address ingenious and fast moving

cybercrimes and maintain the health of the web. Gathering dynamic and

static data, surveillance, interception, proper manipulation and

presentation of data as forensically probative evidence of cybercrimes,

while respecting privacy, is challenging.

Cooperation and coordination is of the essence for prevention and for

deterrence of high-tech crime.

We must address the active tension between our liberties and freedoms

and effective law enforcement. While the community must be protected,

our valuable liberties and rights must also be fully respected. It is obvious

that we must do both. Provide security and protect citizens rights under

the law.

I believe that our discussions will lead to work which will be of benefit to

our communities.

We live in a connected world. We had better get connected.

End

28