Australian High Tech Crime Conference
Communications Law Centre
University of Technology, Sydney
9-11 June 2009
Turning the Tables
Professor Michael Fraser
Faculty of Law, UTS
Director
Communications Law Centre, UTS
9 June 2009
The Honourable John Hatzistergos, Attorney General of NSW, Deputy
Commissioner of the Australian Federal Police Tony Negus,
distinguished members of the judiciary, Professor Jill McKeough Dean of
the Faculty of Law here at UTS, professors and academics, law
enforcement officers, distinguished speakers and visitors, our guests from
abroad, colleagues, welcome. On behalf of the Communications Law
Centre, we are proud to welcome you. This is the first conference of its
type where members of the judiciary, the legal profession, law
enforcement agencies, the Australian Institute of Criminology and
academics, have all come together to talk about high-tech crime.
A Challenge
Cybercrime is a challenge to our society.
Cybercrimes are attacking individual citizens, businesses, commerce,
finance, communications, our community, our economies, our security
and our culture.
Cybercrime is increasing.
And it is an asymmetric threat.
Will We Control the Technology?
This is the age of science. Our forebears, and now we, have developed
and built up a society based on science that has produced advanced
technologies.
The question of our times is this. Will we control the technology or will
the technology control us?
Our economies produce elaborately transformed manufactures and
services to meet consumer demands. Both products and services are
produced by sophisticated research and development, innovation and
specialised management and production processes and systems which are
linked to global physical and virtual supply chains and communications
networks.
With advancements in transportation and communications the
globalisation of our economies will only increase. With increasing
globalisation, the interconnections and contingent interdependence of our
production and service information and communications systems will
also increase.
These networked systems of production and services function across
every sphere of our lives; in:
- the public sphere of government services, non government
organisations and public interest groups;
- the commercial sphere of business, finance, communications and
the media; and
- the private sphere of citizens and consumers.
All these products and services depend on the reliability and robustness
of the design, implementation and operation of the networked systems.
The material wellbeing and wealth of our society and economy depend
more and more on long virtual supply chains of information in complex
interconnected distributed networks, built in broadband communications
infrastructures.
Digital communications are remarkable for their rapid uptake and
ubiquity in the fabric of our society and our economy.
This information society or knowledge economy is the highest expression
of our technological civilisation, in this the age of science.
It is the expression of advanced technical, social and legal systems and
institutions, and it is driven by technical progress, innovation, market
entrepreneurship and hard work.
This information society, the knowledge economy, is the flower of our
civilisation and our greatest strength.
And it is our greatest weakness.
Asymmetric Threats
As we come to depend more on powerful, sophisticated and distributed
communications and information networks to function, we become the
more vulnerable to attacks in the networked system itself. The society
based on this system is vulnerable.
We are vulnerable not simply because the system, as it grows, becomes
more attenuated and more difficult to protect securely. That is a problem,
but it is not the problem I am talking about.
We are vulnerable to attacks on the system which turn the tremendous
organised power of the networked system against itself.
We are vulnerable to asymmetric attack.
Let me give an analogous physical example of our vulnerability to
asymmetric attack in organised networked systems.
On September the 11th 2001, nineteen men carrying box cutters turned
four commercial passenger aircraft into missiles that struck the World
Trade Centre Tower 1, the World Trade Centre Tower 2, the Pentagon
and (because of the action of the passengers who, by then had learned of
the true nature of their situation) a field in Pennsylvania. The attackers
managed by a simple low tech tactical intervention at an inflection point
to turn one of the highest and most sophisticated expressions of our
technological civilisation against us. Commercial passenger jets were
turned by a few men armed with box cutters into powerful weapons
aimed at the lives of thousands of innocent people and at global centres of
public and commercial life.
The entire highly elaborated and regulated civil aviation system, built up
over a hundred years of enterprise was simply flipped and turned against
the whole society.
Just so, in cyberspace. The ubiquitous distributed networks on which a
functioning knowledge based society depends to operate, are more
vulnerable to asymmetric attacks and the consequences may be even
more damaging and more widespread.
It is the very sophistication of our systems which makes them vulnerable
and their power which makes them extremely dangerous when they are
turned against us.
The information and communications technology networks are
themselves vulnerable. More dangerous, all the critical public,
commercial and social functions that are now managed and controlled
and delivered through information and communications technology (ICT)
are vulnerable. The operation of defence, security, public services,
utilities: water, dams, electricity, public transport, sewage; banking and
finance, e-commerce and personal communications and the rest.
By attacking essential public, commercial and communications services
online, cybercriminals use our open distributed networks to attack
civilisation itself on a global scale. They have turned the tables on us.
The cybercriminals turn the tables on us using the highest expression of
our technology against us.
And in the case of cybercrime the criminals don’t even need to show up.
The open nature and the anonymity of the web enables criminals to act
effectively to overturn the distributed network systems from anywhere in
the world, from Carlingford, Kazakhstan or the next cubicle.
Information and communications technology has increased the power of
the individual. An entire institution can be taken down in one fell swoop.
It may be a malicious savvy youngster sitting at his screen in his bedroom
hacking into systems to show off or, more likely now, anonymous highly
organised international cybercrime enterprises. In either case their
anonymity and unknown location and the difficulty of tracing their modus
operandi through the networks makes us all the more vulnerable to
serious attacks through the distributed networks which we have built to
serve us.
Social Infrastructure
These networked systems, like all our functional social and commercial
systems, are embedded in our social contract which is expressed as the
rule of law.
In the common law countries, for example we have a thousand year old
tradition of common law based on precedent. In Europe the civil law is
based on the Roman law. The law protects our rights and our liberty and
freedoms, our safety and property as well as it establishes our duties and
obligations, which give our rights real meaning and effect.
Ultimately law enforcement is the guarantor of those rights and duties.
The law helps us all to get along.
All our social and economic relationships of course depend on a
sufficient degree of individual morality, integrity and law that support the
necessary mutual trust and confidence for us to engage in personal, social
and economic relations with each other individually and through our
institutions of government and commerce and culture.
Ultimately it is the law and law enforcement on which we depend to
protect us, by maintaining the fairness and the justice that ensure
dependable social and commercial relations can be maintained.
Confidence and trust based in the law are important elements in everyday
face to face social and commercial transactions.
But mutual confidence and trust based in the law are essential elements in
digitally mediated transactions conducted through global distributed
networks.
That is because in the relations and transactions we conduct in person we
can see who we are talking to. They are present and we can look them in
the eye and make a personal assessment of whom we want to deal with.
Online we can’t always look the others in the eye. We may not be sure
we are talking to the person they say they are. They may not be where
they say they are. We may not be able to tell. We cannot look into their
faces and see into their eyes.
There are others who commit crimes against us online and we do not
know of it. We may not even know that they are there.
So we depend much more on the reliability of the social contract, the rule
of law and the effectiveness of regulation and law enforcement in
cyberspace than in direct face to face dealings.
Without sufficient confidence in our security online, our online society
will break down.
Cybercrime Prevention
At present cyberspace is still a bit of a free for all, full of anonymous
actors and agents, like the symbolic battleground of a wild west town.
The gunslingers ride in, anything goes. It’s a free for all that strikes fear
into the hearts of the law abiding citizens. People are worried that it’s
open slather, they want something done. Then the Mayor talks tough,
says that he will bring in the law. Clean up the town. Then the sheriff
rides in to town, takes on the bad men, has a show down, runs the bad
men out of town and restores order. Then he waves goodbye and rides off
into the sunset. Doesn’t need to be thanked. Just doing his job.
That’s the kind of approach we have been taking to rein in the free for
all that cybercriminals have been running online. Law enforcement
coming in to clean up a situation that is out of control.
There have been notable successful investigations and prosecutions.
But cybercrime is continuing to proliferate and get organised on a vast
global scale.
The open web, the internet and its linked intranets, full of power and
value, afford the cybercriminals ample motivation and opportunity.
We now need to go to the next level of cybercrime law enforcement to
restore integrity, responsibility, trust, and accountability online.
Law enforcement efforts to give us confidence and security must now
give greater emphasis to strengthening civic society in the distributed
networks information and communications environment.
You could say, sort of like a neighbourhood watch programme, but high-
tech and on an international scale.
Customer Relations Management
The law enforcement response to the proliferation of cybercrime has for
the most part worked to manage down cybercrime by surveillance,
interception, gathering forensic evidence, both static and dynamic
evidence from the web, and prosecution of cybercrime.
This type of high-tech policing and prosecution is of course necessary
and indispensable. The community is grateful for it, and we need to give
that policing and prosecution more support.
We shall be spending the next days discussing how we can continue to
improve it.
However the strategies that law enforcement uses to deal with radical
asymmetric threat should also be regarded as a strategic management
issue for law enforcement.
In addition to the thorough police work that leads to successful
prosecutions and convictions of cybercriminals, successful law
enforcement, faced with our vulnerability to asymmetric threats by
cybercriminals needs to place more emphasis on a co-ordinated and co-
operative strategy of structural cybercrime prevention.
We must further develop ways to systemically reduce the opportunities
for cybercrime and increase the online protection for our societies’ most
valuable forces and assets.
Policing policy for preventing asymmetric high tech crimes should be
symmetric.
Law enforcement needs to adopt a thoroughgoing customer relations
management policy for high-tech law enforcement.
Law enforcement agencies must work to provide a service that delivers
value, security and innovation by working more closely with your
customers to reduce the systemic opportunity and incentive for
cybercrime.
A customer relations management policy by law enforcement with an
advanced consumer consultation focus is the practical way to develop the
technical, social and legal infrastructure to build a reliable operating civic
society online.
This form of high tech policing means working together with your main
customers to develop better services, that is, better security. This means
deeply informing your services and using this feedback to generate better
policies, better services, crime prevention design and enforcement to
protect us, from the weak, the children, to the powerful, business and
industry.
Your customers in this sense are:
- IT security companies
- business and industry
- business and industry associations
- banks and the financial sector
- IT software and hardware companies
- online citizens and citizens interest groups and
- consumers and consumer groups, especially certain demographics such as youth online
who want your services.
Citizens concerned to protect our rights, liberties and freedoms and our
privacy, are also concerned about our safety and security. Often citizens
have these different concerns at different times and in different
circumstances and with different sense of urgency.
In addition to your customers, law enforcement must have regard to the
public interest in general and politicians in particular. The politicians
protect and foster the interests of the voters.
These are markets for high-tech law enforcement to collaborate with.
To execute a customer relations management strategy for law
enforcement, law enforcement agencies must engage directly with your
customers, jointly to develop service packages that meet your customers’
needs and manage their expectations for macroscopic systemic online
security.
It requires law enforcement to create and support standing structural
mechanisms for co-operation within which your customers can operate
with law enforcement to develop safety and security for the web as a
whole. This collaboration with your customers should not be merely
market research, but collaborative development work: the development of
industry standards, industry codes, proposals for regulation and that
extends to experimentation and innovation.
It is a practical horizontal management approach with your customers;
not managing down.
External engagement with customers: security companies, business,
industry, citizens, consumers and the online community, on a trusted
reciprocal basis is of critical importance to law enforcement for systemic
cybercrime prevention. And consumer-centric consultations will result in
better law enforcement.
Collaboration with customers should become the primary source of
innovation for online, whole of system cybercrime prevention.
Law enforcement agencies that adopt a customer relations management
strategy will foster practical work with their customers to establish the
frameworks for a secure online environment, with them.
Together, we can develop effective standards and norms, processes and
systems, joint recommendations for law reform and regulation in
communications, new media and e-commerce to make a reliable
framework for a more secure online environment. That will push
cybercrime to the margins where it belongs.
Dialogue and real collaboration will develop and improve police services
by strengthening prevention of cybercrimes. Practical collaborative
development of data protection, information, telecoms, e-commerce and
e-procurement security, copyright protection and interoperability will
improve online security. But this work with customers must not only
make policy and regulatory recommendations but do the detailed
practical development and implementation of standards and norms,
including:
- standard interoperable identifiers for online agents
- standard interoperable identifiers for content
- standard interoperable content metadata
- secure directories
- more secure frameworks for e-commerce
- reliable systems for e-commerce online transactions
- interoperable standards for online communications systems
- content regulation and security
- telecommunications regulation and security
- broadcast regulation and security
- internet regulation and security
- electronic financial and banking regulation standards
- taxation of online products and services standards
- online copyright regulations and digital rights management
- security standards for software, hardware and devices
- security standards for personal data protection
to establish a safe environment throughout communications, e-commerce,
online content and social networks.
In other words, we need together to develop a comprehensive group
approach to the ongoing work of writing the rules of the road and
implementing them on the information superhighway.
Put another way, we need to make something like an online environment,
health and safety management system which requires all the actors of
online life to work together with law enforcement to put an online health
and safety system into the structures and functions of the web.
The customer service management process will facilitate the construction
and adoption of appropriate and practical security solutions to suit the
activities and the level of risk within each area of concern, rather than
imposing a "one-size-fits-all" solution.
When I refer to standards for the online environment, such as standard
interoperable identifiers, I do not of course mean to say that a standard
should be selected from among competing commercial standards and
imposed on others by law, but that the architecture of any standards
themselves comply with agreed structural and systemic security
benchmarks.
The fact that everything is of course changing very rapidly makes the
need for this collaborative work more important, so that all the players
can work together to keep track of what’s actually happening and then
work together to strengthen the online technical, legal and social
infrastructures to resist crime, while still remaining as flexible as
possible, to serve the demands of the customers and society as a whole.
Some may say that the major corporations in the online environment or
the IT security companies already fulfil this role of developing the online
security infrastructure themselves; that the collaborative work I am
speaking of will be done by Google or Microsoft or by IT security
companies who work to make their clients’ business more secure. But the
corporate interests are necessarily proprietary and particular interests.
They will work to make their own products and services more secure, but
only in ways that serve their competitive advantage. They cannot by
themselves have the perspective, the motivation or the scope and the
capacity to secure the web.
There are long and complex value chains and virtual supply chains that
are vulnerable without open interoperable standards to secure the links in
the virtual supply chains.
Under the aegis of constructive engagement by high-tech law
enforcement agencies with their customers, the actors in the online
economy can collaborate to work out and implement security in the very
infrastructure and processes of the web, with the support of government
legislation and regulation which is informed by this collaborative process.
The law enforcement agencies have the opportunity to harness the
unorganised diverse security initiatives in the online space.
High-tech law enforcement should not avoid taking a lead role, as
customer service organisations, to initiate and lead this collaboration by
consulting with your customers and initiating the co-operation to achieve
effective security results.
The Web and an Australian Communications and Media Time Line [1]
The Web
The internet had its origins [2] in 1960. In the USA, ARPANet (the
Advanced Research Projects Network of the US Department of Defence)
used the NCP (the Network Control Protocol). The Network expanded to
other networks in 1976, because of fears that it could be destroyed in a
nuclear strike. The TCP/IP developed by Vinton Cerf and others was
adopted as a standard protocol which allowed ARPANET to connect to
other networks. The TCP is the Transmission Control Protocol, which
tracks data packets, and it includes the IP which identifies the computers
attached to the network, so you can send messages to a machine and all
the bits of the message are delivered to the same machine.
The network spread from ARPANet to BITNet and UseNet, two (non IP
based) academic networks.
In 1983 all machines using ARPANET used TCP/IP and the Domain
Names were initiated to identify the IP numbers.
In 1985 The US National Service Foundation had set up NSFNet for
designated higher education researchers to access a number of shared
supercomputers. The NSFNet was so robust that it replaced ARPANet as
the main part of the US national network around 1988. NSFNet policy
did not allow commercial activity, only research. This policy was
designed to encourage commercial interests to build local networks to
build up the wider US network. The NSFNet then allowed commercial
activity from 1991. In 1995 private networks became the US
infrastructure and NSFNet went back to being a research network.
Businesses began connecting to the internet.
[1] From Australian Communications and Media Authority.
[2] See Henninger M. The Hidden Web, 2nd edition. University of New South Wales Press.
In 1989 the World Wide Web, developed by Tim Berners-Lee and others
at CERN (Conseil Europeen pour la Recherche Nucleaire), in Geneva
began as a networked system for collaboration for research physicists.
The Web was released in 1991. It is an internet application that uses the
HTTP protocol (Hypertext Transfer Protocol) for exchanging files and
uses HTML (Hypertext Markup Language) as the formatting language for
displaying documents. The documents contain links to other documents.
The URL (the Uniform Resource Locator) is the naming scheme, or
address for the HTML to link to other documents. The web uses the
network to link one document to other related documents. You access this
web by using your browser, that is a piece of software that sits on your
computer and it locates URLs and displays documents.
In 1991 the Internet Society was formed, directed by Vinton Cerf at
CNRI (the Corporation for National Research Initiatives) because it was
clear that the Net was no longer a closed research network.
In 1991 the first browser, Mosaic was introduced.
In 1993 The NCSA (National Centre for Supercomputing Applications)
made the first “point and click” browser and the Web became easy for
everyone.
The mass commercialisation of the Web for communications, finance,
publishing, e-commerce and marketing that we now take for granted
began to grow at an exponential rate.
The Internet 2 consortium now oversees the development of the global
network interoperability and expansion.
In Australia during the 1980s universities and the CSIRO (the
Commonwealth Scientific Research Organisation) accessed ARPANet.
In 1989 the University of Melbourne established a link with the
University of Hawaii and NASA and this was the foundation of AARNet
(the Australian Academic and Research Network) among the universities,
the National Library and the CSIRO and this became the basis for the
internet in Australia.
I have run through this brief history of the Web for three main reasons.
One is again to celebrate it as a superb construction made by our
societies.
Secondly, to show the contingent nature of the way the Web happens to
function, so that we can underline the obvious point that it is a very
recent, complex construct and there is no necessity that it function as it
does. That function is an expression of the circumstances of its history. It
is not a fact of nature, and it is possible to reform it in its structure,
function and regulation.
Third is to note that the nature or the culture of the Web is a function of
its history. It was initially devised as a tool for research and for
academics. It was built by volunteers whose purpose and ethos are rightly
influential: Tim Berners-Lee, Bob Kahn, John Gage, Brewster Kahle,
Clifford Lynch and many others. The ethos that the net should be open
and unregulated, a place of freedom of creativity and expression is in the
DNA of the Web. This philosophy is exemplified by the views of John
Perry Barlow and the Electronic Frontiers Foundation. Many consider
that to fulfil its goal as a global resource of information and knowledge
the Web must remain as free as possible from laws and regulations that
would constrain unfettered communication.
I do not agree. The internet has outgrown the founding ethos. Attractive
though “anything goes” may be when it applied to a community of
researchers and academics and even when it widened to online
enthusiasts; it is no longer a productive ideal for the Web.
It is naive to think that the Web, which is now a mainstream channel of
commerce, communications, telecommunications and media should not
be regulated and subject to law in the same way as the rest of our society.
The Web is very much part of the world and it too must be made a lawful
place, or cybercriminals will make it useless. Naturally the law should be
adequate to the task of providing security online. But law and regulation
should restrict citizens’ use as little as possible and disturb the smooth
working of the web as little as is possible, in achieving the aim of
reasonable security and confidence online.
The promise of convergence of communications technologies and media
in one platform, accessing this World Wide Web is now real. This
convergence is the result of equally rapid development of technologies
and consumer practices.
Australian Communications and Media Time Line
Along with the introduction of the internet and the Web; in Australia we
have seen introduced in short order in:
1991 Mobile telephones.
There were 100,000 mobiles in 1991.
It was thought that they would be useful for tradesmen
contractors.
1991 Subscription service television.
Pay TV started.
1993 E-mail became popular. Internet Service Providers started.
1994 The web started to become popular. Data that was previously
held physically on paper and on cards or local workstations
became available on line at an accelerating pace.
(It was only fifteen years ago that telcos were entirely separate
from broadcast).
The telcos were all monopolistic and each was vertically
integrated.
Broadcast was also vertically integrated.
1995 Coaxial cable rolled out by Telstra, Optus and their partners.
1995 Satellite platform introduced.
1997 Offline content now was being uploaded and became international
on the web. Established media companies were buying online
companies.
Consumer generated content populating the web.
Voice by wireless introduced
1998 E-commerce took off.
2000 Broadband DSL
2001 Digital TV
2002 SMS across networks
SMS revenues driven up by voting for commercial media shows
and survey cross marketing tie ups.
Wireless broadband.
Podcasts.
2004 Voice Over Internet, VOIP.
2004-5 3G mobile content.
So the Australian Communications and Media Authority was
formed.
2006 Web 2 social networking phenomenon took off.
2009 Digital Radio.
Smart devices. The major recent development is the connection of
the internet and international services with mobile phones to make
powerful mobile networked devices.
IPTV Internet Protocol Television (IPTV) is broadcast television
that is delivered over a broadband connection. Projections for
global growth from 3.7 million subscribers in 2005 are for 36.9
million in 2009.
Twitter Mobile social networking becomes popular.
Google Wave. Email is being transformed as we speak, with
Google Wave which was developed in Australia. While email was
basically begun in the 1960s, the current design of e-mail was
developed in 1982. This means of communication has been
complemented by the collaborative communication that we see on
social networking sites like the Facebook wall. Now Google Wave
uses cloud computing to introduce mainstream collaborative instant
messaging and content sharing.
200? The Semantic Web that will enable the computers themselves to
analyse all of the data and the connections between data on the
web themselves.
There is a proliferation of different platforms.
There are new services and there are the same services now available to
consumers in different ways on various platforms.
Now physical objects include intelligent chips. Devices can
communicate directly with other devices. Physical objects can talk
directly to other things.
So we have an environment where we have objects and devices with:
new applications, and
new platforms
intermediated by a web network,
middleware and
a new fibre network
that for many people will facilitate many of the important activities and
needs and services of their daily lives including communications, finance,
e-commerce, government and health services as well as education
entertainment and daily tasks.
All the institutions concerned are vitally concerned with security, none
more than the finance and banking sector. Even so, I do not believe that
the whole issue of security can be left to them to drive.
This is a complex landscape of convergence. Not everything links up, not
everything is available on your new powerful mobile phone device, but
telecomputing is now available and social networking is becoming
ubiquitous. The devices are rapidly changing. There are new business
models with a shift to applications. Content and applications will be
international, not located with the consumer. All this is boosted as a boon
to our societies. It is, but not enough attention has been paid to safety, to
engineering in high-tech crime prevention and enforcement. It is time to
do so.
Growth of Internet
- According to the Australian Bureau of Statistics, the total number of
Internet Service Provider subscribers (household, business &
government) for the December 2008 quarter was 7,996,000.
- 20,783,419 people in the Oceania/Australia region (60.4 % of the
population) use the Internet (Miniwatts Market Groups Internet
World Statistics).
- Between 2000 and 2008, there was a 172.7 % growth in internet
usage in the region (Miniwatts Market Groups Internet World
Statistics).
Growth of the internet since 1995:
- In December, 1995 16 million people used the internet, comprising
just 0.4 % of the world’s population (IDC).
- By March, 2009, 1,596 million people were using the internet, which
is 23.8 % of the world’s population (Miniwatts Market Groups
Internet World Statistics).
- The growth in internet users between 2000 and 2008 was 342.2 %
(Miniwatts Market Groups Internet World Statistics).
Strategic inflection point
With the increasing growth, sophistication and integration of information
technologies and systems, an entire high tech world has now been
created. The more inter-connected and well-distributed, the more
vulnerable this system is to low-grade and high-grade asymmetric attacks,
which can be instigated from any point on the globe. As perpetrators of
high-tech crime have turned the tables on us with what is to them the
ready-made weapon of the web, so law enforcement should collaborate
with its customers in re-engineering the way the web works, to turn the
tables back.
Different types of cybercrime:
Convergence means new forms of high tech crime proliferate and mutate
as quickly as new technology, new platforms, new consumer behaviour
and business models.
The customers want basic public safety online. Do we have it?
The AIC has broadly categorised offences into crimes which damage the
ICT infrastructure itself such as malware and crimes that use ICT as a
means to an end, such as fraud.
Some of the main forms of cybercrime include:
Cyber warfare
Espionage
Terrorism/proliferation of hate speech
Corporate espionage
Illegal interception of communications
Download and distribution of child pornography/grooming
Child exploitation
Obscenity offences
Malware (malicious software designed to infiltrate and damage
computer systems)
Money laundering
Electronic funds transfer crimes
Identity theft
Skimming
Phishing
Spam
Warez (software piracy)
Hacking and
Selling of confidential information
Fraud
Copyright offences, including peer to peer file sharing and piracy (for
example, Napster and Pirate Bay)
Creation and spreading of viruses, trojans, worms, spyware
Auction fraud
Online stalking, harassment and bullying
For example in Australia the Sasser worm (2004), created by an 18 year
old, caused widespread failure of critical communications systems in both
the private and public sectors, including the railways.
In the USA (in 1998) a 12 year old hacked into the Roosevelt Dam
control system, potentially endangering 1 million people.
There have been breaches of the US electricity grid, the F-35 fighter jet
program, and the computer hub for the Obama 2008 presidential
campaign.
It is easy to gain access online to malicious software.
There are disgruntled employee attacks on company systems. For
example, the Fannie Mae ‘logic bomb’, which, if not discovered, would
have shut down the bank for ‘at least a week’ (FBI agent J. Nye).
McAfee Corporation estimates that disgruntled employees wreak US$1
trillion of damage a year, globally.
Step Change
But these kinds of examples, though the damage done is acute, risk giving
a misleading picture.
The reason we are here, no doubt, is that in the last few years there has
been a step change in the nature and extent of cybercrime. In addition to
these types of crimes, cybercrime has in aggregate now become a
tremendous global criminal enterprise undertaken not only by teenagers
with narcissistic motives, but by highly organized professional criminal
enterprises, with strong financial motives, operating in a US $100 billion [3]
online criminal economy [4]. Revenues now exceed those of drugs crime.
And the damage done is lasting.
[3] http://www.bluecoat.com/doc/7993; http://www.crn.com.au/News/141111,cyber-crime-profits-running-into-trillions-of-dollars.aspx, VNUnet, (29/03/09).
That is why we need to avoid simply being reactive. In addition to our
current law enforcement measures we need to adopt a high tech law
enforcement customer relations management policy to lead a co-ordinated
and cooperative strategy of structural reform, to systemically reduce the
opportunities for cybercrime. This will add a combined, symmetric
approach to deal with asymmetric cybercrime.
The Cybercrime Economy
In the current business model of cybercrime there are C2C (Criminal to
Criminal) cybercrime hacking, phishing and malware business models
which are hierarchical in structure. There are creators at the top,
distributors and end user criminals.
Creators distribute ‘toolkits’, software packages of malicious code, used
to compromise information systems to glean valuable data such as
passwords, CC numbers and PINs. Many threats may be blended into
one package.
Criminals buy one of these toolkits, and let it do its work. The toolkits even
auto-update. They crawl the web, exploiting vulnerabilities in websites
and programs. Some ‘inject’ malicious code and use infected machines or
websites as ‘bots’ to propagate even further, infecting millions of
machines [5], often without the victims’ knowledge. Some target mobile
devices.
Toolkits are traded online on IRC (Internet Relay Chat) and online
forums, where the illegally acquired data, such as compromised credit
cards, bank accounts, even identities are bought and sold.
The creators make the toolkits especially for the most profitable goods
and services and constantly update them to respond to new reactive
security measures [6].
[4] See Web Security Trends Report, Finjan Malicious Code Research Center, 2008.
[5] ‘Web Security Trends Report: Q4 2008’, Finjan Malicious Code Research Center. http://www.finjan.com/Content.aspx?id=827
[6] ‘Crimeware Toolkits Make Masters Out Of Average Joes’, Gaudin, S, Information Week, (5/10/07). http://www.informationweek.com/news/internet/showArticle.jhtml?articleID=201804277
Consequences
Criminals achieve great leverage with these highly automated systems. There is a
move away from traditional, more labour intensive crimes such as spam,
trackware, adware, and keyloggers [7].
These now more sophisticated cybercrimes are growing at 45% [8].
The criminals use the web as a distribution channel and target individuals.
63% of vulnerabilities are web specific [9]. 70% of web based infections are
on legitimate websites [10]. Automation does not discriminate. Nowhere is
safe.
The Russian Business Network (RBN), credited with creating
approximately half of all phishing incidents in 2007 [11], specializes in the
technologically efficient distribution of malicious code and hosting of
malicious websites. It provides a complete web hosting service for the
cybercriminal.
Foreign intelligence services, industrial spies and hackers prey on the
networks.
We have recently seen examples of how national governments are
running cyber warfare programs.
While law enforcement has had notable successes, we can make the
internet safer. But it takes more than single actors, more than government,
more than law enforcement, more than security companies, or
corporations, more than individuals doing their part, more than a
community of interest and more than police and other agencies working
with reference groups to prevent cybercrimes. That is why it needs a
strategic commitment by law enforcement to a coordinated customer
service strategy. It takes co-ordinated [12] working groups led by law
enforcement with all their customers to design and implement security,
safety and confidence into the web architecture, systems and services [13].
[7] ‘Cybercriminals Reinventing attack methods’, CIOL, (8/7/08); ‘Trend Micro: Cyber crime attacks more insidious than we think’, Clarke, T, 02/05/09. http://www.arnnet.com.au/article/301464/trend_micro_cyber_crime_attacks_more_insidious_than_we_think
[8] Spamfighter News, 27/05/09. http://www.spamfighter.com/News-12446-Cyber-Crimes-Now-More-Sophisticated-and-Growing-by-45.htm
[9] ‘Symantec Global Internet Security Threat Report: Trends for 2008 (Volume XIV April 2009)’, Symantec Corporation. http://www4.symantec.com/Vrt/wl?tu_id=gCGG123913789453640802, ‘Symantec Report on The Underground Economy: July 2007-June 2008’, Symantec Corporation. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_underground_economy_report_11-2008-14525717.en-us.pdf
[10] See http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf
[11] ‘Symantec Report on The Underground Economy: July 2007-June 2008’, Symantec Corporation.
Of course the results must not add undue friction into online services.
Web network infrastructure in the broad sense needs reform to be made
secure and to defend against attacks. Not to stifle our freedoms, but to
protect them.
Foundations for Co-operation
International instruments
We have some foundations or bases on which to build the customer
service management approach to reducing cybercrime.
The Council of Europe, Convention on Cybercrime, 2001 calls for a
common criminal policy aimed at the protection of society against
cybercrime, by adopting appropriate legislation and fostering
international co-operation. It recognises the need for co-operation
between states and private industry in combating cybercrime.
A Memorandum of Understanding on cybercrime is being developed by
the International Telecommunications Union (the Geneva Protocol).
There are initiatives by the OECD [14] and APEC [15], G8 [16] and the European
Commission [17].
Australia
In Australia the Cybercrime Act, 2001 (Cth) provides some certainty
concerning some high tech crimes. State and territory Crimes Acts now
deal with some cybercrimes. Telecommunications and media regulation
also applies.
[12] http://ajax.sys-con.com/node/986955 ‘Computer Hackers Offer Free Advice On Twitter’, Deniz, Y, Ajax World Magazine, 02/06/09. LIGATT's Hacker for Hire service is using Twitter, a popular social networking service, to answer cyber crime questions and concerns around-the-clock.
[13] cf Kaspersky, E, ‘The Cybercrime Ecosystem’ (2008), White paper http://www.kasperskyusa.com/partners/pdf/The_Cybercrime_Ecosystem.pdf
[14] OECD Guidelines for the security of information systems and networks: towards a culture of security (2002)
[15] Global Forum; Policy Frameworks for the Digital Economy; OECD Experts Group on Global Information and Security
[16] G8 Sub Group on High Tech Crime.
[17] European Commission, Council Framework Decision on Attacks against Information Systems, 2003.
Other jurisdictions have Cybercrime Acts.
Education
In Australia as in many jurisdictions there are concerted efforts to educate
the community at large. Yet most cybercrime is unreported.
Governments are upgrading on-line safety and advice websites.
The US Internet Crime Complaint Centre (IC3) has set an example for
improving the reporting of cybercrimes.
Industry co-operation: Conficker malware
Here is an example of an industry co-operative, designed to combat a
particular cybercrime. The industry initiative is excellent but it can only
be a part solution. Nevertheless it is an initiative well worth examining
when considering a law enforcement customer service management
approach to systemic crime prevention.
Conficker is a computer worm targeting the Microsoft Windows
operating system that was first detected in November 2008. The worm
uses a combination of advanced malware techniques which has made it
difficult to counter, and has since spread rapidly into what is now
believed to be the largest computer worm infection since the 2003 SQL
Slammer.
On 12 February 2009 Microsoft announced the formation of a technology
industry collaboration to combat the effects of Conficker. Organizations
involved in this collaborative effort include Microsoft, Afilias, ICANN,
Neustar, Verisign, China Internet Network Information Center, Public
Internet Registry, Global Domains International, Inc., M1D Global,
America Online, Symantec, F-Secure, ISC, researchers from Georgia
Tech, The Shadowserver Foundation, Arbor Networks, and Support
Intelligence.
Since 13 February 2009, Microsoft has been offering a US$250,000 reward for
information leading to the arrest and conviction of the individuals behind
the creation and/or distribution of Conficker.
International Co-operation
There is growing global cooperation on cyber crime [18].
For example, the FBI’s 24/7 computer intrusion investigation team
already has 55 member states contributing resources.
I hope that the relationships that grow from this conference will result in
greater cooperation among us.
Now
Convened by the Australian Federal Police with the Communications
Law Centre here in the UTS Faculty of Law and the Australian Institute
of Criminology, the conference will consider over the next days the
emerging issues in cybercrime and mutual cooperation among agencies
and across borders.
Cybercrime is no longer the domain of lone hackers – it is now
dominated by organised syndicates involved in a range of crimes
perpetrated under the screen of internet anonymity. There is a vast
high-tech crime economy.
We are honoured by the presence of our Commonwealth and State
ministers and members of the judiciary and our distinguished speakers
and distinguished participants. The dialogue and discussion in this
conference is intended to help us all understand the issues across the
justice system and across jurisdictions, to exchange effective information
among practitioners and to share methodologies between agencies.
We need to think through the problems we confront together and work
out our strategies.
[18] Thompson, I, Vnunet, 15/01/09 http://www.securecomputing.net.au/News/133115,fbi-calls-for-global-cooperation-on-cyber-crime.aspx
We should:
determine our principles
collaborate with our customers
identify their needs and views
find out their proposals
identify the problems
decide on the priority problems
see what facts we have
see what facts we need
gather information and analysis
choose our aims
decide our policies
resolve what methods to use and
decide what interventions to make
We should decide now, five years out:
What is a robust online environment?
What role should law enforcement play?
Who regulates the internet?
What is a citizen in full possession of his or her rights and
liberties?
There is a lot of work to be done to address ingenious and fast moving
cybercrimes and maintain the health of the web. Gathering dynamic and
static data, surveillance, interception, proper manipulation and
presentation of data as forensically probative evidence of cybercrimes,
while respecting privacy, is challenging.
Cooperation and coordination are of the essence for prevention and for
deterrence of high-tech crime.
We must address the active tension between our liberties and freedoms
and effective law enforcement. While the community must be protected,
our valuable liberties and rights must also be fully respected. It is obvious
that we must do both. Provide security and protect citizens’ rights under
the law.
I believe that our discussions will lead to work which will be of benefit to
our communities.
We live in a connected world. We had better get connected.
End