After a 15-year stint with the Australian Federal Police, Australian High Tech Crime Centre director Alastair MacGibbon is trading in his federal badge to go to eBay. Here he talks candidly and frankly about why he's on the move, the state of Australian cyber policing and the risks of joint ventures with the private sector.
So you’re off to eBay as the director of trust and safety. What prompted the move after such a long and established career in policing?
It was a personal decision that involved myself and my family. It seemed to be an appropriate time to go. We have established the [Australian] High Tech Crime Centre (AHTCC) with a pretty good and firm foundation.
It’s, I think, a healthy thing for the centre. My replacement is a bloke called Kevin Zuccato and he’s currently our [Australian Federal Police’s] senior person in the Washington DC office. He has got an extensive policing career, is a well-established detective and understands transnational crime among other things.
I guess what I’m trying to say is it’s not an easy decision to go. The AFP has been my life. The AFP has been my sole long-term employer. It’s not an easy decision, but it was a rational decision primarily for family reasons. I’m more comfortable in leaving, because I know that the next guy is going to keep taking it to the next level – that’s an important thing. July 2 is [first anniversary of] when the centre was founded, but in truth it’s 18 months.
Recently the banks have dipped into their own pockets and seconded staff over to the AHTCC. How’s that progressing and what were the challenges in orchestrating that?
It’s known as the Joint Banking and Finance Sector Investigation Team. From the AHTCC point of view, we take a [sector-based approach] to how we try to engage industries. One of our roles is the protection of the National Information Infrastructure, and banking and finance is one of those critical industries – so we established a [rapport] there.
The rise of phishing, which first occurred in Australia of any note against a bank in Easter last year, saw us concentrating quite heavily upon developing better relations with [financial] institutions and trying to work on better ways to investigate and prevent crime.
It came about through a lot of discussions and working out how to better legally share data. As to how it’s working it’s very early days, but I hold out great hopes. In government work we talk about public private partnerships (PPPs), working with industry and the way that industry feels. This is an actual physical manifestation of that rhetoric. It’s an actual real investment on the part of the government and the private sector to see if this type of policing can deliver dividends beyond what we can achieve in other ways. It will be some time, I believe, before we’ll actually know if it’s a more successful model.
Some have criticised the AHTCC because there haven’t been any noticeable prosecutions to date. How come?
These things take time. The way I would describe our investigative policy to date is that, in the last year since we opened the doors, we needed to know what the criminal environment was. We had some idea based on a pre-existing AFP team and our relationships with other law enforcement agencies in Australia and internationally. But we needed to go out there and say OK, if we’re going to investigate a denial of service attack, how are we going to do it and what are the evidential issues? Nobody has ever used the cybercrime amendments to the criminal code before, so what are the pitfalls for us in investigating it?
We have three of four people before the courts in relation to cybercrime offences – and they are still before the courts. Part of that is because this is new ground for a range of people. It’s new ground for us, the prosecutors, the defence and for the court system itself.
Is it important to pick your initial prosecution mark carefully in terms of precedent?
My philosophy has not been that. It’s been let’s take matters before the court because they will ultimately interpret the legislation and decide what’s right or wrong, or what we gathered was sufficient or insufficient so we can learn for the future. We can always go back to government and argue for changes to laws. But if we wait too long we run the risk of never starting. [In] relation to the lack of high profile, you need to cut your teeth and develop a reputation of being helpful to industry and taking on complaints. We’ve started doing that, but this is a long, long road to hoe.
What was the hardest thing you’ve had to manage at the AHTCC?
It was taking on the perspective on how we deal with industry and understanding industry’s motivation. Not falling into the trap of doing just what industry wants and yet also not going in as police officers and saying “’allo, ’allo, what’s all this then”.
It’s not a relationship of us dictating to [industry]. It needs to be a relationship where we understand how the banks respond and why they respond in a certain way to incidents. How we would normally respond to incidents in the physical world may not be the way we respond in the electronic world.
The sheer volume of relationships [is also a challenge].
There was some criticism on a recent ABC Four Corners program that Australia started out very well in the electronic policing game and then dropped the ball. Do you think that was valid?
I think Australian law enforcement is pretty well placed. There is no silver bullet for these things - there is no [outright] solution to this sort of crime, just as there isn’t for other types of crime in the community.
I think we are very well placed here in Australia with the formation of the AHTCC, and the relationships that come from that. The board of management includes all of the police commissioners who meet on a regular basis and talk about [e-crime] issues.
When you have the CEOs of the country's police agencies talking specifically about high-tech crime, that in itself is indicative of where it sits in terms of institutional support that they give to it. We can always want more police and larger budgets, but for me that is not the solution. The lag between the introduction of technology and the bad bits that come from it means that there will always be an element of [catch-up].
What do you see as your biggest challenge at eBay?
I can't say because I'm not there yet… But to me the biggest problem for high-tech crime at the moment is end-user compromise. It's reaching out to the public and trying to get them to behave in a manner that protects themselves. You can't afford to be paternalistic about [end users], you can't do it for them, they have to do it for themselves. You need to give them the tools and the motivation to do it.
With policing being a part of society, I very much see this as a natural continuation of what I've done. I'm sure it will bring some unique challenges.
Is there a strong enough push for smaller organizations that handle sensitive data or transactions to have decent IT security standards? How much work needs to be done for the smaller issues?
It's an enormous issue. Even when you spend more money, even in big institutions, you will always be behind the pace because of the sheer nature of the crime and the vulnerabilities. Regulation is for other people to comment on.
[Organizations should] ask [their] ISP what security procedures are in place, how secure [they are] and then independently verify it if need be. In the electronic world your Web site is your image and users have to know to protect themselves.
The conundrum is that there are so many different points of compromise - that's the million-dollar question.