Cybercrime: Government vs business

Just as the players in the Internet economy are poised to harvest the benefits of surging interest in online shopping, the underworld of cybercrime sparks renewed cries for controls and regulations. While business wants the safeguards of regulatory controls, it is wary of any clampdown that might hinder the growth of, or turn customers away from, online deals. Sandra Van Dijk looks at the progress.

While business and government struggle to reach agreement on the most effective solutions to the exponential growth in computer-related crime, all parties agree it is the greatest problem confronting the information technology landscape worldwide.

Finding the right mix of law enforcement, technological applications and market-based solutions is proving extremely difficult as fears continue to rise that state intervention is stifling commercial development.

Increasingly, law enforcement agencies look to markets to provide solutions while they continue to plead for extending the legislative powerbase, which is often contrary to business interests.

There are a number of issues that place government and business at loggerheads, a prime example of which is the regulation and use of encryption.

Another is a complaint by law enforcement agencies that business is unwilling to report computer crime for fear of losing public confidence in their products or being exposed for poor systems management procedures.

Speaking to the 10th United Nations Congress on the prevention of crime last month, Australian Institute of Criminology research director Peter Grabosky said governments may be forced to choose between paternalistic imperatives and those of commercial development and economic growth.

He identified a fundamental tension between the deregulatory imperative, which characterises the world's advanced economies, and the desire to control some of the darker corners of cyberspace.

"There is a significant danger that premature regulatory interventions may not only fail to achieve the desired effect, but have a negative impact on the development of technology for the benefit of all," Grabosky warned.

"Over-regulation, or premature regulatory intervention, may run the risk of chilling investment and innovation.

"The challenge facing those who would minimise computer-related crime is to seek a balance which would allow a tolerable degree of illegality in return for creative exploitation of digital technology."

In recognition of the recent formation of national government and industry working groups to co-regulate cybercrime, Grabosky said individuals, government and interest groups need to make their preferences known.

"Markets may be able to provide more efficient solutions than state interventions," he said.

"The pursuit of a strict enforcement agenda is, in most cases, not feasible because of the limited capacity of the state."

Cyber West

In a world where offenders can hide their identities and there are no jurisdictional borders, cyberspace has been labelled the digital equivalent of the Wild West.

Investigative procedures and the ability to source evidence are severely hindered, which is why law enforcement authorities favour strict control of encryption technology while business wants access to sophisticated encryption to protect information stored electronically or transmitted over public networks.

Public key cryptography is the best way to implement trustworthy digital signatures, which are an essential element in formulating contracts and authenticated communication online - the Internet equivalent of registered mail.

While Australia has no domestic restrictions on encryption, export control by both the Australian and US governments is frequently mentioned as an impediment to business.

This means all software from the US is crippled by legislative restrictions, although the government did relax export controls for companies that agreed to incorporate key recovery which allows a back door for governments to retrieve data.

According to industry pundits these regulatory precautions undermine computer security rather than enhance it.

Electronic Frontiers Australia (EFA) warns such features can be potentially exploited by hackers and are generally considered insecure anyway.

"Key escrow or key recovery concepts are fundamentally unworkable and a risk to data security," EFA executive director Peter Upton said.

"Current regulations impose unnecessary constraints and costs on business while doing little to achieve the government's aim of restricting availability of cryptographic software."

Grabosky believes the use of encryption technology may place criminal communications beyond the reach of law enforcement. This fear ultimately led to the introduction of the Australian Security Intelligence Organisation Legislation Amendment Bill, which lets the government authorise legal hacking into private computer systems, and the copying or alteration of data, if it is a relevant security matter.

Industry is clearly aware of the sensitivity of this issue when competing for business.

Consumers are already reticent to provide personal information if there are fears it is not protected or it will be used for a secondary purpose, particularly if there is government access to that data.

When the authorities seize data to use as evidence it's not as simple as pulling some documents out of the filing cabinet.

According to Australian Federal Police statistics, the average capacity of data storage seized for analysis has risen from 35Mbytes in 1991 to 3.4Gbytes in 1999, challenging limited time and financial resources.

Biometrics

AFP commissioner Michael Palmer believes forensic science will play an increasingly important part in the new world of cybercrime. CrimTrac is a move in this direction with its combination of a DNA database and a national automated fingerprint system.

"DNA has revolutionised forensic science and is the most exciting event to hit law enforcement since the advent of fingerprints," Palmer said. When sourcing evidence and tracing a hack attack or other computer-related crime, forensics will play an important part when assessing the crime scene or launch point of attack.

While biometrics is becoming a more widely used option for business to monitor access to data, there are considerations affecting government and business.

Not only is it a costly option for business, it raises serious privacy concerns about the use of biometrics in the workplace.

Privacy advocates fear governments and business may potentially have access to the biometric database of employees and that information could be misused.

Borderland

Establishing regulations across international borders can be complicated and this is one area where business is operating at a much faster pace than legislation.

Any business engaging in B2B commerce needs to be aware of the various local laws relating to computer crime when dealing with an overseas company, especially when delivering goods or providing credit card information.

KPMG consulting managing director for commerce Thomas Patterson believes it is extremely hard for the average business to determine whether a company in, say, Uganda will trade responsibly.

He said this has led to a whole new burgeoning business of certification authorities.

"These are people who hold the keys to transactions, setting up in offshore, small-island nations that don't have [good standards]," Patterson said.

"But they have a rule of law that says that Janet Reno (head of the US Department of Justice) cannot come in and get the keys.

"So you keep your data in the US or you keep it in France, but the keys to unlock that data are going to be offshore.

"It's a whole little cottage industry growing up as [some] people try to skirt those exact laws," Patterson said.

Only last week at an Internet Summit in the US, with governments and law enforcement agencies in attendance, delegates made it clear that the onus is on the private sector to solve the cybercrime problem.

Interpol's secretary general, Raymond Kendall, called on the private sector to flex its research and development budgets to come up with ways to protect networks against computer crimes.

He said companies need to make investments for the future by installing effective security equipment on their networks today.

"Prepare for the worst, with the necessary contingency programs in place to see that damage is limited," he said.

Kendall said governments have a responsibility to create the right legal conditions but do not have the funds necessary to develop the technology and rapid solutions necessary to deal with this phenomenon.

"It takes a long time to get legislation adopted nationally and it takes an even longer time to get international conventions adopted which can help deal with these problems and be used as a legal basis," he said.

While the computer security industry is providing technological solutions and support to stem computer-related crime, the AFP is keen to emphasise the responsibility of the private sector to report attacks and to pass on referrals for investigation.

Federal agent John Geurts said police survey results estimate more than 90 per cent of all detected computer fraud goes unreported.

"Commercial considerations such as the availability of technical solutions and possible negative commercial effects are considered the primary reason for the lack of reporting," he said.

"A further reason could be a general lack of confidence in law enforcement ability to overcome the challenges computer-related crime poses.

"This lack of confidence in law enforcement is often perpetuated by the private sector in an effort to further commercial interests," Geurts said.

Agent Geurts said law enforcement and computer security communities have interdependencies with respect to computer security and reported incidents.

"I repeat my call for those who encounter Internet crime to ensure it is reported to the appropriate authorities, be they state or federal," Geurts said.

"We simply cannot provide support if the full extent of the Internet crime problem remains hidden."

Not a single business reported the high-profile and devastating "ILoveYou" virus to the NSW Police recently.

This led to a statement from Computer Crime Unit detective sergeant Philip Kaufmann calling on the public to start reporting cybercrime.

"People tell us that there is a lot of crime out there on the Internet, but it certainly has not been reported to the police. So it's not being investigated either," Kaufman said.

How much money companies lose to computer theft and extortion is impossible to calculate because no one is talking, but cases published by the US Federal Bureau of Investigation (FBI) are a horrifying indicator of the money companies are willing to hand over to avoid unfavourable publicity.

The London Times has published estimates of UK-based financial institutions paying more than $400 million in a single year to fend off extortionists but this is impossible to verify because it is a subject not open to discussion.

In response, the British government is planning a £69 million ($181 million) spy centre capable of tracking every e-mail and Internet hit in the country, a move which has outraged civil libertarians.

To be housed in the MI5 headquarters, the Government Technical Assistance Centre will be established as part of the Regulation of Investigatory Powers Bill.

The bill gives law enforcement the power to demand keys to decode encrypted messages and forces Internet service provider (ISP) groups to establish secure channels to transmit information about Internet traffic to the government cyber-centre.

The government has already established the encryption coordination unit to oversee the centre.

Further highlighting the competing conflicts of business and government is the concern of ISP groups in Britain about the cost of complying with the new regulations and their predictions the legislation will scare Internet users away from encryption technology, dealing a blow to the government's stated aim of making Britain a hotbed of e-commerce.

Global practice manager for high-tech investigations at Kroll Associates Alan Brill said business recognises that to be successful on the Internet it has to take responsibility for security.

"Internet technology seems to evolve at the speed of light, but law evolves at the speed of legislatures," Brill said.

"For that reason, I think we need to, as an industry, make our voice heard as to the kinds of laws and regulations we need to do the job."

First assistant secretary of the Federal Attorney General's law division Peter Ford said the National Office of the Information Economy (NOIE), which covers a wide range of IT issues, is an example of the mounting range of resources being allocated to cybercrime in Australia and the government's commitment to liaising with industry in policy development.

While not everyone may agree on the solutions, the financial opportunities the Internet offers are plain to see.

In fact, the Computer Security Institute estimates the total value of goods and services traded on the Internet will reach more than $325 billion by the year 2002.

With this in mind, regulatory debate is sure to remain lively in the foreseeable future.
