McAfee Annual Security Report: Three Major Global Challenges Emerged
First, cybercrime isn’t yet enough of a priority for governments around the world to allow the fight against it to make real headway worldwide. Added to that, the physical threat of terrorism and economic collapse is diverting political attention elsewhere.
In contrast, cybercriminals are sharpening their focus. Recession is fertile ground for criminal activity as fraudsters clamour to capitalize on rising use of the Internet and the climate of fear and anxiety. Are we in danger of irrevocably damaging consumer trust and, in effect, limiting the chances of economic recovery?
Second, cross-border law enforcement remains a long-standing hurdle to fighting cybercrime. Local issues mean laws are difficult to enforce transnationally.
Cybercriminals will therefore always retain the edge unless serious resources are allocated to international efforts.
Third, law enforcement at every level remains ad hoc and ill-equipped to cope. While there has been progress, there is still a significant lack of training and understanding in digital forensics and evidence collection as well as in the law courts around the world.
The cyberkingpins remain at large while the minor mules are caught and brought to justice. Some governments are guilty of protecting their in-country offenders. The findings suggest there is an ever greater need to harmonize priorities and coordinate police forces across physical boundaries.
The report concludes with a look at suggested steps at both the local and international level to make the fight against cybercrime more effective.
How Countries of the World Are Responding to Cybercrime
There are many regional and international organizations, with narrow or broad coverage of states, that are to a greater or lesser extent making efforts to maintain cybersecurity and harmonize international measures to combat cybercrime. This section will introduce only four of these organizations, which have taken typical actions in combating cybercrime.
United States of America
The US spends the most money on cybersecurity and has the most sophisticated technical staff and researchers working on these problems – at universities, in the commercial world and in government – of any country in the world. In 2008, the Department of Homeland Security budgeted $155 million for cybersecurity and is gunning for $200 million in fiscal 2009. President Bush also looked for $17 billion from Congress for a cybersecurity initiative.
However, the National Cybersecurity Initiative has been criticized for spending billions on “unproven, embryonic technology, and possibly illegal or ill-advised projects,” and it has been said that it focuses too much on internal surveillance rather than actively defending against attacks.
The new Obama administration has pledged to appoint a national cyberadvisor to synchronise activity, reporting directly to him (rather than three steps away as per the Bush administration). He views cybersecurity as a “top priority” in the twenty-first century. Yet the details of his plans remain vague.
The Organization of American States
In 2004, the Fourth Plenary Session of the Organization of American States General Assembly passed the resolution on “Adoption of a Comprehensive Inter-American Strategy to Combat Threats to Cybersecurity: A Multidimensional and Multidisciplinary Approach to Creating a Culture of Cybersecurity,” proposing that “An effective cybersecurity strategy must recognize that the security of the network of information systems that comprise the Internet requires a partnership between government and industry.”
Brazil
Classed as one of the top three most infected countries in the world for zombie machines and botnet activity, Brazil was also victim to 166,987 attempted cyberattacks in 2008, the third highest in the world. But Brazil is fighting back, and is revisiting the ratification of the Council of Europe’s Convention on Cybercrime by means of bills consistent with this Convention.
However, there is significant disagreement between the bills being processed in the Brazilian legislative houses. There is even a bill that, in practice, represents a step back in the investigatory advancements achieved so far.
United Kingdom
In September 2008, £7 million was granted towards the formation of a new police unit dedicated to tackling electronic crime and Internet fraud. The new Police Central e-crime Unit (PCeU) will provide specialist officer training and coordinate cross-force initiatives to crack down on online offenses. It will also provide support to the National Fraud Reporting Centre when it comes into operation in 2009. It will work closely with other crime-fighting agencies to tackle international and serious organized crime groups operating on the Internet.
However, the UK government has been criticized for its decision in 2006 to dissolve the dedicated National Hi-Tech Crime Unit, and for the fact that funds for the new agency are so limited. The amount granted is almost comparable to the £6.2 million the UK Ministry of Defence is reported to have spent on parties in 2007. Across the globe there is evidence of cybersecurity initiatives, but given the billions lost to cybercrime every year, is it a case of too little, too late?
EUROPE
The European Network and Information Security Agency (ENISA) is a centre of expertise for the EU member states and EU institutions in network and information security. It contributes to modernizing Europe and securing the smooth functioning of the digital economy and the information society. In 2008, it had a budget of 8 million.
The Asia-Pacific Economic Cooperation (APEC)
In the Asia-Pacific region, the APEC coordinates its 21 member economies to promote cybersecurity and to tackle the risks brought about by cybercrime (APEC, 2003). The APEC has conducted a capacity-building project on cybercrime for member economies in relation to legal structures and investigative abilities, where the advanced APEC economies support other member-economies in training legislative and investigative personnel.
After the 9/11 attacks on the U.S., the APEC Leaders issued a Statement on Counter-Terrorism, condemning terrorist attacks and considering it urgent to reinforce collaboration at different layers to fight against terrorism. The Leaders called for reinforcing APEC activities to protect critical infrastructure.
The Telecommunications and Information Ministers of the APEC economies issued the Statement on the Security of Information and Communications Infrastructures and a Programme of Action in 2002, supporting measures taken by members to fight against misuse of information. The Senior Officials’ Meeting has made a recommendation which designates six areas that can serve as the foundation for the APEC’s endeavor for cybercrime prevention, comprising legal development, information sharing and cooperation, security and technical guidelines, public awareness, training and education, and wireless security. The Ministers and Leaders of APEC have made a commitment to “endeavour to enact a comprehensive set of laws relating to cybersecurity and cybercrime that are consistent with the provisions of international legal instruments, including the UN General Assembly Resolution 55/63 and Convention on Cybercrime by October 2003.”
In response to this call from the leaders, a survey of laws was carried out and a summary was made of the responses from member economies received in 2003 (see E-Security Task Group, 2003). The economies proposed corresponding projects in information-security task groups. For example, the U.S. proposed a project in the E-Security Task Group of the Telecommunications and Information Working Group.
The first phase of this project was a meeting of cybercrime experts from around the region. The meeting was held from 21-25 July, 2003 in Bangkok, Thailand, and was attended by over 120 delegates from 17 economies. The objectives of the meeting were to assist the economies to develop the necessary legal frameworks; to promote the development of law-enforcement capacity; and to strengthen cooperation between private and public sectors in addressing the threat of cybercrime. In the conference, the experts present agreed that every economy needed a legal framework including one for substantive and procedural law, and for the law and policies of inter-economies cooperation. They confirmed the role of international instruments, particularly the Convention on Cybercrime. They also emphasized jurisdictional cooperation, law-enforcement construction, and the capacity building of the investigators.
In 2005, the sixth APEC Ministerial Meeting on the Telecommunications and Information Industry passed the Lima Declaration, “encouraging all economies to study the Convention on Cybercrime (2001) and to endeavour to enact a comprehensive set of laws relating to cybersecurity and cybercrime that are consistent with international legal instruments, including UN General Assembly Resolution 55/63 (2000) and the Convention on Cybercrime (2001).”
However, due to the great difference between member economies within the APEC, the development toward unified legal instruments has not been too satisfactory. Although some economies have claimed that their laws have been completely consistent with the Convention, and some other economies were taking actions to implement provisions similar to the Convention, many other countries have quite different legal systems or have no law criminalizing cybercrime.
Efforts are still to be made in the forum of the APEC to address cybercrime.
JAPAN
Japan has implemented the fastest and most advanced next-generation communications networks in the world. It has also been exposed to a series of damaging malware attacks and data breaches in recent years, particularly via Winny Peer-to-Peer (P2P) worms. Japan has fought back in an unusual way by prosecuting the inventor of the Winny P2P system for assisting in copyright infringement.
This unconventional approach was used because Japan lacks adequate laws criminalizing the writing of viruses. Japan’s ISPs are also playing an active role in stopping malware – four of the country’s major ISPs have launched a collective plan to forcibly terminate Internet access of users caught using Winny-style P2P technology. However, the government’s slow implementation of the provisions of the 2003 Act on the Protection of Personal Information does not encourage the public or private sectors to treat security issues as seriously as they should.
ESTONIA
Cyberattacks on Estonia (also known as the Estonian Cyberwar) refers to a series of cyber attacks that began April 27, 2007 and swamped websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country’s row with Russia about the relocation of the Bronze Soldier of Tallinn, a Soviet-era memorial to fallen soldiers, as well as war graves in Tallinn.
Most of the attacks that had any influence on the general public were distributed denial-of-service attacks, ranging from single individuals using various low-tech methods like ping floods to expensive rentals of botnets usually used for spam distribution. Spamming of bigger news portals’ commentaries and defacements, including that of the Estonian Reform Party website, also occurred.
Some observers reckoned that the onslaught on Estonia was of a sophistication not seen before. The case is studied intensively by many countries and military planners as, at the time it occurred, it may have been the second-largest instance of state-sponsored cyberwarfare, following Titan Rain.
Although a small country, Estonia is regarded as one of the most technologically capable countries in Europe in the cybersecurity and anti-cyberterrorism stakes. This proactivity has been prompted by the high-profile and repeated DDoS attacks on its government, news and bank servers in April 2007. In May 2008, Estonia established a top secret cybersecurity hub, operational as of August 2008 and backed by NATO and seven EU countries (Estonia, Germany, Italy, Latvia, Lithuania, Slovakia and Spain). Estonia has also pledged 50,000 to back the Council of Europe Convention on Cybercrime.
RUSSIA
Russian Interior Minister Rashid Nurgaliyev on April 19 called on the world to join forces against criminal groups and international scammers operating via the Internet. Speaking at a two-day conference on cybercrime and cyberterrorism, Nurgaliyev also voiced concern over the unimpeded circulation of extremist, racist, and pornographic material on the Internet. His remarks come amid renewed efforts by Russia’s parliament to draft legislation aimed at tightening control over the Internet.
MOSCOW, April 20, 2006 (RFE/RL) – The conference brought together some 200 experts from over 50 countries to discuss ways of jointly fighting web crimes and regulating Internet content.
Opening the conference Nurgaliyev said that online criminals could cause as much harm as weapons of mass destruction, and called on the international community to join forces against cybercrime. No government, he said, can combat this type of crime single-handedly.
Today, Russia and former Soviet countries provide a large proportion of the world’s hackers. A number of damaging computer viruses are believed to have originated in Russia.
Russian hackers have been blamed for a series of high-profile online extortion schemes over the past few years in which big businesses were threatened with the loss of their website unless they handed over protection money.
In 2004, a group of Russian and British hackers was busted after swindling $70 million from British gaming firms. Boris Miroshnikov, the head of the Russian Interior Ministry’s Bureau for Counteracting High-Tech Crimes, told the Moscow conference that the number of registered Internet crimes in Russia has increased tenfold over the past five years. In 2005, Russian authorities recorded 14,810 such crimes.
Online scammers also extort billions of dollars globally every year by posing as banks to hack into databases and con web surfers out of their money. According to Nurgaliyev, Russian banks are under growing attack from hackers.
The problem is compounded by the explosion of Internet use in Russia. While an estimated 2 million Russians had Internet access in the mid-1990s, Russia’s online community today represents roughly 16 percent of the population, or nearly 24 million people.
Internet use in Russia, however, is still limited compared to Europe, where almost 50 percent of the population has Internet access.
ROMANIA
Romania has been taking major steps to crack down on cybercrime by adding new hacking laws and strengthening its ability to fight cybercrime. This was prompted by timely phishing attacks by Romanian crime gangs that were hurting US banks to the point where some companies were blocking all Internet traffic from Romania. This coincided with official efforts to strengthen ties with the West and attain NATO membership, so clamping down on cybercrime became a focus. In 2008, Romania again cooperated with the FBI to arrest dozens more Romanians in an online fraud gang.
Existing and Emerging Global Cooperation – How Possible?
Currently the Council of Europe Convention on Cybercrime is the only international agreement that covers all relevant areas of cybercrime legislation (Substantive Criminal Law, Procedural Law and International Cooperation). Adopted by the Committee of Ministers of the Council of Europe at its 109th Session on 8 November 2001, it was opened for signature in Budapest, on 23 November 2001 and it entered into force on 1 July 2004.
The Gulf States meanwhile have chosen to go the route of preparing their own law, with the Cybercrime Convention as a model.
The UAE was the first country that enacted a comprehensive cyberlaw among the Gulf States. It has been working well against cybercrime in the country, but plans are underway to extend the law into other Gulf Cooperation Council (GCC) States.
There is considerable activity being undertaken in Latin America to come into line with the Cybercrime Convention but there are problems surrounding the lack of procedural law.
Most countries cover child porn and system attacks but it remains unclear as to whether botnets are illegal. Costa Rica and Mexico have been asked to accede to the Cybercrime Convention while Argentina and Dominican Republic already have working legislation. Brazil is drafting cybercrime legislation which is under debate but alleged to be “very tough.”
Multi-national efforts and The Cybercrime Convention at Regional Levels
Regional approaches also play an important role. This is especially relevant with regard to the criminalisation of illegal content, where there are more similarities on a regional than on a global level. Examples of current regional approaches are: the European Union (EU), the Common Market for Eastern and Southern Africa (COMESA) states, Asia-Pacific Economic Cooperation (APEC), Organisation of American States (OAS) and the Gulf Cooperation Council (GCC).
- Council of Europe
EC, the Council Framework Decision 2005/222/JHA on attacks against information systems, was adopted by the Council of the European Union on 17 January 2005. The Framework Decision will ensure a common minimum level of approximation of criminal law for the most significant forms of criminal activity against information systems, such as illegal access, illegal system, and data interference. This includes the so-called “hacking” and “denial-of-service attacks” as well as the spreading of malicious code, spyware and malware and viruses. This approximation is desirable in order to avoid any gaps in Member States’ laws that could hamper the response of law enforcement and judicial authorities at national level to these growing threats.
European Program for Critical Infrastructure Protection (DG JLS) – The Directive has been drafted, while the criteria and guidelines are under development until year-end 2008.
- The Commonwealth of Nations
The Commonwealth of Nations took direct and timely action in harmonizing the laws of its member states. In October 2002, the Commonwealth Secretariat prepared the “Model Law on Computer and Computer Related Crime”. Within the Commonwealth’s 53 member countries, the “Model Law” has had a wide influence on domestic legislation. Through this model law, the Convention on Cybercrime has become one of the legislative choices in substantive criminal law, covering the offences of illegal access, interfering with data, interfering with computer systems, illegal interception of data, illegal data, and child pornography. Compared with the Convention on Cybercrime, the Model Law expanded criminal liability (so as to include reckless liability) for the offences of interfering with data, interfering with computer systems, and using illegal devices. The Model Law also covered the problem of dual criminality by stating that the act applied to an act done or an omission made by a national of a state outside its territory, if the person’s conduct would also constitute an offence under a law of the country where the offence was committed. This may lead to prosecution or extradition based on dual criminality, but not extradition as it is provided in the Convention on Cybercrime.
Besides impelling legislation within the forum, another focus of the Commonwealth is on mutual assistance in law enforcement between Commonwealth member states and between Commonwealth member states and non-Commonwealth states.
- The Group of Eight (G8)
The Group of Eight repeatedly expressed their concern about cybercriminality. At the Okinawa Summit, the Okinawa Charter on Global Information Society adopted the principle of international collaboration and harmonization of cybercrime. “In order to maximize the social and economic benefits of the information society”, the Group of Eight agreed on principles and approaches for the protection of privacy, the free flow of information, and the security of transactions. The Charter recognized that the security of the information society necessitated coordinated action and effective policy responses.
- The Organization for Economic Cooperation and Development (OECD)
The OECD adopted Guidelines for the Security of Information Systems and Networks in July 2002, calling on member governments to “establish a heightened priority for security planning and management”, and to “promote a culture of security among all participants as a means of protecting information systems and networks” (OECD, 2002a, Part I). The Guidelines established nine principles, including awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management, and reassessment (OECD, 2002a, Part III). Because of the nature of the guidelines and the distance from the legal actions, practical endeavors were left to the member countries to make.
- Global international efforts by the United Nations (UN)
At a recent United Nations-backed conference held on 5 October 2007 in Geneva, experts agreed to jointly take action to combat the constantly evolving and increasingly sophisticated challenges posed by cybercrime. The legal, moral, technical and institutional challenges posed by cyber-threats and cybercrime are global and far-reaching, and can only be addressed through an articulate plan of action taking into account the role of different stakeholders and existing initiatives, within a framework of global and national cooperation.
‘‘In resolution 57/239 on the Creation of a global culture of cybersecurity, the United Nations General Assembly recognized “that, in a manner appropriate to their roles, government, business, other organizations and individual owners and users of information technologies must be aware of relevant cybersecurity risks and preventive measures and must assume responsibility for and take steps to enhance the security of these information technologies.”
This view was reaffirmed by the World Summit on the Information Society (WSIS) in the Tunis Agenda for the Information Society, the Geneva Declaration of Principles and Plan of Action, and in the 2005 World Telecommunications Development Conference (WTDC) (Doha).
The necessity for global interconnectivity of information networks and systems means that no single nation can successfully secure itself in isolation. Cybersecurity is a problem common to all nations and each nation’s security is limited by that of the weakest link in the global infrastructure.’’
Other European group initiatives
- G8 High-Tech Crime Sub Group
- EuroSCADA Group
- European Governmental CERT Group
- Forum of Incident Response and Security Teams
The Virtual Global Taskforce (VGT) (http://www.virtualglobaltaskforce.com/) is made up of police forces from around the world working together to fight online child abuse.
[Map legend: countries that have ratified the Cybercrime Convention; countries that have signed the Cybercrime Convention; countries that have yet to participate in the Cybercrime Convention.]
