Police, Security Officials Meet on Cybercrime Strategies

When the “ILOVEYOU” worm crippled computer systems worldwide 10 years ago this spring, authorities in the Philippines didn’t even have a law to properly charge its author.

Since that time, many countries have developed computer crime laws in part due to the 2001 Convention on Cybercrime, an international treaty that lays out legal guidelines for high-tech crime legislation.

This week, more than 300 experts met at the Council of Europe’s conference on cybercrime to discuss the treaty and better cooperation in a fast-changing landscape where criminals clearly still have the upper hand.

From advance fee frauds to spam to malicious software, the Internet has become a wild west-style frontier where law enforcement officials have had notable successes in recent years but where most cybercriminals operate with near impunity.

“Criminal actors know that law enforcement investigations take time,” said Kauto Huopio, senior information security adviser at the Finnish Communications Regulatory Authority. “They are looking for areas where they are less likely to get caught and where there are challenges in international cooperation.”

Much of the effort at the Council’s conference is focused on uniting various Internet stakeholders that have only a recent history of tenuous cooperation, such as Internet governance groups, network providers,domain-name registries, law enforcement and commercial enterprises.

Close ties between law enforcement and private companies is sometimes viewed as a sign of corruption, said Bernard Otupol, assistant director for the financial and high-tech crime sub-directorate at Interpol. In some developing countries cybercriminals have co-opted network infrastructures where police don’t have many resources.

“A lot of countries have a lot of problems,” Otupol said.

The London Action Plan is one organization that works to foster ties between industry and government on antispam and spyware enforcement and improve information sharing, said Shaundra Watson, counsel for International Consumer Protection at the U.S. Federal Trade Commission.

But that cooperation is “not a given in many places in the world,” she said.

Law enforcement officials are seeking ways to make it easier to get information from other countries during breaking cybercrime cases. They need quick information from other police agencies as well as contacts at ISPs (Internet service providers), which can help preserve electronic evidence that might quickly disappear, hampering cases.

“It’s safe to say law enforcement successes have been in spite of the landscape rather than because of it,” said Paul Hoare, senior manager and head of e-crime operations for the U.K.’s Serious Organised Crime Agency (SOCA).

SOCA and the U.S. Federal Bureau of Investigation have proposed stronger verification checks for people registering domain names and a revamp of privacy services that make it hard for investigators to find out who is running a domain.

“We actually can’t expect a lot to change on the Internet to catch criminals if we as law enforcement really can’t do our job,” said Robert Flaim, supervisory special agent with the operational technical branch of the FBI. “Right now we are fighting a ground battle, but what I propose is that we start an air war.”

Part of that effort involves looking for choke points where potential criminal activity could be blunted. Law enforcement have had increasing contacts with the five regional Internet registries (RIRs), which are entities that assign IP (Internet protocol) addresses to network providers, Flaim said.

Cybercriminals have been able to build their own networks, pretending to be legitimate businesses. The Russian Business Network (RBN), a well-known group linked to malicious software, received an IP (Internet protocol) address allocation so it could essentially act as its own ISP.

The five RIRs either already have or are close to establishing law enforcement working groups. “We are on our way to establishing good relationships with the RIRs but we have to follow through,” Flaim said.

The RIPE Network Coordination Centre, a RIR that covers Europe, the Middle East and parts of Asia, has had increased contact with law enforcement over the last few years, said Roland Perry, RIPE NCC’s public affairs officer.

“We’ve had more requests for information about how we operate,” Perry said. “We’ve had more requests for information about ‘This member of yours seems to be misbehaving can you tell me a bit more about him please’.”

Meanwhile, efforts have been underway to educate judges and prosecutors cybercrime, which can be highly technical.

Esther George, senior policy advisor for the U.K.’s Crown Prosecution Service, designed a training program for prosecutors, which is now used for the Global Prosecutors E-Crime Network (GPEN) initiative. In the U.K., some 120 prosecutors and 45 case workers now have e-crime training, she said.

But prosecuting e-crime also requires that juries understand the evidence as well. Plans are underway for videos that could be used in court that can explain, for example, how a Trojan horse works in a way that doesn’t overwhelm jurors with complicated technical concepts.

“The problem is developing this type of material is very, very expensive,” George said.