Security in the Network Age: Cybercrime and Information Security
Tuesday, December 14, 2004
Overview
As with almost all of the issues we will tackle this week, cybercrime and information security cut hard in two directions and pose a continuous series of challenges to those concerned with public policy. The need to maintain national security is frequently in tension with the need to uphold civil liberties. The use of ICTs has given rise to a series of risks to the information infrastructure on a national as well as a global basis. ICTs are also used extensively to achieve unlawful, as well as lawful, ends, and law enforcement officers need the ability to track criminal behavior using the Internet. But Internet-based tools can also be used to limit individual liberties sharply, in ways that both resemble and differ from past threats to civil liberties such as speech and privacy. The challenge of reconciling these apparently conflicting interests is an extraordinarily difficult policy question. These sessions will focus on issues of information and cybersecurity, cybercrime, the lawful and unlawful intercept of information flowing over the Internet, profiling, and information privacy concerns.
1. Information Security.
Internet-based communications, based historically on open and interoperable standards, offer opportunity for innovation and creativity on the one hand and for massive, widespread wrongdoing on the other. The same openness that enables innovation can leave computers connected to the network prone to cyber-attacks, infiltration, and various other malicious acts. Critical systems, such as air navigation and energy and electricity management facilities, are perceived to be vulnerable to intrusion and manipulation from outside once they are networked. Many such threats are decentralized in nature and hard, in the first instance, to track and to stop before they occur.
Information security threats range from what some consider political activism to what most would consider terrorism. The concept of “netwars” embodies the conflicts in a networked society. Activists who use the coordination and data distribution methods of a networked world, gaining mostly unauthorized access to end users through potentially subversive computer programs and tools in order to manifest their political positions and expectations, are often called “hacktivists,”[1] whose actions are sometimes celebrated and sometimes reviled. The more troublesome category of activity comprises acts that use software, technology, and Internet infrastructure to engage in otherwise illegal activities in cyberspace or in real space, known collectively as “cybercrime.”[2]
Cybercrime. Cybercrime describes those criminal acts either committed entirely in cyberspace, such as various forms of identity theft and bank fraud, or acts that have a physical component and are simply facilitated through the use of Internet-based tools. Such acts commonly include unauthorized access to computer files and/or theft of proprietary information; disruption of information housed in a remote computer with viruses, Trojans, worms, logic bombs and distributed denial of service (DDoS) attacks; distribution of child pornography on the Internet; selling illegal objects and substances over the Internet; and the theft and forgery of identity. Other, less common crimes are more institutionally targeted, such as organized assaults on a nation’s network infrastructure; the hacking of government, commercial, or non-profit web sites; or attacks on critical infrastructure.
The tools needed to commit cybercrime are very cheap, since a potential criminal often needs only access to the Internet and some free online tools to ply her illegal trade, but the costs can be extremely high. The effects of cybercrime can also be felt far from the place where the crime is committed. In the case of US v. Ivanov, the acts of computer and credit card fraud carried out by two residents of Chelyabinsk resulted in total losses amounting to $25 million USD. The cost of the damage caused by the spread of a single virus, called Melissa, is believed to have been $55 million USD in the United States, according to the CSI/FBI Computer Crime and Security Survey,[3] and over $800 million USD worldwide.[4]
Cybersecurity. Governments, corporations, and other large institutions establish Internet security (or “cybersecurity”) strategies in response to these perceived threats against and through the Internet. At the technology level, such a strategy involves the deployment of software for access control (firewalls, content control), authentication (biometrics and smart tokens), authorization (defining user rights and privileges), system integrity (antivirus and integrity checking software), cryptography (digital signatures), constant auditing and monitoring (intrusion detection and prevention systems, computer forensics), and configuration management and assistance (managing networks, security patches, etc.).
At the policy level, governments have enacted a range of relevant laws and policies in an effort to promote cybersecurity. These policies commonly start with protections geared toward “critical infrastructures,” such as defense, energy, food distribution, financial services and healthcare facilities. Other policies include research into actual and potential security threats and the development of adequate methods of response, information sharing, policy actions through enforcement of laws and regulations, surveillance, data retention, and data protection. Frequently, these responses to the threat of cybercrime involve granting law enforcement authorities stronger policing powers with respect to online information and activity. In particular, law enforcement authorities have sought to ensure the ability to intercept online communications, whether in the form of data or voice.
Research and development.
Research and development strategies are geared toward the study of vulnerabilities
in IT infrastructure and delivery of meaningful advice, design of efficient
implementation of governmental security systems, and development of standards
for security measures applicable to government agencies. These research findings
are often translated into policy reforms or requirements passed on to those who
build hardware and software, provide Internet access to citizens, or control
gateways to networks in other parts of the world.
Information sharing. Governments, as well as non-profits and businesses, frequently facilitate information sharing and “tech transfer” about recent vulnerabilities in systems, security threats, and recommendations on best practices. For instance, the Computer Emergency Response Team (CERT) centers established in the US, Japan, Australia, Korea, Malaysia, Germany and elsewhere conduct research on modern techniques of cyber intrusion and network security, issue security alerts, and advocate for the protection of the Internet infrastructure around the globe. The European Commission recently established the European Network and Information Security Agency[5] to coordinate national efforts on cybersecurity and to serve as an advisory unit to the Commission and its component parts. Alternatively, governments may promote privately-funded information sharing agencies, both for work related to overall network concerns and for specific sector-based needs. For instance, the UK runs the Warning, Advice and Reporting Point (WARP) initiative to establish an interdisciplinary network for sharing critical security information. Other countries (the US, Canada, Japan, Germany, and the Netherlands) have established industry-specific information sharing and analysis centers (ISACs) to serve a similar purpose.
Policy actions. Cybercrime is also addressed through criminal law and procedure, at the national, regional and international levels. International organizations often urge domestic legislators to implement specific provisions in the criminal law dealing with cybercrime, as well as procedural reforms related to the search and seizure of high-tech evidence. The United Nations General Assembly has adopted several resolutions recommending that states take appropriate measures to combat the criminal misuse of information technologies and to share relevant technical evidence and data.[6]
In 2003, the Council of Europe adopted a Convention on Cybercrime, which took force on July 1st, 2004. The Cybercrime Convention is aimed at pursuing a common criminal policy on the protection of Internet infrastructure. It provides for the domestic criminal law procedures necessary for the prosecution of Internet-related offences and addresses the provision of evidence in electronic form. It also establishes a framework for co-operation among the member states in preventing and prosecuting cybercrimes.
Title 1 of the Convention establishes certain acts to be defined as criminal offenses in the national laws of participating countries according to the degree and nature of the use of computer technologies. In the cyberspace context, such crimes fall within the following types of common misdeeds: data interception (intentional unauthorized interception of non-public information, e.g., intercepting someone’s emails), data interference (intentional damage to another person’s computers, e.g., by sending viruses), system interference (intentional unauthorized access that causes computers to malfunction seriously by damaging, deteriorating, transmitting or suppressing computer data, e.g., distributed DoS attacks), illegal access (intentional unauthorized access to someone’s computer system, e.g., unauthorized access to confidential files, reports, etc.), and misuse of devices (use of hacking tools). Computer-related criminal offences, such as computer-related forgery and fraud, acts of online child pornography distribution, infringement of intellectual property rights, and attempts, aiding and abetting, are included in separate categories of crime definitions.
Consider the first part of Article 550 (b) of the Belgian criminal law, which came into force in 2001 and which provides for criminal liability for computer hacking and sabotage, including intentional access to a computer system. The second part of the Article stipulates sanctions of up to 2 years of imprisonment for so-called illegal insider access to a computer system by a person with the intention to defraud. Similarly, German laws provide criminal liability for the illegal acquisition of information stored on digital media, alteration of digital data, creation of viruses, and DNS attacks.
In the CIS, many countries are following similar routes by stipulating that certain Internet or computer-based offences constitute criminal acts. These laws also include measures to help law enforcement counteract these malicious acts. For example, the Russian criminal code establishes criminal liability for unauthorized access to computer information; the production, use and spread of malicious computer programs; and violation of the rules for operating computers, systems and networks. Ukrainian criminal law deals with such offences as illegal interference in computer networks, theft of computer information by fraud, and violation of computer network operation rules.
Surveillance and data retention. Anti-cybercrime reforms almost invariably include provisions that make surveillance of online activity easier for law enforcement and set more stringent rules related to data retention. These provisions usually include statutory support for lawful intercept, effectively the wiretapping of ICT-based communications. For instance, after the events of 9/11, the United States enacted the widely discussed PATRIOT Act, which increased the powers of law enforcement agencies to intercept IP-based communications and expanded the scope of traditional surveillance laws to cover communications providers, requiring them in turn to comply with the newly adopted provisions. Similarly, the German and British governments have adopted their own versions of lawful intercept laws, which give their government agencies the right to conduct surveillance and compel commercial ISPs to maintain compliance standards. A directive of the Council of Europe requires participating countries to enact laws compelling local ISPs to maintain the ability to carry out real-time interception of data transmitted over their telecommunications networks and to provide such data to the signatory parties of the convention. These controls are also exercised over entities that operate switching equipment purchased from companies like Cisco, even though such entities might not look like traditional ISPs. Many governments also use special types of technology and software to implement various data intercept techniques, some of which we will discuss during the day.
2. Data protection, privacy, ISPs, and trust.
The broad new application of often
quickly-enacted laws that permit greater surveillance and data intercept, and which
require further data retention, logically prompts questions about the impact of
these changes on individual privacy and speech rights. These concerns involve
both the government’s potential invasion of privacy as well as the impact of
increased data collection and surveillance by private parties. In the worst scenarios,
civil libertarians fear a collusion between governments and private entities
that combine personally-identifiable information and use their combined data
sets to facilitate monitoring and searching that was impossible before the
advent of the Internet.
The privacy of citizens (as against their governments) and consumers (as against businesses) is the right of individuals to control the information being collected about them and the use of that information thereafter. A variety of other definitions attach in different jurisdictions, but common threads remain. In Europe, consumer privacy protection is based on notice and consent (unless one of a few exclusions applies); limitations on collection, disclosure, and retention; and requirements of accuracy, accessibility and security.
The European Union issued a landmark 1995 Data Protection Directive, requiring members to ensure that their national privacy laws conform to its standards. This Directive, as implemented, treats privacy as a basic human right, and accordingly limits information collection by businesses to express and legitimate purposes. The Directive mandates an “opt-in” approach, requires protections related to the accuracy of the information stored, and requires private sector parties to give users access to check the correctness of information. The EU Data Protection Directive includes substantial provisions related to the trans-border flow of data, of obvious importance in the Internet era. Private parties, under these provisions, are required to acquire the consent of an individual user before exporting the data outside the European Union. A subsequent EU Privacy Directive (the EU Directive on Privacy Protection in the Electronic Communications Sector) further implements the rules laid out in the 1995 Directive and clarifies policies on spamming and on electronic data collection and retention by requiring the member countries to adopt legislation that provides for data confidentiality, limits the storage of traffic data, and maintains a national security exception.
The role of ISPs is critical to the
cybersecurity, cybercrime, and online privacy discussion. As one of very few
online “points of control” to which law enforcement and others can turn to
track activity online, ISPs function as a linchpin to virtually any system of
surveillance and searching of data. The relationships between these ISPs and
their consumers on the one hand, and ISPs and the government on the other, are
essential to understanding where the complex balance between security and
privacy (as well as speech, as discussed in Thursday’s content control context)
lies.
We will also take up the issue of the role of trust between various parties in the online context. Trust – whether in the sense of “trusted computing” as Microsoft and HP use the term or as between individuals or networks of individuals – often greatly affects the balance between security and privacy in ways that traditional forms of law cannot reach, yet it is often not adequately factored into the analysis of relevant policy issues.
CASE STUDIES
Data Protection in Russia.
The Constitution of the Russian Federation sets up basic legal provisions concerning privacy that guarantee privacy
rights for aspects of a citizen’s personal life, phone conversations, mail, and
other forms of communications. These provisions state that the private collection,
maintenance and use of personal information are prohibited unless the citizen
consents.
The criminal and administrative
codes contain sanctions for unlawful collection, maintenance and distribution
of data concerning the matters of one’s privacy and personal information. The law
does not provide detailed reference as to what constitutes personal
information.
The Information, Informatization
and Protection of Information Act includes a rather flexible definition of
personal information: “the information about citizens is information about
facts, events and circumstances in the life of a citizen which establish
his/her identity.” In addition, the Federal Information Act refers to personal
information as “confidential data”, which in turn limits access to that
information.
Neither the data protection laws nor the legislative history precisely state what should be protected as “personal information.” Courts are left to make decisions in a relative vacuum. The Internet presents further complications. For example, is information received during an online interaction with the user of a particular Web-based application, such as cookies, considered personal information and therefore protected? Occasionally, such issues are additionally covered by privacy and disclosure policies on company web sites, including commitments to refrain from disclosing and distributing the data. The law gives limited answers.
Some particular regulations in the Russian code include specific definitions of what “personal information” covers. The concept of a taxpayer’s identification number, as identified in article 84 of the Russian Tax Code, refers to a certain set of records that can be considered personal information (including, for instance, name, gender, and location address). The Labor Code also introduces a definition of the private information of an employee as information concerning the employee that the employer needs in connection with that employee’s labor duties. Still, while article 86 of the Code requires the employer to limit the processing and distribution of information acquired from an employee, the next paragraph of the same article contains only a loose cross-reference to the Constitution and other laws for determining how much information may be processed, thus leaving legislative gaps.
To some extent, the law amending the Federal Communications Act protects information related to ISP subscribers that is obtained incidentally, and gives communications operators the right to use internal subscriber databases to provide directory services. The subscriber’s information includes the names and addresses of subscribers, login names, passwords and other sensitive information. On the other hand, the law does not expressly regulate information already posted on the Internet. To what extent can personal names and e-mail addresses posted on public forums be acquired by third parties and then used?
On the government side of the equation, the story is much simpler. Through the system for ensuring the integrity of investigative activities (SORM, SORM-2), national law enforcement agencies have the right of direct access to and interception of all communications and information transmitted over the Internet. ISPs are compelled to install the surveillance equipment at their own expense and to cooperate with law enforcement’s efforts related to the accumulation of Internet-based data about citizens and non-citizens.
This scenario in Russia, of clear rights of intercept on the part of government and unclear rights of the
consumer as against businesses, presents a complex picture. Should privacy be
defined in broad terms to give government agencies more discretion and powers
to ensure security in a democratic society? Or should the privacy rights and
criminal procedures rules be amended to clarify the rights of citizens and to
limit the reach of law enforcement, as more and more activities shift online?
Background Reading
Mark G. Milone, HACKTIVISM: Securing the National Infrastructure, 58 Bus. Law. 383 (2002): http://www.abanet.org/buslaw/newsletter/0007/materials/hack.pdf
Information warfare: http://swissnet.ai.mit.edu/6805/articles/iwdmain.htm
ECHELON Watch: http://archive.aclu.org/echelonwatch/highlights.html
EU Convention on Cybercrime: http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm
Explanatory memorandum on final draft of the EU Convention on Cybercrime: http://www.privacyinternational.org/issues/cybercrime/coe/cybercrimememo-final.html
The US Department of Justice Criminal Division Computer Crime and Intellectual Property Section: http://www.cybercrime.gov/
CERT Coordination Center Report on Trends in DoS Attack Technology: http://www.cert.org/archive/pdf/DoS_trends.pdf
The Crime Research Center (Russia): http://www.crime-research.ru/
The EU Data Protection Directives and other related documents: http://europa.eu.int/comm/internal_market/privacy/law_en.htm
[1] See http://www.abanet.org/buslaw/newsletter/0007/materials/hack.pdf.
[2] See, e.g., www.cybercrime.gov.
[3] http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf
[4] http://www.computerweekly.com/Article112128.htm
[5] See http://europa.eu.int/agencies/enisa/index_en.htm.
[6] UN General Assembly Resolutions 55/63 and 56/121 on Combating the Criminal Misuse of Information Technologies