Transcript Fighting Cybercrime Technical, Juridical, and Ethical Challenges VB Conference, Sep. 2009 Guillaume Lovet Sr Manager, Threat Response.

Fighting Cybercrime
Technical, Juridical, and Ethical Challenges
VB Conference, Sep. 2009
Guillaume Lovet
Sr Manager, Threat Response
Presentation Objectives
•
Scare the brains out of everybody
•
J/k: actually not spreading unwarranted FUD was a goal
•
Recognize the challenges involved in fighting Cybercrime, at technical, juridical,
sociological and ethical interleaved levels
•
Make the description accessible to audiences with varied backgrounds
(Technical, Laws, Politics, Business, Grand'Ma...)
•
Hint at means to address those challenges
•
Collect feedback
•
Ultimately, foster action
2
Paper Reviewed By
•
Myriam Quemener
General attorney substitute at the Court of Versailles, France and author of
Cybercriminalité (2007)
•
Andrea Monti
Lawyer in Milan, Italy, and author of “Digital Thought”
(http://blog.andreamonti.eu/)
•
Bernhard Otupal, Jaime Ansieta
INTERPOL- Financial and High Tech Crime Sub-Directorate
•
Joep Gommers
Director of Operations Europe, iSight Partners (private intelligence)
3
Agenda
4
1
Cybercrime 101: Brace for Impact
2
Technical Challenges
3
Juridical Challenges and Beyond
4
Ethical Challenges
Cybercrime Impact
•
First and Foremost Challenge: Cybercrime is poorly
understood by the public – Especially its impact!
•
Further blurred by:
–
–
–
•
Criminalization of average users
Lack of consensus on Cybercrime numbers
Suspiction of FUD spreading for business purpose
Problem: Lack of public awareness limits political/governance
action
5
Cybercrime Tree (snip.)
6
Laundering...
•
Similar trees can be constructed for companies,
organizations, and even countries (DDoS, SCADA hack...)
•
Loss of market stability, or even economic stability in a
country are documented in literature on money laundering
•
Ties between Cybercrime and Money Laundering (VoIP
schemes, online casinos, etc...)
•
Unlike traditional crime, Cybercrime does not kill people?
7
...And Terrorism
•
in a Written Statement for the U.S. House Comittee on
Homeland Security, counterterrorism expert Andrew R. Cochran
recalls that:
“The terrorists who executed the devastating 2004 Madrid train bombings,
which killed almost 200 people, and who carried out the deadly July
7, 2005, attacks on the transportation system in London were selffinanced, in part through credit card fraud”
8
Agenda
9
1
Cybercrime 101: Brace for Impact
2
Technical Challenges
3
Juridical Challenges and Beyond
4
Ethical Challenges
Untraceable?
•
Hard to backtrace the IP of a cybercriminal over the
network (proxy chaining, onion routing...)
•
Hard to collect proof upon computer seizure (Encryption,
deniable encryption)
•
Hard to shut down main weapon of cybercriminals (robust
botnets)
10
Agenda
11
1
Cybercrime 101: Brace for Impact
2
Technical Challenges
3
Juridical Challenges and Beyond
4
Ethical Challenges
Theoretical problem: solved centuries ago?
•
Legal and repressive systems in the World based on
sovereign jurisdictions with borders
•
Cybercrime is mostly transnational => Pb: Jurisdiction and
prosecution?
•
Radical solution: supra-national jurisdiction for
Cybercrime?
•
In fact, transnational crime is a classical problem in Laws:
studied and solved centuries ago (eg: Gun duel at the
border)
12
The slow arm of Justice
•
Legal systems must be adapted to specificities of
Cybercrime (investigation and prosecution)
•
Ack'ed for long: OECD issued recommendations to
harmonize cybercrime qualifications in 1983
•
G8 created a Contact Points Network in 1997: reference
directory for international cooperation on cybercrime.
•
November 2001's Convention on Cybercrime of the
Council of Europe
13
Convention on Cybercrime
•
Defines provisions that ratifying parties must implement:
–
Harmonizing cybercriminal offenses in domestic
legislations (illegal access, illegal interception, data
interference, etc...)
–
Empowering domestic authorities with cybercrime
investigative abilities (Expedited preservation of data,
production order, search and seizure...)
–
Enabling international cooperation during investigation
and prosecution
–
Designation of a permanent point of contact for the
"24/7 Network"
14
Issues & Challenges
•
Current state of implementation
–
–
•
46 countries signed: all members of CoE (except Russia and
Turkey) + USA, Canada, Japan, South Africa
26 countries ratified so far but momentum exists (Germany,
Moldavia, Serbia in early 2009)
Scarce use of implemented tools
–
–
•
Eg: Romania gets a dozen of int. requests per year via 24/7 network
contact point. France gets 10, Estonia 0.
Only 4 countries have cyber-crime specific units
Operational issues
–
–
15
“My experience is that U.S. authorities are completely unable to deal
with the situation”
“we know of like 8 independant government agencies investigating
against this fraudspace. Nobody is working together”
Issues & Challenges (II)
•
Domestic hurdles
–
–
•
Provisions are flexible to foster signature
"within the limits of its domestic law" (Art. 26) "to the extent permitted
under their domestic laws" (Art. 34), etc...
Low report rate of offenses
–
–
16
Organizations: 27% (Computer Security Institute, 2008)
Ind. Users: 15% (IC3, 2008)
Cybercrime & Laundering
One agency to rule them all?
•
Provisions are all necessary, but oriented toward
backtracing Cybercriminals over the network...
•
Financial trace perhaps easier to follow
•
Cybercrime and money laundering increasingly mingle
(Online Casinos, VoIP fraud, Click fraud, Trading real/in-game money in
MMORPG, etc..)
•
Both transnational
•
Issue: Cybercrime allows tremendous “smurfing”
=> Need to see “the big picture”. INTERPOL role?
17
Beyond the juridical framework
Geopolitical and socio-economic considerations
•
Cybercrime scene is layered
some make tools, others host them, others buy and use them then sell the collected
data to those who turn it into money, etc...
•
Chain of richness creation (// laundering)
•
=> Undermines the will of local political power to repress
•
Emerging countries: Not a Laws problem, but a Governance one
“for the sociologist and the criminologist alike, it is not because there is a law
against corruption that corruption disappears” (Dupuis-Danon)
18
Beyond the juridical framework
Geopolitical and socio-economic considerations (II)
•
•
•
Therefore, in addition of a legal framework, a real political
volution is needed in emerging countries
Problem: if cybercrime profits the local economy, what's
the incent?
Solution 1: International pressure on Cyber Havens
More or less works for financial havens (see GAFI blacklist).
•
19
Solution 2: Offering greater benefits. Eg of Romania:
–
GDP of $7,773 per capita
–
900 cybercrime cases prosecuted per year, extensive legal
framework, cybercrime-specific police unit and cybercrime-specific
prosecution service
–
Ratified the Convention in 2004, the year it became an acceding
country to the EU (effective member in 2007)
Agenda
20
1
Cybercrime 101: Brace for Impact
2
Technical Challenges
3
Juridical Challenges and Beyond
4
Ethical Challenges
From Protection to Censorship
•
Nation-wide web censorship starts with the backing of consensual
causes (eg: blocking child-pornography, a form of cybercime)
•
Is it the role of a country's government to tell its residents what is
right or wrong to watch and access?
•
Some countries answer yes: Free-speech is not limitless in many
(eg: France and Germany have laws against Negationism)
•
But it's a judge who decides if the border was crossed, not a filtering
system that is:
–
Intent-blind
–
Secretely populated by the executive power
21
Leaked Secret Blacklists
•
Dec 2008, Thailand:
•
–
1203 sites labelled as “lese-majesté”
–
Includes Wikipedia pages, Youtube videos, discussion forums, blogs...
March 2009, Australia:
•
–
Half of the sites have nothing do with child pornography
–
Includes "traditional" pornographic sites, YouTube videos, Wikipedia pages,
gay sites, sites on euthanasia, sites of "marginal" religions, antiabortion sites...
January 2009, Finland:
•
–
Some sites not child-pornography,
–
Contains an anti-censorship site, created by an opposant of the law
May 2009, France: “Loppsi 2” law project. Press-kit contains “like other democracies
before us...”
22
Trojan-factory.gov
•
Gov Trojans
–
Back-up consensual cause: Terrorism
–
Spy on live data: screen display, keystrokes, microphone and
webcam
•
German “Bundestrojaner” mitigated in 2008 by the Federal Const.
Court: need “evidence of immediate danger” and a judge decision
•
France, Austria and Switzerland have similar projects in the pipe
•
Risk: global surveillance “a la 1984”? But how different is it from
(rather well accepted) traditional wire-tapping?
23
Differences with Wiretapping
•
No Scale Effect
•
Increased risk of backfire
•
Easeness of evidence tempering
•
Spread of Trojan-development skills
24
The Hadopi Case
How to solve the "an IP is not an individual" pitfall in the worst
possible way
•
Hadopi: Law bill in France to tackle illegal downloading (read:
preserve the traditional business model of the entert. industry
Majors)
•
Assermented agents paid by Majors collect IP addresses on P2P
networks and denounce them to the Hadopi administration
•
ISP are compelled to give out the corresponding subscribers
•
Subscribers have no other recourse than installing a surveillance
software (not free)
•
Otherwise, internet connection suspended for one year (but you still
pay for it)
25
Hadopi (2)
•
Law voted but censored by the Consitutional Council:
–
–
•
Stripped off Law put into force, waiting for an add-on:
–
–
•
26
Internet = fundemental right to access to information (1789);
thus only a justice court can impair it
Reversing the charge of the proof is against the Const.
Juridical trick (decision taken by a unique judge without trial)
Creation of a “Failure to secure computer system” crime
(1,500 euros fee + at least 1 month of Internet connection
cut off)
Problems:
–
–
Blurs public perception of the Cybercrime issue
Dangerous jurisprudence
The New Face of Cybercriminals
27
Conclusion
•
No Final Ultimate Solution to the Cybercrime Problem, but it can be
combatted (IRL crime is!)
•
Given its impact range, it must be combatted
•
First step may be a wider acceptance of the Convention on
Cybercrime
•
Not sufficient: governance will is also needed. We must create it
(internal or external incents)
•
Danger: Cybercrime used as a pretext for a drift toward a postpanoptic society
28