The rising tide of computer crime has forced the world’s most powerful nations into action to prevent lawless digital havens from springing up worldwide.
The Group of Eight (G8) nations – Britain, Canada, France, Italy, Germany, Japan and the United States, plus Russia – held a three-day cybercrime conference in Paris to work out a strategy to combat internet fraud.
The Global Internet Project (GIP) was attended by about 300 judges, police, diplomats and private, high-tech firms who looked at the means used by cybercriminals to launch virus attacks. The conference was designed to pull computer crime law into line around the world, to leave no haven for the lawbreaker, and its recommendations will go forward to a G8 summit in Okinawa, Japan, later this summer.
French Interior Minister Jean-Pierre Chevenement urged countries to harmonize their laws to crack down on hackers, virus writers, software pirates and other internet fraudsters.
According to a press release issued by the French Foreign Ministry: “Network intrusions and the spreading of malicious programs, which were previously perpetrated by students or computer experts, are now within the reach of the majority of internet users”.
French prime minister Lionel Jospin said in a message to the conference that “freedom is the most precious gift the Internet brings.” He said that all states should fight the digital divide between high-tech haves and have-nots, but “restrain the excesses of an unfettered freedom.”
The summit discussed the possibility of a high-tech treaty with an international cyber police force to tackle computer crime, which has been growing exponentially. Experts say high-profile attacks are likely to get worse as online services migrate to new platforms such as mobile phones.
The GIP has issued 13 recommendations for organizations to follow and nine measures for governments to consider. The recommendations were outlined in a press conference with Vint Cerf, senior VP for Internet Architecture and Technology at WorldCom, who says that hackers reach new levels of sophistication each time a new virus is written, creating a cottage industry of cyber criminals.
The recommendations were that organizations should:
• Identify and disseminate information about security holes in computer systems, through CERT and the FBI National Infrastructure Protection Center. (CERT is the Computer Emergency Response Team Coordination Center at Carnegie Mellon University, in Pittsburgh.)
• Cooperate with law enforcement and other agencies to alleviate attacks.
• Perform security audits and decide how to protect systems from external and internal threats, as many attacks come from users with authorized access.
• Improve physical security of critical systems, especially domain-name and root servers.
• Guarantee that security tools are installed properly, and encourage administrators and users to learn how to use them.
• Make sure that workers know that security is part of their normal duties.
• Establish regular updates of antivirus software, and require workers to use password-protection systems. Vendors, suppliers and professional associates should all be encouraged to use security technology.
• Advise governments on how to protect their computer systems and track down and arrest hackers.
• Invest in research on how to reduce Internet security vulnerabilities.
• Take steps to secure networks, such as filtering incorrect routing information and spam, and denying unauthorized access. Security alerts should be distributed, and customers should be educated about how to secure networks and offer security services.
• Support outreach programs that will convey a code of cyber ethics to youngsters.
• Encourage deployment of IPsec and IPv6 security-protocol standards.
• Encourage and develop better authentication systems.
The GIP said that governments should:
• Lead by example by ensuring that their computer systems and networks are secure and that the best information security measures are used.
• Arrest and prosecute computer criminals.
• Encourage information sharing.
• Promote open standards.
• Remove remaining controls on civilian encryption technologies.
• Provide better threat-assessment.
• Support research on Internet security.
• Fund education and training of information security experts.
• Encourage private-sector efforts to teach youngsters how to behave ethically in cyberspace.
Meantime, the news from Washington DC is that the Feds are to take on net frauds. The Federal Bureau of Investigation has set up a new Internet Fraud Complaint Center (IFCC), in conjunction with the Department of Justice and National White Collar Crime Center (NW3C), to allow victims to report incidents of fraud online.
“The Internet Fraud Complaint Center allows consumers who suspect Internet fraud to share that information with law enforcement quickly and efficiently,” said attorney general Janet Reno. “Our ability to work with private citizens and industry is extremely important to our efforts to fight Internet crime, and the IFCC is a major step forward.”
FBI director Louis J. Freeh said, “The internet provides a boundless new medium for many traditional frauds investigated by the FBI. That there are real victims suffering significant losses remains unchanged. This center is another positive development as law enforcement responds to yet another facet of cybercrime.”
“The crucial difference in fraud committed over the Internet is that the perpetrator can ‘virtually’ vanish, leaving consumers wondering where to turn for help,” said Glen Gainer, chairman of the board of directors for the NW3C. “This unique partnership gives victims of Internet fraud a way to fight back in this largely unregulated environment,” Gainer added.
The IFCC is in Morgantown, West Virginia, where a secure website provides a fast forum for victims. IFCC personnel log complaints, analyze them to determine the jurisdiction of the complaint, do any investigative work, and disseminate the information to the local or federal law enforcement agencies for action.
“The IFCC has been developed to identify, track, and assist in the prosecution of fraudulent schemes on the internet on a national and international level. This partnership will allow law enforcement and the private sector to address and eradicate this growing problem,” Freeh said, adding that without the tremendous contribution from the private sector the project would not have been possible.
Collaboration at a world level is long overdue, as the law has not kept pace with technology, but there are isolated examples where the arm of the law, working with industry, has had a long reach.
For instance, in March two 18-year-old men were arrested by the Dyfed-Powys Police Service in Wales for breaking into e-commerce websites, stealing information on 26,000 credit card accounts world-wide, and disclosing it on the internet. The men used the screen name ‘Curador’, and losses could exceed $3,000,000.
The men were arrested as a result of the FBI working in partnership with the Dyfed-Powys Police Service, the Royal Canadian Mounted Police, and internet security consultants. The international banking and credit card industry were also involved.
Already this spring, some of the most popular websites were swamped with bogus requests for information, and the Love Bug virus crippled computers around the world. Philippines police could not agree on which laws had been broken, and the Love Bug arrests were delayed. The Amazon and Yahoo hackers have not yet been caught.
The Council of Europe, working with the US, Canada, Japan and South Africa, is independently drafting a treaty which would require countries to pass laws against hacking, computer fraud and online child pornography.
“The Internet, which holds so much promise for e-commerce, entertainment and research, also has a dark side inhabited by child molesters, con men and hate mongers,” said Christine Gregoire, Washington state attorney general.
The Council of Europe would set penalties, preserve evidence and put in place methods for cooperation in international investigations. Other countries, like India and Thailand, are also discussing the law in relation to cybercriminals.
A recent survey showed total losses to US companies last year more than doubled to over $266 million.