Cooperation Grows in Fight Against Cybercrime

Last week in Strasbourg, France, the Council of Europe organized the Octopus Interface Conference 2010. More than 300 experts from all over the world, representing governments, law enforcement authorities, international organizations, and the Internet industry gathered to discuss the “Cooperation Against Cybercrime.”

On Tuesday, in the opening session, Maud de Boer Buquicchio, Deputy Secretary General of the Council, reminded the attendees that the international principles of human rights and the rule of law must apply online as well as offline. In this way, the Internet itself is now increasingly considered as a basic right. But in this new environment cybercrime is a greater concern than ever; it threatens those rights. Security and the protection of rights is the responsibility of both public authorities and private sector organizations. After a panel discussion run by countries engaged in the fight against cybercrime, Alexander Seger discussed the Budapest Convention on Cybercrime. Currently used by more than 100 countries around the world, it is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography, and violations of network security.

Seger recommended the implementation of the convention worldwide to boost legislative reforms already underway in a large number of countries. Nations should consider adopting the policies to make use of the international cooperation provisions of this treaty. Increasing consensus on this treaty as a common framework of reference helps mobilize resources and create partnerships among public- and private-sector organizations. As a result, the ratification of the Budapest Convention by Azerbaijan, Montenegro, and Portugal prior and during the conference, and the expressions of interest from Argentina and other countries serve as examples to other countries.

In the afternoon, I joined a workshop on law enforcement responsibilities. Here, police units from various countries presented their services and discussed their local laws against cybercrime. I was particularly interested, as many of them discussed trends on this matter. In 2009, the Romanian National Police indexed 102 cases (indictments) with 766 offenses, 482 people charged, and 289 people arrested. In that country, 80 percent of IT fraud and phishing attacks are aimed at United States citizens, whereas 80 percent of credit card fraud (skimming) targets West European citizens. In Turkey, the the Organized Crime Department (KOM) made 2,871 arrests in 2009.

However, these figures represent only a small part of the fraud that is committed. In many cases, nobody files a complaint. After fraud is committed and reported, the bank refunds its conned client via their insurance company. The bank is well insured and the victim is compensated. As for the insurance company, its profit is barely affected. There is no need to alert the authorities.

In the second part of this workshop, people from the FBI and SOCA presented three objectives for law enforcement as well as recommendations for ICANN:

1. Due Diligence: ICANN needs to vet potential registrars and registries, through checks of international databases to ascertain an organization’s good standing. Registrars need to validate data received at the time of domain name registration and periodically thereafter.
2. WHOIS: Accurate and public WHOIS is essential. The proxy/privacy registrations have to be limited for private individuals for noncommercial purposes. Companies providing services should be accredited by ICANN.
3. Transparency and accountability: Domain name resellers and all third-party beneficiaries must be held to the same terms and conditions as registrars. ICANN should require all registrars, registries, proxy services, resellers, and all third-party beneficiaries of any contracts or policies of ICANN to publicly display ownership, parent companies, subsidiaries, and business associations.

On Wednesday, I participated in the mapping networks and initiatives workshop. Here, various organizations dealing with cybercrime presented their objectives and initiatives. Among them,the Inhope fight against illegal content (child sexual abuse images, extreme violence, racism and xenophobia, bestiality, online hate and xenophobia websites, adult pornography). Looking at their map representing countries saying “no” to illegal content, the audience realized that there is a long way to go:

In the next workshop, dedicated to technical assistance against cybercrime, two talks grabbed my attention. The first one exposed the situation in India. In this country, only about 10 percent of all cybercrimes committed are actually reported, and fewer than 2 percent result in a conviction. Nevertheless, 30 million judicial actions are pending. The Indian people purchase seven million mobile phones monthly. A large number do not have any traceability mechanism. This is a golden opportunity for terrorists who can use these phones without fear. 

The second talk was given by my colleague Greg Day, Director of Security Strategy for Europe, the Middle East, and Africa at McAfee. He presented various initiatives that industry can use to share intelligence and drive knowledge transfer. Besides training sessions and the direct line to McAfee Labs offered to various police crime units around the world, Day focused on the Industry Connections Security Group. This outfit gathers computer security entities to work on common goals and industry issues. Day sees that cybercriminals have leveraged the underground economy to gain economies of scale and access to specialist tools and services, whereas the security industry has generally responded to threats as individual entities. To tackle this problem, security professional established the ICSG, under the umbrella of the IEEE Standards Association, to pool their experiences and resources in response to the systematic and rapid rise in new malware being introduced to the market.

The last workshop I attended was on Thursday morning. We discussed cloud computing and the law enforcement challenges introduced by this new environment. Christian Aghroum, chief of the French National Unit for Countering Cybercrime, explained the threats facing data and services that are stored somewhere in the “Internet cloud.” His talk was a fitting conclusion for these three days in Strasbourg. Although there are no borders on the Net, the concept of national sovereignty keeps on confronting us. Human rights are acknowledged around the world, international maritime or air rights are usually respected, yet there is no universal right for the extra dimension that is the Internet. Unfortunately the Budapest Convention is far from accepted by all countries worldwide. In everyday police work, this produces a huge gap that greatly favors criminals. If a French neo-Nazi website is hosted in the United States, France really has little possibility of shutting it down. If a company leaves a foreign country after some diplomatic issues, there is no guarantee to ensure the security of its data stored in the cloud. Today, in some cases, we cannot maintain security in our country because of the start of cloud-based services. In one or two years, this will be worse in the “absolute cloud,” which will have no borders. If international laws are not rapidly created, based on the Budapest Convention, the problems will certainly become worse.  

Before ending this post, I have to mention the Nigerian delegation, which offered us a song made by famous Nigerian singers. “Maga No Need Pay!” denounces fraud. (Maga is the Nigerian word for victims of fraud.) To the Nigerian people, the song explains that fraud is not the right way toward a better life. To the rest of the world, it explains that Nigeria is a great country that should not be considered solely corrupt.

Cybercrime must be fought with laws and technology, but it can be also fought with music.

The clip is viewable here.