fighting cybercrime technical, juridical, and ethical challenges vb conference, sep. 2009

Fighting CybercrimeTechnical, Juridical, and Ethical Challenges

VB Conference, Sep. 2009

Guillaume LovetSr Manager, Threat Response

2

Presentation Objectives

• Scare the brains out of everybody

• J/k: actually not spreading unwarranted FUD was a goal

• Recognize the challenges involved in fighting Cybercrime, at technical, juridical, sociological and ethical interleaved levels

• Make the description accessible to audiences with varied backgrounds (Technical, Laws, Politics, Business, Grand'Ma...)

• Hint at means to address those challenges

• Collect feedback

• Ultimately, foster action

3

Paper Reviewed By

• Myriam Quemener

General attorney substitute at the Court of Versailles, France and author of Cybercriminalité (2007)

• Andrea MontiLawyer in Milan, Italy, and author of “Digital Thought” (

http://blog.andreamonti.eu/)

• Bernhard Otupal, Jaime AnsietaINTERPOL- Financial and High Tech Crime Sub-Directorate

• Joep GommersDirector of Operations Europe, iSight Partners (private intelligence)

4

Agenda

Technical Challenges

Cybercrime 101: Brace for Impact

2

1

3 Juridical Challenges and Beyond

4 Ethical Challenges

5

Cybercrime Impact

• First and Foremost Challenge: Cybercrime is poorly understood by the public – Especially its impact!

• Further blurred by:– Criminalization of average users– Lack of consensus on Cybercrime numbers– Suspiction of FUD spreading for business purpose

• Problem: Lack of public awareness limits political/governance action

6

Cybercrime Tree (snip.)

7

Laundering...

• Similar trees can be constructed for companies, organizations, and even countries (DDoS, SCADA hack...)

• Loss of market stability, or even economic stability in a country are documented in literature on money laundering

• Ties between Cybercrime and Money Laundering (VoIP schemes, online casinos, etc...)

• Unlike traditional crime, Cybercrime does not kill people?

8

...And Terrorism

• in a Written Statement for the U.S. House Comittee on Homeland Security, counterterrorism expert Andrew R. Cochran recalls that:

“The terrorists who executed the devastating 2004 Madrid train bombings, which killed almost 200 people, and who carried out the deadly July 7, 2005, attacks on the transportation system in London were self-financed, in part through credit card fraud”

9

Agenda



2

1



10

Untraceable?

• Hard to backtrace the IP of a cybercriminal over the network (proxy chaining, onion routing...)

• Hard to collect proof upon computer seizure (Encryption, deniable encryption)

• Hard to shut down main weapon of cybercriminals (robust botnets)

11

Agenda



2

1



12

Theoretical problem: solved centuries ago?

• Legal and repressive systems in the World based on sovereign jurisdictions with borders

• Cybercrime is mostly transnational => Pb: Jurisdiction and prosecution?

• Radical solution: supra-national jurisdiction for Cybercrime?

• In fact, transnational crime is a classical problem in Laws: studied and solved centuries ago (eg: Gun duel at the border)

13

The slow arm of Justice

• Legal systems must be adapted to specificities of Cybercrime (investigation and prosecution)

• Ack'ed for long: OECD issued recommendations to harmonize cybercrime qualifications in 1983

• G8 created a Contact Points Network in 1997: reference directory for international cooperation on cybercrime.

• November 2001's Convention on Cybercrime of the Council of Europe

14

Convention on Cybercrime

• Defines provisions that ratifying parties must implement:– Harmonizing cybercriminal offenses in domestic

legislations (illegal access, illegal interception, data interference, etc...)

– Empowering domestic authorities with cybercrime investigative abilities (Expedited preservation of data, production order, search and seizure...)

– Enabling international cooperation during investigation and prosecution

– Designation of a permanent point of contact for the "24/7 Network"

15

Issues & Challenges

• Current state of implementation– 46 countries signed: all members of CoE (except Russia and

Turkey) + USA, Canada, Japan, South Africa– 26 countries ratified so far but momentum exists (Germany,

Moldavia, Serbia in early 2009)

• Scarce use of implemented tools– Eg: Romania gets a dozen of int. requests per year via 24/7 network

contact point. France gets 10, Estonia 0.– Only 4 countries have cyber-crime specific units

• Operational issues– “My experience is that U.S. authorities are completely unable to deal

with the situation”– “we know of like 8 independant government agencies investigating

against this fraudspace. Nobody is working together”

16

Issues & Challenges (II)

• Domestic hurdles– Provisions are flexible to foster signature– "within the limits of its domestic law" (Art. 26) "to the extent permitted

under their domestic laws" (Art. 34), etc...

• Low report rate of offenses– Organizations: 27% (Computer Security Institute, 2008)– Ind. Users: 15% (IC3, 2008)

17

Cybercrime & LaunderingOne agency to rule them all?

• Provisions are all necessary, but oriented toward backtracing Cybercriminals over the network...

• Financial trace perhaps easier to follow

• Cybercrime and money laundering increasingly mingle(Online Casinos, VoIP fraud, Click fraud, Trading real/in-game money in

MMORPG, etc..)

• Both transnational

• Issue: Cybercrime allows tremendous “smurfing”

=> Need to see “the big picture”. INTERPOL role?

18

Beyond the juridical frameworkGeopolitical and socio-economic considerations

• Cybercrime scene is layeredsome make tools, others host them, others buy and use them then sell the collected

data to those who turn it into money, etc...

• Chain of richness creation (// laundering)

• => Undermines the will of local political power to repress

• Emerging countries: Not a Laws problem, but a Governance one“for the sociologist and the criminologist alike, it is not because there is a law

against corruption that corruption disappears” (Dupuis-Danon)

19

Beyond the juridical frameworkGeopolitical and socio-economic considerations (II)

• Therefore, in addition of a legal framework, a real political volution is needed in emerging countries

• Problem: if cybercrime profits the local economy, what's the incent?

• Solution 1: International pressure on Cyber HavensMore or less works for financial havens (see GAFI blacklist).

• Solution 2: Offering greater benefits. Eg of Romania:– GDP of $7,773 per capita

– 900 cybercrime cases prosecuted per year, extensive legal framework, cybercrime-specific police unit and cybercrime-specific prosecution service

– Ratified the Convention in 2004, the year it became an acceding country to the EU (effective member in 2007)

20

Agenda



2

1



21

From Protection to Censorship

• Nation-wide web censorship starts with the backing of consensual causes (eg: blocking child-pornography, a form of cybercime)

• Is it the role of a country's government to tell its residents what is right or wrong to watch and access?

• Some countries answer yes: Free-speech is not limitless in many (eg: France and Germany have laws against Negationism)

• But it's a judge who decides if the border was crossed, not a filtering system that is:– Intent-blind– Secretely populated by the executive power

22

Leaked Secret Blacklists• Dec 2008, Thailand:

– 1203 sites labelled as “lese-majesté”

– Includes Wikipedia pages, Youtube videos, discussion forums, blogs...

• March 2009, Australia:– Half of the sites have nothing do with child pornography

– Includes "traditional" pornographic sites, YouTube videos, Wikipedia pages, gay sites, sites on euthanasia, sites of "marginal" religions, anti-abortion sites...

• January 2009, Finland:– Some sites not child-pornography,

– Contains an anti-censorship site, created by an opposant of the law

• May 2009, France: “Loppsi 2” law project. Press-kit contains “like other democracies before us...”

23

Trojan-factory.gov• Gov Trojans

– Back-up consensual cause: Terrorism

– Spy on live data: screen display, keystrokes, microphone and webcam

• German “Bundestrojaner” mitigated in 2008 by the Federal Const. Court: need “evidence of immediate danger” and a judge decision

• France, Austria and Switzerland have similar projects in the pipe

• Risk: global surveillance “a la 1984”? But how different is it from (rather well accepted) traditional wire-tapping?

24

Differences with Wiretapping

• No Scale Effect

• Increased risk of backfire

• Easeness of evidence tempering

• Spread of Trojan-development skills

25

The Hadopi CaseHow to solve the "an IP is not an individual" pitfall in the worst

possible way

• Hadopi: Law bill in France to tackle illegal downloading (read: preserve the traditional business model of the entert. industry Majors)

• Assermented agents paid by Majors collect IP addresses on P2P networks and denounce them to the Hadopi administration

• ISP are compelled to give out the corresponding subscribers

• Subscribers have no other recourse than installing a surveillance software (not free)

• Otherwise, internet connection suspended for one year (but you still pay for it)

26

Hadopi (2)

• Law voted but censored by the Consitutional Council:– Internet = fundemental right to access to information (1789);

thus only a justice court can impair it– Reversing the charge of the proof is against the Const.

• Stripped off Law put into force, waiting for an add-on:– Juridical trick (decision taken by a unique judge without trial)– Creation of a “Failure to secure computer system” crime

(1,500 euros fee + at least 1 month of Internet connection cut off)

• Problems:– Blurs public perception of the Cybercrime issue– Dangerous jurisprudence

27

The New Face of Cybercriminals

28

Conclusion

• No Final Ultimate Solution to the Cybercrime Problem, but it can be combatted (IRL crime is!)

• Given its impact range, it must be combatted

• First step may be a wider acceptance of the Convention on Cybercrime

• Not sufficient: governance will is also needed. We must create it (internal or external incents)

• Danger: Cybercrime used as a pretext for a drift toward a post-panoptic society

fighting cybercrime technical, juridical, and ethical challenges vb conference, sep. 2009

Documents