Posts Tagged ‘Cybercrime’
The online world and the Internet are continuing to expand at exponential rates. As more and more users and more applications move into the online world with the expansion of broadband and mobile, concerns about online crimes and malicious threats to the Internet and to users also grow. This workshop was established to examine the range and scope of online crimes and malicious use of the Domain Name System. For instance, scam artists host websites with false information or a phisher registers a domain intended to resemble a famous brand. Consumers and businesses can be victims of abuse, and legitimate service providers are seeing crime and fraud in the network. The use of DNS security (DNSSEC) is part of a mitigation strategy.
Details of the session:
Every time an individual pulls up a webpage or website, the Domain Name System is used.
Moderators and industry leaders met at an IGF-USA 2010 workshop titled E-Crimes and Malicious Use in the DNS: Implications and Observations.
Panelists participating in the discussion noted that malicious use and criminal behavior in the DNS are not acceptable, but they did not come up with any clear conclusions regarding new ways to better control these problems.
The moderator of the event was Jim Galvin, director of strategic relationships and technical standards for Afilias. Panelists included Garth Bruen, founder of KnujOn; Doug Isenberg, attorney at law with GigaLaw Firm; Shaundra Watson, counsel for international consumer protection at the Federal Trade Commission; John Berryhill, intellectual property lawyer; Bobbie Flaim, special agent with the FBI; Margie Milam, senior policy advisor for ICANN; and Matt Serlin, senior director of domain management at MarkMonitor.
The panelists agreed the abuse of the DNS is not a regional issue nor is it confined to a particular sector of the Internet. The crimes occur across multiple jurisdictions and affect a variety of individuals.
Some shared anecdotes about incidents where collaboration with other entities led to the resolution of a major DNS violation.
-Anna Johnson, http://www.imaginingtheinternet.org
Cybersecurity is a multifaceted issue that requires attention to various strategic and operational efforts to make progress. Five overarching areas for focus are 1) development of a national strategy; 2) collaboration between government and industry; 3) cybercrime; 4) incident response; and 5) building a culture of cybersecurity/awareness. This session was scheduled to explore how the U.S. is addressing each of these, where there are opportunities for improvement and obstacles to progress, where the U.S. needs to work with international partners, and how cybersecurity contributes to Internet governance globally. Session moderators were Liesyl Franz, vice president for information security and global public policy at TechAmerica, and Audrey Plonk, global security and Internet policy specialist at Intel Corporation.
Details of the session:
Panelists and moderators discussed cybersecurity at one of the first morning workshops at the 2010 Internet Governance Forum-USA at Georgetown University Law Center. Co-moderator Liesyl Franz introduced the workshop and set the scene by presenting the session’s five overarching areas of focus, including national strategy, collaboration between government and industry to foster cybersecurity, combating cybercrime, incident response and building a culture of cybersecurity and awareness.
Developing a national strategy
The United States’ national strategy for cybersecurity has constantly evolved over the past 15 years. In the 1990s, the Critical Infrastructure Protection Board was created to address issues tied to cybersecurity. A few years later the United States created the Department of Homeland Security. These organizations worked to create the National Strategy to Secure Cyberspace, which was put into place in 2003.
“We’ve moved even beyond the 2003 strategy towards a more comprehensive strategy that is really trying to encompass all the departments and agencies in the United States federal government and deal with the international aspects,” said co-moderator Audrey Plonk, global security and Internet policy specialist at Intel Corporation. “Having a high level of strategy is very important.”
The Obama administration conducted a “clean-slate” review to assess U.S. policy, strategy and standards regarding security and operations in cyberspace in the summer of 2009. That report, aimed at addressing economic, national security, public safety and privacy interests, can be found here: http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
Collaboration between government and industry
The panelists noted that a national strategy is dependent on the collaboration of many people, including industry bodies and government agencies.
Cheri McGuire, director for critical infrastructure and cybersecurity at Microsoft and chair of the Information Technology Sector Coordinating Council, said that the public/private partnership relies on several key principles.
“One principle is trust,” McGuire said. “There is a long history of lack of trust between industry and government. This adds a unique factor to when government invited industry to the table to work collaboratively on cybersecurity issues.”
She noted that many public and private partnerships from the past can be used as a lesson on how to conduct successful partnerships today. “There is no one right model, there is no one right way to do this,” McGuire said. “There are a lot of lessons learned – that the many of us who are involved in the public and private debate have learned – that can be used to create the framework for these partnerships.”
The IT-SCC was established in 2006 to encourage cooperation between tech industry entities in addressing infrastructure protection, response and recovery. To read more, see http://www.it-scc.org/.
“Cybercrime runs the gamut of most of the bad things that humans do to each other,” said Don Codling, unit chief at the Federal Bureau of Investigation. “Think of everything from slavery, to human trafficking, to embezzlement, to fraud. You can even hire a hit man online.”
Codling said the domestic approach of the FBI regarding cybercrime almost instantly turns into a global effort. Due to the nature of the Internet, how records are stored and how financial transactions are performed, almost all major crimes become global instantly.
“We are members of the global community,” Codling said. “The global law enforcement community has coalesced rapidly and said we have similar problems. We need to work together.”
To read more about the FBI’s cyber mission, see: http://www.fbi.gov/cyberinvest/cyberhome.htm. For background from the U.S. Justice Department on international aspects of computer crime, see this page: http://www.justice.gov/criminal/cybercrime/intl.html
Incident response seen as vital
Scott Algeier, executive director of the IT Information Sharing and Analysis Center, said it is important for there to be open communication in order for people to share their expertise. He noted that when industry partners share information people are able to analyze the different trends that many different companies are experiencing.
“By sharing information, we give each other a larger capability,” Algeier said. “We are able to say ‘this is a neat trend we are seeing,’ and analyze all of the information that we are receiving.”
Computer emergency readiness teams work to assess attacks and vulnerabilities. The US-CERT site is http://www.justice.gov/criminal/cybercrime/intl.html.
Building a culture of cybersecurity and awareness
Franz said the five overarching elements covered in the session are all dependent on each other.
“I don’t want to focus on five elements and that they each do their own thing,” Franz said. “But instead emphasize that it is important to collaborate between these elements.”
“Cybersecurity means preserving this open, free Internet that we have learned to value so much,” said Greg Nojeim, senior counsel and director at the Project on Freedom, Security and Technology of the Center for Democracy and Technology (http://www.cdt.org/about). “We are only just beginning to realize what it would be like if it was all taken away. Security allows you to use the Internet freely.”
Nojeim said correctly balancing the needs for security and privacy online is important. He added that an increase in transparency could make people really understand the need for security.
“A lot of the cybersecurity efforts necessarily have to take place behind the scenes, but I think that openness is one key to a successful program,” Nojeim said. “It builds trust, it helps companies know what happens to the information that they share.”
All panelists agreed that there will never be a time where there is no cybercrime.
“I don’t think there is a perfect system – what we have to find is what is reasonable security and the proper balance between privacy and freedom of speech and safety and cybersecurity,” said Adam Palmer, Norton lead cybersecurity advisor for Symantec Corporation, a security systems company.
-Rebecca Smith, http://www.imaginingtheinternet.org
IGF-USA Scenario Discussion: Internet Islands – The Rise of Digital Fortresses and the End of the Digital Republic
IGF participants broke into three different rooms to discuss three different potential-future scenarios for the Internet in 2020. In this session, the brief description given to the discussants was: By 2020 the Internet as we know it in 2010 is no more. Concerns over national security and cybercrime led to calls for “safe zones” on the Net. Governments taxed e-commerce as a way to address budget deficits and trade barriers were constructed, closing off markets for goods and information. Mega-companies constructed their own walls to keep criminals out and customers in. At the same time the digital divide grew quickly as poorer nations and smaller companies could not afford to keep up with new security requirements and the entry fees needed to access the secure parts of the Web. Large parts of the world have found themselves “outside the wall” and left to fend for themselves, facing a combination of rapacious criminals, radical groups and bottom-feeding enterprises. For those on an Internet Island, life goes on, but in a more limited way than before.
Details of the session:
A small group of telecommunications leaders and advocates of human rights and privacy met to discuss the Internet Islands potential-future scenario at the Internet Governance Forum-USA 2010 at Georgetown University Law Center. They were led by Garland McCoy, founder of the Technology Policy Institute, Andrew Mack, founder and principal of AMGlobal Consulting, and Iren Borissova, senior manager for international public policy at VeriSign.
This scenario sets up a closed-off future for the Internet. Metaphorical islands have crept in, developed by businesses and governments to limit the flow of outside information while keeping users on the islands secure. You can read the one-page PDF used to launch this discussion here: http://api.ning.com:80/files/OVKwetXFSDRrq4nfkx0duSjNpXJLGlyyKV0S4i2A1FVDA4WwNCN3fHRTtQr5eq7L286HdzHWVJjsf0uynsER71dCuDBn4G8M/InternetIslands.pdf
Scenario facilitators McCoy, Mack and Borissova and other discussants described the Internet of 2010 as a mainland with some islands and more continuing to bubble to the surface. They proposed that having multistakeholder conversations is the way to avoid a more fragmented future and prevent future islands from cutting off the rest of the digital world.
“One of the major antidotes we could take to fight against it is having multistakeholder dialogues like those that we are engaged in now,” said Leslie Martinkovics, director of international public policy and regulatory affairs for Verizon.
The group imagined four island types: totalitarian, culture, liberal and corporate. The totalitarian islands are the governments who limit access and regulate what users are viewing. In some cases government officials require users to identify themselves in order to oversee what is being viewed.
On the liberal islands, while there are good intentions, countries or groups set up virtual trade barriers to gain revenue. Some participants likened this to the fees on rental cars at airports, where visitors are taxed instead of the voters.
A corporate island is one where companies provide a safe haven for their customers while providing additional security measures to prevent criminal breaches. And the cultural islands are created by countries and groups who wish to preserve their culture. The French mandate to resist the incursion of other cultures and focus on local content was used as an example of a cultural island.
But are these really islands, asked McCoy, or are they peninsulas with chokeholds to the mainland’s information? And Courtney Radsch, senior program officer at Freedom House working on the Global Freedom of Expression Campaign and the Southeast Asia Human Rights Defender Initiative, reminded the group that increased access does not always mean increased information.
The scenario participants agreed that international groups like the IGF must continue to meet and bring experts and interested individuals together to discuss the future of the Internet to prevent these islands from continuing to surface.
-Anna Johnson, http://www.imaginingtheinternet.org
The blame goes to all parties involved. Every time a phishing scam succeeds, an account is broken into or money stolen right from a bank account, while it’s ultimately the fault of the perpetrator of the crime, those who created the security software, the regulators who are supposed to be on watch and the individual user who gives out their private information are all complicit in cybercrime. That was the viewpoint of participants in a cybercrime panel at IGF-USA Oct. 2, 2009, in Washington, D.C.
President Barack Obama has, both during the campaign and in the initial stages of his presidency, said that he is looking to make cybersecurity a major focus of his administration, and part of this effort has led to this month serving as cybersecurity awareness month, but where should that awareness be cultivated?
“Whatever the U.S. policy is, it’s inextricably intertwined with the global policy,” said Christopher Painter, acting senior director for cybersecurity at the National Security Council.
But how can that policy be enforced? Threats to the integrity of the world’s online networks can emerge from anywhere at any time, and are nearly impossible to both prevent and punish.
“There is no static cyber threat, there is no one place to focus,” said Jennifer Warren, vice president of technology policy and regulation and government and regulatory affairs at Lockheed Martin Global Telecommunications.
Don Blumenthal, the senior principal with Global Cyber Risk, stood firm by the need for landmark cases to serve as a disincentive for criminals who look at the history of online law enforcement and see that there are few punitive dangers waiting before them.
But if everyone on the panel can agree that there’s a need for more punitive measures, that everyone (individual, corporate, governmental and international) needs to work together in preventing cybercrime, and that there is a critical need for more education to teach the public the steps they can take to stanch the flood of online security threats, why hasn’t anything been done yet?
Security professionals are good at making sure that nothing happens. – Ken Silva, chief technology officer at VeriSign.
At every step of the way, people on every rung of the online ladder point the finger at a group either beneath or above them. Teachers, saying they have too much on their plate, encourage students to engage with the Internet without teaching them any safety precautions, thinking that the technology will take care of it. The techies create their software, knowing full well, as Silva sternly said, that the static password system that serves as the predominant backbone of most citizens’ security measures has been out of date since its inception years ago. And the government, to which the techies look with hopes of enforcement, has its hands tied due to a lack of funds and manpower and the shifty international waters that impede progress in quickly catching and apprehending criminals.
Several ideas were floated during the panel’s discussion, including a newfound emphasis on K-12 education on cybersecurity; a nationwide campaign, similar to that of Smokey the Bear, to build up public consciousness of the need for more individual activism in maintaining cybersecurity; and a universal set of standards defining what cybercrimes are, so that some progress could be made in instituting international laws to assist in tracking and apprehending international security threats (which comprise a majority of security breaches in the U.S.).
But all of the panelists involved in this discussion knew full well that to implement even one of these measures would require a degree of consensus and effort that, so far, has been remarkably difficult to come by.
-Morgan Little, http://www.imaginingtheinternet.org