12
‘Cybercrime – Now This Changes Everything!’
Presented by Commander Barbara Etter
Director, Australasian Centre for Policing Research, and
Chair, Australasian Police Commissioners’ Conference E-Crime Working Party
to the Growing Australia Online Conference
in Canberra 3 to 4 December 2002
ABSTRACT
The Internet is often described as a wonderful tool, an engaging place and a liberating experience … but for whom? There is the potential for many of us to become victims to the growing pool of criminals who skilfully navigate the Net, preying on the young, the trusting and commercial enterprises alike. Cyberspace is an environment that is intangible, dynamic and unlike any previously known. This is especially true in law enforcement. In some respects, the growth in the uptake of Information and Communications Technology (ICT), including the Internet, presents as great a challenge for policing as the introduction of the telephone and the motor vehicle. The paper argues that cybercrime or e-crime[1] presents as a new form of business that will require a fundamental paradigm shift in policing. This ‘new business’ will be characterised by new forms of crime, a far broader scope and scale of offending and victimisation, the need to respond in a much more timely way, and challenging technical and legal complexities.
Law enforcement agencies around the world are working together to develop new partnerships, new forensic methodologies and new responses to cybercrime in order to ensure safety and security on the Internet.
This paper explores some of the known risks and dangers of the Internet, discusses the continually emerging and changing nature of the problem, highlights the unique challenges and response issues, and outlines how the safety and security of our community is being protected by policing agencies in partnership with a range of key stakeholders.
INTRODUCTION
Policing the physical world, whilst challenging, is relatively well understood, generally localised and low-tech, and underpinned by many well-established practices and procedures. But Cybercrime – Now This Changes Everything!
The policing of cybercrime will be enormously challenging. As one of the Commissioners from the US Commission on Child Online Protection commented (Balkam 2000):
The Internet changes everything. It upsets our notions of how things should be, how countries should be governed, how companies should be run, how teachers teach and children learn. It mixes up our conceptual framework of what we think we know about the world, about each other and about ourselves. It is liberating, exciting, challenging and terrifying all at the same time … To a majority of the world’s people, the Internet remains mysterious, forbidding, incomprehensible and frightening.
The vision for Australasian policing, as stated in its strategic directions document for 2002 to 2005 (APMC 2002), is:
‘A safer and more secure community’
Given the ubiquitous nature of technology, and the fact that the Internet is now an integral part of most of our lives, ‘community’ in the vision statement must equally apply to the new and ethereal dimension of cyberspace. Police must ensure safety and security in various environments including the home, schools, business and the workplace, whether online or offline.
New and innovative responses are required to the issue of cybercrime or electronic crime, particularly given its global dimensions and borderless nature. In some respects, the growth in the uptake of ICT, including the Internet, presents as great a challenge for policing as the introduction of the telephone and the motor vehicle. Some argue that such crime is merely a case of the ‘same old wine in new bottles’. However, this paper argues that e-crime, and particularly ‘hi-tech crime’[2], presents as a new form of business that will require a fundamental paradigm shift in policing. This ‘new business’ will be resource-intensive and will be characterised by:
· new forms of crime;
· a far broader scope and scale of offending and victimisation;
· the need to respond in a much more timely way; and
· challenging technical and legal complexities.
The objectives of the paper are to:
· Discuss the risks and dangers of the Internet, as well as the nature of the cybercrime problem;
· Identify and discuss the new and unique challenges and response issues which may be encountered during the prevention, detection and investigation of such crime; and
· Outline in broad terms what Australasian policing is doing to prevent and reduce the incidence of this type of crime and enhance the safety and security of our communities.
KNOWN RISKS AND DANGERS OF THE INTERNET
There are enormous economic and social benefits to be gained from embracing ICT and the Internet. However, there clearly are a number of dangers or risks involved, for instance, in utilising the Internet. They include (Etter 2002):
· Invasions of privacy;
· Fraud and theft, including the potential use of your credit card details by others to purchase goods and services, and the possibility of identity theft, a fast growing crime;
· Harassment, including spamming, stalking etc;
· Exposure to material considered to be pornographic, violent, hate-filled, racist or generally offensive;
· Ready availability of information to assist people with bomb-making and other dangerous activities;
· Temptation and ability to participate in on-line gambling;
· Vulnerability to exploitation, such as the physical or emotional abuse of children;
· Loss of business and reputation, due to denial of service attacks, web graffiti etc.; and
· Loss of data and damage to systems, through malicious code, such as worms and viruses.
Recent research conducted by the Australian Broadcasting Authority (ABA 2001) found that most adults believed using the Internet involved some risk, with the main areas of perceived risk being (ABA 2001, p.6):
· Financial dangers e.g. fraud and credit card number theft (54%);
· Personal data misuse and privacy issues (45%);
· Content exposure concerns (39%); and
· Viruses (21%).
The most common content concern was the perceived risk of children accessing unsuitable content (27%). Access to pornographic material, and the receipt of such content through unsolicited emails or accidental discovery, were the key concerns. The difference in the level of regulation of the Internet compared with other media was the most common theme raised by parents, when asked why they were concerned about access on the Internet (ABA 2001, p.43). The core differences between the Internet and other media, perceived by parents who were more concerned with Internet content, were:
· Regulatory differences;
· Monitoring difficulty – individual versus group nature of the viewing;
· The unwanted, unexpected nature of access to unsuitable content; and
· The interactive nature of the medium and the human dimension.
When considering the safety of the Internet, an interesting analogy is that of what is in place to ensure safety on our roads. Whilst the roads can certainly be a dangerous place, there are a myriad of established mechanisms to enhance safety and minimise trauma. These include (Etter 2002):
· A system of licensing drivers and registering cars to ensure driver competence and vehicle roadworthiness;
· A complex legislative and regulatory regime which outlines the type of driver behaviour expected on the roads;
· Careful attention to standards, road design and construction, as well as vehicle design, including the provision of air bags, seat belts etc.;
· Regular patrolling of our roads by police officers, including practices such as random breath testing;
· Technological checks and safeguards such as radars, speed cameras, red light cameras and video surveillance;
· Availability of maps, weather forecasts, advisory signs etc. to assist in planning and/or executing journeys; and
· Regular and high profile prosecutions of offenders.
When you compare this to what is currently in place to ensure safety on the Internet, where admittedly the risk of immediate physical injury or death is much lower, the situation is quite alarming, particularly when one considers the ease with which one can become a victim. Policing at the moment does not have the physical presence or degree of visibility in cyberspace that it has in the physical world. There simply isn’t, and never will be, a ‘bobby’ standing at every ‘cybercorner’.
Criminal behaviour on the Internet, or cybercrime, presents as one of the major challenges of the future to Australasian and international law enforcement. As ICT becomes even more pervasive, aspects of electronic crime will feature in all forms of criminal behaviour, even those matters currently regarded as more ‘traditional’ offences. It already features in many transnational crimes involving drug trafficking, people smuggling, terrorism and money laundering. Digital evidence will become more commonplace, even in traditional crimes, and we must be prepared to deal with this new challenge.
THE NATURE OF THE E-CRIME PROBLEM
The computer has become an integral part of our way of life. However, as our connectivity and dependency on ICT increases, so too does our vulnerability. This vulnerability was clearly demonstrated in recent times with:
· The distributed denial of service attacks on Yahoo, eBay and other major Internet players during February 2000;
· The ‘Love Bug’ virus (or ILOVEYOU worm), SirCam, Code Red and ‘Bugbear’ (and others), with the cost of virus attacks in 2001 said to be $US10.7 billion ($A20.5 billion) (Gengler 2001, p.36);
· The reported denial of service attacks on the St George Bank in Sydney in September 2000 (Kaye 2000, p.1; Spencer & O’Brien 2000, p.29);
· The hacking of Microsoft where an attacker apparently gained access to the source code for a future product (Gliddon 2000; Weiss 2000);
· The large scale theft of over a million credit card details from various US e-commerce sites by Russian and Ukrainian crime gangs (Hellaby 2001);
· Attacks on government websites in the US, UK and Australia by Pentaguard in January 2001, said to be one of the largest most systematic defacements of worldwide government servers on the web (Legard 2001);
· The largest identity theft case in Internet history involving 200 of the 400 richest people in America listed in Forbes magazine (Weiss 2001);
· The recent arrest of an identity theft ring in the US involving the theft of more than 30,000 people’s identities through the acquisition of data from credit reporting agencies, with losses to date at $A4.8 million (Festa 2002; Sullivan 2002; The Australian 2002);
· An international Internet ticketing scam involving a cloned website of the Sydney Opera House whereby people ordered expensive non-existent tickets with their credit cards – the investigation has involved the FBI, US Secret Service, Scotland Yard, the ACCC here in Australia, as well as bank and credit card fraud investigators (Lamont 2002);
· The theft of telephone services by tapping into the telephone switchboards of 12 of Australia’s largest corporations and the running up of untraceable calls costing around $2 million (The Australian IT Section 2001);
· The Nimda or ‘swiss army-knife’ worm which impacted on the operations of the National Australia Bank, Parliament House in Canberra, SA Government agencies and others (Bryan & Lekakis 2001; Field 2001); and
· The hijacking or hacking of the account details of 400,000 Optus Internet dial-up customers, said to have launched the biggest computer crime investigation undertaken by the New South Wales Police (Rossi 2002).
Some of these incidents also demonstrate the capacity for a single individual to perpetrate major and widespread criminal harm (with a young Canadian named ‘Mafia Boy’, the offender in the February 2000 denial of service attacks, a New York bus boy and high school drop-out allegedly responsible for the large scale Forbes ID theft scam and a university student from the Philippines the offender in the Love Bug incident). One can only wonder about the extent of damage that could occur in the case of highly skilled, well orchestrated and maliciously motivated attacks.
Global connectivity means that havoc can occur, in a very short timeframe, throughout the world. The abuse of computer technology may threaten national security, public safety and community well-being, and devastate the lives of affected individuals. There is also the spectre of cyberterrorism or a cyber dimension to a terrorist attack (Gellman 2002; Verton 2002a & b).
New ‘criminal’ opportunities have also been created by the development of electronic media. They include:
· Denial of service attacks;
· Viruses, worms, trojans and other forms of malicious code;
· Unauthorised entry;
· Information tampering;
· Cyberstalking;
· Spamming (sending unsolicited bulk email);
· Mouse-trapping (where clicking the browser’s back button with the mouse does not lead out of the unwanted site but only to the viewing of further unwanted pages (eg. pornography). To escape, the user may need to close the browser or even restart the operating system);
· Phreaking (breaking into the telephone network illegally, typically to make free long-distance phone calls or to tap phone lines); and
· Computer damage.
The above are relatively new types of offending or undesirable behaviour that did not exist in the pre-computing environment. Likewise, the development of computers has created new opportunities for services theft, manipulation of the stockmarket (through ramping up of stock prices and ‘pump and dump’ schemes[3] using the Internet), software piracy, and other thefts of intellectual property.
It was believed a few years ago that only several thousand people in the US had the capabilities to launch a cyber-attack. Recently, it was estimated that there are 17 million such people in the US alone (O’Brien & Nusbaum 2000). Computer Industry Analysts, Gartner Group, also estimate that by 2003, 20 million people worldwide will be actively hacking (Bell 2002).
In relation to the tools of crime, the box below is enlightening as to how much assistance would-be criminals can obtain by simply downloading easily accessible tools that are often available free from the Internet. There are said to be some 30,000 websites that post hacker codes, which can be downloaded to break passwords, crash systems and steal data (Adams 2001). One study recently found that of 3 million sites tested world-wide, about 80% displayed a vulnerability that could be exploited by tools readily available on the Internet (Van Dijk 2001, p.5).
New tools, such as ‘autorooters’[4], are also emerging, which automate the hacking and cracking[5] process and make it even easier to compromise systems (Tanase 2002). They are regarded as a new and very serious threat to network security (Tanase 2002).