|
|
|
|
Partnership Policing for the Information Society
|
||
Separating myth from reality and snake-oil from
practicality
|
|
||
|
Identity theft is replacing drug trafficking as the crime of choice |
Drug
gangs move in on fake £1.3 billion trade - |
|
|
|
Every day Scotland Yard's paedophile unit deals with images of the most harrowing nature ... |
Oh, my God, what am I looking at? -Daily Telegraph 31 August 2003 |
|
|
|
The Internet payment system Worldpay is under attack from unknown assailants, hitting thousands of online retailers worldwide |
Worldpay battling online attack – BBC News 5 November 03 |
|
|
|
E-crime[1] is becoming a topic of mainstream news. Contrary to popular perception, most of it is familiar crime – fraud, pornography, impersonation, etc – exploiting the new on-line world. |
|
||
1. Why does the subject need political attention - NOW? |
|
||
|
Around half the population of the |
|
||
|
This is the first paper in a series to promote that debate. It summarises the issues addressed in a series of supporting working papers. The supporting papers contain specific recommendations as to how government, industry and society can work together to improve the situation, including some “quick wins” to give early benefit at low cost, as well as confidence that those “in charge” (whether in industry or government) know what they are doing and can be trusted to deliver. Overall success will, however, depend on action in three key areas: |
|
||
|
·
The development of a shared National
E-Crime Strategy for achieving a safe information society that involves
and is supported by all constituencies across government, industry and
society. ·
Government and industry
support for co-operative research and consultation on the actions
necessary (including information assurance, security, education and other
forms of prevention) to address the risk and fear of e-crime. · Developing the capability of law enforcement (including routines for co-operation with industry) to identify and deal with threats as they emerge (rather than reacting when they are out of control and thus very much more difficult to contain) |
|
||
|
2. The Political Framework for a National Strategy |
||
|
The Emerging Perception of E-crime |
||
|
Over the past year the threats from e-crime have moved from being of concern to industry specialists to being a topic of mainstream news. Below is a selection from the headlines and articles in the national media during the summer and autumn of 2003. Together, they inform and inflame public opinion and ensure this will become a matter for political debate during the run-up to the next general election, if not before. |
||
|
More than 7
million people in |
Identity
theft explodes in US - |
|
|
The SOBIG F virus has set records for the amount of e-mail messages it infected |
SOBIG
is biggest virus of all - |
|
|
High tech security investigators and police were involved in a global race against time last night to find 20 home computers harbouring a programme that threatened to cripple the Internet |
Global hunt to kill off Internet Virus - Daily Telegraph 23 August 2003 |
|
|
The trials of thousands of alleged paedophiles accused of buying pornography on the Internet are in jeopardy |
Porn
case delay after computer trial collapses - |
|
|
New and more dangerous computer viruses are growing at such a rate that the whole Internet could collapse |
How firms
can suffer even from preventing a virus - |
|
|
A computer
expert masterminded |
Fraudsters
duplicated 9,000 credit cards – |
|
|
Barclays has called in the cyberpolice and slapped a limit on online cash transfers in an attempt to head off an e-mail fraud aimed at Internet banking customers |
Barclays calls in cyberpolice - Guardian 15 September 2003 |
|
|
Computer giant MSN is closing all its Internet chatrooms - to stop perverts using them to prey on children (this Sun “exclusive” was also on the front page of the Guardian, Independent, Mail, Telegraph, Times and Financial Times as well as radio and TV news and all the wire services). |
Microsoft
chatroom shutdown over pervs - |
|
|
Busiest |
Hacker
left port in chaos – Guardian 7 October 2003 |
|
|
There were many fewer headlines putting the contrary view although these are said, by industry experts, to be more realistic: |
||
|
In every day life, with a few simple precautions you can keep your personal details private |
The leaky net - BBC 29 July 2003 |
|
|
The latest e-mail virus may be the worst ever, but experts argue that its actual economic impact is likely to be modest |
Modest
cost of SOBIG virus - |
|
|
Banking is cyberspace is quicker and easier ... a few simple precautions ... we have overcome our fear ... |
The high street is given a powder -The Times 20 September 2003 |
|
|
Constructive debate requires both industry and government to recognise the reality of public fears at the same time as ensuring that all concerned do what is practical now, without waiting for GODOT (the next Generation Of Digital Operating Technologies), let alone the resolution of cross-border jurisdictional problems which date back to the days of tramp steamers and gunboat diplomacy. E-crime is not a problem for tomorrow - it is a challenge for today. |
||
|
In the physical world shoppers like clean, well lit and well policed shopping malls. They avoid streets with graffiti, broken glass and boarded up shops. It is much the same in the electronic world, except that the scale and immediacy of the problem, together with the social and economic impact, are not local, they are international. The need is to enable citizens and business to enjoy the same level of protection and confidence on-line as in the physical world. |
||
|
Enabling a Safe and Trusted Information Society |
||
|
Society is becoming increasingly dependent
on computers and the Internet. Government has set an objective to make the |
||
|
A first step is to update policing frameworks for the electronic world. Government has recognised this by introducing new or revised legislation, such as the Regulation of Investigatory Powers Act, to help address specific areas of concern to law enforcement. Such legislation, however, addresses only part of the problem and can, if misconceived, even be counterproductive. This technology permeates society in ways that require new attitudes and approaches to create structures within which government, industry and law enforcement can co-operate in establishing safe and trusted environments in which each plays its agreed part. |
||
|
We need to focus on partnerships of equals to ensure that the services being put on-line by government, industry, education and the voluntary sector are both trustworthy and trusted. We need to identify those who should contribute to such partnerships and to involve them actively in developing the solutions needed. |
||
|
The Balance of Priorities |
||
|
There is already significant debate on the relative priorities for law enforcement given that their resources are limited. Current priorities are focused on visible social issues, such as street crime, burglary and car theft on the one hand, and on major international criminal activity, such as drugs, people trafficking and paedophilia, on the other. White collar crime is already suffering from lack of resource within law enforcement, leading industry to take greater responsibility for the investigation and prosecution of some offences. Examples include the actions by the software and entertainment industries to combat piracy and illegal copying and by the financial services industry to combat card fraud. Industry and the voluntary sector are also taking the initiative to encourage reporting of, and action against, unacceptable activities in specific areas - notably relating to the protection of children – with, for example, the setting up of the Internet Watch Foundation. |
||
|
As yet, e-crime is seen (correctly or otherwise) to be a minority concern. However, increasing publicity on the extent to which the new technologies are being exploited to support criminal and anti-social activities is beginning to cause people and organisations to question how they can defend themselves. Whether or when this will result in widespread public demand for action is uncertain, but there is a need to have effective policies and action plans ready for implementation when it occurs. |
||
|
The current National Policing Plan does not explicitly include activities relating to e-crime. Local police forces therefore have no incentive to devote resource to this activity, because it does not contribute directly to the achievement of performance indicators set by government. Local computer crime units in most police forces are inadequately funded, have critical backlogs of investigations outstanding and are unable to undertake any proactive investigation. That situation will not change unless and until public awareness and political pressure lead to a change of priorities. Such pressure will imply, however, that the medium is indeed felt to be unsafe. Meanwhile, industry and government will not be able to respond with comparatively modest effort unless the groundwork for effective partnership is already in place and working. |
||
|
Many of the recommendations in this paper are therefore based on a perception that industry will have to take the lead in developing the necessary capabilities to combat e-crime in order to compensate for its low ranking among current priorities for law enforcement resource. |
||
|
|
||
|
3. Challenges and Questions |
||
|
To date the focus of debate has been on combating e-crime - with varying definitions as to what is meant by e-crime. For example a recent book[2] on e-commerce crime contains a seven page list of types of e-crimes with examples of each[3]. For the purposes of this Study three broad categories of activity are addressed: |
||
|
· Crimes made more efficient by using computers and the Internet to gain access to larger numbers of potential victims at lower cost/risk to the perpetrator. Examples include auction fraud, identity cloning, mis-selling and paedophilia. |
||
|
· Conventional criminal activities managed through use of electronic services. Examples include the use of email, mobiles, search engines, funds transfer et al in support of blackmail, fraud, extortion, drug or people trafficking. |
||
|
· Attacks on computer systems themselves. Examples include viruses and denial of service. Many of these look to victims like familiar crimes such as vandalism (e.g. defacing web sites) or criminal damage (e.g. causing a computer to crash). |
||
|
Policing and law enforcement, supported by legislation, are taking time to adapt to these new threats, often beginning with misguided attempts to control the technology through lack of understanding as to how it is used or how it works in the real world[4].. Use of new technologies is expanding and changing in ways that makes this approach inadequate. Small firms and individual citizens are seeking to use technologies that were previously the province of experts. Large firms are seeking to address mass markets from global centres as opposed to local subsidiaries. Technologies previously available only to experts are now available to most teenagers. The widespread adoption of broadband (always on) connections increases vulnerability to attack and misuse. In consequence some problems are growing exponentially. |
||
|
There is, however, also evidence that the use of these new services is inhibited by concerns over safety and trust. The latest ONS Internet access survey shows that, of those people who had never purchased over the Internet, 23% cited security concerns as the reason. 9% of those who don’t use the Internet cite security concerns. Polls suggest that 40% of those who currently do not use Internet banking would do so if their fears over security could be resolved and that among web users only 25% had no worries about buying goods and services online. |
||
|
As in the real world, if people perceive they are vulnerable they will avoid putting themselves at risk: just as they will avoid some inner city areas by day, let alone by night - thus reinforcing a cycle of decline. There is a real threat that perceptions of the Internet as a dangerous place will, at best, inhibit growth and, at worst, destroy trust in electronic services. A pro-active approach is required that creates the right balance of trust and caution: the electronic equivalent of not walking down a dark alley at night and not leaving purse or wallet unattended on the counter when you turn away. This approach needs to involve skills and resources from many constituencies in the creation of safe environments where opportunities for criminal activity are reduced, people feel at least as safe as in the high street or park and business is confident in offering on-line services. |
||
|
This will require a common understanding of the capabilities and concerns of each constituency, as well as their roles and responsibilities in creating a safe information society. Parents, large commercial organisations and law enforcement have very different worries and concerns and very different capacities to address them. We need to engage all involved parties across the public and private sectors in an open debate to agree priorities and frameworks for co-operation, making best use of the limited resources available. There is a need to identify how best to remove any barriers to effective partnership and how government can best help, remembering that trust takes time to establish, with dialogue, example and experience more important than awareness campaigns or legislation, essential though these may be. |
||
|
The questions for consultation include: |
||
|
· How can we ensure and encourage global products and services that are less vulnerable to criminal exploitation but which respect the desires of those who wish to control their own systems and desire their private concerns to remain private? · How should we educate and motivate users of all ages to be better electronic citizens, protecting themselves, looking after others and refraining from mischief or malice? · How do we ensure that law enforcement is at least as sophisticated in its use of technology as those who are increasingly using computers and networks to help organise and commit crime? ·
How should we police that
part of cyberspace over which the ·
How do we ensure
democratically acceptable and accountable frameworks for co-operation across
boundaries, between law enforcement agencies in different jurisdictions and
between public and private sectors, including both industry and interest
groups? |
||
|
Almost all the credible answers to these questions require Government, industry, law enforcement and education to work together - beginning now. |
||
|
|
||
4. Areas for Action and Recommendations |
|||
|
In April 2002, EURIM called for a national strategy for tackling E-Crime (Briefing 34: E-Crime – a New Opportunity for Partnership). IPPR has called for action to protect the most vulnerable, (Online Freedom and Safety for Children, by Sonia Livingstone) including a surfing proficiency test for children. The Home Office has now committed to developing a cross-Departmental strategy, pulling together work in many areas covering e-crime. The current EURIM-IPPR Study focuses on six key areas where priority action is needed within that Strategy to reduce the impact of e-crime: |
|||
|
1.
|
|||
|
2.
|
|||
|
3.
|
Addressing the particular needs of Small Firms and others who are most vulnerable |
||
|
4.
|
|||
|
5.
|
|||
|
6.
|
|||
|
These have been explored in a series of workshops which produced the analysis and recommendations summarised below (full reports available on http://www.eurim.org). |
|||
|
There is a real lack of information on the extent to which e-crime is undermining trust in the information society. The first need is to improve and bring together existing work on reporting methods and structures. The second is to develop ways of handling the massive increase in volume were it to be made easier for business and individuals to report what is happening – probably by the controlled introduction of reporting mechanisms targeted for specific purposes. The final need is to improve the way intelligence on e-crime threats is gathered, analysed and disseminated to specific target audiences in the appropriate form. Recommendations include: |
|||
|
· Government to build on the work of agencies such as PITO, NISCC, NHTCU and industry (including that of the Internet Crime Forum “One Stop Shop” sub-group) to encourage the development of seamless portals for the reporting of incidents and of websites to help people identify what types of problem they face and who they should contact for assistance. |
|||
|
· The relevant government agencies to work with each other and with appropriate industry organisations to provide better intelligence and reduce duplication of effort. |
|||
|
Reducing Opportunities for E-crime and Addressing the needs of the vulnerable |
|||
|
The need for crime prevention and to minimise the opportunities for criminals is familiar in the real world. In the emerging electronic world there is a need for similar approaches. This is hindered because most users have no practical basis upon which to judge risk in the digital world. There is, therefore, a danger that only technical or legislative solutions are considered even though, as with physical crime prevention, holistic approaches are essential for success in reducing opportunities for e-crime and promoting confidence in the comparative safety of the Internet. Such approaches also need to address both the perception and the reality of e-crime in very different communities. Those who use computers and the Internet without adequate security are not only a danger to themselves, they can also be a danger to the rest of an increasingly inter-connected on-line world. This has been shown by recent problems with the latest generation of viruses and worms, spread rapidly through poorly protected systems, as well as by “distributed denial of service attacks” using hi-jacked computers. Waiting for a new generation of products and services to supposedly solve the problems is not an option. On the positive side, small business is targeted by many government initiatives, including those of DTI and DfES, albeit few of these have yet made significant impact on their attitudes and behaviour. There is a need for realistic advice and guidance tailored to the needs and concerns of small businesses and other vulnerable groups, widely disseminated through a variety of channels. This needs also to be supported by campaigns to encourage the provision of products and systems that default to secure settings and of trusted services that help those without ICT expertise to understand and implement risk management profiles appropriate to the usage they intend. Recommendations include: |
|||
|
·
Encourage hardware and
software vendors, communications providers and ICT suppliers and retailers to
work together to provide in their offerings ready-to-use security packages, installation
and support services to help small firms better secure their systems at
prices they are willing to pay, and that government mandate these for
publicly procured equipment and services. |
|||
|
· Produce a “Green Cross Code” for the safe use of computers and the Internet in homes, schools and in small businesses, that could be distributed widely and that would provide advice, point to publicly available Codes of Practice and Guidance documents for further information, and explain what to do when an incident is suspected. |
|||
|
· Extend the syllabuses of end-user courses to address the basic security precautions that all PC and Internet users should take and teach good practice at all levels, from schools and colleges to workplaces and lifelong learning centres. |
|||
|
· Consider the WARP (Warning Advice and Reporting Point)[5] approach developed by NISCC as the model for a broader scheme to encourage local sharing of incidents, information and intelligence within and between communities. |
|||
|
Many conventional crimes now involve the use of ICT systems. Consequently evidence in digital form offers new investigative opportunities even where a computer is neither the target of attack nor the primary tool to commit the crime. New skills and techniques are required at all levels within the police and supporting services to enable investigators and forensics experts to trace and analyse criminal activities that involve computers and networks and to ensure the provenance of evidence in digital form. The ability of law enforcement to cope is further impacted by the significant extra cost of investigations that involve digital evidence. Finally, crimes using computers give criminals the potential to affect huge numbers of potential victims at low cost and risk, with a consequent potentially large increase in the numbers of reported incidents. It will take a significant time to train sufficient people with the right capabilities to handle every reported incident involving computer systems – even if there is the political will and sufficient funding. Better ways of encouraging sharing of expert resource between industry and law enforcement are needed to alleviate these constraints. Recommendations include: |
|||
|
· The Home Office, DTI, law enforcement and relevant trade associations and professional bodies to co-operate in developing and publicising good practice Guidelines[6], Standards and Codes of Practice for e-crime investigations, and to investigate the practicality of accrediting investigators and others in industry with appropriate skills and experience to work to the same legal standards and guidelines as law enforcement agencies when investigating e-crime. |
|||
|
· Home Office to co-ordinate work with all interested parties to create processes that can be understood and used by any organisation or individual to verify the provenance of requests for access to or retention of data in electronic form (not just communications data) or for specialist ICT support by any authorised investigating body. |
|||
|
Significant investment is already being made in creating and running courses in particular skills for law enforcement agencies. There are commercial training operations and academic institutions running courses in similar skills for industry. There appears to be little, if any, linkage between many of the groups looking at the issues of competence and probity or involved in training. It is not clear what remit the new Skills Councils will have in this area. There is currently little contact between the various skills providers in this area, nor is there any common agreement on the sets of skills (particularly those at the higher levels) for which training would be most beneficial. Common understanding of the required sets of skills and sharing of the costs of creating and providing appropriate training could cut costs and also encourage further sharing of resources and information between the different constituencies. Recommendations include: |
|||
|
· To create a co-ordinating group with representation from the key public and private sector agencies to agree skills and training priorities and the potential for sharing resources and materials |
|||
|
· The Learning and Skills Councils and other DfES funding agencies, working through the relevant bodies, to mandate the inclusion of practical security in all publicly funded ICT end-user and technician training. |
|||
|
· Government agencies to encourage simple industry-led voluntary accreditation schemes, within relevant UK and International frameworks, to cover those offering information security consultancy, advice and skills, including those appropriate for supporting SMEs. |
|||
|
The Computer Misuse Act (CMA) has been around since before the widespread use of the Internet and is perceived to be in need of updating. Reviews have concluded that only minor changes are needed to maintain its perceived and actual effectiveness and that these should be urgently incorporated. Some conventional crimes (e.g. theft, impersonation) are legally defined in ways that make prosecution in the intangible world difficult or impossible. The need is for changes to the relevant laws to make the commission of an offence independent of the means - i.e. technology neutral. The Law Commission has carried out a number of studies to identify priority areas where such changes are required. Introducing these changes would significantly increase confidence in electronic business and enable a wider range of computer-enabled criminal activities to be successfully prosecuted and punished. A major need is for more effective co-operation across jurisdictional boundaries. The harmonisation of penalties with regard to specific computer-related crimes such as denial of service and hacking across EU member states may help but it deals with only a small part of the problem. Cross-border investigations can be greatly facilitated by the G8 24/7contact process and effective mutual assistance arrangements. Recommendations include: |
|||
|
· Government to initiate early and open consultation on the Law Commission recommendations on priority changes to existing laws to facilitate prosecution of e-crime, working with appropriate UK industry and law enforcement bodies to identify and implement those agreed to be of highest importance as a matter of urgency. |
|||
|
· Home Office to agree and introduce rapidly amendments to the Computer Misuse Act to underpin its perceived effectiveness and to reinforce the message that e-crime is being taken seriously. |
|||
|
· Government should ensure there is early and continuous industry input in international forums discussing the development of global (including pan-European) co-operation on proposals and legislation addressing the fight against e-crime to ensure that they are effective, practical and, as far as possible, technically neutral |
|||
|
Consultation |
|||
|
The recommendations in these papers can be achieved only if effective consultation processes are in place. EURIM has produced two studies on consultation processes: Briefing 26 in May 1999, Consultation, Concealment or Confusion: Practices and Principles for European Policy Formation, and Briefing 30 in July 2001, Making a Reality of Consultation. These recommend that effective consultation involves all interested parties in government, industry and society at large, is properly funded and is part of an open dialogue on the proposals under review. At a high level the issues to be addressed are relatively simple. People and organisations need to understand better how to manage their systems to address risks in the intangible world. Systems and services need to made more resistant to accidental or deliberate misuse. Products need to be made simpler to install and to configure to minimise risk. Unfortunately, achieving these simple objectives is complex, involving co-operation across many Government Departments and industry bodies and will require significant long-term commitment from key players. While there appears to be consensus on the detailed recommendations in the supporting papers produced in the course of this study, the means for establishing coherence across the implementation of those recommendations (so a that consistent image is perceived by those on the receiving end) is less than obvious. |
|||
|
The consultations, therefore, also need to be structured in such a way as to bring the necessary players together, across organisational boundaries, to identify and recommend solutions that will work. |
|||
|
© Copyright EURIM 2003. All Rights Reserved. For written permission to reproduce any part of this publication please contact the Administrative Secretary, EURIM, (email: admin@eurim.org; fax 01984 618383). This will normally be given provided EURIM is fully credited. Whilst EURIM has tried to ensure the accuracy of this publication, it cannot accept responsibility for any errors, omissions, mis-statements or mistakes. |
|||