EURIM – IPPR E-Crime Study Partnership
Policing for the Information Society

Draft Document For Discussion:

Working Paper 1: V0.5
Reporting Methods and Structures

The Issue

There is a real lack of information on the extent to which e-crime[1] is undermining trust in the information society, including the use of on-line services. There are a number of victim surveys which seek to measure individuals’ and businesses’ experiences of e-crime (the CBI survey, the biennial DTI security breaches survey, the British Crime Survey, the British Chambers of Commerce SME survey, etc) which collectively create a picture of e-crime victimisation. However, these surveys tend to capture only the experiences of knowledgeable organisations and tend to quote extrapolated costs of incidents, particularly viruses, to produce notional financial impacts which have discredited attempts to quantify the cost of e-crime. The ONS internet access survey, published regularly, shows current and projected use of the internet and thus the potential number of victims and the opportunity for e-crime. It also includes some information on why people don’t use the internet. There is almost no information on the extent to which home PCs are, for example, victims of virus attacks, or on the effect of spam on the way people use email. The situation is exacerbated by the tendency for reporting needs to be described in terms of why the information is required rather than how it can be provided. The net result is that information on what is happening in the real world is fragmented, imprecise and incomplete. There is a need to differentiate the real dangers from the fears and perceptions of people, the media and organisations.

In general people report incidents because they expect a return of some value, but the motivations for reporting will vary depending on the nature of the incident. Incentives (including, ultimately, regulation) can be introduced to encourage people to report where no direct benefit is perceived, but coerced information is often unreliable. People also expect to report information only once. However, many organisations may require or want to make use of that information. This further complicates the way in which reporting should be handled. Information can, broadly, be reported for three overlapping purposes. Note that originators provide the first two for information but expect action on the third.

· Information that shows the scale and nature of the problem, and from which operational, resource allocation and risk management decisions can be made.
· Information that contributes to intelligence gathering on threats, vulnerabilities and adversary capabilities that allows organisations and individuals to take pre-emptive action.
· Information that identifies incidents and supports their investigation.

There are many exercises to improve reporting, probably too many. Most are driven by the needs of particular organisations to collect information or to encourage reporting for specific purposes. The first need is to improve and bring together existing work on reporting structures. The second is to develop ways of handling the massive increase in volume that would follow were it made easier for businesses and individuals to report what is happening – probably by the controlled introduction of reporting mechanisms targeted at specific purposes. The final need is to improve the way intelligence is gathered, analysed and disseminated to specific target audiences in the appropriate form. The issues can be summarised by the following key questions:

1. Who wants to report what to whom, and what do they expect to happen afterwards?
2. Who wants to receive what reports, on what, and what are they going to do with them?
3. Who should be responsible for analysing reports, producing intelligence for dissemination and information for action by the appropriate authorities and organisations?
4. How should such intelligence be distributed to different constituencies, and by whom?
5. What reporting already happens (private sector, law enforcement agencies, regulators etc.) and how might existing information be better processed and shared?
6. What are the potential volumes? What resources would be needed to handle them?

The Approach

Reporting is a complex topic. There are a number of bodies that need information for a variety of purposes. For example, law enforcement needs to know the extent to which computer systems are involved in criminal activities so that it can plan for the resource levels and skills required. It also needs information to enable it to investigate and prosecute instances of e-crime. Equally, the Home Office needs information as a basis for allocating resources and deciding priorities. Commercial organisations need information on threat trends, vulnerabilities and similar intelligence, so they can make sure the associated risks are minimised. The DTI needs to know the extent to which individuals and SMEs, in particular, are affected by malicious incidents so it can run awareness campaigns and encourage appropriate good practice. The IT industry needs to know where there are security weaknesses in its products so it can make commercial decisions on fixing them, including the need to issue patches for critical vulnerabilities. Individuals need to be reassured that the environment in which they work and play is safe. This information is already available within organisations (from

This paper discusses the issues associated with creating a practical reporting structure and recommends programmes that could be put in place to work towards a practical scheme.

The Problem Space

If we are to reduce the opportunities for e-crime we need to make sure that we have adequate skilled resources and processes in place to report, investigate and prosecute e-crime when it occurs and, equally importantly, that we have intelligence gathering and dissemination processes in place to enable businesses and individuals to close up vulnerabilities before they have a serious impact. We also need processes whereby people and businesses can report incidents that might not be criminal in themselves, but that are considered anti-social or potentially damaging. It is relatively easy for a specific community to identify the information it requires and to set up a mechanism for collecting it. It is far less easy (perhaps impossible) to ensure that those supplying the information provide only the required information (and only once) in a useful form, and that resources are available to respond as necessary to the information submitted. Those providing information expect responses – if they don’t get responses, people will stop bothering to provide it. A good example of the need to design reporting processes carefully is provided by the US National White Collar Crime Center[2]. This was set up primarily to enable people to report incidents such as on-line auction fraud, and large numbers of incidents are reported. However, it is also contacted by people suffering or witnessing other criminal activities – including someone reporting a shooting in the house next door! It absorbs significant resource, and refers a proportion of its reports to other agencies and countries for action, including a small number to the

Barriers to Reporting

Currently incidents are not reported for a number of reasons. Where they are reported, there is little structured collation of that information in a way that helps quantify the impact of e-crime. For example, much fraud reported to police by banks now involves the use of computers or the Internet but is only recorded as fraud, not as computer-enabled crime. Theft of laptops and mobile phones is treated as simple property theft, but the true cost may be in the information held on them that is lost or compromised. Different constituencies have different reasons for failing to report incidents. Business is said to be reluctant to report incidents to the police partly from concerns about confidentiality, disruption to business and reputation, but also because it does not expect any effective action to be taken. Smaller businesses often do not have the technical competence to decide if an incident is malicious or, if it is, the time to report it and support a law enforcement investigation. Citizens often fail to report incidents because they do not know what has happened. Was it a crime or a malfunction? Even when they feel fairly sure that they have been subject to potential criminal activity (e.g. after receiving an e-mail supposedly from the widow of an African dictator seeking help with money laundering) they are unsure who to report this to and even less confident that anything will be done. But if every virus infection, hacking attack or “unpleasant e-mail” were to be reported, would the result be more informed policing, a safer environment or paralysis by paperwork? The Internet Crime Forum (ICF)[3] has a sub-group working jointly with the Home Secretary’s Task Force on the Protection of Children looking at how best to encourage reporting of potential e-crimes or other forms of abuse of the internet and computer systems. It has been focusing particularly on home users and SMEs, who currently seem rarely to notify anyone when they suspect something is wrong.

Experience of the US National White Collar Crime Center shows that there is a demand for such a point of contact, but the ICF sub-group’s work has shown there is a real danger that creating a similar site could overwhelm available resources – especially in law enforcement – leading to disenchantment with reporting because of the lack of any tangible response. A key issue is the need to educate potential reporters of incidents on what to report to whom. The Home Secretary’s Task Force wants to provide somewhere to which people can report behaviour (chat, emails, websites, etc) that actually or potentially threatens children. The ICF has recognised the need for somewhere to which people can report other specific types of criminal activity such as auction fraud, fraudulent web sites, and the like. But the owners of PCs or small office or business systems rarely have the expertise to distinguish between technical faults, malicious attacks or just operator error. The work of the ICF sub-group shows that any reporting system must make it easy for the person reporting to identify the right place to report incidents of different types. It also showed that, if not carefully designed and made available for use under strictly controlled conditions, any reporting centre could easily be overwhelmed, sucking in massive resource to little effect.

Barriers to Dissemination

The process of gathering, analysing and disseminating appropriate information on new and emerging threats and vulnerabilities is currently fragmented and aimed largely at big business. There is no agreement on what level of information should be provided to which constituency, nor on the appropriate means of delivery. There is a need to strike a balance between exposing potential threats and vulnerabilities, possibly encouraging their exploitation, and restricting the availability of such information, possibly leaving people and businesses vulnerable to attack. It is not clear who should make that decision for different types of information/intelligence. For example, UNIRAS has debated whether it should provide a service to industry at large (or even the public at large) as well as to government, and what information it should provide. Similarly, it is not clear whether it is better to provide a service where people can pull down the information at their convenience, or where the information is pushed to them. Most anti-virus software suppliers now offer a free subscription service that alerts people to new virus threats, and this could be used as a model if combined with campaigns to make people aware of the availability of such services. But all this is still dependent on the basic information being made available in a suitable format. A further barrier to the collection, collation and dissemination of information is the variety of formats in which such information is recorded and exchanged. E-crime is an international problem, and requires international cooperation to combat it. There is agreement in some areas on common standards – such as CERTs exchanging information – but there are still major problems in the way information on incidents, and derived intelligence, is shared and communicated across organisations and national boundaries.

There is already much information available on commercial and government web sites about security vulnerabilities, emerging threats, viruses and the like. Most sites also include advice on how to avoid, react to or prevent such incidents. However, the vast majority of individuals and small businesses do not even look for such information – except under exceptional circumstances such as happened with the recent SOBIG virus. And at that point the problems emerge. Ways need to be found to encourage the target audience to access and act on information on such sites – whether through ISPs or popular web sites used for other purposes – hobbies, news and the like. That will also entail looking afresh at the usability of such sites by the majority of the population – not just ICT enthusiasts.

A Way Forward

The reporting problem can be addressed in manageable chunks. But to do so will require co-operation amongst a number of players. We need to distinguish three reasons for establishing reporting mechanisms – although they are not entirely disconnected:

· the urgent need for hard information on the size and nature of e-crime. This is essential if we are to put in place the right levels of skills, resource and working practices and commit to appropriate levels of investment across government and industry to reduce the opportunities for e-crime.
· the reporting of suspicious incidents, vulnerabilities, adversary capabilities and the like, to enable the collection of intelligence, linked to means whereby this intelligence can be fed back to different constituencies to enable them to protect themselves from new threats and vulnerabilities as they emerge – and to product suppliers to address security weaknesses.
· the need to provide the means whereby individuals and businesses can report and support the investigation of suspicious incidents.

Although this paper is focused on reporting structures and methods, there could also be advantage in turning the problem on its head and using the power of the internet and the inter-connectedness of systems to enable pro-active monitoring of behaviour – reducing the need for certain types of reporting. This approach is also discussed.

Current Initiatives

The work of the ICF One Stop Shop sub-group shows that a portal site might be possible that helps a victim decide what sort of incident they have, and where to go to report it. This is already done to some extent by ISP technical support staff when called by customers with perceived technical problems with their internet connection. A first step could be to develop a matrix that shows the different types of information that could be reported and, for each type, how it can be identified by potential sources of the information and which organisations could receive the information for what purposes. This could be used as the basis for a simple guide on reporting that could be widely disseminated.

Potential Quick Win

That the work of the ICF sub-group on the “One Stop Shop” be used as the basis of a joint industry/government group to develop a simple analysis of the types of information to be reported, as the basis of a simple guide on reporting for wide dissemination.

There are already initiatives underway to improve reporting. For example, the National Hi-Tech Crime Unit is setting up an internal reporting system across local police forces in

The NHTCU has introduced a confidential reporting system for business that enables businesses to report suspicious incidents in confidence, without commitment to investigation and with safeguards on respecting commercial confidentiality. This scheme is proving effective and is enabling the NHTCU to improve its intelligence gathering capability. The next step is to incorporate this information into intelligence briefings for, initially, major organisations and government departments such as NISCC. Later, smaller businesses could be encouraged to report, and to receive suitably tailored intelligence reports. The NHTCU and NISCC are discussing the development of joint incident reporting mechanisms. PITO established an on-line site for reporting minor crime some time ago, and has been implementing an agreed strategy to develop this into a more comprehensive portal for the reporting of a wide range of incidents. Significant work is being done to establish the priority policing business areas that will be supported, and a launch strategy is being developed that takes account of the likely demand – learning from the lessons of the Public Record Office and others overwhelmed by hits when their sites were first made available. A key aspect of this work is the recognition that robust and effective back-end analysis processes are needed, coupled with well-structured front-end interfaces that filter reports and direct them to the most appropriate recipients – minimising the need for skilled staff. The particular need to cope with reports from people with little expertise, as described in the companion paper, Addressing the Needs of Small Firms, will make this a demanding requirement. Any automated processes that handle incidents do need to take account of the potential misuse of such mechanisms for criminal purposes – for example, fraudulent reporting for insurance claims.

Recommendation 1

That PITO, NISCC and NHTCU work together to ensure that a seamless portal for the reporting of incidents is developed that meets the needs of law enforcement, of e-crime reporting and of the Critical National Infrastructure (CNI).

There are CERTs, including UNIRAS, and similar organisations, such as SAINT, that act as a focus for reporting vulnerabilities in products and services and other suspicious electronic activities. They provide an intelligence service to business and to the public on current vulnerabilities, threats and the status of countermeasures. However, they rely mainly on reports made direct to them on new threats and vulnerabilities, although CERTs do co-operate and share information internationally. In the short term we need to build on these initiatives. For example, those tracking the incidence of viruses are mainly concerned with ensuring that their products can intercept them and prevent damage to their customers’ systems. They could also collect additional information on the possible sources of viruses, providing that information to law enforcement, who could decide whether to investigate and, possibly, prosecute the virus writer or propagator.

Need for Education & Awareness

Effective reporting is linked strongly to education and awareness. Individuals and SMEs in particular need a better understanding of how to decide the significance of an incident, and where to report what type of incident, as described in the companion paper, Addressing the Needs of Small Firms. Suitable campaigns tailored to specific types of incident may enable new reporting mechanisms to be introduced progressively without overburdening those supporting those mechanisms. The experience of the IWF shows that, given clear guidelines, people can decide what should, and should not, be reported. Government needs to work with law enforcement and industry, especially the product suppliers and the ISPs, to identify different types of incident, and ways of making the target audience aware of them and of to whom to report them. The ICF One Stop Shop sub-group has, with the Home Secretary’s Task Force, made a good start on this and its work and recommendations should be properly funded and supported.

Recommendation 2

That the Government build on the work of the ICF sub-group on the “One Stop Shop” to support a web-site that helps people decide what types of problem they are facing and suggests links and/or contact points that they could use to help address different types of problem. This would be aimed primarily at home users and SMEs. It could be linked with the PITO portal, as discussed above.

Alternative means of establishing information sharing need to be explored. An approach that could be considered for wider exploitation is the WARP (Warning, Advice and Reporting Point) scheme being developed by the NISCC[4]. This has similarities to Neighbourhood Watch Schemes in that it is designed to provide a service tailored to its community, providing early warnings of alerts and vulnerabilities, a trusted focus for reporting of incidents and attacks, and help on finding assistance. It provides a framework within which individual communities can set up their own groups, and through which intelligence can be shared between communities.

Recommendation 3

That the WARP approach developed by NISCC be considered as the model for a broader scheme to encourage local sharing of incidents, information and intelligence within and between communities.

Reporting Hierarchies

We need to separate the reporting of incidents that, in themselves, probably do not deserve specific action from those that demand investigation. It would be unreasonable to report to the police every virus infection or every incident of a “419” contact[5]. They would rapidly become overwhelmed and can do little to help the victim. However, there is a need to accumulate such information for intelligence purposes and to trace the perpetrators. Rapid spread of a virus (such as the SOBIG virus, for example) can severely damage industry and inconvenience individuals. The persistence of 419 contacts will inevitably result in individuals suffering loss – and people who did suffer actual loss from a 419 contact should report it to the police as fraud. The need is probably for a two-tier (at least) reporting process where incidents can be reported for information, and the collected information analysed for trends and to help identify and prosecute the originators of those causing significant damage. An example is that being developed by law enforcement in the

Providing Intelligence

A key aspect of any reporting system is the ability to provide feedback – in particular, intelligence on threats, vulnerabilities and adversary capabilities that allows organisations and individuals to take pre-emptive action when managing risk or planning new business opportunities. Any such process must include incentives for those reporting incidents. This has two implications:

· That there are organisations capable of collecting and analysing information.
· That there are means of getting the relevant intelligence to the right recipients.

The former is already being done to an extent by organisations such as NCIS, NHTCU and NISCC. There is still a need for this information to be consolidated and interpreted in a way that is useful to the commercial world – possibly by the NHTCU. The latter is more difficult to achieve. There are a number of possible routes, including:

· Via WARP communities where these have been established.
· Via other channels such as Chambers of Commerce, industry sector trade associations, and the like.
· Via on-line channels – for example, it could be useful to display a “top ten threats” list as part of the PITO or NHTCU incident reporting web site.

The first two, in particular, could encourage members of such communities to contribute information for the common good, since all in the community would benefit from reliable intelligence. While there is a demand for intelligence that could be provided by commercial services at a price, there are issues of trust that may inhibit take-up. There is also concern that such services would not be attractive to small firms and the like – who operate the vast majority of vulnerable systems.

Recommendation 4

That EURIM facilitate discussions between all interested parties on the development of intelligence analysis and dissemination processes and channels.

Pro-active Analysis

The very characteristics of the internet and modern inter-connected systems could be used to advantage, reducing the need for certain types of reporting. There are commercial organisations that already effectively monitor behaviour on the internet – and services are offered that provide information on current threats and vulnerabilities and on trends in threats. Firms provide services that scan open-source material for information that is potentially damaging or threatening to the organisations using their services. In some cases this activity includes support for public access to this information. An example is the ability to subscribe to virus alert services. It would be possible to extend such activities to include collecting additional information – for example, information not just on the prevalence of viruses but on their possible sources, so that law enforcement could pursue those that are particularly damaging. This would reduce the need for people to report virus infections for intelligence purposes, but it would require there to be processes in place between those collecting the information and those who want to make use of it.

Recommendation 5

That appropriate government agencies (led by the Home Office and the DTI) work with selected commercial organisations on the ways in which existing internet monitoring capabilities could be extended to provide better intelligence and reduce the need for some types of reporting.

ACPO – Association of Chief Police Officers
CBI – Confederation of British Industry
CERT – Computer Emergency Response Team
ICF – Internet Crime Forum
ICT – Information & Communications Technology
ISP – Internet Service Provider
IWF – Internet Watch Foundation
NCIS – National Criminal Intelligence Service
NHTCU – National Hi-Tech Crime Unit
NISCC – National Infrastructure Security Coordination Centre
ONS – Office for National Statistics
PITO – Police IT Organisation
SAINT – Security
SME – Small and Medium-sized Enterprises
Single Office/Home Office
UNIRAS – Unified Incident Reporting and Alerting Service
WARP – Warning, Advice and Reporting Point

© Copyright EURIM 2003
[1] Defined here as “crime that requires ICT expertise during investigation”.
[2] The Center’s Internet Fraud Report for 2002 can be found at www1.ifccfbi.gov/index.asp
[3] The Internet Crime Forum is a joint Government/Law Enforcement/Industry working group that discusses issues of mutual interest relating to hi-tech crime – see www.internetcrimeforum.org.uk
[4] See www.niscc.gov.uk/information_sharing.htm and www.lcwarp.org
[5] “419” is the shorthand for scams originally involving letters requesting help in moving substantial sums of money internationally, with the victim asked to provide seed money to expedite the transfer. They originated in