Governments can't do it, so Interpol's boss is enlisting the private sector. Rod Sweet reports
It has got to bug a career cop like Ray Kendall that the case was dropped against a 24-year-old college leaver from Manila, charged after the Love Bug wreaked $7bn worth of havoc in the global business community last May.
The ex-computer school student won't be charged under the computer crime act that the Philippines government passed weeks after the event. Nor will he be extradited to the US, despite the eagerness of prosecutors there to welcome him.
Kendall's grandfather was a cop when police coverage was something you took for granted. If your house was burgled, an officer came round automatically. Even that level of service can't be guaranteed today.
Kendall takes it as given that, where the Internet is concerned, no individual government can serve or protect. A life-long policeman who retires this month after 15 years as Secretary General of Interpol, Kendall admits there is no bobby on the beat in the global village to deal with cybercrime.
The problem, he told a recent Internet defence summit organised by venture consultants AtomicTangerine in London, was that there was no international convention governing Internet security. An even bigger problem is that developing a convention with teeth will take years.
"Take any country you want. How long does it take to get a law passed on anything? A minimum of a year," he said in an interview with B&T. "An international convention could take five years." Even then, all you need is one non-signatory country, one citizen with a PC, and the international convention is useless.
In the meantime, clever devils from Toronto to Timbuktu could right now be cooking up nasty surprises to rival the Love Bug.
The real victims of Internet security breaches are in the private sector. The headlines belong to 15-year-olds who manage to swivel satellites round remotely, but the biggest burden is borne by corporations. That's why, in his remaining days at Interpol, Kendall is pushing for a new kind of organised effort that will protect business without having to wait for international political co-ordination.
But what Kendall does need is the co-operation of the private sector. He wants corporations to give Interpol information about the hacks they suffer so it can be analysed and shared with the global business community. It will help disseminate expertise in dealing with hacking and will also act as an early warning system. And early warning systems can't be too early - even the FBI was rebuked for its sluggishness in warning the US government about the Love Bug.
This idea sounds simple enough, but Kendall believes corporations are worried about giving security-breach information away. After all, nobody's got a security problem, have they? A study by Datamonitor to be released this month shows that when it comes to cybercrime, corporations are more worried about the damage to their reputations than their bottom line.
"Relax," says Kendall - you don't get to be secretary general of a 178-country organisation without being a diplomat. He says Interpol technical staff are researching the possibility of a database the private sector can access, and add to, in confidence. "We don't care who's been hit," he said. "We care about how and by whom." As well as private-sector trust, Interpol will need private-sector money. If money were no object, Kendall would have an international database already collating data on Internet crime. The data would be analysed and the intelligence offered to those who need protection.
But Interpol doesn't have the money, or the skills, to set up and run such a system. The private sector does. With the right kind of buy-in from the global business community, the system could be up and running inside a year, according to Kendall.
Interpol's main value-add would be co-ordination. There are plenty of initiatives on Internet security around, but they're all over the place. At Okinawa the G8 countries agreed to look into the problem, and Kendall says the UN, the OECD, the EU and the Council of Europe have all launched their own initiatives. Diverse groups, from India's National Association of Software and Service Companies to the US General Accounting Office, have all clamoured for action.
Kendall believes that private attempts to offer a single point of intelligence, such as the US-based I-4 (International Information Integrity Institute), won't have the reach a well-managed, global public effort would.He also argues that Interpol should take the lead as the UN has neither the experience nor the comms infrastructure that Interpol has been developing for years in order to, for instance, distribute intelligence on drug traffic routes gathered from the latest seizures.
Interpol's main priorities remain organised crime and terrorism. But it's a testament to the real threat of cybercrime that in his last days at Interpol Kendall wants to prepare the ground for a co-ordinated, public-private effort for his successor to take up.
Private sector trust and co-operation are the key to success, he says. "Otherwise we risk not getting our act together."
More information at: