The international scope and technical complexities of cybercrime have been made abundantly clear by the number of international computer crime stories making headline news recently. The culprits are cybercriminals who are increasingly globalised and organised, and while the UK is well-positioned to fight back, an effective response demands more than any one nation can muster alone.
People need to behave better.... Cynics may disagree, but I believe this is an achievable, albeit long-term, goal.
International cybercrime cases
A two-year effort coordinated by the US Federal Bureau of Investigation (FBI), called Operation Ghost Click, recently resulted in the indictment of seven people for a DNS manipulation scam that generated at least $14 million in fraudulent advertising fees. Six of the indicted were Estonian nationals and were promptly arrested by the Estonian Police and Border Guard Board. A seventh defendant, a Russian national, was not apprehended.
Earlier in 2011, two Latvians were indicted after the FBI and a variety of overseas agencies exposed a “scareware” scam that infected 960,000 computers with fake antivirus software. The two people arrested were in their early twenties. Undoubtedly, there were other persons involved in this particular scam, which managed to cheat consumers out of more than $72 million over three years. There was also the Ukrainian-based scareware scam, known as Innovative Marketing, which is alleged to have generated over $100 million in profits over a slightly longer period.
International cooperation helps impede cybercrime
From these examples, it is clear that since cybercriminal coordination is not limited by national boundaries, international cooperation is essential in the fight against international computer crime and, in many cases, that cooperation is taking place. However, it would appear not all countries are equally proactive in this struggle against organised cybercrime. One reason is victims of cybercrime are often outside the country where the cybercriminals are operating. The cybercriminals may also be generating enough cash to buy immunity from their local law enforcement. This means the fight against cybercrime must take place on multiple fronts:
- International cooperation (such as we saw in the Estonia example);
- Diplomatic pressure to bring more countries on board with such cooperation;
- Domestic efforts by each country to protect its citizens from becoming victims.
In a previous article, I wrote about the need for security awareness at all levels of society. The need for better security awareness was underlined by the 2011 PriceWaterhouseCoopers (PwC) report. Based on the responses of UK executives to the PwC Global Economic Crime Survey, executives agree on the importance of cybercrime awareness in beating cybercrime. However, 45% of respondents said they had no cybersecurity-related training in the last year, and only 24% reported receiving face-to-face training (which was felt, by those surveyed, to be the most effective form of training).
London Conference on Cyberspace
What is the end game in this ongoing cyberstruggle? Must enterprise data always face the current high level of risk? I believe these questions were answered at the London Conference on Cyberspace last November.
The conference was chaired by the Foreign Secretary, William Hague, who put forward seven principles for governing behaviour in cyberspace. One of those principles was, “The need for us all to work collectively to tackle the threat from criminals acting online.” While that seems like a short sentence on which to hang a lot of hope, I found the full text of the chair's statement from the conference to be encouraging. The section titled “Tackling cybercrime” reads, in part:
More examples of international computer crime
419 scam originated in Eastern Europe or Asia
OddJobs Trojan attacked bank accounts in US, Poland, Denmark
Syxem worm caused damage in India and Peru
“The conference identified cybercrime as a significant threat to economic and social well-being, and one which requires a concerted and urgent international effort. As online criminals operate across national borders, all delegates strongly supported the principle that we must work collectively together to tackle the threat from cybercrime and ensure there are no safe havens for cybercriminals. There was strong support from delegates for the guiding principle that what is unacceptable offline is also unacceptable online.”
To paraphrase that last sentence: People need to behave better. I know it sounds simplistic, but if cyberspace is to be tamed and made safe for citizens and enterprises alike, the general level of human behaviour needs to improve. Cynics may disagree, but I believe this is an achievable, albeit long-term, goal.
The London Conference on Cyberspace was a small step in the right direction, and the UK has been successful in guiding international standards in the past. British Standard (BS) 5750 on quality assurance led to the International Organisation for Standardisation’s ISO 9001, and BS 7799 on security controls led to ISO 27001. Maybe setting standards is something we can still do for the world.
About the author:
Michael Cobb, CISSP-ISSAP is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.