|
|
E-Crime Forum 2001 : Council for Security Co-operation Asia and Pacific, Transnational Crime Working Group - New Zealand PoliceCouncil for Security Co-operation Asia and Pacific Transnational Crime Working GroupSub Group ReportCybercrime and its Effects on the Asia Pacific RegionAuthors
Executive SummaryKey Assumptions
IntroductionInformation technology is an integral part of the daily lives of a significant portion of the Worlds' population. Whether people have a computer at home, use banking services, or simply receive electricity supplies, people are reliant on technology. At the same time governments and entrepreneurs see opportunities for significant economic development through increased use of information technology, and a technology aware population, that have direct connections to domestic and overseas markets via the Internet. Thus, critical infrastructure and the information economy must be protected, and not become vulnerable to crime. A safe and secure environment will enhance trust and confidence, and contribute to a stable and productive society. Accordingly, police and other regulatory agencies need to consider how best they can meet the needs of government, the private sector, and society by providing effective crime prevention and enforcement services in the electronic era. In the non-electronic environment, national security, law enforcement and crime prevention are not the sole domain of the military or the police, but are shared among private, public and non-governmental organisations. An initial challenge for all agencies is achieving functional equivalence in their response to traditional crime committed in the electronic environment. The responsibility of agencies to protect nations and uphold the rule of law does not change, but some of the practices and responses to crime need to move in step with technology developments and the new global culture. The challenges of electronic crime are enormous and no agency or nation can realistically expect to deal with the problem alone. Thus, the recommendations of this CSCAP Working Group on Transnational Crime needs to be linked within the context of the actions of other international initiatives to mutually protect critical infrastructure, and keep our communities safe. Some of the challenges posed by electronic crime are its global reach, speed, volatility of evidence for investigators, anonymity, and potential for deliberate exploitation of sovereignty and jurisdictional issues. In addition to the growing challenge posed by electronic crime, existing defense and police service delivery must continue for traditional national safety and criminal offending incidents. However, it is recognised that as technology becomes even more pervasive, traditional threats will increasingly involve aspects of technology and electronic crime. Critical Success FactorsThe success of any Regional initiatives to make cyberspace a safer place will only achieve their objectives over time, and with ongoing explicit support through:
Priority IssuesCSCAP can usefully assist Regional government initiatives by providing views on what the priority issues are. These have been identified as:
ContentsExecutive Summary Introduction Background to Cybercrime Definitions of Cybercrime Risks Posed by Cybercrime (Incl a paper by Rino Fransico) Cybercrime in the Asia Pacific Region (Incl a paper by Jonathan Boxall) Identity Theft and Examples Role of Government in the Cyber Environment (Incl a paper by Juan Ronderos) Other Views – Privacy, Personal Information, and Stifling e-Commerce Solutions Conclusion References IntroductionIn 1991 a group of hackers were arrested after a prolonged 2-year investigation into the penetration of hundreds of systems throughout the world. After examination of their systems it was discovered that they were responsible for 50,000 intrusions targeting industrial, commercial and financial organisations and trading that information for profit to ‘information brokers’. This was a landmark in hacking investigations as it was realised that information itself was a cash crop put out for sale and tender to third parties (Austen, 1999). Society is increasingly relying on new information technologies and the Internet to conduct business, manage industrial activities, and engage in personal communications. While these technologies allow for enormous gains in efficiency, productivity, and communications, they also create vulnerability’s to those who wish to take advantage of new situations. (Vatis, 1999). In the past four years, the computer chip has gone from 1.1 million transistors to 120 million (Intel engineers believe they can reach 400 million and, beyond that, 1 billion before they run out of silicon gas), and supercomputers from 256 billion moves per second to an incredible 1 trillion. By coupling supercomputers, scientists and engineers have achieved 10 trillion operations per second. The latest desktop personal computers have now acquired the speed of yesterday's supercomputer.
BackgroundThe FBI estimates that electronic crimes are running at many billions of dollars a year. Some estimates say that only 17 percent of companies victimised report these intrusions to law enforcement agencies, as they are concerned with protecting consumer confidence and shareholder value. They say that reporting cybercrimes exposes them to leaks and that there is no substitute for constantly enhancing their own defensive electronic security (Webster, 2000). Some commentators note that not only are the traditional prerogatives of national sovereignty being challenged by the information revolution, but, they are disappearing rapidly in cyberspace. The nineteenth-century model of an independent state has become one of trappings rather than substance. Information technology is also eroding structures that have long served as information filters for the people they rule or govern, thus constraining the actions of officials within government structures. The Internet is already its own global state, with its own economy and its own digicash, and is starting to change the way the world economy functions. Direct sales over the 'Net are expected to reach $5 trillion in the United States and Europe by 2005. Public funded law enforcement is stymied by territorial laws and frontiers that are not even lines on the map in cyberspace. Budget-constrained government agencies average about 49 months to order, acquire, and install new computer systems vs. about 9 months in the private sector. Criminals can purchase state-of-the-art technology as soon as it becomes available. The ability to network has far outpaced the ability to protect networks. Large portions of the World’s economy are totally dependent on computer systems. Security is no longer defined by armed forces standing between the aggressor and the homeland. The weapons of information warfare can outflank and circumvent military establishments and civilian infrastructure. The new pervasive tools of information technology blend truth and fiction in ways not easily discernible to decision-makers. Cyber terrorists clearly perceive a new global reach for their activities. Using the tools of information warfare, terrorists can overload telephone lines with special software; disrupt the operations of air traffic control as well as shipping and railroad computers; scramble the software used by major financial institutions, hospitals and other emergency services; alter by remote control the formulas for medication at pharmaceutical plants; change the pressure in gas pipelines to cause a valve failure; or sabotage a stock exchange. More and more groups of activists and extremists have their own Web sites, from the Marxist left to the neo-Nazi far right — interfacing with like-minded individuals in a process that bypasses national governments, unbeknownst often even to their intelligence services. A national protection plan cannot be accomplished without private and public partnerships because many of the key targets for cyber attack — power and telecom grids, financial flows, transportation systems — are in private hands. Such a partnership is a prerequisite of designing and developing a defense system to protect both the private and the public sectors against critical infrastructure attack. These partnerships extend beyond humans to the technology itself (Webster & Borchgrave, 2000). DefinitionWhat is Cybercrime? The term is young and there are many definitions being developed as the issue gains political and public saliency. For this report a broad definition is used: Various types of offending behaviour directed against computer systems, networks or data. The term has multiple applications and the following typology describes a range of cybercrime. The popularised terminology for each category is also listed in italics. Crimes Against Persons - includes Cyber stalking and Spamming,
Crimes Against Property – includes Hacking, Cracking, Page-jacking and Virii
Critical infrastructure is characterised by computing and telecommunications equipment, software, processes, and people that support the processes as well as the data itself (NIPC Web, 2000). The major components of infrastructure include:
Potential Risks from CybercrimeGeneral International Risks Not since the advent of the atomic age in 1945 has the World confronted such pervasive methods and weapons that have the potential for altering the way crime is committed or wars waged. Most commentators agree that as almost all aspects of modern infrastructure rely to some extent on electronic systems, a cyber attack on critical infrastructure should be rated as having the most serious of consequences. Specific Risks to the Asia Pacific Region Different national laws for the prevention of computer crime can lead to "data havens" or "computer crime havens". The vast geographical area of the Asia Pacific region, its’ array of cultures and languages, and varying levels of economic and technological development increase the difficulty of attaining regional harmonisation of laws and procedures. The effectiveness of increased surveillance and investigation of electronic crime is open to debate, however, the Asia Pacific region needs to be seen to be active, and on top of the cybercrime issue to build consumer and investor confidence. The recent connection of the “ILOVEYOU” worm to the Philippines resulted in international caution over business dealings with not just the Philippines, but other countries in the Region. Philippine born, but US based, computer expert David Paraiso has noted an increased reluctance from big companies to deal with Philippine and Asian IT groups immediately after the “Love Bug” incident. The existence of so called cyber havens within the region would not be a good look for multinational companies contemplating investment here, and thus the economic risks from allowing cybercrime havens are seen as high. According to Miyawaki (1999), until now, if Japanese thought of cyber terrorism at all, they have trusted Japan's National Police Agency (NPA) to take care of it. But though the NPA is capable, this low-level domestic approach simply will not be sufficient in the event of a determined, coordinated cyber terrorist attack. He warns that Japan's leaders must be made aware that they are "emperors without clothes," that they do not know what they need to know about the impact of advanced technology on Japan. Japan's bureaucrats must be urged to break loose from their ministry's narrow mindsets, and to abandon old regulations that have held back technological change. At the corporate level, Japan's corporate leaders must begin to view information security comprehensively, not just as part of network security, and in their firms, they should designate a senior executive as chief security officer. Miyawaki’s concern for Japan may also ring true for other nations in the Region, thus providing further impetus for this Working Group to focus attention and thinking on the topic. Cybercrime and National DefenseDefense establishments are now undergoing radical transformations that promise armed forces that are faster, more responsive, more accurate and deadlier than their predecessors. Because of these advances, many experts are already predicting that warfare will reach levels that were previously thought off as science fiction subjects. However, the very tool that made defense establishments more formidable also carries the seeds of their potential destruction. Because of their dependence to computer systems, they are now vulnerable to cyber crimes and cyber- terrorism. Rino Francisco of the Office of Strategic Studies in Manila contemplates some of the big issues of cyber defense in the following paper. Cyber Crimes and Cyber Terrorism: The New National Security ThreatTraditionally, cyber crimes and cyber terrorism were considered to be threats properly addressed by law enforcement agencies. However, the growing dependence of defense establishments and military forces to computer systems makes them open and vulnerable to these types of attacks. For example, in March 1998, two 16 year-olds were able to gain access to the US Department of Defense’s (DOD) unclassified network, while in 1997, a 19-year old British student was fined for hacking into a US Air Force computer system “as a schoolboy prank”.i
In the United States, the increasing danger and vulnerability of these institutions was highlighted by a tremendous increase in computer security related incidents from six in 1988 to 8,269 in 1999, according to the US Computer Emergency Response Team.ii Furthermore, a test conducted by the US’s Defense Information Systems Agency (DISA) revealed that 90% of the DOD’s 9,000 computers assessed can easily be broken using tools available in the Internet.iii
Concern to such cyber threats drove the Pentagon to issue Defense Condition (DEFCON) style warnings for computer attacks. In the aftermath of the spread of the Love Bug Virus that affected, among others, military computer systems world-wide, the former decided to implement the posting of what it termed Information Condition (INFO-CON) Alerts in response to a possible computer attack.iv Awareness to the threats to national security posed by cyber criminals and terrorists is not limited to the United States. Technologically advanced countries in the Asia-Pacific region are also paying attention because of the widespread use of information technology by their defense institutions. Among these countries are Japan, Taiwan, South Korea, China and Israel. Cybercrime related activities can be loosely classified into two broad categories: one is related to the destruction or corruption of electronic data through the introduction of viruses into their system or an electro-magnetic pulse attack, which is a familiar element in nuclear war scenarios; the other involves the unauthorized accessing of data through hacking. The case of the “love bug” virus is an example of the first category. The case of the US DOD hackers exemplifies the second category. A growing trend in hacking activities involves its use as a tool for espionage, whether military, political or industrial espionage. The illicit gathering of information may be classified into three types: opportunistic or free-lance, where the perpetrator sells secrets to the highest bidder; outsourced, where a company or government contracts out the collection of information, and; state-sponsored, where the government uses its resources (particularly its intelligence service) to do the information gathering activities themselves.v Clearly, cyber crimes and cyber terrorism have come a long way from being merely a police problem to a national security concern. The growth and spread of information technology has become a double-edged sword for defense establishments. While IT can provide armed forces with new capabilities that greatly increase their effectiveness and potential, the same technology can neutralize or destroy these capabilities. Worse, even an individual now has the ability to seriously affect technologically advanced military forces. All he or she needs is the knowledge of how information systems work. From Cyber Crime to Cyber WarIn the 1998 book The Next War, authors Caspar Weinberger and Peter Schweitzer wrote a scenario of a future Asian war in which weapons such as computer viruses, logic bombs and other cyber weapons were used. Their targets: not the enemy’s fighting units but their command centers as well as civilian transport, communications and financial centers.vi Although such scenarios are the stuff of future war studies or techno-thrillers, there are already unconfirmed reports that tools of cyber crimes and cyber terrorism were used as weapons of war. During Operation Desert Storm in 1991, there was a claim that the US military shut down Iraq’s air defense system with a computer virus developed by the National Security Agency (NSA) known as AF/91 (supposedly April Fools/1991).vii Several countries have already recognized the threat posed to their armed forces by cyber attacks. Taiwan for one is concerned about China’s growing interest in information warfare, including the development of computer viruses and electromagnetic weapons that could immobilize military platforms and systems.viii As a result, Taipei recently announced that it would conduct a cyber warfare drill as part of its Year 2000 annual military exercise using many of the 2000 computer viruses its armed forces has collected.ix For its part the People’s Republic of China has not ignored the threat of cyber attack either. Such a move is understandable considering that the Chinese Peoples Liberation Army’s Guangzhou Military Region was reportedly the victim of a cyber attack. Apparently an unknown perpetrator infected a virus to the entire computer networks of the South China Sea Fleet and units of the PLA’s Second Artillery. Affected were 85 strategic and combat bases.x Beyond these activities, a number of countries were already or in the process of establishing the very organizational framework tasked to combat computer attacks. The United States Defense Department established the Joint Task Force on Computer Network Defense (JTF-CND) as its first operational cyber defense unit in January 1999. The creation of these units followed discussions on cyber defense as a war-fighting mission.xi Japan’s Defense officials also announced plans to create an organization to conduct research as well as a new unit in its Self Defense Forces to combat hacker attacks. To this end, the Japanese military requested the equivalent of $ 24.8 million for the year 2001 as budget for computer system crisis management. According to one official, this would lay the foundation for the launch of a research institute and a unit to fight cyber terrorism xii Clearly the active involvement of armed forces in cyber attack and defense will be the trend of the future. Cyber warfare might even represent the future of armed conflict. As one analyst stated, it may be for tomorrow’s wars what the Blitzkrieg was to the 20th Century.xiii Perhaps more ironically, the cyber criminals and terrorists of today might be the generals and warriors of the future. Assessment of Cybercrime in the Asia Pacific Regionby Jonathan Boxall of the Australian Federal Police. The Asia Pacific region is increasingly being discussed as a region destined to drive future growth in information and telecommunications technology. With a number of exceptions, most countries are still at a relatively early stage of development compared to Western countries. But factors, including the size of the potential market in the Asia-Pacific region, are seeing this situation change rapidly. While the region’s most populous nations are still at a relatively early stage of participation, on current projections the Asia-Pacific region is expected to account for more than half of global Internet users by the year 2003.
It is not possible to ascribe common characteristics to the Asia-Pacific region as a whole; the experience of countries is varied. Each country has formulated its own response to the development of the information economy, depending on individual circumstances. Some countries have attempted to tightly control the introduction of new technology, while others have encouraged its penetration of their markets and societies. With respect to cybercrime, there are also a range of experiences in the Asia-Pacific region. Despite these differences, a broad trend can be outlined, this being a generally low level of reported incidents but a crime type that is rapidly growing and is of increasing concern to governments, the private sector and the general public.
Countries in the Asia-Pacific region have seen the range of cybercrime reported to Western law enforcement agencies, ranging from unauthorised access to computer systems and criminal damage to e-commerce fraud and the publication of obscene material. Some recent regional examples include:
New technology such as the Internet is also being used by criminals in the Asia-Pacific region to facilitate ‘real world’ crimes. Reported examples have included amphetamine dealers using the Internet to broaden their sales networks, car smugglers in China placing orders for cars from Hong Kong via e-mail and web sites, Japanese gangs recruiting women from the Philippines to work in brothels using web sites and Hong Kong gangs sending intimidation letters by e-mail. From a previously low visibility and priority issue, cybercrime is now beginning to be seriously addressed by countries in the Asia-Pacific region. With future growth and prosperity relying on the development of the information economy, it has been recognised that cybercrime has the potential to undermine consumer confidence in new technology and investor confidence in national markets. In common with international surveys, security has been identified as one of the main inhibitors of the uptake of e-commerce in the Asia-Pacific region.
A number of strategies have been undertaken to counter the rise of cybercrime. The initial focus has been on the provision of a legislative framework to effectively cover new cybercrime offences, which many countries have only recently introduced. While countries such as Singapore, Malaysia, Korea and Japan have cybercrime legislation, a number of other countries do not.
Even where countries do have cybercrime legislation, it has been recognised that it needs to be constantly revised and updated to cope with a rapidly changing environment. Another factor that has complicated the cybercrime legislation has been the need to take into account the balance between cybercrime legislation, privacy concerns and what is often legislation’s main aim – to encourage growth of the information economy by providing increased legal certainty. A final issue in regards to legislation is its application in courts of law, which are in general uneducated in cybercrime issues, including their understanding and acceptance of electronic evidence.
Legislation should not be seen as the panacea to the cybercrime problem. Even with an effective legislative/regulatory framework, cybercrime will often be difficult to investigate and prosecute due to factors such as jurisdictional difficulties and the transitory nature of electronic evidence. But a successful investigative capacity has been recognised as an important element to a broad cybercrime strategy and a number of countries are making efforts to appropriately skill investigators and provide them with the necessary tools to help counter cybercrime.
In addition to skilled investigators, successful cybercrime investigation also requires a number of other elements. These include issues such as multi-agency coordination and cooperation with the private sector, particular Internet and other telecommunication service providers. Many countries have already realised this strategy is crucial to efficiently tackling the cybercrime problem.
Electronic forensics are also set to become an increasingly crucial tool for law enforcement in investigating a wide range of offences not normally considered ‘cybercrime’, where evidence may be held on computers, other electronic devices or computer networks. The need for electronic forensic expertise has not received the same profile as the requirement for skilled cybercrime investigators, but will be an important element to any law enforcement response to the modern information environment.
Corporate and government decision makers also need to be educated as to the risks involved in the information environment. According to a recent survey, over 70% of Asian executives are confident or very confident in the security of their company’s computer systems. Given that vulnerabilities exist in even the most well managed systems, this confidence is likely misplaced. Executives should be encouraged to deal with the issue of cybercrime before it becomes a serious issue that could potentially impact the operation of their company. With government services increasingly being provided online, the same applies to senior government representatives and officials. The approach of the Asia-Pacific region to the issue of cybercrime will be of great interest to the rest of the world, given its growing role in the global information environment. Already, there are increasing reports of cybercriminals from the Asia-Pacific attacking systems in the rest of the world or hackers using Asia-Pacific networks as a conduit for these attacks.
Identity Theft and Fraudulent Use of Personal Information –The Cybercrime of the MomentIdentity and personal information details have long been recognised by private businesses as vital information, after all knowing who your customers are is crucial to a business. Governments too are interested in identity information for electoral roles, taxation and many other State functions. Thus, personal information is collected about individuals from the day they are born, and most people are happy to fill in the many types of information gathering documents presented to them from credit card application forms to statutory declarations. Most, if not all, personal information gathered today is placed on electronic databases. Those databases may be highly secure or not as the case may be, the problem being that hackers, crackers, and corrupt employees of organisations have repeatedly demonstrated their ability to penetrate the electronic defenses of both private and public organisations, and unlawfully obtain the benefit of personal information. As we already know information in an electronic format is easily and rapidly replicated, sent, and disseminated by those who obtain it. Thus the opportunity for criminals to exploit aspects of identity theft are enormous and the impacts of this human security issue is increasing. An indication of the level and nature of the problem is presented in recent news items from around the world. Western Union Web site hacked; credit cards number taken. Hackers stole credit and debit card information from 15,700 on-line customers of Western Union, whose Web site was unprotected while undergoing maintenance. The company began notifying customers of the problem on Friday, when the computer attack was first detected. By late Sunday, Visa International and MasterCard International Inc. had been contacted so that cardholders' accounts could be monitored for possible fraud. AmEx unveils "disposable" credit card numbers American Express today announced a new suite of on-line security and privacy products, the first of which is a "disposable" credit card number for its members. As previously reported by CNET News.com, cardholders using the disposable credit card option will be able to log on to a secure Web site and receive a one-time-use credit cardnumber to make purchases over the Internet. http://www.google.com/search?q= Police are investigating what could be the first Australian case of Internet hacking, designed to jam popular e-commerce sites, after thousands of St George Bank customers were denied access to its on-line banking service. St George spokesman Adam Cooke said the bank started notifying its 120,000 on-line customers of the problem yesterday
IKEA Web site hacked. Furniture company IKEA began
informing on-line customers yesterday that its Web site was
compromised last weekend. IKEA officials in Plymouth Meeting, Pa.,
said the Web site's service to request catalogues on-line was hacked
and that names, mailing addresses, phone numbers and e-mail
addresses were open for the taking. An investigation is under way."
Personal Web data theft flourishing. Bank
account search: $249. Available around the country. Takes 10-18
business days. Ads like this on the Internet are proliferating,
experts say, despite a 10-month-old federal law prohibiting use of
deceptive techniques to get people's personal financial data from
banks.
Eve.com scrambles to assess security breach Eve.com today temporarily shut down its Web site after a security breach exposed customer order information on thousands of orders dating back to last year. The breach exposed customers' names and addresses, products and the dates on which they were ordered, the types of credit cards customers used, and the last five digits of the cards' numbers. http://www.google.com/search?q=Eve.com+scrambles+to+assess+security+breach
Chinese Hacker Invades Taiwan E-Papers, IT
Sites Several Taiwanese electronic newspapers and Web newsletters
published by IT companies were broken into Tuesday by a hacker
presumed to be based in China. The intruder posted messages wishing
the people of Taiwan a happy Mid-Autumn Festival "on behalf of
their compatriots on the Chinese mainland." Mid-Autumn
Festival, a traditional holiday, was celebrated on both sides of the
Taiwan Straits Tuesday. According to news reports, no Taiwan
government Web sites were invaded during the attacks.
Patriotic hacker attacks Guatemalan site.
The country's tax system took its Internet web site out of service
for several hours on Tuesday after an attack by hacker who claimed
to be defending the country's honour. In an e-mail message sent to
major newspapers, "Hack" claimed to have been offended by
a recent story in the daily Prensa Libre which assured that
Guatemala had no computer hackers. "I deny that, not in order
to harm anyone or to gain anything, but simply to clarify that there
are very capable people in our country," the hacker wrote.
On-line fraudsters fleece UK e-tailers On-line crime pays, according to a report published today by Experian. The global information solutions group claims nine out of ten e-fraudsters aren't caught and are simply getting away with it. The survey reveals that when it comes to checking the authenticity of credit card transactions, many of Britain's e-tailers are lax. The survey of 800 British e-tailers found that many on-line authentication systems were wanting and most relied on manual systems to check credit card details.
Software-Sellers Ask Thai ISPs To Police
Web Sites The Business Software Alliance (BSA), a grouping of major
international software companies, on Thursday sought cooperation
from Thai Internet service providers (ISPs) in its fight against
software piracy conducted over the Internet. Now, piracy has shifted
to the Internet, with people using Web sites, e-mail, chat rooms and
other forums to trade or sell software illegally.
August 3, 2000 - Hackers linked to China
stole Los Alamos documents Hackers suspected of working for a
Chinese government institute in Beijing broke into a computer system
at Los Alamos National Laboratory and pilfered large amounts of
sensitive information, including documents containing the word
"nuclear," The Washington Times has learned. The incident
involving sensitive but unclassified data was uncovered by a
National Security Agency computer analyst early last year but kept
secret until now, said U.S. intelligence officials who spoke on the
condition of anonymity.
Hackers close down Myanmar government Web site. Myanmar telecommunications engineers were trying Thursday to restore the military government's Web site after hackers shut it down, a military intelligence officer said. An officer of the Directorate of Defense Services Intelligence said myanmar.com was closed down by hackers Wednesday, but declined to elaborate. He spoke on customary condition of anonymity.
The Role of Governments, Private Industry and Internet Service Providers in Keeping Citizens SafeProtecting the public, the new e-commerce environment, and critical infrastructure in the ‘information and technology age’ raises new challenges for government, industry, and the public. As noted by President Clinton (1999). "Because so many key components of our society are operated by the private sector, we must create a genuine public/private partnership to protect America in the 21st century. Together, we can find and reduce the vulnerability’s to attack in all critical sectors. " However, how far should those partnerships extend, and to what level can public responsibility be encumbered on private companies? Juan Ronderos, CSCAP Canada, and Assistant Director of the Nathanson Center at York University explores some of issues: Information Technology (IT) has influenced the so-called “globalization” process in such manner that many have argued that we are witnessing the emergence of a new global culture that transcends local boundaries. The globalization debate started around 1960 and has produced various theories. Many scholars support the idea that globalization is the result of a new era of human history that has created a particular state of affairs that makes difficult the existence of the traditional nation-state. Other theorists argue that globalization is not something new and that it has existed for some time. Regardless of these contradictory views on globalization, what is new in the last few decades is the speed and medium in which many of the transactions and interaction among people in different jurisdictions are happening. However, it is undeniable that the Internet has brought into the life of many people around the world a new way (interconnectivity) to do business and to relate to others in what has been called the “cyberspace.” Likewise, this interconnectivity has created a problem for the current notion of the State. This interconnectivity poses a challenge to the traditional legal concept of jurisdiction. This challenge is present in many branches of law. Perhaps the most affected is commercial law, tax law, and the most important to this paper—criminal law. In this paper we will examine the issue that arises in relation to criminal activity that happens over the Internet. We argue further that a unique aspect of this form of criminality, and the method of conduction the criminal activity affects every jurisdiction—perhaps not equally, but potentially equally. These criminal incidents are different from those posed for commercial law but have similarities with the issues relating to tax law. Two questions arise: First, is there a need for the State to regulate Internet activity and enforce its regulations? And second, should the State impose certain legal responsibilities on Internet service providers (ISPs) to enforce State’s regulations. The shifting of responsibilities onto private industry and away from governmental authorities may be done in order to relieve the burden on the State, or may be a recognition that only the industries themselves are capable of regulating their own activities—and the activities of others operating ‘on their watch.’ When it comes to tax law and criminal law, the State plays a fundamental role that cannot be substituted by the private sector. In these areas the State must regulate and legislate, and then enforce the regulations and law. In terms of the Internet (cyberspace) it is the contention of this paper that the ISPs hold some responsibility to “watch” the Internet and should be held liable by regulations to report offences when obviously illegal activities happen across their network. To explore how such a regulatory framework may develop the paper examines the development of international commercial regulations. The widespread commercial use of the Internet has created a new way to approach traditional markets through e-commerce.1 New ways of banking using the Internet are now flourishing under the name of cyberbanking. Transactions involving several parties in different jurisdictions are happening almost instantly. These transactions are occurring in the cyberspace, generating a legal challenge for scholars and lawyers in determining the appropriate jurisdiction for commercial grievance. Fortunately enough, since most of these commercial practices are part of private commercial law it is somewhat easier for the parties involved to establish not only the applicable rules but also to select the jurisdiction for eventual disputes. Traditionally, rules for international commerce are set by non-governmental actors, as is the case of the norms for international shipping or INCOTERMS2 and the International Chamber of Commerce (ICC). In case of disputes, it has been an international commercial custom to use arbitration tribunals. The tribunals’ decisions can be enforced by a judicial authority through the particular jurisdiction’s procedures for recognition and enforcement of foreign judgments. While one might question the foundation for the authority of those tribunals, if they are not courts linked to a territory and representing a sovereign state nevertheless corporations affected by these tribunals’ decisions apparently do not question their authority. With respect to the INCOTERMS, they are usually accepted all around the world and they can be argued in many courts without questioning their validity. Therefore, it could be argued that more than likely the Internet will be self regulated with regard to business practices and will find its own ways to air and solve disputes. The Internet and e-commerce generates a great problem for taxation purposes. Take for example the case of an electronic auction company (EAC). A person in Canada wants to buy a monitor from a person who lives in Venezuela and is auctioning several monitors on the electronic EAC, which by the way is located in Nigeria. The person in Canada pays with a credit card issued in the Bahamas to a third company that manages the payments of the EAC. Then the question arises: where did the transaction occur, and who pays taxes and where? This problem has been approached by scholars such as Copeland who argues granting taxing rights on the basis of geographic nexus or national boundaries is no longer appropriate since electronic commerce creates a global market for goods and services where geographic location is rendered irrelevant and national borders are ignored. For this reason, the traditional source/residence dichotomy, used to divide taxation rights among nations, should be abandoned in favour of a unified, global means of taxing electronic commerce. 3 Although it is not very clear in which way such a “unified global system” to tax electronic commerce could be put in place it is certainly an interesting proposal to deal with an evident problem. Making use of some of the same characteristics of cyberspace, the Internet has been turned into a new instrument for criminal activity. Given the large amount of commercial transactions that are occurring in the cyberspace and the fact that many corporations are connected to the Internet, this medium generates a great opportunity for criminals to achieve their ends. However all crime over the Internet ought not to be addressed with similar ‘remedies.’ For example, one must emphasize that many of these criminal actions are not new, in the sense that they were already penalized in many jurisdictions. One example of these types of activities would be fraud. In these cases the use of the Internet is only a new and efficient instrument to commit these crimes. On the other hand, other offences are new and it has been only recently that legislature and courts have been responding appropriately to counter these activities. The criminal use of the cyberspace thus generates even greater challenges for the State and the international community. One example of these challenges is the extradition of a person who has committed an act deemed to be an offence in a foreign jurisdiction but not considered a crime in his/hers native country. Such was the case of the “ILOVEYOU” worm distributed around the world from the Philippines, in which the accused had to be released since there wasn’t any legislation in place that prohibited the act of generating and distributing a computer virus.4
For these types of activities it is undisputable that there should be regulations in place. These regulations would safeguard Internet users from vandalism and criminal activities. N. W. Netanel has argued that selective regulation of the Internet safeguards liberal democratic ideals.5 However, there are a series of questions that arise from this statement. Should each individual State regulate the Internet? Should all the states get together and adopt a universal regulation? And again: who should enforce compliance of these norms? If criminal activity on the Internet—cybercrime—has little relation to local jurisdictions then it would follow that regulation for these activities should have a wider range than that of State laws.
Therefore, the regulation of cybercrime should be carried out by an international effort in order to avoid duplication and incoherence that would only serve the purpose of cybercriminals. This has been the position of the European Union who have proposed an international convention on crime in the cyberspace.6 As to the enforcement of such regulations, the State should remain the main authority since the State is the only one who has legitimacy to enforce penal regulations. In addition, the State is the only body with clear accountability of its actions to it’s public. Whilst the regulations should be a concerted effort of nations, the policing of such norms should remain in the hands of individual jurisdictions, although it may be that local law enforcement will have to recruit or train specialists in order to ‘police’ these kinds of activities. However, it may be the case that eventually we will need transnational law enforcement agencies to deal with these activities. Europol may provide a partial model for a new policing regime. As J.W.E Sheptycki argues, any cross-jurisdictional enforcement agency must be (and seen to be) legitimate and accountable.7 This discussion of enforcement, legitimacy and accountability with regards to criminal activity on the Internet leads us to the final issue—the responsibility of ISPs. While one might argue that regulation should be a combined effort of nations, and should be chiefly enforced by national agencies, the difficulty arises that the Internet has a unique dynamic in the sense that it is composed mainly of private individuals, corporations and associations that freely interact. The State has little presence in the every day interaction in cyberspace. Nonetheless, ISPs have a direct relation with users who ultimately are the ones that can engage in illegal activities not to mention that the traffic of information from their clients flows through ISPs machines. Thus, it would be logical to think that ISPs would be the perfect place within cyberspace to control users and enforce regulations. Should ISPs, being private enterprises, be held accountable to the public and be assigned the burden of watching and enforcing the Internet? One might argue that it is more reasonable to assign a duty to the ISPs to watch and possibly to report but not to enforce. This is due to the fact that ISPs lack the necessary legitimacy or accountability to the public to enforce the law. Questions regarding who they are reporting to, and with what possible sanctions to be applied for wilful non-reporting are left to be answered. The situation appears to be similar to the current debate between the effectiveness of voluntary vs mandatory reporting of suspicious transactions within the financial sectors. The international communities ‘consensus’ on this issue was that financial intelligence units are required in order to process the reported potential violations. Other Views – Privacy, Personal Information, and Stiflinge-CommerceThere is significant debate about the effectiveness and legality surrounding the issue of jurisdiction and regulation of cyberspace. Some of the main themes are provided below as representative of the critique.
``While national governments
are understandably concerned about the recent cases of
cyber-attacks...they should resist the temptation to propose
regulatory measures to address this problem,'' said a statement by
the Global Internet Project, a group of senior executives chaired by
John Patrick, vice president for Internet technology at IBM. ``It is hard to imagine any set of regulatory requirements that would be flexible enough to deal with the wide range of customised solutions developing in the commercial marketplace today,'' he said. The Internet Alliance, which include Microsoft, Deutsche Telekom and Citibank, called for ``the application of existing laws before rushing to create new ones.'' The Global Internet Project said governments should focus on ensuring their own computer systems were secure, cracking down on cybercriminals within their jurisdiction, removing controls on encryption software and sharing secret intelligence on cyberthreats where possible. Arguing that most cybercrime is simply an extension of traditional law breaking, the Internet Alliance argued against some controversial points contained in a draft cybercrime convention being drawn up by the Strasbourg-based Council of Europe. Requirements for Internet service providers (ISPs) to store data for weeks or months if asked ``run contrary to legal protections and would result in the stifling of Internet growth,'' it said. ``What is preferred is a voluntary solution.'' The Alliance also expressed concern that ``law enforcement agencies may be tempted to rely upon industry to identify crime, apprehend criminals and assist in their prosecution.'' If new laws forced companies to ``co-regulate'' the Internet with local police, it added, ``this could lead to the international flight of companies to countries with more favourable regulatory environments (Reuters, 2000)
"It may be possible that the IETF as an organization can modify standards so that it becomes easier to catch cyber-criminals. I think every router can know where the packet comes from and where it goes," he said. "Using that information, you should be able to track criminals." Palme said But routers are not designed to recognize where the packets are coming from, Bellovin said. And logging all the traffic that moves through these routers would be difficult, wrote Schryver. "Searching a 1,000 TByte database on the fly, especially if it is merely a primitive sequential log, would be a serious challenge." And others pointed out that policing is not the IETF's responsibility. "It's not the network's job to do the job of law enforcement," Bellovin said. Attempting to build backdoors -- intentionally designed shortcuts around a security system -- that are only accessible to police would ultimately weaken Internet security, he added. Palme believes that part of the problem is that people do not want to help the police because they are afraid that police will abuse the technology. "Internet people seem to be an anarchistic group very unwilling to accept any kind of government control. The difference could be cultural.” Palme added. "People in America seem more negative toward helping the police than people in Europe," he said. Engineers also are asking questions about the IETF's Guidelines and Recommendations for Security Incident Processing working group, which provides guidelines and recommendations for security incident-response teams. "It's a start; we've proved that getting anywhere in this direction causes a great deal of discussion, and that expectations vary greatly," wrote Harald Alvestrand of the group. SolutionsThere is much work being done on electronic crime by individual nations and groups of nations8. However, given the acknowledged existence of cyber havens and the pervasive nature of the information technology, many solutions rely on regional or global co-operation. None of the below listed suggestions are answerers in themselves. They need to be seen as a range of options, all of which require advancement in concert. Some of the potential solutions are:
The construction of a ‘clicks and mortar’ centre to deal with cybercrime is an increasingly popular solution. The recently established National Infrastructure Protection Center (NIPC) in the USA, and recently approved High Tech Crime Unit in the UK provide examples of significant investments by their respective governments to seriously address (through provision of actual expertise and resource) many of the above listed solutions. Miyawaki (1999) suggests that the expertise of the defense forces should be used. Speaking on his homeland he points to the Information Centre of Japan's Defense Agency. “The Centre has a defined responsibility for national security (which cyber terrorism directly threatens). Though it is new, it has the potential to have access to more high-level technology expertise and technical experts than do most parts of the Japanese Government. In addition Japan needs to establish a quick-response private-sector team that would evaluate and investigate incidents of failure of key elements of Japan's critical private sector infrastructure”. ConclusionThe challenges of cybercrime are enormous and immediate, and no agency or nation can realistically expect to deal with the problem alone. Thus, the role for Asia and Pacific law enforcement needs to be linked within the context of the actions of other justice sector partners, international initiatives, and new relationships with private industries to mutually protect critical infrastructure, manage demand, and keep our communities safe. In particular, these efforts will ensure the Asia and Pacific Region does not become a haven to be exploited by criminals. The development of cybercrime is based on underlying social changes and shifts of paradigms that will continue to exert crucial influence on our regional communities and the law. In particular:
The paper recognises that some of the challenges posed by electronic crime are its global reach, speed, volatility of evidence, anonymity, and potential for deliberate exploitation of sovereignty and jurisdictional issues. Crime prevention is central to successful law enforcement and needs to be equally invested in along with reactive capabilities. The need for structured coordination and cooperation to effectively counter the challenges of electronic crime has already been recognised and put into action by both the United Kingdom and the United States. There is a need to develop a mutual structure to maximise relationships, and minimise duplication of effort and to cater for:
Exactly what such a structure would look like, how it could be funded, and many other issues are not yet well understood. It may take the shape of ‘centres of excellence’ being developed by several countries in the Region that network amongst each other to provide a web of capability and protection for themselves and smaller nations that can not afford the establishment costs of such a resource themselves. ReferencesAustralasian Police Ministers Council (APMC) 1999 Directions in Australasian Policing 1999 - 2002 APMC. Austen, J. (1999) Computer Crime – An Anthology of Cases paper for Computer Consultants Ltd, United Kingdom. Computer Security Institute 1999, 1999 CSI/FBI Computer Crime and Security Survey, Computer Security: Issues and Trends, Winter, Vol. v No.1, Computer Security Institute, San Francisco. Computer Security Institute 2000, 2000 CSI/FBI Computer Crime and Security Survey, Computer Security: Issues and Trends, Spring, Vol. vi No.1, Computer Security Institute, San Francisco. Council for Europe (2000) Draft Convention on Cyber-crime (draft 19) public discussion document, at http://conventions.coe.int, Strasbourg. Dayton Law School Net Page http://cybercrimes.net/International/Articles.html Dr Solomon's (2000) Technical Papers Site, www.drsolomon.com/vircen, visited 10 September 2000. Granick, J. (2000) The Price of Net Defense Cybercrime Website at http://www.zdtv.com/zdtv/cybercrime/chaostheory/story/0,9955,2445900,00.html Geurts, J (1999) The role of the Australian Federal Police in the investigation of high-tech crimes, Paper presented at Canberra, www.afp.gov.au/speeches/hightech.htm visited 12 September 2000. Jiefangjun Bao (Chinese Arm News) March 24, 1998 M2 Presswire (1997) cited in NCIS Project Trawler as 24 March 1997. Ministry of Economic Development (MED) 2000 Statistics on Information Technology in New Zealand 2000, MED, Wellington, www.med.govt.nz/pbt/infotech/currentstats, visited 10 September 2000. Miyawaki, R. (1999) The Fight Against Cyber Terrorism: A Japanese View, paper presented to the Centre for Strategic & International Studies, June 29, 1999. National Criminal Intelligence Service (NCIS) 1999 NCIS Project Trawler: Crime on the Information Highways NCIS and Novell, London. National Infrastructure Protection Center (NIPC) 2000 National Infrastructure Protection Center Home Page, Federal Bureau of Investigation, Washington DC, www.nipc.gov, visited 09 September 2000. National Office for the Information Economy (NOIE) 2000 The Current State of Play: Australia and the Information Economy NOIE, Canberra, www.noie.gov.au/projects/information-economy/ecommerce-analysis/state-of-play.htm, visited 10 September 2000. Netcraft.com (1999) Size of the Internet Survey, www.netcraft.com, visited 10 September 2000. Police Commissioners' Conference Electronic Crime Working Party (1999) The Virtual Horizon: Meeting the Law Enforcement Challenges ACPR, Adelaide. Pound, W (2000) Cyber Holes : A Case for Full Disclosure Cybercrime Website at http://www.zdtv.com/zdtv/cybercrime/chaostheory/story/0,9955,2445900,00.html Reuters News Service (1997) cited in NCIS Project Trawler as 30 April 1997. Reuters Business (2000) Internet industry wary about new cybercrime rules. , Reuters Business Report. Sieber, D. (1995) Computer Crime and Criminal Information Law - New Trends in the International Risk and Information Society Computer and Recht. Vatis, M. (1999) Introduction to Cybercrime National Infrastructure Protection Centre Website Vatis, M (1998) Congressional Statement of the Director National Infrastructure Protection Center Senate Judiciary Subcommittee Papers, 10 June 1998, Washington DC, www.fbi.gov/pressrm/congress/congress98/vatis0610.html visited 9 September 2000. Webster, W (Judge) and Borchgrave, A (1999) Cyber Crime, Cyber Terrorism, Cyber Warfare : Averting an Electronic Warterloo, CSIS Publications. 1 It is important to clarify that this widespread use of the Internet happens mostly in developed countries. There is a major issue of access to this type of technology on developing countries. This is one of the reasons why talking of a “new word” in which everyone is interconnected is not accurate. See “Canada Second in Internet Use” Globe and Mail, Wednesday March 22, 2000 B1. 2 The International Chamber of Commerce issued the INCOTERMS in their first version in 1936. The INCOTERMS are an international set of rules related specially to international trade, and transportation. 3 See “Who will tax the Internet? : the existing rules of international taxation cannot be used to allocate taxing jurisdiction over business income earned in cyberspace” by Thomas Wayne Copeland. Thesis (LL.M.)--York University, 1998. Also available on the Internet [http://wwwlib.umi.com/cr/york/fullcit?pMQ33477] 4 This was due to one of the most important principles of criminal law that says “nullum crimen, nullum poena sine lege.” This is the Latin for “there is no crime and no punishment when there is no law that prohibits the act.” 5 N. W. Netanel “Cyberspace Self-Governance: A Sceptical View from Liberal Democratic Theory” 88 Calif. L. Rev. 395 March 2000. 6 European Committee on Crime Problems (CDPC) “Crime in Cyberspace: First Draft of International Convention Released for Public Discussion” Draft No. 19, Prepared by the Secretariat Directorate General I (Legal Affairs). Council of Europe, April 27, 2000. Available at [http://conventions.coe.int/treaty/en/projets/cybercrime.htm]. 7 J.W.E. Sheptycki, “Law Enforcement, Justice and Democracy in the Transnational Arena: Reflections on the War on Drugs” (1996) 24 International Journal of the Sociology of Law 61-75. 8 Such as the United States National Infrastructure Protection Centre and Interpol initiative. i Julienne Mathonniére, “Educating RITA to Outwit Hackers in Security War”. Jane’s Defense Weekly, 26 April 2000. p. 36 ii Ibid iii Ibid iv Barbara Starr, “Pentagon Initiates ‘Def-Con’ Style Warnings for Computer Threats.” Found at ABCNEWS.com v “Where is All This Leading To? Commercial Espionage!”. Found at the RAND Home Page. vi Caspar Weinberger and Peter Schweitzer, The Next War. Washington DC, 1998. pp. 389-391. vii “Information Warfare”. Found at the RAND Home Page. viii “Taiwan to Tighten Up on Security”. Jane’s Defense Weekly, 12 May 1999. p. 18. ix “Taiwan to Conduct Cyber Warfare Drill”. Jane’s Defense Weekly, 16 August 2000. p. 10. x “PRC Actively Develops Information Warfare.” Inside Mainland China, Vol. 21 No. 7, Issue no. 47. p. 43 xi “US Cyber Defense Task Force is Now Operational” Jane’s Defense Weekly, 20 January 1999. p. 4. xii “Japanese Attack on Cyber Terrorists.” Jane’s Defense Weekly, 1 March 2000. p. 5. xiii John J. Arquilla and David F. Ronfeldt, “Cyberwar and Netwar: New Modes, Old Concepts of Conflict.” Found at the RAND Home Page. |
|
|
