Electronic Crime: The New Zealand Police Experience; speech by Commissioner Rob Robinson

NZ Police Commissioner Rob RobinsonAddress to the Plenary Session of the NetSafe: Society, Safety and the Internet Symposium10am to 10.30am, Tuesday 12 February 2002IntroductionCo-chairs John Hosking and Howard Broad, members of the Internet Safety Group and conference delegates.Thank you for asking me to address this plenary session of the NetSafe conference.You’ve just heard from my colleague Barbara Etter on some of the high level findings on electronic crime.This morning I want to pick up on the themes from Barbara’s address by talking about the operational issues facing New Zealand Police in the electronic crime area.I’ll finish with a few thoughts on the question – where does responsibility for Internet safety lie, and what can we do?Setting the Scene: Electronic Crime in New ZealandBut first, let me give you a quick overview of the New Zealand scene.Internet UsageDomaiNZ reports approximately 50,000 hosts registered in New Zealand, of which 21% are used for email only. According to a Neilsen/Net Ratings survey dated July 2001 , there are an estimated 1,747,203 Internet users in New Zealand, of which 1,015,577 are active accounts.Wellington is the most connected city in New Zealand according to AC Neilsen, with 44% of households connected to the Internet. Christchurch is second, with 41% of households connected, followed by Auckland at 39%. Overall, 27% of New Zealand’s households are connected to the Internet. NZ Police and Other AgenciesNew Zealand Police, the Department of Internal Affairs and the New Zealand Customs Department are the three main agencies involved in electronic crime detection and investigation.Nearly a dozen other Government agencies, as diverse as IRD, the ACC and the Ministry of Education, also deal with computer related offences.There is a growing private sector capability in the area of electronic security and investigation.A range of specialist organisations provide services to protect technical infrastructure or investigate instances of electronic crime; including traditional consultancies that provide risk management services.As you can see, New Zealand Police is just one of a variety of partners. Our contribution is part of quite a large picture.Besides our regular investigators who deal with matters like fraud or sexual offending that might have an electronic component, New Zealand Police also has an electronic crime detection capability.We have Electronic Crime Laboratories in Auckland and Wellington and we’re in the process of establishing one in Dunedin. Until recently our Electronic Crime Labs had four specialist staff. We’re increasing that to 17.So what is the current level of electronic crime in New Zealand?For reasons I’ll come to later, it’s quite difficult to get an accurate picture.However this table gives you an idea of the volume and nature of the work dealt with by my Electronic Crime Lab staff.You’ll see that the number of items examined has risen from 3,303 in 1998 to nearly 7,900 last year. This includes things like computer disks, CDs, hard drives, mobile phones and laptops seized during investigations.The total number of cases handled last year was around 660.ECL staff deal with offending from all categories, and this table shows some of the file load:- Drug Offending 14%- Frauds 10%- Homicide 14%- Sexual Offending 8%- Burglary 5%- Indecent Publications 3%The rest of the work comprises assaults, arson, bomb threats, Telecommunications Act breaches, intimidation and threats, thefts, and signal processing jobs such as voice messages generally relating to domestic incidents or crimes against the person.As the staff put it: "It would be fair to say that with very few exceptions, if it’s an offence, we get to see it."This points to the fact that New Zealand Police have not so far dealt with an overwhelming number of cases of ‘pure’ electronic crime. The type of offending we’re mostly seeing is where new technology has been used in the commission of traditional types of crime, such as fraud, drug dealing, extortion, harassment and paedophilia.Every major investigation now has an electronic component to it, with people using mobile phones, laptops, Palm Pilots and other electronic equipment as a matter of course in their daily lives.Auckland ECL staff have been involved in every homicide investigation in the region for the past two-and-a-half years.Three cases illustrate the breadth of electronic issues we’ve encountered.NZ Police Case StudiesBouwer HomicideThe high-profile Bouwer homicide is a prime example of how technology is playing an increasingly important role in serious crime investigations.Dunedin psychiatrist Dr Colin Bouwer was a high user of the Internet for both research and personal purposes. Ultimately it contributed to his downfall.Both before and after his wife Annette’s death from complications surrounding her drug induced hypoglycemia, he used the Net to garner quite specific information on the drugs implicated in killing her.His initial forays were into websites used by the medical profession to describe patients’ symptoms and ask other doctors for suggestions.Dr Bouwer asked for information on a group of drugs known as sulphonylureas, used in the treatment of diabetes related illnesses. He was specifically interested in finding out how sensitive toxicology testing was for the presence of these drugs.A trip to South Africa after Annette’s death also contributed to Dr Bouwer’s downfall. He emailed his lover in Dunedin asking about the progress of the case against him.When it was all pulled together, the electronic evidence presented at Dr Bouwer’s trial proved compelling. A guilty verdict was entered against him.Southland PaedophileAs we’re all well aware, paedophiles were early adopters of the new technology.Last year my staff dealt with a 56-year-old Southland man who had thousands of pornographic images on his computer. He’d downloaded most from the Internet, but some were of two local girls aged seven and eight.The evidence extracted from his computer was sufficient to bring a guilty plea to three charges of rape and 22 other charges of sexual offending involving the two girls. The man was an old and trusted friend of the girls’ families. The parents didn’t suspect anything untoward until one of the youngsters revealed what the man had been doing after Police Youth Education Officers delivered their child abuse prevention programme "Keeping Ourselves Safe" to her class. Operation Troy One of the cases of electronic offending we’ve dealt with involved a Wellington 17-year-old who was caught hacking.Operation Troy began after an Internet Service Provider contacted my Wellington staff over irregularities with a customer’s account. The ISP discovered someone else was using the account and my staff traced the phone number. The hacker had used a computer virus to gain access to the computers of a large number of the ISP’s customers.My staff executed a warrant on the young man’s home. He was arrested on a fraud-related charge.Other OffendingThe other types of electronic crime we’re seeing involve people sending anonymous, harassing or abusive email. The potential dangers of buying items from suspect sites on the Internet, theft of credit card numbers, and Internet scams have been well publicised.Yet we need to keep things in perspective. Millions of electronic transactions are conducted every day and the vast majority take place routinely and without criminal involvement. It would be very easy to over-hype the fear of electronic crime and to downplay the huge benefits of our increasingly electronic age. Investigative ChallengesThe proliferation of technology has certainly brought investigative challenges, and Barbara has alluded to some of them.Under ReportingOne of the difficulties we face, along with law enforcement agencies internationally, is that it’s difficult to get an accurate picture of the extent and impact of electronic crime.One of the reasons is that a significant amount of offending is simply not reported, and some may not even be detected. Do people really know what’s happening on their sites?Law enforcement agencies have always dealt with some degree of under reporting of criminal activity. Electronic crime may now be the most under reported form of criminal behaviour.This is because the victim may be unaware that an offence has taken place, or that the attack or intrusion constitutes a crime. Corporates, and in particular financial organisations, are reluctant to report electronic crime because of possible damage to reputation and loss of customer confidence.The annual American Computer Security Institute survey cites Internet connections as the most frequent point of attack, followed by internal systems. Only 36% of respondents reported to law enforcement agencies intrusions into their systems last year, although this represents an improvement on previous years (25% in 2000, and 16% in 1996) .LegislationLegally, we also face some difficulties although the situation will improve later this year. At the moment, hacking and several other harmful electronic activities are not illegal in this country.Fortunately this will change when the Crimes Amendment Bill No 6 comes into force on 1 June. It contains a range of new computer crime provisions.It will soon be an offence to access a computer without authorisation; possess hacking programmes with intent to use them to commit a crime; and to deal in hacking programmes. Denial of service attacks will also become an offence.This new legislation is one of the reasons why we are recruiting more Electronic Crime Lab staff.We need to expand our capability to respond to electronic crime and to meet the greater demand for forensic examination of electronic devices.Unregulated DomainThe Internet is still a largely unregulated environment, and this also presents challenges. Internet Service Providers, for example, are under no legal obligation to store information that might help law enforcement agencies investigate electronic crime; or to restrict the flow of indecent or potentially dangerous information.Some New Zealand ISPs host sites carrying pornography, information on terrorism and how to make bombs. They are providing the capability for people to import and distribute some very offensive and dangerous material.A recent example saw a Californian website post three graphic forensic photographs of a Tongan man who was murdered with a machete in Otara in 1988. The photographs appeared to have come from an exhibit booklet produced at the trial. They were not a pretty sight. This highlights some serious issues. The images breached normally accepted standards of good taste and decency. Anybody could access them. I felt very sorry for the victim’s family, who were again confronted with their loved one’s murder nearly 14 years after the event.After a public outcry from New Zealand, the owners of the website took the photographs down.I make the comparison with the physical world. We don’t allow graphic photographs to be published for general consumption in hard copy form. Nor do we let people bring hard core pornographic material across our borders. As a society we’ve agreed it’s negative and harmful. In my view, ISPs have the ability to act as good corporate citizens and maintain certain standards within the industry. I appreciate this may be easier said than done, and there are some technical complexities involved. However I’m urging ISPs to make sure they’re aware of just how their services are being used, and to take a responsible attitude to the products they sell. This is a controversial area, and I suspect the debate will continue for some time. Evidence CollectionWe’re also facing a whole new ball game with evidence collection. Electronic evidence is volatile and transient. Delays in securing it can lead to its destruction as log files, emails and other key data are modified, overwritten or deleted.Crimes committed on electronic devices don’t include collateral or forensic evidence such as eyewitnesses, fingerprints or DNA.Besides the basic investigative steps, electronic investigations require new types of questions to be asked, new clues looked for and new rules followed concerning the collection and preservation of evidence. Whose Responsibility is Safety?I’d now like to turn to the question of safety.Prevention is Better than DetectionThere is no doubt the electronic environment has created huge opportunities for the advancement of business, society and individuals; and for exploitation by criminals. While New Zealand Police will always attempt to detect and apprehend criminals to ensure community safety, enforcement alone won’t be enough.Given the Internet’s unregulated, global nature and the difficulties I mentioned earlier with evidence collection, prevention is becoming increasingly important.As a recent Australasian crime scoping paper put it:"Clearly, whilst an adequate law enforcement response capacity must be maintained, the main thrust of any law enforcement strategy for dealing with electronic crime must be one of prevention." Therefore my message here today is pretty simple: "Prevention is better than detection". You can draw the analogy of swimming between the flags. The chances of drowning are reduced if you adopt prudent measures. You can’t remove the risk entirely, but you can mitigate it.Calvin Coolidge had a nice turn of phrase when he said: "I sometimes wish that people would put a little more emphasis upon the observance of the law than they do upon its enforcement."Everybody must play their part – businesses, Internet Service Providers, parents, educational bodies, consumers, Police and other government agencies.To put it another way, each of us must take responsibility for safety in our professional and personal lives.The first step is to make people aware of the potential dangers.E-Crime Prevention for BusinessBusinesses, and any organisation with the capability to connect electronically, must adopt responsible risk management strategies. They have a duty of care to customers and stakeholders to manage risk. As an aside, New Zealand government, private sector, academic and voluntary agencies were surveyed last year to assess their capability to combat electronic crime .Early analysis of the results show most organisations concentrate on preventing hacking with little focus on electronic crime in general.Many organisations have no specific technology focus; there are few specialist staff; and there is low and inconsistent use of protection and prevention technologies. Users without advice or knowledge are at risk.This highlights the point I made earlier – that we must begin to view the electronic environment in a similar way to our physical surroundings.Most organisations install physical security measures as a matter of course. The same approach needs to be adopted in the electronic environment.There are many services available to help organisations protect themselves and their customers. Private security firms and management consultants are a source of good quality risk management, capable of advising on computer security.I expect that as the awareness of Internet issues grows, safety will bring a competitive edge. Just as some car companies charted a new course by developing sophisticated safety features and promoting them in their advertising in a bid to attract customers, so organisations with an Internet presence will follow.Ultimately, the successful and long-lived traders will be the ones whose sites are safe to use. People need assurances that their money will be protected, and trust will become an important competitive edge.It’s also good insurance for organisations to be proactive with their own security rather than waiting for the Government to act when something goes wrong. The cost of recovery is huge.A Reuters story suggests US corporations spent an estimated US$12.3 billion on cleaning up damage from computer viruses last year. Some predict viruses and worms could cause even more damage in 2002. E-Crime Prevention for IndividualsConsumers too, must take basic crime prevention steps. We need to be cautious with our financial details. If possible, we should deal with companies we know, or large companies with a track record. If we’re giving out credit card details or dealing with banks, it’s sensible to make sure the connection is secure.Up-to-date virus scanning software is an absolute must, now that some viruses allow hackers to take complete control of computers.Adults, teenagers and quite young children are now entering into on-line relationships where they are disclosing personal details to complete strangers. Again, let’s look to the physical world. We might not tell a person we’d just met in a pub our personal details, but put some of us in front of a computer and we disclose all sorts of things that could potentially put us at risk.All I’m asking is that we adopt basic crime prevention measures.We lock our houses and cars, and mostly we don’t leave our wallets lying around. We wouldn’t let our young child play unsupervised in a park at night. So why let our guard down just because we’re operating in the electronic environment?Role of the Education SectorThe education sector can play a significant role in helping to keep young people in particular safe on the Net. I’m encouraging everyone in the sector to think about the steps they can take.The Internet Safety Group is doing a great job educating young people and schools about how to keep themselves safe while using the Internet. Yours is the first national Internet Safety initiative in the world, and I congratulate you on the effort you’ve put into it.I’m also pleased to see that my Police Youth Education Service staff are working cooperatively with the ISG to help schools with Internet safety advice. All Police Youth Education Officers have been supplied with copies of the Internet Safety Kit. Liz Butterfield will be training them, and she’ll also become a regular contributor about Internet safety in YES newsletters. Internet safety is particularly relevant to the Keeping Ourselves Safe programme. I’ve already mentioned the case of the little girl in Southland who was able to tell her parents about being abused after receiving a KOS lesson.When the Year 7 and 8 programme was last revised, a video vignette and classroom activities were included about the unsafe use of the Internet and personal computers. Police and the Internet Safety Group will look for opportunities to include further Internet safety information during the revision of the secondary school programme currently taking place. As we’ve heard from Barbara, cooperation and partnerships are the way of the future.Looking to the FutureInter-agency liaison and relationships will also play a significant role in the Police approach to electronic crime.As I mentioned earlier, we are one of many organisations with an interest in this area.We will continue to develop strong relationships with other agencies, both here and internationally, and build our capability to detect and investigate electronic crime. We are part of the research work Barbara is coordinating, and we’ll continue our involvement as it provides valuable input into our strategy and policy development.And we’re committed to implementing the Australasian E-Crime Strategy she spoke about.GCSB Centre for Critical Infrastructure ProtectionTwo specific initiatives underline the fact that information-sharing and inter-agency relationships are integral to New Zealand’s overarching approach to electronic crime. Last August the Government announced the formation of a Centre for Critical Infrastructure Protection (CCIP) within the Government Communications Security Bureau.The CCIP will be dedicated to providing advice and support to protect New Zealand’s critical infrastructure from cyber threats.It will have three main roles:- Providing 24 hour, seven days a week "watch and warn" advice to owners of critical infrastructure and to government departments;- Analysis and investigation of cyber attacks; and- An outreach and training brokerage function.The New Zealand CCIP will provide a significant contribution to the global effort to protect critical infrastructure – infrastructure that everyone relies on every day – from damage that may be caused through misuse of the Internet .National Cybercrime ForumAlongside this will be the work of groups like the soon-to-be established National Cybercrime Forum. The CCIP will be a member.Currently there is no single or coordinated access to information on electronic crime and its prevention in New Zealand.The Forum will be a neutral coalition of public, private and community interests dedicated to increasing awareness and education; ensuring that electronic crime issues gain a high public profile; and fostering relationships between contributing organisations.Once the Forum is operating, New Zealand will be one of the few countries in the world to have a single electronic crime information channel representing a diverse spectrum of interests.New Zealand Police will be fully involved in the Forum, as we believe it has an important role to play in electronic crime prevention. ConclusionIn conclusion, there is no doubt that electronic crime will continue to grow in scope and impact over the coming years. New Zealand Police and other agencies are rising to the challenges presented by the new computer-rich environment. However our work is only part of a much bigger picture. A cooperative approach from all parties is fundamental to a successful response to electronic crime.We must pool our resources and work together on education and prevention. As I said earlier: "Prevention is better than detection". Conferences like this make a valuable contribution to that collective effort, and I thank you for offering me the opportunity to take part.ENDS