Information security and cybercrime

Ian Brown, Lilian Edwards and Chris Marsden1 Introduction Information systems are increasingly important to the efficient operation of government, corporations and society in general. With that importance has come an increasing risk of information security breaches, compounded by systems networked nature. That makes effective information security a public policy issue of far broader impact than technical information technology (IT) policy. Network and Information Security (NIS) policy making and investment have evolved rapidly, especially since 1999. This evolution has been punctuated at certain points where the necessity of adequate or mature NIS policy has been sharply emphasised by vulnerability to attack or shocks: The Millennium Bug or Y2K programme of 1997-9, which led to a complete inventory of computing inside large organisations, often for the first time since the deployment of the enterprise Personal Computer (PC) in the mid-1980s; Denial of Service (DoS) attacks, beginning in 2001 against Yahoo! and eBay; Business continuity planning in the wake of the attacks in September 11th 2001; Corporate responses to the increasing financial returns for attackers (for example the growth of phishing and the 2004-5 cyber-extortion cases against gambling websites). The continued tendency towards government action to directly confront cybercrime, cyber-terrorism and cyberwar, as for instance with the US 2009 appointment of a cybersecurity czar (sic).

Legislation, policy, government spending and corporate response in the field of information security have been examined by for instance the Organisation for Economic Cooperation and Development (OECD)2 and the European Commission, which has identified three key risks for Internet security: 1. Attackers are increasingly motivated by profit rather than the technical interest that drove earlier hackers with growing interest from organised crime and a sophisticated underground economy in stolen information and hacking tools 2. Mobile devices and networks present a significant new threat landscape, where security is so far less developed than on the personal computer

Respectively, Senior Research Fellow, Oxford Internet Institute; Professor of Internet Law, University of Sheffield; Senior Lecturer in Law, University of Essex.
2

See OECD (2005) The Promotion Of A Culture Of Security For Information Systems And Networks In OECD Countries DSTI/ICCP/REG(2005)1/FINAL of 16 December 2005 at http://www.oecd.org/dataoecd/16/27/35884541.pdf

3. Ubiquitous computing will move computation and networking into the fabric of buildings and everyday things (e.g. through RFID and sensor networks), presenting new vulnerabilities.3 Malware, botnets and other tools for crime The production of malicious software or malware used to attack systems and defraud individuals has soared in recent years. In 2008 security software firm Symantec identified 1,656,227 distinct new malicious programs, an increase of 165% since 2007.4 This growth has resulted from increasing opportunities for fraud, the vulnerability of online services to attacks by botnets made up of huge numbers of compromised PCs, and an underground economy driven by interest from organised crime. The authors of this software, those using it to control networks of compromised computers and acquire and sell on sensitive information, and their targets are located around the globe. The Honeynet Project found in 2006/2007 that Brazil had the highest number of observed bots or compromised machines, followed by China, Malaysia, Taiwan, Korea and Mexico. The controlling servers were located principally in the United States, followed by China, Korea, Germany and the Netherlands.5 However, the distributed criminal networks that have grown up around these tools often include participants close to victims where they can (for example) more easily transfer funds. As the UK Police Central e-Crime Units Sgt. Bob Burls has commented: "It's a myth that hackers are 15-year olds in darkened rooms and similarly that all cybercriminals are overseas. As with drugs, you have major traffickers but also street dealers. Wherever there is criminality there are criminal hierarchies, there will also be local pockets of criminality."6 Conduits for attacks Software: operating systems, browsers and other applications Viruses, Trojan horses and other types of malware typically exploit weaknesses in installed software to gain control of an Internet-connected machine and access data entered by and available to users. This code spreads mainly through e-mail attachments, websites and by directly connecting to vulnerable machines. IT security company ScanSafe found in June 2008 that the number of legitimate websites being compromised and used to infect visitors

Communication on a strategy for a Secure Information Society Dialogue, partnership and empowerment COM(2006) 251
4

Symantec (2009) Global Internet Security Threat Report: trends for 2008, vol. XIV, available at http://eval.symantec.com/mktginfo/enterprise/white_papers/bwhitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf
5

J. Zhuge, T. Holz, X. Han, J. Guo, & W. Zou (2007): Characterizing the IRC-based botnet phenomenon. Informatik Tech. Report TR-2007-010. Available at http://honeyblog.org/junkyard/reports/botnet-chinaTR.pdf
6

I. Brown and L. Edwards (2008) McAfee Virtual Criminology Report, available at http://resources.mcafee.com/content/NAMcAfeeCriminologyReport

machines accounted for 66% of all malware blocked,7 but distribution channels vary in significance as vulnerable software is patched, security software is updated and new weaknesses are found. Just one recent attack on Microsoft Internet Information Services web servers hit around half a million websites.8 Software companies are in a constant arms race with hackers to fix vulnerabilities before they are exploited. Microsoft for example claimed to have disinfected more than 526,000 PCs in the Storm botnet in the last quarter of 2007, but accepts that Storm botnet controllers are "probably out there still making money with some other botnet."9 The frequency with which security problems continue to be discovered in widely used operating system and application software makes it extremely difficult for any adequate level of Internet security to be achieved. Microsoft and other large software companies have made many improvements in their security development processes, but the software market does not seem to be driving the use of well-understood but little deployed security engineering techniques such as dramatic decreases in complexity of the security core of operating systems and much more careful isolation of the potentially malicious code present in Web pages and e-mails. Until software companies are properly incentivised to make a step-change in the quality of their products, law enforcement agencies will be unlikely to have the resources to deal with the resulting flood of e-crime. The use of open source software10 is not a security panacea. While many programmers may be examining source code for flaws, not all open source projects have the resources available to patch vulnerabilities in a timely way once discovered. Attackers are also more easily able to find flaws given the availability of source code.11 Networks Botnets, networks of computers compromised by malicious software, are one of the key vectors for online attacks and criminality. During 2008 Symantec identified 9,437,536 distinct machines in such networks. The largest networks contain hundreds of thousands of machines and are capable of flooding the Internet with more than 100 billion spam messages per day.12 These networks are also used to launch Distributed Denial of Service (DDoS) attacks, where thousands of compromised machines send traffic to a target machine, overwhelming it and sometimes its network connectivity. We have continued to see DDoS attacks conducted against companies and governments, some as part of nationalist political campaigns. The FBI/Computer Security Institute

Scansafe (2009) Annual Global Threat Report 2008, available at http://www.scansafe.com/resources/global_threat_reports2

8 9

Gregg Keizer (2008) Huge Web hack attack infects 500,000 pages, Computerworld, 25 April Gregg Keizer (2008) Microsoft: We took out Storm botnet, Computerworld, 22 April See further discussion in Guadamuz, Chapter X

10 11

Ross Anderson (2002) Security in Open versus Closed Systems The Dance of Boltzmann, Coase and Moore, Open Source Software Economics, Toulouse
12

Joe Stewart (2008) Top Spam Botnets Exposed , SecureWorks, available at http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets

Report 2007 report estimated that up to 10,000 DDoS attacks occur each day worldwide, with the hourly cost of these attacks reckoned between $90,000 for a sales catalogue company to $6.45m for a retail brokerage. Attackers commonly extort money from targets by threatening attacks when they would be most costly at gambling sites just before a major sports event. Presentation sharing site SlideShare was hit in April 2008 in apparent reprisal against users presentations on corruption in China.13 Several tools were released early in 2008 to enable attacks by disgruntled Chinese computer users against CNN in retaliation for their coverage of issues in Tibet.14 During the conflict between Russia and Georgia, DDoS attacks were observed against government and media sites in both countries.15 Attacks were also observed at the end of 2007 between Russian and Ukrainian groups, and against Russian political activist Gary Kasparov.16 We have even seen attacks on the Church of Scientology by the "Anonymous" activist group.17 Payment services Payment services are the route that almost all cybercriminals use to transfer fraudulent gains. These include traditional bank transfers and direct debits; money services such as Western Union; and new payment systems like PayPal. Financial regulation has not kept up with innovations in payments systems, which makes the old policing mantra "follow the money" decreasingly effective in the cybercrime era. London's Metropolitan Police have identified four key types of fraud facilitated by payment services: 1. Online auction site frauds: money is transferred in payment for goods that are never delivered, sometimes to fake escrow sites that do not provide the service claimed of holding payments until delivery. 2. 419/advance fee frauds: Victims receive e-mails promising money in return for helping a fraudster transfer money, upon the payment of a "small" fee that will later be repaid. Once entrapped, victims have been persuaded to pay large fees that are never reimbursed. 3. Lottery fraud: E-mail and letters are sent to victims claiming they have won a lottery. Winnings can be claimed upon payment of a fee sometimes substantial. Victims, often elderly, are commonly further persuaded using telephone calls. 4. Criminal cashback: goods plus fees to a "shipping agent" are paid for using a stolen bank draft or cheque. Once the seller has transferred these fees back to the

13 14 15

Mark Hendrickson (2008) SlideShare Slammed with DDOS Attacks from China, TechCrunch, 23 April Jose Nazario (2008) NetBot Attackers Anti-CNN Tool, Arbor Networks Security, 23 April

Jose Nazario (2008) Georgia DDoS Attacks A Quick Summary of Observations, Arbor Networks Security, 12 August
16 17

Jose Nazario (2007) Political DDoS? Ukraine, Kasparov, Arbor Networks Security, 13 December Jose Nazario (2008) Church of Scientology DDoS Statistics, Arbor Networks Security, 25 January

"shipping agent", they commonly find the issuing bank recovers the draft or cheque, having being duped out of both the goods and the "shipping fees".18 Dupes ('mules') are commonly used as a middle-man to transfer money from victim to fraudster. Recruited as an "international sales representative", "shipping manager" or other fake job, they are asked by fraudsters to receive "payments" that they then transfer internationally after deducting a small "commission." When apprehended by police, the money has long since vanished through a payment system and cannot be retrieved often leaving both the mule and victim out of pocket. A key concern of law enforcement agencies is services that do not allow payments that are the proceeds of crime to be recovered. In a report19 for the US Federal Reserve, Ross Anderson concluded: "Online fraudsters use a variety of nonbank payment services to launder the proceeds of crime. People had assumed that traceability was the key. However, investigation reveals that revocability is more important. Fraudulent payments within the banking system can be pursued and recovered with a reasonable probability of success; but once stolen funds are used to buy transferable financial assets such as eGold, recovery becomes much harder. This suggests that much of the benefit that could be obtained from regulating nonbanks more closely can be got by greater transparency about counterparty risks The current [Financial Action Task Force] rules impose unnecessary burdens, particularly on the poor, while not doing enough to facilitate rapid recovery of stolen assets." Impersonation (identity fraud) is the other main route by which cybercriminals have committed fraud. By gaining access to the passwords required to log-in to online banking services, fraudsters are able to directly withdraw funds from target accounts, or undertake more sophisticated fraud such as pump and dump stock scams. By accessing information such as individuals account details, dates of birth, social security and passport numbers and addresses, fraudsters are able to gain access to funds in existing accounts and new loan and credit facilities. The US Federal Trade Commission in 2007 received 221,226 Internet-related fraud complaints totalling $525,743,643.20 Javelin Strategy and Research have predicted that identity fraud will decline between 2007 and 2013, but individual victims' costs will rise from $860 to $1,271 due to growing sophistication in criminal fraud techniques that use elaborate social engineering schemes and multiple channels to evade detection for longer periods of time.21

18

Metropolitan Police Service (2008) Money transfer fraud, available at http://www.met.police.uk/fraudalert/money_transfer.htm

19

Ross Anderson (2007) Closing the Phishing Hole Fraud, Risk and Nonbanks, US Federal Reserve. Available at http://www.cl.cam.ac.uk/~rja14/Papers/nonbanks.pdf
20

Federal Trade Commission (2008) Consumer Fraud and Identity Theft Complaint Data January December 2007 p.10
21

JavelinStrategyandResearch(2008)ConsumerIdentityFraudReport.

Legal responses UK Law: Computer Misuse Act 1990 amendments Existing UK law specifically tailored to deal with computer crime is largely to be found in the Computer Misuse Act of 1990 (CMA). As one of the earliest legislative attempts to deal with computer crime, it was self-evidently not drafted for the Internet era. As a result, although the Act deals fairly effectively with hacking and dissemination of viruses, doubts have arisen as to whether the CMA adequately covers DoS.22 Two obvious routes existed within the CMA as originally drafted, which might be explored by those seeking to criminalize DoS. The first was section 1, originally designed to punish hacking, which prohibits unauthorised access to any program or data. The other was section 3, designed to counteract the spreading of viruses, which originally prohibited any unauthorised modification of the contents of any computer which was intended to impair the operation of any computer. While s 3 was generally seen as most appropriate to the offence, there was doubt as to whether an actual modification was made since a server which is brought down by a DoS attack suffers only temporary damage with usually no loss or corruption of data after the attack. In 2004, Members of Parliament in the All-Party Internet Group (APIG) began a review of the CMA, on the basis that this legislation was created before the emergence of the Internet and therefore required updating. The Act was seen to focus too much on standalone computers, and not enough on computer networks. In addition some of the definitions used in the 1990 Act need updating. The final report outlined several recommendations to the government for changes to the CMA. In March 2005, APIG called for amendments to the CMA to address the threat from denial-of-service attacks. An updated version of the CMA could be of greater benefit if it combined security regulations relevant for standalone and network situations. The Police and Justice Bill of 2005 thus amended section 3 by replacing the word modification with act, which word is undefined save for including a series of acts. In addition, section 3(2) of the CMA, as amended, specifies that the intent necessary to commit the crime exists whether the intention is to produce temporary or permanent impairment, or hindering or prevention of access to a computer, program or data. Meanwhile DoS had finally arrived at the courts. In the unsatisfactory first UK prosecution for DoS, R v Caffey,23 the charge was unauthorised modification under s 3 of the CMA, but there was no opportunity for argument as to the applicability as the case fell on a dubious Trojan virus defense.24 The second reported prosecution was of greater significance. In R v Lennon,25 a teenage hacker was accused of sending five million emails to cause a DoS attack against his former employer. At first instance, the judge refused to find there was an offence under section 3, not because of any doubts

22 SeeAPIGreport(discussedbelow)at5(regardinghackingandviruses);at5975at1112(discussingthe efficacyoftheCMAinprosecutionsofDoSandDDOSattacks). 23 (SouthwarkCrownCourtOct.17,2003)(unreported,). 24 The accused claimed that although his server had indeed launched the DoS attack, this had only been because it had been taken over as a zombie by malicious code. Forensic experts however failed to fail any evidenceofsuchcode.Remarkablyhowever,thecourtstillacceptedthedefenseandacquitted. 25 Unreported,WimbledonMagistratesCourt,December2005.

about the applicability of the word modification but because In this case, the individual emails caused to be sent each caused a modification which was in each case an authorised modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by [the Act]. In other words, the judge accepted the argument that an unsecured website impliedly authorises the sending of emails to itself. DoS was merely different in volume but not in essential character to the sending of email in the ordinary way. On appeal, perhaps unsurprisingly the decision was reversed26. The Queens Bench held that: the owner of a computer which is able to receive emails is ordinarily to be taken as consenting to the sending of emails to the computer. His consent is to be implied from his conduct in relation to the computer. Some analogy can be drawn with consent by a householder to members of the public to walk up the path to his door when they have a legitimate reason for doing so, and also with the use of a private letter box. But that implied consent given by a computer owner is not without limit. The point can be illustrated by the same analogies. The householder does not consent to a burglar coming up his path. Nor does he consent to having his letter box choked with rubbish. It is enough to say that it plainly does not cover emails which are not sent for the purpose of communication with the owner, but are sent for the purpose of interrupting the proper operation and use of his system. Note that although the appeal court thus solved the particular problem of DoS, the question of how authorised was to be interpreted was never raised in the CMA amendments. Thus the CMA still leaves unresolved the scope of the standing implied consent given by web servers to receive email and page requests. If five million emails sent to a server are outside the bounds of implied consent, surely millions or even thousands of spam emails face the same challenge? Does any reasonable user impliedly consent to the receipt of even one spam email? It seems possible therefore that in future spammers might also find themselves charged effectively with DoS under s 3 a result neither the judiciary nor the reformers probably intended. On other problems with the CMA as originally drafted, the maximum penalty for some offences has also been increased to ten years. The bill doubles the maximum jail sentence for hacking into computer systems from five years to ten years, a provision that will classify hacking as a more serious offence and make it easier to extradite computer crime suspects from overseas. Furthermore a new s3A contains provisions to ban the development, ownership and distribution of hacker tools. Some industry commentators considered the language used to be worryingly ambiguous, possibly criminalising the use and sale of crucial security tools such as anti-DOS intrusion detection software. In particular s 3A provides that it is an offence to supply or offer to supply [such a tool], believing that it is likely to be used to

26

DPPvLennon[2006]EWHC1201(Admin).

commit, or to assist in the commission of [a Computer Misuse Act s1/s3 offence]. Security experts have questioned how they cannot believe it is likely security tools they create will be abused by hackers and cyber-criminals given the prevalence of the black market economy. The Crown Prosecution Service has however issued guidance on s 3A which seeks to reassure the security community.27 European law The European Union (EU) is the worlds largest free trade area, and all twenty-seven Member States must implement European law. Failing implementation, European law can in certain circumstances take direct effect despite the lack of national law. Therefore much over-arching NIS legislation and policy takes place at European level. Table1: Summary of national legislation and European law implementing NIS28 Jurisdicti Privacy on Law Electronic Privacy Law Electronic Cyber Crime 29 Commerce Law Law30 Framework Decisions and Communication s31; 2001 Council of Europe Convention on Cybercrime is harder law

European Data Directive 2002/58/EC Electronic Union Protection repeals Directive Signatures: Directive 97/66/EC 15 Directive 99/93 of 95/46 of December 1997, 13 December 1999 24 Data Retention Electronic November Directive 2006 of 21 Commerce: 1995 February Directive 2000/31 of 8 June 2000

27

AlthoughwithmixedsuccessseeRichardClaytonsresponseat http://www.lightbluetouchpaper.org/2007/12/31/hackingtoolguidancefinallyappears/
28

Forarecentsurvey,seeMitrakas,Andreas(2006)InformationsecurityandlawinEurope:Riskschecked? 15:1InformationCommunicationsTechnologyLawMarchat3353;alsoITU(2008)GlobalCybersecurity Agenda HighLevelExpertGroup,GlobalStrategicReport,athttp://www.cybersecurity gateway.org/pdf/global_strategic_report.pdf

29

AusefulsourceofebankinglegislationinEnglishishttp://rechtsinformatik.jura.unisb.de/cbl/cbl statutes.php
30 31

AllcountriesintheTablehavesignedtheCouncilofEuropeCyberCrimeConvention

SeeparticularlyCommunicationoncybercrime,COM(2007)267andPeers,S.(2009)StrengtheningSecurity and.FundamentalFreedomsontheInternet.AnEUPolicyontheFight.AgainstCyberCrime,Reportforthe EuropeanParliament,PolicyDepartmentC:Citizens'RightsandConstitutionalAffairs,PE408.335at http://www.europarl.europa.eu/meetdocs/2004_2009/documents/dv/study_internet_security_freedoms_/Study _Internet_Security_Freedoms_en.pdf

United Data Regulation of Kingdom Protection Investigatory Powers Act 1998 Act 2000, Data Retention Regulations 2007 No.219932 and 2009 No.85933

Germany Federal Information and Penal Code Data Communication Sections: Protection Services Act 1997, 202a: Data Law(BDS Telecommunications Espionage G) last Act 2004 (Tele 303a: Alteration amended kommunikationsgeset of Data 2001; z-TKG) last amended 303b: Computer G-10 law 14/03/2005 Sabotage applies to communic ations secrecy France Informatio E-Signature Law: Godfrain Act n Law 2004-801 of 6 Decree No. 2001- 1988. Technolog August 2004 relating 272, 30 March 2001 Penal Code y and to the Protection of in accordance with Chapter 3, Liberty Data Subjects as article 1316-4 in the Articles 323-1 Act (Loi Regards the civil code and through 323-4: Informatiq Processing of related to electronic Attacks on ue et Personal Data signatures Systems for Liberts) Law n2004-575 of Automated Data 1978 21 June 2004 of Processing Confidence in the Digital Economy There has been harmonisation among countries based on both common European legislation and cooperation in for instance police and Computer Emergency Response Team (CERT) activities. The extent to which this harmonisation resulted in convergence of national policies depended critically on:
32 33 34

Electronic Communications Act 2000, Electronic Signature Regulations 2002, E-Commerce Regulations 2003 Digital Signature Law 2001

Computer Misuse Act 1990

Whether national political responses to specific NIS problems34 produced strong national legal and policy differences; and Whether pan-European policy preceded national response.

http://www.opsi.gov.uk/si/si2007/uksi_20072199_en_1 http://www.opsi.gov.uk/si/si2009/uksi_20090859_en_1 Includingdataprotectionfailuresandprevalenceofvirusesandothercomputercrimes

National responses to cybercrime date from the period around 1990 and also show significant legislative and policing developments that pre-date the European response (ENISA, the European Network and Information Security Agency, was only founded in 200435). In criminal law, pre-existing national legislation combined with a European cooperative police force (Europol) led to harmonisation rather than convergence. In all these cases, European legislation came after national legislative and institutional arrangements, and national lawmakers had substantial initial room for independent policy formation. In telecoms legislation, an area of longstanding European convergence, the Data Retention Directive of 2006 signalled a greater convergence between national regimes. The very late establishment of ENISA as the central NIS coordination mechanism indicated a desire by Member States to maintain existing national institutional arrangements in their current form. From 2010, Europol formally becomes an agency of the European Union.36 The European Council Framework Decision on Attacks against Information Systems37 was adopted on 24 February 2005. Its objective is to improve cooperation between judicial and other competent authorities, through approximating rules on criminal law in the Member States in the area of attacks against information systems. The Framework Decision indicates that attacks against information and computer systems are a tangible and dangerous threat that requires an effective response. The Framework Decision and the Cybercrime Convention have synchronised definitions of the relevant offences. Council of Europe Convention on Cybercrime One of the main international legislative instruments relevant to both global and European regulation of cybercrime and security is the Council of Europe Convention on Cybercrime. The final text of this was agreed on 23 November 2001 and it entered into force on 1 July 2004.38 A further Protocol on racist and xenophobic acts in cyberspace was signed on 28 January 2003 and entered into force on 1 March 2006.39 The Convention is open for signature by both Council of Europe Member States (EU Member States plus fifteen other countries) and those non-Member States that participated in its drafting (including the United States). It is also open for accession by other non-Member States.

35Regulation(EC)No460/2004oftheEuropeanParliamentandoftheCouncilof10March2004establishingthe

EuropeanNetworkandInformationSecurityAgency,OJL77,13.3.2004
36

SeeIP/08/610(2008)EuropoltobecomeEUagencyin2010,Brussels,18April2008at http://europa.eu/rapid/pressReleasesAction.do?reference=IP/08/610
37 38

CouncilFrameworkDecision2005/222/JHAonattacksagainstinformationsystems.

Duetoitsarticle36,whichcontainstheconditionsforentryintoforce.ItspecifiesthattheConvention shouldfirstberatifiedbyfiveStates,includingthreeMemberStatesoftheCouncilofEurope.TheConvention wouldthenenterintoforceonthefirstdayofthemonthfollowingtheexpirationofathreemonthperiodafter thefifthratification.ThisconditionwasfulfilledwithLithuaniasratificationon18March2004,triggeringthe entryintoforceon1July2004.

39

Additional Protocol to the Convention on cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems CETS No.:189 at http://conventions.coe.int/Treaty/en/Treaties/Html/189.htm

The Convention is regarded as one of the most comprehensive documents on cyber-crime available. Substantively, it focuses on efforts to outline common definitions for crimes relating to computers and also measures to encourage international co-operation. It is the only international agreement that covers all relevant aspects of cybercrime policing (substantive criminal law, procedural law, and international cooperation). Since much cybercrime is by its nature cross-jurisdictional, the most valuable contribution of the Convention is to harmonise definitions of offences across states so that extradition and co-operative policing are made much easier. Although the Convention is applicable only to state governments and not to the private actors who de facto control many important parts of the Internet infrastructure, guidelines for law enforcement by service providers were issued in April 2008.40 How effective is the Cybercrime Convention? Some argue that the number of nations who have signed up is not impressive.41 27 EC nations have joined to date but only 12 have ratified, six years on, leaving 15 to go. Outside the EU, the Convention is seen as Western dominated, both in development and at the current time. Of the few non-EU nations that have acceded, only the US and Ukraine have ratified. On the other hand the Convention is often held up as a model law, even for countries unwilling to accede because the treaty is seen as too Western, or too demanding of resources. Marco Gerke, University of Cologne, a UN and CC cybercrime expert, states that "the impact of the Convention is going beyond the number of countries that formally signed it. At least a couple of dozen countries have used the Convention while updating their legislation to bring themselves in line with international standards.42 The key question for the success of the Cybercrime Convention is perhaps whether it can entice into membership those countries known to harbour the ringleaders of organised cybercrime such as many countries in the former Soviet Union bloc as well as those that suffer the brunt of cyber attacks the USA and Western Europe. Even where developing world and Eastern European countries have the political will to take a stance against cybercrime, it is often difficult to justify allocating resources for it, when the beneficiaries will be not that states own citizens but those of other countries. Despite this the ongoing success of the Cybercrime Convention can be seen at a micro as well as macro level. Many countries are in the process of harmonising their law to meet Cybercrime Convention standards whether or not they plan to join, e.g. many Latin American countries. In other regions such as the Arab states, there may be a preference to put together their own regional instruments rather than accede but in most cases these are very similar to the Convention. It is thus arguably a very successful instrument for international harmonisation.

40

See http://www.coe.int/t/DG1/LEGALCOOPERATION/ECONOMICCRIME/cybercrime/cy_activity_Interface2008/56 7_provdguidelines_provisional2_3April2008_en.pdf

41

SeeR.Andersonetal,SecurityEconomicsandEuropeanpolicy,ProceedingsoftheWorkshoponEconomics andInformationSecurity,2008,athttp://weis2008.econinfosec.org/papers/MooreSecurity.pdf
42

PrivateconversationwithEdwardsduringtheresearchfortheMcAfeeVirtualCriminologyReport2008, supra.

The Council of Europe, who sponsor the treaty, also provide training in how to operate against cybercrime and use the Convention, for both judiciary and police, as well as assisting regions to move towards accession or developing their own instruments: see e.g. workshops held in 2007/2008 for West Africa and Caribbean regions, as well as programmes for the training of judges, e.g. by Cybex in Spain. The Convention despite having only been in force since 2004 is however showing signs of a need for updating. Specific problem areas such as phishing, identity theft and crime in virtual worlds e.g. fraud on virtual banks are not covered as nominate crimes, though they may be subsumed beneath broader categories, such as phishing beneath online forgery and fraud (arts 7 and 8). New investigation instruments like key-loggers (Magic Lantern) and identification instruments (CIPAV) are already in use in countries like the US but not mentioned in the Convention either as permissible or not. Renegotiating the treaty would likely be a Herculean task, so future additions are likely to be made by ways of optional protocols, as with the existing example relating to hate speech. Will the Cybercrime Convention ever develop into a standing cyber crime police force, much as NATO has developed a standing capacity to combat hostilities in its region? It is clear that national police forces, whether standard operations or specially trained cybercops, struggle to make any meaningful impact on cybercrime when so much of it is directed from countries outside their jurisdictional competence. One-time co-operative international policing operations have had some striking successes, notably in relation to international paedophile rings, but these are very expensive, and extremely difficult and time-consuming to mount. An argument for a standing international cyber security force clearly exists, particularly as Interpol seems to have little or no profile in the field of cybercrime. The political will (and funding) for such a force seem at the moment however to be absent, and as noted at the start of this chapter, we seem instead to be entering a phase of distinctly national cyber-security initiatives43 as states realise the full potential impact of a cyber-infrastructure attack. Specific legal problem areas Phishing Phishing is the use of social engineering and hacking techniques to gain information such as financial or other personal data. Profit is usually achieved for phishermen by sending emails which by some means or other extract login and password details from recipients which can then be used to gain access to bank and similar accounts. Phishing is a fast rising crime and has accelerated in particular since the current recession began. Figures released in October 2008 in the UK by APACS, the UK clearing banks association, 44 showed that from January to June 2008 phishing attacks rose by 186% on the same period in 2007. In total there were more than 20,682 phishing incidents during that six

43Seee.g.theannouncementoftheUKsfirstnationalCyberSecurityStrategylaunchedinJune2009,reportedat

http://news.bbc.co.uk/1/hi/uk_politics/8118348.stm.FortheUSequivalent,seeinfran73.
44

See http://www.apacs.org.uk/APACSannounceslatestfraudfigures.htm .

month period compared to 7,224 the previous year. Similarly the FTC issued a special phishing warning for the USA, also in October 2008.45 There are two key reasons why phishing is a particularly growing threat at the current time. First, as credit facilities become restricted and subject to detailed checking, procuring personal data to open new accounts and acquire new credit cards loses appeal, while using phishing data to clean out existing accounts becomes more attractive. Secondly, the recession has brought in its midst vast confusion and loss of trust in the consumer sector.46 As confusion around financial bust and merger (perhaps) clears, phishing is likely to diversify into public sector websites (e.g TV and motor licensing sites) with deleterious consequences for public confidence in e-government;47 and into phishing of virtual currencies from virtual worlds48 where law enforcement will have, one suspects, not the first idea of where to start.49 In the previous and following sections we discuss what role (if any) law can play in preventing the kind of cyber insecurity that engenders phishing. A key issue for the law, however, is how to regulate the losses of users in this sphere, and in particular if banks should be obliged to reimburse customers for phishing losses. It is a common myth in the UK that banks are required to reimburse phishing losses where bank accounts are drained by phishers. It seems that most consumers draw an analogy with the well known rights in respect of misuse of credit card details under the Consumer Credit Act (CCA) ss 83 and 84. In fact, UK law here is unclear and antiquated.50 The CCA provides only that banks issuing credit cards must reimburse cardholders where the card data is fraudulently misused by a third party. In relation to debit fraud, remedies are purely conferred by the voluntary Banking Code, and there have been disputes in the past even over conventional misuse of debit card details, e.g., re "phantom" cashline/ATM withdrawals where banks have refused to reimburse, claiming the customer is at fault or lying. Thus the commonest case of phishing, where a chequing or saving account is drained, is not covered by hard law since no consumer credit arrangement is involved. Instead, the matter appears to be covered only by banking practice as laid down in the Banking Code, not in hard law. Historically, as Bohm et al have pointed out,51 under the Bills of Exchange Act 1882, a bank that honoured a forged cheque was bound repay the amount

45 46

See http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt089.shtm .

BBC News 10 October 2008 Bank turmoil fuels phishing boom, at http://news.bbc.co.uk/1/hi/technology/7663055.stm .
47 48

See http://blogscript.blogspot.com/search/label/phishing .

See ENISA Report Virtual Worlds, Real Money, November 2008, at http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_security_privacy_virtualworlds.pdf .
49 50

See amusing fictional account in Stross C Halting State (2007). Anderson R

See N Bohm, I Brown and B Gladman Electronic Commerce: Who Carries the Risk of Fraud? 2000 (3) JILT at http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/bohm/ ; Closing the Phishing Hole Fraud, Risk and Nonbanks, available at http://www.kansascityfed.org/econres/PSR/PSRConferences/2007/pdf/Anderson.pdf . 51 Supra.

debited to the customers account. By analogy, a bank which allowed a phisherman to withdraw the contents of an account using forged credentials should surely be equally liable. Yet the latest edition of the Banking Code makes customers liable for unauthorised online banking transactions unless they have taken reasonable care defined as the use of up-to-date anti-virus and spyware software and a personal firewall and that customers keep passwords and PINs secret.52 In practice to date banks have usually paid up, but it may be questioned if financial cutbacks combined with a rise in claims will not put pressure on this gentlemans agreement. In other countries, a mishmash of legal and para-legal remedies has emerged, with little harmonisation across borders. For example,

in the US, claims by customers that they have suffered loss due to card fraud of some kind are repaid under EFTA, the Electronic Fund Transfer Act, subject only to the customer reporting the fraud properly. Fault on the part of the consumer is not as relevant consideration. In Canada, losses are usually indemnified by banks but only according to voluntary banking codes. Furthermore fault removes customer rights, and in Canada, fault on part of customer to exclude bank liability has reportedly been defined very widely e.g. if shoulder skimming has occurred, this might be fault, similarly dropping card on floor revealing data, or having PIN stuck to back of card.53 In Costa Rica, the customer is left to carry the losses of bank frauds and ID fraud on their own.54

This lack of harmonisation is a problem given the increasing ability of consumers to bank outside their home jurisdictions, especially using Internet banks. In the event of consumer losses due to phishing, difficult issues may arise both of identifying the relevant legal system and the legal remedies available. It also indicates though the rise of a culture where consumers are presumed at fault if losses occur due to phishing, and have to prove their innocence to get their money back. This seems disturbing, given that it is the banks, not the consumers, who are in the best place both to identify and warn against phishing entreaties, and to improve banking security thereby safeguarding consumers against foolhardy decisions e.g. by implementing two factor authentication for consumer withdrawals. Accordingly, as discussed below, the House of Lords Report on Personal

52

British Bankers Assocation, The Banking Code, March 2008 s12.9. Available at http://www.bankingcode.org.uk/pdfdocs/PERSONAL_CODE_2008.PDF.
53

Personal conversation by Edwards with Mary Kirwan, Canadian security expert, while conducting research for the Macafee Virtual Criminology Report 2008, supra.
54

With thanks to Andres Guadamuz for this information.

Internet Security recommended in 2007 and again in 2008 that banks should be presumptively held liable for phishing losses as a matter of law.55 Buying zero day exploits Exploits or zero day exploits are software vulnerabilities that allow a particular piece of software to be hacked or in some way compromised. They are, basically, bugs, which arise inevitably in the creation of software as it goes through its development life cycle. Exploits which compromise widely used programmes such as Internet Explorer, Word, Excel, Linux kernel programs, etc can be extremely valuable. They can be used to cripple a commercial competitor or to open back doors in programmes allowing theft of personal data e.g. bank account details. They can even in theory inflict significant damage on the infrastructure of a nation state. They can also be used indirectly to blackmail the vendor of the affected software. The market for exploits is cloaked in secrecy but some details have emerged in the last few years: White or legitimate market: Two main agencies exist which openly buy exploits at market prices, using contracts and non disclosure agreements (NDAs) Tipping Point56 , and iDefense57 ; other players include Snosoft58 and a number of small firms whose business model is to employ in-house vulnerability researchers. Occasional examples also exist of security researchers attempting to sell exploits on the open market by bug auctions. In 2005, a researcher fearwall discovered a bug in Microsoft Excel that could have caused potentially enormous damage, and after first contacting Microsoft, went public by putting it up for sale on eBay. Bids reached $1,200 before the auction was pulled under pressure from the vendor. Fearwall claimed he had really been seeking not money, but publicity to pressurise Microsoft into patching the vulnerability. Grey market: sales of exploits to government agencies. This market is a white hat market but little is known about it. It is rumoured the US National Security Agency59 has purchased exploits, and that various government agencies employ vulnerability experts to hunt for exploits as full time staff or on freelance contracts.

55

House of Lords Science and Technology Committee, Personal Internet Security, HL 165-I, 5th Report of Session 2006-07 - Volume I: Report
56 57 58

http://www.tippingpoint.com/ . http://labs.idefense.com/ .

See http://snosoft.blogspot.com/2007/01/exploit-acquisition-program.html for an example of their terms of purchase of exploits.

59

See C. Miller (2007) The legitimate vulnerability market, Proceedings of Workshop for Economics of Information Security, , available at http://weis2007.econinfosec.org/papers/29.pdf and Sutton M and Nagle F Emerging economic models for vulnerability research, Proceedings of Workshop for Economics of Information Security, 2006, available at http://weis2006.econinfosec.org/docs/17.pdf .

Black market: sales to criminals and corporations engaged in industrial sabotage or espionage. Again revenue can then be gained directly by closing down a system, or indirectly by attempts to blackmail a vendor by threatening release of an exploit, resulting in bad PR and possible loss of market share. This market is almost impenetrably difficult to research. However one known example occurred in January 2006 when a Microsoft WMF exploit was sold by auction for $400060 allegedly to more than one black hat buyer. Investigations showed the exploit was later used by at least one buyer to capture machines to spread pump and dump spam.

Legal issues around exploit sales It might be surprising that there can be a white market in exploits at all. Discovered exploits in their nature are primarily intended to impede or cripple software and, by extension, to hurt users and vendors who make money from that product. Arguably their sale should be illegal, or at least controlled, as the sale of weapons or dangerous goods like dynamite, poisons or hand-guns are in most European countries. On the other hand it can be argued that exploits are, rather like encryption, a dual use good. While their primary purpose is to cause damage, they can also be used by security experts to provide an early warning service of possible vulnerabilities (this is the business model of the likes of iDefense), and studied to build safer, less vulnerable software. From a legal perspective it is not at all clear what is being bought and sold in the exploit market. A vulnerability is not a tangible object like a gun, so the first obvious argument would be that it is a piece of intellectual property (IP), and this seems anecdotally to be what some buyers and sellers claim. However the only appropriate IP regime of protection would probably be copyright, and this analysis leads to severe problems. The programme code that the exploit relies on, and will often incorporate, will be the copyright of the vendor not the creator of the exploit and the vendor will certainly not have licensed his code to the zero day exploiter to use (or abuse) in this way. Furthermore, sometimes what is sold may not be code as such, but merely a particular word or an idea knowledge about how or when a vulnerability operates in which case IP will not be appropriate, although trade secrets may be. In fact, what is bought and sold mainly appears to be silence. Agreements in the exploit market are notoriously hard to broker because if the exploit seller demonstrates that the exploit works to the buyer, then he will often have given away the value of what was on sale: even more so if he hands his code over to the buyers to test. As with all ideas, once it has been explained, what is left to sell? The market thus appears to reply mainly on non-disclosure agreements rather than transfer of property per se. Since sales will normally be made under conditions of anonymity, there is also the problem of multiple sales. An exploit might be traded under three different names to three different markets. As a result the exploit market is de facto limited to a small group of experts who know and trust each other with open auction sites partly filling the gap.

60

Cited in Miller, supra.

Finally, there remains a strong argument that an exploit market should not be valid in any form. Vendors tend to argue that any exploits that exist should belong to them and thus in law not be saleable either back to them, or worse still, to someone else. Its my code and my mistake said one unnamed programmer for a major software vendor. Shouldnt I be entitled to fix it? If Shakespeare had made a spelling mistake in one of his plays wouldnt he expect just to be told about it, not to have to pay for it before he could fix it?61 Some security experts and economists argue however that a white market should be allowed: In a professionalised world of organised cybercrime, security experts, just like cyber criminals, increasingly work for financial reward not just glory. Discovering an exploit is hard work and researchers should be paid for it, since their work is for the public good. If a white market for vulnerabilities does not exist, researchers will sell to the black market, probably for greater reward. Discovering vulnerabilities should be encouraged as otherwise software remains insecure, adding to the instability of critical infrastructure and the growth of the zombie bot population. An exploit market increases potential scrutiny.

Many commentators still however feel uneasy about this covert arms trade, with a strong argument made that encouraging the discovery of software vulnerabilities simply encourages illegal activity and produces insecurity (of both software and the market).62 Both the current major players on the white market respond that they engage in responsible disclosure that is, they disclose the vulnerability to the software vendor after they have made it available to their own customers. The vulnerability is thus eventually fixed (patched). They also claim to facilitate the procurement of exploit information by having a larger range of sources than any one company normally would. For example, iDefense reported in 2007 having a pool of about 400 contributors of vulnerability information over the last four years.63 Given an inevitable time gap between when a vulnerability has been found and when the vendor can patch it, the white market business model is to provide advance disclosure to their own paying clientele who are thus protected before patching is implemented. The fault if any can then be said to lie with vendors for not patching sooner and more effectively. Vendors, however, including major players such as Google and Microsoft, take the view that best practice is to disclose software vulnerabilities straight to them so they can be patched as fast as possible, and discourage an exploit market. Some vendors have been known to offer bounty programmes for amateur bug spotting while discouraging the

61

Conversation quoted during personal interviews by Edwards with a spokesman for iDefense for McAfee Virtual Criminology Report 2007, supra.
62 63

Kannan and Telang (2005) Markets for Vulnerabilities? Think again, Management Science, 51 (5). As above

professional approach.64 Some support mandatory vulnerability disclosure. While delayed disclosure of bugs in traditional software products such as Word or Excel may be workable, and prevent collapse of confidence in a product, in relation to web services, immediate disclosure to the service provider so the vulnerability can be patched is regarded as vital, since silence leads to further infections being spread to multiple users. 65 A distributed non-commercial scheme in which all Internet users work voluntarily together to search and disclose exploits may also be a future model; a preliminary basis for such already exists in the StopBadWare list of infected websites, which appears as warnings against lists of Google search results.66 Future legal directions In August 2007 the House of Lords Science and Technology Committee published the results of their year-long inquiry into Personal Internet Security.67 Their investigation was particularly concerned with the nature and scale of the security threat to individuals; how these threats could best be tackled; what types of governance and regulation would be most appropriate in this area; and how well the government is responding to cybercrime. A wide range of individuals and organisations gave evidence to the inquiry, including academic lawyers and computer scientists, trade bodies such as the British Computer Society and Association of Payment and Clearing Services, Internet Service Providers, law enforcement agencies and childrens charities. The committee made recommendations in a number of areas, with the main aim being to better align the security incentives of organisations, ISPs and users. They found that end users rarely have the time or technical background to shoulder the responsibility pushed onto them by the government for securing their own online activities. Financial services institutions, ISPs and software vendors in particular are in a better position to manage some security risks.68 The best way to encourage them to do this would be to carefully reallocate to them some of the liability for fraudulent payments, traffic from infected machines and insecure software. Banks have been encouraging customers to switch to online services (which are much cheaper to provide than branches and staff) while at the same time attempting to shift risk for fraudulent transactions onto those same customers, as discussed above. Given the continuing arms race between virus authors and anti-virus software companies, and the ingenuity of those harvesting passwords from infected PCs and phishing sites, it will be difficult for the average user to assess the risk and veracity of a transaction. Banks have

64 65

Eg Netscapes Mozilla Foundation (http://www.mozilla.org/security/bug-bounty.html)

See Day O, Palmen B and Greenstadt R (2008) Reinterpreting the Disclosure Debate for Web Infection, Proceedings of the Workshop for Economics and Information Security, at http://weis2008.econinfosec.org/papers/Greenstadt.pdf
66

Project run by Harvard and Oxford Universities plus others in collaboration with Google: see http://stopbadware.org/
67 68

Supra n 54. This argument was first made in N. Bohm, I. Brown and B. Gladman, supra n 49.

been slow to develop and deploy the type of hardware authentication tokens69 that would protect users, because the costs of their failure to do so fall partly on their customers. Banks are also in a better position than their customers to profile and analyse transactions for suspicious events. The Lords therefore recommended that banks be encouraged to take more responsibility for their customers security by holding them liable for electronic fraud losses. They also suggested that banks and other businesses should be required to notify customers when security breaches occur, giving them advice on practical steps to reduce the resulting risks.70 The committee similarly found that ISPs are in a better position than their customers to protect against certain types of attack. In particular, they are able to monitor outgoing traffic for and receive reports of spam, worm infections or Denial of Service attacks. Once such traffic has been detected, ISPs are able to limit infected machines network access to sites that will allow them to download the latest software patches and antivirus signatures and hence remove the infection. The Lords recommend that the E-Commerce Directives Article 12 mere conduit defence71 be removed once ISPs have detected or been notified of such traffic, making them liable for damage done to third parties unless they take preventative measures with a limited time period. Finally, the committee noted that software companies have historically paid limited attention to the security of their products and that radical and rapid change is needed. This is partly due to their ability to dump liability onto customers using restrictive licensing agreements that would be held void in many other markets (and partly due to the preference seemingly shown by consumers for flashy new features over security and stability in software). The committee therefore recommended that in the short term, liability waivers should be ignored when vendors have been negligent. In the long term, a framework for vendor liability and consumer protection should be developed. More specifically, the committee suggested that users should receive better security advice when first setting up new software; that patches should automatically be downloaded when machines first go online; and that default security settings should be set as high as practicable to give users time to understand risks and tradeoffs of reducing those settings. These recommendations broke new ground in the debate on Internet security in the UK. While they were almost completely rejected in the governments initial response to the report, 72 they have continued to generate discussion and further activity by the Lords Science and Technology Committee. They were also echoed in a recent cybersecurity review carried out by the US government, which further recommended attention to

69

See for example details of Barclays Banks new PINsentry device at https://www.barclays.co.uk/pinsentry/.
70MandatorysecuritybreachdisclosureislikelytobepassedaspartofthereformofthePrivacyandElectronic

CommunicationsDirective2002in2009,butonlyforthetelecommunicationsindustriesandnotforthelikesof banks.Seefurther,Edwards,ChapterDP1atPPxx.
71

Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, OJ L 178, 17.7.2000, p. 116.
72

The Government reply to the Fifth Report from the House of Lords Science and Technology Committee Session 2006-07 HL Paper 165, Cm 7234.

indemnification, tax incentives, and new regulatory requirements and compliance mechanisms.73 While cybersecurity remains an enormous global problem, it does seem some consensus on a holistic strategy to combat it, taking into account law, business practice and technology or code, is finally beginning to emerge.

73

United States Government (2009) Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, available at http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf