
The global landscape: International cooperation

Managing use of copyrighted material across national borders is forging new partnerships, reports Greg Masters

As Bob Dylan 2.0 might put it: The times, and the means of distribution, they are a-changin'.

His music and other artists' creations now often are downloaded through illegal peer-to-peer (P2P) networks, various social media and other sites by individuals who want to avoid paying the entertainment companies representing them.

On Jan. 19, MegaUpload, a P2P file-sharing site, became the victim of its own success when New Zealand police, following a request from the FBI, shut down operations with a raid on its headquarters in a rented $30 million mansion near Auckland.

Certainly the parameters of “acceptable use” have altered considerably since Sean Parker and two partners started Napster in 1999 as a P2P service. The service made it easy to distribute music, even though the enterprise was flagrantly flouting legal boundaries. Consumers who were fed up paying $19 for a CD were easily tempted to abandon ethical concerns for the convenience of downloading music for free.

But, this phenomenon was able to exist only because the internet at that time was still in its early stages. If large corporations were aware of the activity, it was still only a blip on their screens, not enough of a threat to instigate action.

Nowadays, however, copyright holders could not ignore the number of users MegaUpload attracted: MarkMonitor, an enterprise brand protection firm, put the figure at more than 21 billion visits per year. The half-billion dollars in revenue corporate big daddies were claiming to lose also proved intolerable.

Just like Napster in its early days, this site, established in 2005, had put up a pretense of legitimacy by agreeing to remove files when infringement complaints came in. This gesture proved insufficient, however. Its dissemination of purloined movies, television shows, music and other digital content clearly skirted copyright laws.

Facebook and YouTube began their existence flirting with copyrighted material, also. But, to reach mainstream acceptance and avoid being sued out of existence, they had to clean up their acts. When Google bought YouTube for $1.65 billion in October 2006, that process entailed deleting copyrighted material from the servers.

Still, the growth of file-sharing sites such as these has increased the stakes for large entertainment companies and other copyright holders, as well as the law enforcement and legal bodies attempting to exert control and enforcement over which laws govern usage across national boundaries. To date, it is difficult for law enforcement to pursue many of the electronic crimes across international boundaries – often due to country-specific laws relating to cyber crime, says Gunter Ollmann, vice president of research at Damballa, an Atlanta-based network security vendor.

“Many countries simply don't have the appropriate laws,” he says. “Subsequently, law enforcement must look for other ‘related’ crimes conducted by the cyber thieves – and use those in their international law enforcement discussions.”

For example, at the time of the massive Mariposa botnet, which was primarily employed to steal data and launch denial-of-service attacks, Spain neither had laws governing botnets nor any that made the unauthorized installation of software on someone else's computer a crime, Ollmann says. So, to arrest and prosecute the Mariposa operators there, law enforcement had to make a case around credit card fraud. That is, the criminals were caught making physical copies of the credit card details they leeched from their victims' computers to purchase goods and services in Spain.

Philip Victor, director of the Centre for Policy & International Cooperation at the International Multilateral Partnership Against Cyber Threats (IMPACT), agrees that the challenge is gigantic as cybercriminals are unfettered by national boundaries, while law enforcement agencies' efforts are limited to local jurisdictions. "All agencies, countries, industry partners and organizations should cooperate with each other to share their expertise and resources," he says. This entails the sharing of databases and information from neutral organizations containing such details as the names of cyber crime offenders, profiles of previously identified theft/cyber crime, the anatomy of different cyber crime groups, information on the latest threats and proactive measures to practice.

"Every country should ideally audit and list their critical infrastructures and key organizations who are involved in the areas of cybersecurity, along with a list of responsible focal points within the country who can contribute in securing their cyber infrastructure," Victor says. This will shape a national security database which could play a vital role in terms of takedowns, and serve as a contact point for rapid action response.

Nevertheless, Victor adds, the nature of crime may differ, but the modus operandi or the motifs of these crimes remain the same. He'd like to see the harmonizing of cyber law between nations while developing proper extradition and investigation methods on cross-border crimes.

This is a strategy that Jody Westby, CEO of Global Cyber Risk, a Washington, D.C.-based consultancy that helps global businesses manage risks, would also like to see put in place. "Law enforcement agencies must have 24/7 points of contact and trained personnel to track and trace cyber criminal activities, and conduct the search and seizure of digital evidence," she says.

Some countries are making strides. Chester Wisniewski, a senior security adviser at Sophos Canada, says many law enforcement agencies regularly collaborate on international cyber crime cases. He points to cases in Russia, Egypt, Estonia and other countries.

“To some degree, criminal law is being passed in a coordinated fashion to enable charges to be laid internationally,” he says.

But, this is a process that law enforcement agencies have been forging for years. “The advanced countries have specialized computer investigation units, who are familiar not only with computer forensics and investigation, but their own country's laws as they pertain to computer crimes,” says Art Bowker, a member of the High Technology Crime Investigation Association (HTCIA), which provides education and collaboration to its global members.

And, other obstacles persist, Bowker says. Companies may still wish not to report incidents, for instance. As well, a number of countries don't have developed laws in place for dealing with cyber criminals, and some lack the investigative resources and capability to go after the thieves, he explains.

Who has provenance?

Today, the principal challenges for any cross-national law enforcement efforts involve both jurisdictional rights and international laws, says Marcus Chung, COO of Malwarebytes, a San Jose, Calif.-based provider of anti-malware solutions. Any cooperating agencies would need to first agree that certain enforceable laws were broken, and then work together to coordinate the actual arrests within their respective jurisdictions.

While a police agency from one country can't enter another to arrest someone, many nations have treaties in place in which suspects will be locally arrested and held for extradition, says Bowker. That is what is occurring in New Zealand now with the MegaUpload case. This kind of law enforcement action just doesn't happen by magic, Bowker adds. Authorities around the globe recognize that contacts need to be developed and maintained and, when the need arises, they reach out to their foreign counterparts.

Concurrently, the recent arrests of LulzSec and Anonymous members clearly have led to revelations that the FBI was actively notifying governments and companies of potential vulnerabilities it was uncovering during its investigation, he says, recalling one report that 300 public and private entities in the United States and around the globe were notified. In the United States, InfraGard – established by the FBI to work in partnership with the private sector – serves such a purpose. There are also the Secret Service Electronic Crime task forces performing similar functions.

“Law enforcement and the private sector both within and outside of the United States are seeing the value in networking to protect themselves from cyber threats,” Bowker says.

Malwarebytes' Chung agrees, pointing out that the recent efforts of the U.S. Department of Justice (DoJ), FBI, Hong Kong authorities, and law enforcement in the Netherlands, Germany, Canada, U.K. and New Zealand highlight what is widely perceived as a successful anti-piracy operation that seized more than $50 million in assets and yielded several high-profile arrests of the leadership behind MegaUpload. The authorities, he says, had to coordinate multiple arrests, freeze financial assets and issue search warrants across eight countries.

If a crime against an American organization occurs overseas, the FBI will escalate it to its liaison who works with the DoJ to make a formal request to the foreign government's federal police, adds Wisniewski. The bar is set high for this to occur, but considering the record of MegaUpload founder Kim Schmitz (aka Dotcom) and the wealth he has accumulated, not to mention the alleged damages caused, he met these conditions, Wisniewski says.

Obstacles to overcome

But, while there are agreements for international cooperation in place, much still needs to be done, particularly within local jurisdictions. Law enforcement around the world is battling the specific laws in their countries, says Ollmann.

“I've not yet encountered a law enforcement officer that feels their own country's laws are specific enough to the electronic crimes they are encountering and being expected to investigate,” he says.

Authorities are collaborating well with each other, but have been hamstrung by the disparities among the laws of the various countries in which the cyber criminals are operating, he says. “The internet is international, but the laws most certainly aren't,” Ollmann says.

In the meantime, electronic crime conferences geared toward a law enforcement audience have sprung up around the world, and officers are relying on these to both meet with their international counterparts and build new relationships among international teams, he says. Chung says he expects this trend of cooperation to increase as the MegaUpload case is widely viewed as a success for both international law enforcement and cross-continental teamwork. “The ongoing blurring of international borders across cyber space requires such coordinated efforts to be successful in prosecuting cyber criminals,” he says.

From a legislation perspective, there has been a lot of focus on copyright-related fraud, says Ollmann – e.g., Canada's Protect IP Act (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, or PIPA); the U.K.'s Serious Organized Crime Agency (SOCA); and the Anti-Counterfeiting Trade Agreement (ACTA), a multinational treaty intended to set international standards for intellectual property rights.

But, he is not so optimistic about international collaboration. The threats legislation is designed to address have been a problem for a couple of decades. Much of the proposed legislation still misses the mark, he says.

“I have little hope for effective legislation to deal with ‘today's’ complex threats appearing in this decade,” says Ollmann. “There is still a tremendous need for education. There is a noticeable generation gap between those responsible for enacting legislation, and those understanding or being affected by the legislation.”

As well, while progress has been made, homogenizing all the various national laws is still some time off, Wisniewski says. To illustrate differences in progress, the European Union has harmonized much of its cyber law to facilitate easier extradition and investigation on the continent. Canada, meantime, is currently considering a bill, known as C30, that would allow the Royal Canadian Mounted Police easier access to logs of activity from Canadian ISPs, he says. Here in the United States, President Obama has been trying to update the American cyber crime laws, but nothing has passed to date.

Bowker says he expects legislators to come up with something that is more thought out than the cyber crime bills currently under consideration, but not in an election year.

“You can bet that if the recent Anonymous arrests are as successful as they appear, that case will become one key argument for why information needs to be shared,” Bowker says.

Mitigation and control

In the MegaUpload case, in early Jan., criminal copyright charges were filed in the United States by the FBI and Department of Justice against the principals of MegaUpload. The U.S. authorities alleged ill-gotten profits by the P2P site in excess of $175 million and losses by copyright owners of $500 million. As MegaUpload is a Hong Kong entity with the core management team based out of New Zealand, including the founder and CEO, Kim Dotcom, who is currently under house arrest in New Zealand, this required legal cooperation among authorities in three nations, says Marcus Chung, COO of Malwarebytes.

Outside of search warrants and extradition agreements, he says the notable laws that likely will be invoked in this case include The Digital Millennium Copyright Act, the European Union Copyright Directive, and the New Zealand Federation Against Copyright Theft. All of these, as well as user privacy laws, such as the Electronic Communication Privacy Act, are likely to be cited both by the prosecution and defense.

Jody Westby, CEO of Global Cyber Risk, says that in addition to substantive cyber crime laws, and the procedural laws that govern how investigations and search and seizure take place, a number of other legal frameworks are likely to be used in court. She expects to see laws on jurisdiction and extradition, which can also include international agreements, such as mutual legal assistance treaties (MLATs), and rules that assist in going through the courts for approval for assistance from one country to another.

Dotcom was freed on bail, but had conditions put in place that prohibit him from connecting to the internet, Bowker says. “This is an area more and more community corrections officers are going to have to get up to speed on, learning how to enforce conditions that restrict and/or monitor cyber offenders' computer and internet use.”

Mitigating and controlling the activities of cyber criminals across borders is part of the ongoing challenge to coordinate information sharing among various law enforcement agencies, both foreign and domestic, says Chung. There are privacy laws and due process that differ at both the regional and international levels. Due to this level of complexity, at a minimum there are typically local “search warrants,” financial information (to facilitate the freezing of assets) and evidence of criminal behavior that is shared among the agencies.

Westby adds that sharing often is facilitated informally through relationships and contacts because the formal process can be cumbersome. Regulations begun under the Homeland Security Act of 2002 allow the Department of Homeland Security to share critical infrastructure data with foreign governments, she says.

The role of ISACs

One important resource is Information Sharing and Analysis Centers (ISACs). They can play a valuable role in facilitating data exchange within their industry sectors and coordination with government agencies, says Westby.

“Many ISAC members are multinational companies, so this sharing also has a spill-over effect to international locations,” Westby says. “They can also help facilitate cooperation among providers.”

One must keep in mind, however, that ISACs are not designed for or intended to “hunt and prosecute” cyber criminals, she says. ISACs are primarily useful in sharing information among their members, including approaches and coordination on cyber crime.  

But Chung says ISACs are likely to take an increasingly prominent role in coordinating inter-agency efforts and assisting in both the hunting and evidence-gathering stages of prosecuting cyber criminals.

“If you share information about threats, you can develop patterns, which can lead to common players,” says Bowker. “The more you communicate, the more you are able to identify the bad actors. You can't arrest them until you identify them.”

The key, Bowker says, is to share information that allows members to protect themselves and at the same time can lead to arrests and prosecutions. That is why he advocates that law enforcement become and remain active in these groups.

Other information-sharing bodies exist as well. Westby says that IMPACT is helpful in building a 24/7 point-of-contact database and helping countries coordinate. It now has more than 130 nations signed up and is now the official operating arm of the U.N.'s International Telecommunication Union (ITU) Global Cybersecurity Agenda, she says.

Recently, ITU-IMPACT was asked to participate and observe in an ongoing project that was a joint effort by the World Economic Forum's Risk Response Network and an IT industry group. "The Risk and Responsibility in a Hyperconnected World" Initiative provides a platform for decision-makers to undertake coordinated action to set in place the risk evaluation, detection and response mechanisms necessary to protect networked communications and future growth in the online networked economy, says IMPACT's Victor.  

Early this year, he adds, IMPACT supported the ABIforums Cybersecurity Summit 2012, held in Kuala Lumpur, Malaysia. The gathering brought together government and business leaders from around the world to address cross-border cyber security challenges, and looked to set new models for private-public-sector leadership in addressing high-priority security threats and vulnerabilities, and collaboration on the most pressing issues in global management of critical information infrastructure.  

But, there are still many questions about leadership, with some nations, including the United States, unwilling to fully get on board with international efforts. For its part, the United States has failed to show effective leadership in helping to build international cooperation and harmonize cyber crime laws, Westby says, which has contributed to the soaring nature of cyber crime here and abroad.

Wisniewski agrees, adding that “if we want to stop the death of a million cuts that we are all suffering online, we need to ramp up the resources and cooperation and we need to do it quickly. Criminals overseas are acting with impunity, knowing that only the biggest offenders who attract the wrong sort of attention from their governments will ever face prosecution. Law enforcement budgets need to adjust to this new reality, and we need a whole lot more talented internet security experts to be trained to meet the needs of a new era in cyber crime.”

In a final analysis, most agree that in a world increasingly tied together by global markets, it only makes sense that everyone comes together to protect each other's cyber assets.

 [sidebar 2]

Mobile strategy: Safeguarding data

What do enterprises need to do to safeguard their data as more and more employees use mobile and other personal devices to access corporate assets?
 
A sound mobile security strategy starts with understanding how the devices' applications will be used and the sensitivity of the data that they will be accessing, says Joe Nocera, principal at PricewaterhouseCoopers (PwC). "A focus on the application use cases and nature of the data is critical to determine the level of security that is required. Once these use cases are understood, a good practice is to perform a risk assessment on the potential loss of the data the mobile application can access to understand any exposure the data loss might have on the organization. Controls can then be selected that align with identified risks and relevant regulatory requirements," he says.

It's critical in the early stages of deploying security to better enable collaboration on potential security requirements, such as the requirements for storage of the data on the device, says Nocera.
 
He says it's essential to ask:

  • Is the data stored on the device in a secure fashion, and if so, how is it protected?
  • Is the data stored on a virtual desktop via a network server?
  • Is the data presented via a web server but stored on the server; can we confirm that no sensitive data is cached to the local device?
  • Can the data have read-only access or read and write access from the device?

Depending on the answers to these questions and others, Nocera is seeing organizations focus on a range of controls, including mobile device management, virtualization, tunneling and application-specific encryption. "Organizations are also struggling with how to best deploy and manage strong authentication and remote device wipe capabilities in the event the mobile device is no longer in the possession of the authorized user," he says. "Advanced-thinking organizations are even going so far as to consider using the GPS location information and the device-specific camera functions to better determine the use of the mobile application and its data access risks to further enhance security."
  
An effective mobile security strategy can enable an organization to harness the productivity and flexibility of today's mobile devices and applications while safely mitigating the risks if one considers all relevant threat vectors and the usage patterns of the applications deployed, he says.
