Proactive IT Security
 

Tackling the Problem of Cyber Crime

Introduction

A few days ago the Australian House of Representatives' Committee on Communications published its report on cyber crime and security. This document has the ambitious title "Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime", and is an impressive, nearly 300-page read with statistics, examples, and of course suggestions for how to solve the problem of cyber crime.

The report even has a long explanatory list of abbreviations and technical terms, which is useful reading for those who are not so familiar with every corner of IT security.

As early as the report's foreword, a significant statement is made:

There has been an exponential growth in the volume of malicious software and the sophistication and adaptability of cyber crime techniques. In the face of these trends, the Committee believes the expectation that end users should or can bear the sole responsibility for their own personal online security is no longer a tenable proposition. We need to apply the same energy and commitment given to national security and the protection of critical infrastructure to the cyber crime threats that impact on society more generally.

A joint effort

Note especially the sentence "(...) the expectation that end users should or can bear the sole responsibility for their own personal online security is no longer a tenable proposition".

The committee acknowledges that government institutions and private-sector organisations (such as IT manufacturers, Internet Service Providers and web hosting companies) should all be involved in securing the Internet.

This is in line with the view that Norman expressed in our security article of November 2008 - Fighting malware on two ends. To combat cyber crime as effectively as possible, one cannot rely solely on protecting end users. Effective protection of the Internet's hubs and infrastructure requires that several stakeholders are involved.

The report includes 34 recommendations. Some examples are:

  • a national coordination point to oversee the broader strategy,
  • a national cyber crime reporting centre, enabling a one-stop-shop to report cyber crime,
  • better coordination and training for law enforcement agencies,
  • public-private information sharing on a wider range of cyber crime types.

A controversial recommendation

One of the recommendations (No 14) immediately caused some controversy (Norman's emphasis in bold below):

That the Australian Communications and Media Authority take the lead role and work with the Internet Industry Association to immediately elaborate a detailed e-security code of practice to be registered under the Telecommunications Act 1997 (Cth).

That the code of practice include:

  • an obligation that the Internet Service Provider provides basic security advice when an account is set up to assist the end user to protect themselves from hacking and malware infections;
  • a mandatory obligation to inform end users when their IP address has been identified as linked to an infected machine(s);
  • a clear policy on graduated access restrictions and, if necessary, disconnection until the infected machine is remediated;
  • the provision of basic advice and referral for technical assistance for remediation; and
  • a requirement that acceptable use policies include contractual obligations that require a subscriber to:
    • install anti-virus software and firewalls before the Internet connection is activated;
    • endeavour to keep e-security software protections up to date; and
    • take reasonable steps to remediate their computer(s) when notified of suspected malware compromise.

One of the committee's members disagreed with this final bullet of recommendation 14. 

The Australian security specialist, Alastair MacGibbon, on the other hand agreed with the committee's majority that this recommendation was a good idea. Quoting from an article in The Sydney Morning Herald:

MacGibbon acknowledged the measure might sound harsh but noted that we expect this level of regulatory approach in the offline world, likening it to car safety regulations such as those forcing people to wear seatbelts.

"We know that anti-virus and firewalls and patching systems and all those other things reduce the likelihood of things going wrong; if we know that those things will protect us, why is it that as a nation we aren't mandating those systems be installed on computers and maintained?" he said.

Some Pros and Cons

Enforcing security does equal better security (at least in this case)

It is probably correct that if Internet users are forced to install security programs (in this case antivirus and firewall) before they are allowed to access the Internet, this will in general enhance security on the average end user's computer.

Most of us are law-abiding citizens and will not go to great lengths to circumvent this requirement by attempting to trick the Internet Service Provider (ISP).

Nor is it likely that many who already have such software in place will remove it and trick the ISP just because they are ideologically opposed to the requirement being made mandatory.

Personal freedom

Legislating everyday tasks vs. the freedom of the individual is a never-ending battle between two conflicting points of view. The consensus seems to be that "somewhere" in between the two extremes is most sensible.

The issue discussed here is a typical one where some will argue that it is up to each and every person if - and even more importantly - how he chooses to protect himself.

It may be argued however, that this is not only a question about self-protection. An infected computer represents a threat not only to the owner, but also to others that this computer is able to reach, and indeed the Internet community in general. An analogy is a person who becomes infected with a virus; he might be quarantined not only for his own protection, but to protect members of his community from infection.

Another aspect of the personal freedom issue is that for such legislation to be effective, the ISP needs to have some kind of technology in place to check whether a computer is protected by security software or not. This may be viewed by some as tampering with personal information that is not the ISP's business.

Some may also fear that if such a requirement is mandatory, only some pre-qualified security software packages will be accepted among the plethora of security software that exists. Presumably well-known vendors' solutions might be those recommended or allowed.

Who pays?

This is not discussed in the report, and may obviously be part of the debate.

Seen from the community's point of view, the most economically sound option is probably that governmental institutions enter into agreement(s) with security software vendors, as this has the potential to result in the best deals (per piece of software).

The second best option, from a purely economic view, is that the ISPs enter into such agreements on behalf of their customers. They are able to negotiate better agreements (one would presume) than each and every individual.

The least optimal seen from a socio-economic point of view is that each person chooses his preferred security software. On the other hand, this will give the individual more personal freedom (which is seen as advantageous by most).

Whatever is chosen as a model, it is obvious that this will be an extra cost for someone. The counter-argument is that this will be less expensive than not protecting, and thus allowing more to be victims of computer crime.

Security software needs frequent updates

These days more than ever, security software needs frequent updating in order to protect users sufficiently. Several tens of thousands of malicious programs are created each and every day, and the antivirus vendors publish new virus signature files frequently to keep their customers updated.

This introduces a special problem, as the security obtained by having an antivirus product installed rapidly declines towards zero unless the program is continuously updated.

How this updating requirement should be taken care of is a challenge with the committee's recommendation.

Multi-layered defense

As we mentioned in the beginning of this article, it is wise to combat cyber crime from different angles. From this perspective, tightening end user security is one building block in a multi-layered defense structure.

Final words

Regardless of one's view regarding the issue of mandatory antivirus and firewalls, the Australian report is very interesting reading. It is highly recommended for those who wish to get a broader overview of the Internet's threats as perceived by a nation's point of view, and the mitigating elements that are up for discussion and evaluation.
