E-crime presents as one of the major challenges of the future to Australasian law enforcement. Equally, it is a major consideration for business as it strives to maintain competitiveness in a global marketplace and attempts to capitalise on the enormous potential benefits of electronic commerce. Addressing security issues is a key policy initiative that will assist in the development of e-business in Australia.
The issue of e-crime is dynamic and complex and is emerging as a critical issue of good corporate governance for the private sector. Cyberspace is transforming business models. The Internet is the driving force, creating new opportunities for growth through increased globalisation, new products and services approaches, greater speed to market, and enhanced cost-competitiveness (Deloitte Touche Tohmatsu 1998).
My presentation to you today will attempt to alert you, or to increase your awareness of, the very serious issues at stake in relation to online security.
My presentation will also outline the proposed policing response to security and electronic crime issues and how this will assist Australasian business. The paper will highlight the necessity for cooperation and coordination between the public and private sectors in enhancing security and hence preventing and reducing electronic crime by:
- defining the nature of the problem;
- exchanging information and intelligence;
- jointly developing and sharing resources and expertise;
- achieving a mutual understanding of what can and cannot be achieved;
- bringing common and critical issues to the attention of governments.
My paper will emphasise the fundamental importance of prevention and partnerships.
Significant efforts are being made within policing to understand the business environment so that we can work with the private sector to facilitate the uptake of new technologies and contribute to profitability, shareholder value and economic growth.
Failures in this area for the private sector can result in extensive financial damage and cost organisations heavily in terms of lost business opportunities.
Some topical issues which have significant implications for Australian business include:
- electronic commerce;
- business interruption (such as those brought about by Denial Of Service (DOS) attacks);
- security of business information (including intellectual property); and
- enhanced ability to manipulate the stockmarket and share values.
The Corporate Context
It is fully recognised that company directors owe a fiduciary duty to the company and Baxt explains this as (2000, pp.25-26):
A "fiduciary" duty has been defined by the High Court of Australia as the duty to act with fidelity and trust to another. That is, the director must act honestly, in good faith, and to the best of his or her ability in the interests of the company. The director must not allow conflicting interests or personal advantage to override the interests of the company. The company must always come first.
This immediately creates a degree of tension between the private sector and policing, the latter owing its primary duty to the community.
However, Baxt goes on to highlight the concept of 'corporate citizenship' (2000, p.26):
Moreover, the company operates in a social and physical environment, which introduces the concept of corporate citizenship. There are many legal responsibilities in this context. The company must observe trade practices, environmental, occupational health and safety laws and a myriad of other rules. Finally, without customers, there is usually no company. A director should have regard to all these factors if the company is to operate successfully.
A recent Ernst and Young survey of more than 150 large to medium sized Australian companies found that the largest 'confidence gap', that is the gap between the level of concern and how well companies believe those risks are being managed, was 'environmental risk' (2000a, p.7). The report comments (2000a, p.7):
This issue was not on the radar screen in the previous survey and reflects growing awareness by companies of the importance of becoming better corporate citizens. Evidently company executives are taking a new look at environmental risk factors as investors demand higher standards from companies in terms of environmental and social reporting.
It would appear reasonable to appeal to companies to demonstrate good 'corporate citizenship' in the area of security and electronic crime, so as to prevent and reduce the incidence of this phenomenon in order to create a safer and more secure community. However, it is becoming clear that security is emerging as an issue central to good corporate governance.
Security and e-crime present as both potent market and investor issues. Business and its leaders need to understand that e-crime is not a technical issue but a core corporate issue of increasing significance. It is first and foremost about business and not technology (Deloitte Touche Tohmatsu 1998). It is not an issue for IT Managers or Chief Information Officers but rather an issue for owners, managers and directors and the whole organisation. Indeed, integrated strategies will be required in the form of philosophies, policies, procedures, and practices, implemented through defined action plans (KPMG 2000, p.13).
E-crime is a very real issue of responsive corporate governance.
The Environment and Nature of the Problem
It is useful to consider the current and future environment in which we all must operate. In this regard, the Australasian Centre for Policing Research (ACPR) has recently completed a technology environment scan for Australasian policing (Rees 2000).
As most of us are aware, Australia has been avid in its uptake of technology and is among the leading nations in terms of key measures of Internet infrastructure, penetration and activity (NOIE 2000a, p.4). The most recent National Office for the Information Economy (NOIE 2000b) report entitled 'The Current State of Play' provides the following points of interest:
- In the year to May 2000, an estimated 46% of adult Australians accessed the Internet (NOIE 2000b, p.8).
- In the year to May 2000, an estimated 33% of Australian households had home Internet access (an increase of 135% since May 1998) (NOIE 2000b, p.8).
- 802,000 Australian adults (or 6% of all Australian adults) shopped via the Internet in the 12 months to May 2000, an increase of around 152,000 adults over the year preceding May 1999 (NOIE 2000b, p.5).
- Internet banking and online bill payment increased 810% between May 1998 and May 2000 (NOIE 2000b, p.6).
This rapid increase in the use of computer technology has facilitated Australia's participation in the emerging Information Economy but also increases its exposure to security and electronic crime issues. The very features that have made us so dependent upon new Information Technology - ease, access and low cost - are also what makes us so vulnerable (James & Cooper 2000, p.53).
In the business context it has been stated that (KPMG 2000, p.2):
With the growth of e-business, internal and external perpetrators can exploit traditional vulnerabilities in seconds. They can also take advantage of new weaknesses - in the software and hardware architectures that now form the backbone of most organizations... [V]ulnerability to electronic crime grows as organizations are increasingly connected to, and reliant on, individuals and systems they do not directly control.
Whilst estimates vary, it was predicted that by the end of 2000, there would be 900 million people using the Internet, increasing at the rate of 1.7 million new users per day (Berwick 1999, p.7 citing: www.intergov.org/public_administration/information/latest_web_stats.html). In addition, it would appear that users are becoming more active.
The use of the Internet will continue to evolve and grow in many areas including (California High Technology Crime Advisory Committee (CHTCAC) 2000, p.26):
- electronic commerce;
- online banking;
- drug stores with prescription services;
- health care services and records; and
In Australia, NOIE reports that electronic marketplaces are emerging in the pharmaceutical, automotive, office products and superannuation industries (NOIE 2000c, p.iii). Industries reported to have some investment in B2B commerce include the Commonwealth Government (for both their customers and suppliers), Customs, telcos, finance, QANTAS, supermarkets, and content providers (eg. media, video etc.) (NOIE 2000c, p.37).
Technology, particularly Information Technology, is clearly becoming more pervasive in our society. We are already reading about the establishment of a national database of electronic health records for all Australians (Van Dijk 2000a, p.1). These developments are occurring at a time when community members are becoming more concerned about information security and infringements of their privacy. Indeed, it has been reported that 56% of Australians are worried their privacy is being invaded by new technologies (Coorey 2000).
The issue of privacy is also gaining increased attention as incidents highlight deficiencies in current protection regimes and the ability of the private sector to amass a wealth of information on individuals.
Of particular relevance to business is the issue of security. One Australian organisational survey found that, among the different risks associated with electronic commerce, information security topped the list of concerns with 72% of respondents worried about this aspect of the new business channel (Ernst & Young 2000a, p.3).
Concerns in this area can be divided into issues of access control and concerns about information and transaction security (NOIE 2000c, p.14).
Breaches of security can certainly be newsworthy and potentially very damaging to companies. Theft of credit card numbers, for example, is frequently in the media.
In the largest known case of cyber theft, a hacker stole 485,000 credit card numbers from an e-commerce site and secretly stored the information on a US Government agency's web site (The Australian, 21 March 2000).
Creditcards.com was hacked, and 55,000 card numbers were held hostage for $100,000. When the extortion attempt failed, the hacker posted the card numbers on the Web. The company has since put up a web site where merchants and customers can check for fraudulent transactions (Berinato, ZDNet, 17 December 2000).
Fraud is an issue which is facilitated by such breaches of security. This type of crime (including forgery and false pretences) has already been found to be the most expensive crime in Australia, costing the Australian community in monetary terms up to $3 to $3.5 billion per year or 15.3 to 17.9% of total crime costs (Walker 1997, p.6). The enormous potential for growth in this area, particularly the impact of e-technologies, was recognised by the Australasian Police Ministers Council (APMC) at its meeting in Perth in July 2000. As a result, a national project is being undertaken to examine the possibility of a national approach to fraud control to ensure that fraud is addressed in a systematic, coordinated and standardised way.
Consider for a moment that a web site operated by Harvey Norman reportedly had to be shut down because a quarter of the orders placed on it were on stolen credit cards (The Advertiser, 30 August 2000, p.13). In addition, a recent study found that 12 times more credit card fraud occurred on Internet transactions than on conventional sales (The Advertiser, 30 August 2000, p.13). Another global report found that e-commerce firms were reporting up to 25% of online transactions as fraudulent, with the average being 5%.
It needs to be recognised that the risks faced by e-businesses are not the same as those faced by storefront operations. The differences are not only in method but also in scale and geographical distribution (Deloitte Touche Tohmatsu 1998).
In relation to the importance of information security, a computer expert from The Netherlands stated (cited in KPMG 2000):
Now that most transactions and exchanges have become electronic, you really don't need to be an expert to predict that this will become, or already is, a crime generator. What is relatively new is the value of business information. We see a tendency for rising criminal activity in this field. Not only the theft of information, but also the threat of making information public.
Janet Reno, the former US Attorney General, at a recent symposium on protecting Intellectual Property in the Digital Age, referred to the increasing volume and sophistication of Intellectual Property Crime (including the involvement of organised crime) and stated that (2000):
Those who would profit from the research and development efforts of our best and brightest find havens to manufacture and ship infringing products halfway around the world because the profits are sure and the threat of getting caught is low or non-existent.
Despite these evident risks, it is clear that enormous benefits will flow from the utilisation of computer technology, including such things as electronic commerce. For instance, NOIE's report on e-commerce beyond 2000 suggests that e-commerce initiatives in Australia could bring about a '2.7% increase in the level of national output, and enhance consumption by about A$10 billion within the next decade' (NOIE 2000d). It has also been predicted that e-commerce will be worth $1.6 trillion to the Asia/Pacific region by 2004 (Gosnell 2000).
The computer has become an integral part of our way of life. However, as our dependency on computer technology increases, so too does our vulnerability. This vulnerability and associated implications, including disruption to business and the possible loss of trust and confidence, were clearly demonstrated in recent times with:
- the distributed denial of service attacks on Yahoo, Ebay and other major Internet players;
- the security breach in Australia involving the ABN/GST web site (Van Dijk 2000b);
- the 'Love Bug' virus (or ILOVEYOU worm); and
- the denial of service attacks on the St George Bank in September 2000 (Kaye 2000, p.1; Spencer & O'Brien 2000, p.29).
The 2000 ABN/GST incident
A student known variously as K2 and Kelly exposed a glaring security breach in the Australian GSTAssist web site. Simply by typing in a string of numbers, K2 was able to access the records of more than 20,000 GST-registered providers, including their bank details. He alerted more than 17,000 of the providers by emailing their confidential details to them. K2 rejected the notion he was a hacker, saying it involved no cracking but was a wide open security flaw (Dancer 2000, p.76).
Global connectivity means that havoc can occur, in a very short timeframe, throughout the world. New criminal opportunities have been created by the development of electronic media. Denial of service attacks, viruses, unauthorised entry, information tampering, cyberstalking, spamming, 'page-jacking' and computer damage are relatively new types of offending or undesirable behaviour that did not exist in the pre-computing environment. Likewise, the development of computers has created new opportunities for services theft, manipulation of the stockmarket (through ramping up of stock prices and 'pump and dump' schemes using the Internet), software piracy, and other thefts of intellectual property.
The Emulex case
This case involved a $US2.5 billion (or 1.7 billion pounds) hoax of chilling simplicity and demonstrated Wall Street's vulnerability to Internet-based fraud. In August 2000, a computer networking company called Emulex watched in horror as its shares lost 62% of their value at one point, wiping more than 1.7 billion pounds from its stock market value. Investors were reacting to a press release that was posted on the Internet at about 9.30 am, announcing that the company's chief executive had resigned, that its recently reported fourth-quarter results were to be restated, and that Emulex was under investigation by the US Securities and Exchange Commission. These claims were all false but the company was hit by an immediate wave of selling. When Emulex announced that the press release was utterly false, the shares recovered most of their losses, but closed more than 6% down (Jones 2000).
The Rentech Inc. case
In this classic 'pump and dump' scam, two persons were involved in posting messages on US bulletin boards such as Yahoo! and Raging Bull that said the price of Rentech, a US biotech stock, would increase by 900 percent over the next few months. Similar messages were sent to 4 million email addresses in the US, Australia and other markets. On the first Nasdaq trading day after the messages were sent, Rentech's share price doubled. One of the two then sold his 65,500 shares, making $17,000 profit. The incident led to an investigation involving both Australia's ASIC and the US Securities and Exchange Commission which ultimately led to the conviction of one offender and the charging of another (Fenton-Jones 2000).
The spread of computer culture and 'IT-literacy' in society can be expected to raise the IT skills and capability of both younger generation criminals, and the awareness of all criminals to the possibilities for committing 'cybercrime' (National Criminal Intelligence Service (NCIS) 1999, p.20).
In relation to offenders, employees and insiders have been the largest threat to organisations. Hence, computer crime is often referred to as an 'insider crime'. In fact, a recent international fraud survey found that 82% of all identified frauds were committed by employees, almost a third of which were by management (Ernst & Young 2000b, p.1). However, as advances continue to be made in remote data processing, the threat from external sources will probably increase. With the increasing connectedness of systems and the adoption of more user-friendly software, the sociological profile of the computer offender may well change (United Nations (UN) 1999, p.9).
It has been suggested too that the threat of the lone computer hacker is giving way to the more alarming trend of 'hacker collectives' and the advent of organised cyber-insurgency (James & Cooper 2000, p.52). Consider for a moment that one collective, 'L0pht', testified before a US Congressional investigation that they could halt all Internet activity within 30 minutes (James & Cooper 2000, p.53).
Computer technology also provides an effective tool for terrorists and foreign intelligence organisations. As James and Cooper state (2000, p.53):
The Internet provides activists, from the protestor to the hardened terrorist, with the means to apply a full range of tactics, including protest and blockade, disruption and destruction, potentially leading to the loss of life. The 'cyber option' not only enhances the traditional roles and traits of terrorism, but also offers new forms of attack and a range of targets hitherto unavailable.
Because many telecommunications networks, such as the public telephone network and the Internet, are now connected globally, there is an international dimension often added to the offending. It has been suggested that with modern mobile devices such as laptop computers, mobile phones and modems, crimes can now be committed anytime anywhere, with the potential scale of the crime scene and the impact of the offending potentially the entire network-connected world (Bliss & Harfield 1998).
Another dimension to the issue of the electronic crime problem, which we all need to be aware of, involves threats to the National Information Infrastructure (NII). The NII is the grouping of information networks whose operations form the core of our political, strategic and socio-economic well-being as a society. The key industry/functional groupings within the NII are:
- banking and finance;
- transport and distribution;
- energy and utilities (electricity, oil, gas and water);
- information services; and
- other critical government services including defence and emergency services.
Clearly we need to work together to address these numerous and diverse threats. The Commonwealth Government recently stressed that information security is a major priority (Senator the Hon Richard Alston & The Hon Daryl Williams, 2 February 2001). It has also announced new initiatives, such as the E-Security Coordination Group and the Critical Infrastructure Priorities Group, to increase protection of the NII.
E-crime presents some unique challenges because of characteristics such as:
- Global reach (including issues of jurisdiction, disparate criminal laws and the potential for large scale victimisation);
- The speed at which crimes can be committed;
- The potential for deliberate exploitation of sovereignty issues and cross-jurisdictional differences by criminals and organised crime; and
- The volatility or transient nature of evidence, including no collateral or forensic evidence such as eyewitnesses, fingerprints or DNA.
Electronic crime is variable in its manifestations, so it is difficult to discuss in terms of aggregate incidence and impact. This inability to accurately define the nature of the problem is not helped by the fact that currently no statistics on computer crime are maintained by Australasian police. Unfortunately, definitive information on the present extent and impact of electronic crime both in Australia and overseas is not available. A significant amount of this crime is simply not reported and some may not even be detected. This lack of reporting is in part because of a great reluctance to notify incidents to law enforcement authorities so as to avoid any potentially adverse impact on consumer confidence or share price, or perhaps because of a lack of confidence in law enforcement to deal with such issues in a timely or effective way.
Two major surveys on computer crime have been conducted in recent years in Australia: one in 1997 by the Office of Strategic Crime Assessments (OSCA) and Victoria Police, the other in 1999 by the Victoria Police and Deloitte Touche Tohmatsu.
The 1997 survey claimed that Australian industry was 'under threat'. A representative sample of over 300 Australian companies was surveyed. Of the respondents, 37% had experienced some form of intrusion or unauthorised use of computer systems in the last 12 months. Nearly 90% of companies that had experienced computer-related incidents had been subjected to attacks from sources internal to their own organisation. Over 60% were subjected to intrusions from external sources (meaning that a significant number of companies had been subjected to attacks from both employees and outsiders). Some of the issues highlighted included (OSCA & Victoria Police 1997):
- Australian industry was subject to a significant level of computer security incidents at a rate comparable to the US;
- The threat from outsiders appeared to be growing;
- A primary target of attacks was Australia's banking and finance industry, which was also a critical component of the NII;
- There appeared to be a direct correlation between increasing dependence on sophisticated information technologies and a growing level of vulnerability to attack.
The 1999 Computer Crime and Security Survey was sent to the 350 largest Australian companies in November 1998. The key findings included (Deloitte Touche Tohmatsu & Victoria Police 1999):
- One third of the companies surveyed reported an attack in the last 12 months;
- 83% of those companies that reported being aware of an intrusion had been attacked from an internal source and 58% had been attacked from an external source;
- Of those companies that were attacked, 42% did not report the incident outside the company;
- Attacks against organisations appeared to be random and opportunistic, in that only 12% of those attacked suffered losses in excess of $10,000;
- According to respondents, the most likely motivation for an attack was curiosity (71%);
- The attacker was most likely to be a disgruntled employee or an independent hacker.
In the 1999 survey, companies were concerned that attacks would become more organised and premeditated. Hacking remained as the greatest concern for the future (at 64%). While the responses indicated that attacks at that time were essentially random and motivated by curiosity, a significant number of organisations were concerned that this was not going to remain the case (Deloitte Touche Tohmatsu & Victoria Police 1999, p.16).
Another survey, conducted in the US, titled 'The 2000 Information Security Industry Survey', which involved a survey of nearly 2,000 high-tech and infosecurity professionals (Campbell 2000), found that companies needed to devote more attention to 'cybersabotage', as well as hacking. Nearly twice as many companies experienced insider attacks, such as theft, sabotage or intentional destruction of computer property, as compared to 1999. Meanwhile, 41% more companies had to deal with employees who intentionally disclosed or destroyed proprietary corporate information.
The same US survey found that the number of companies spending more than $US1 million a year on computer security had nearly doubled in 2000, compared with 1999, yet internal and external security breaches continued to rise, because of employee carelessness and increased hacker activity (Campbell 2000).
On the issue of reporting, the 1999 Australian survey indicated that the main reasons that companies would be prepared to contact law enforcement agencies were for prosecution and recovery of losses (Deloitte Touche Tohmatsu & Victoria Police 1999, p.15). This is in contrast to a major international fraud survey which found that a major factor was that organisations wished to investigate the full extent of the problem, along with the desire to demonstrate fraud would not be tolerated, as opposed to seeking recovery of losses/assets (Ernst & Young 2000b, p.1).
Indications are that electronic crimes are more than likely on the increase. For instance, AusCERT (the Australian Computer Emergency Response Team), Australia's peak agency assisting in the prevention of computer based attacks, has confirmed that Australia has seen a dramatic rise in the number of reported cyber incidents.
In 2000, a total of 8,197 computer security incidents were reported to AusCERT, representing a four-fold increase on the number reported in 1999 (University of Queensland 2001). Such incidents were commonly either network scans, viruses or distributed denial of service attacks. The statistics provided by AusCERT for the last 3 years are of concern as they demonstrate an alarming increase in the incidence of such incidents:
However, we are still lacking comprehensive data on the nature of the problem.
The former US Deputy Attorney General, Mr Eric Holder, recently stated (KPMG 2000, p.4):
How big is the computer and high-tech crime problem? We simply don't know. We do know that computer crime costs industry and society billions of dollars every year. There is substantial evidence computer crime is increasing in scope and in complexity. And we know that, left unchallenged, computer crime will stifle the expansion of electronic commerce and, potentially, pose a serious threat to public health and safety, particularly when we look at the vulnerability of critical infrastructures, such as the air traffic control system, the power grid, and national defence systems - all of which are totally dependent on computer networks.
We are clearly witnessing exponential growth in the uptake of technology and the use of the Internet. It is reasonable to assume that such growth will be accompanied by an increase in the incidence of electronic crime, as well as developments in the area of the scope and complexity of such crime. At this point in time, it is difficult to know what is occurring in this area due to a clear reluctance by industry and others to report many electronic crimes to police.
Recent incidents such as the DOS attacks in 2000 and the Love Bug virus/worm have demonstrated that significant vulnerabilities exist on a global scale.
It is interesting to note that a March 2000 survey in the US suggests that consumer confidence in online shopping had been hurt as a result of attacks on prominent sites (http://www.washingtonpost.com/wp-srv/Wplate/2000-03/02/2141-030200-idx.html; cited in KPMG 2000, p.9):
A third of online consumers overall said they might be less likely to make a purchase via the World Wide Web in light of recent news events...Nearly seven in 10 online shoppers contacted in the telephone poll said they were concerned or very concerned by news of attacks that had blocked access to such Web sites as Yahoo and Amazon.
There is certainly scope for growth in the use of the Internet for electronic commerce (NOIE 2000e, p.6). It is reported that only 6% of the total adult Australian population or 13% of Australian adults accessing the Internet actually order or purchase goods or services via that medium (NOIE 2000e, p.6). In addition, a recent Ernst & Young Special Report on Internet Shopping in Australia (cited in Ernst & Young 2000a, p.11) found that 50% of online shoppers cited credit card security on the Internet as their prime concern compared to 19% in the US and 24% in the UK.
Ernst & Young found that an organisation must establish an environment of trust and understanding within the enterprise and with its customers, business partners and shareholders. Their research showed that addressing issues of risk, security, reliability, trust and assurance were critical to success in the marketplace (Ernst & Young 2000a, p.11).
The early warning signs mentioned above simply cannot be ignored.
Caragata (2000) carried out extensive research into hundreds of the great industrial and commercial disasters of the 20th century, including, for instance:
- Titanic sinking (North Atlantic 1912);
- Hindenburg Zeppelin explosion (US 1937);
- Union Carbide pesticide disaster (Bhopal, India 1984);
- Chernobyl nuclear disaster (Ukraine, 1986).
Ignoring early warning signs was a key, consistent causal factor across all the major industrial and commercial disasters, along with other factors. Caragata (2000, p.38) goes on to describe the 'footsteps to disaster' or the four principal structural deficiencies which lead to such disasters as:
- inadequate electronic monitoring and poor quality information;
- inadequate back-up or fail-safe systems;
- inadequate funding for an early warning system; and
- weak risk standards.
It could be argued that these structural deficiencies currently exist in Australia in relation to electronic crime.
The Policing Response to Date
Commissioners of Police of Australasia have recognised that unless law enforcement acts quickly, society and our quality of life could be seriously affected by unchecked electronic crime.
Commissioners of Police at their March 2000 Police Commissioners Conference, the theme of which was 'Crime @ the speed of thought', decided to firmly place the issue of electronic crime on the law enforcement agenda and to urgently develop a strategy to enable a timely and effective policing response to future issues and challenges. To this end, the Conference formed a Steering Committee of four Commissioners of Police and a Working Party, chaired by the Director of the ACPR.
The Steering Committee consists of Commissioner Mick Palmer (AFP) as Chair, Commissioner Mal Hyde (SA Police), Commissioner Barry Matthews (WA Police) and Commissioner Robert Robinson (NZ Police).
A Working Party was formed with delegates from various jurisdictions/agencies. The core tasking for the Working Party was to develop a draft law enforcement strategy on first priority matters which addressed such issues as:
- the formation of strategic and effective partnerships, including the potential for resource sharing;
- legislation and regulation;
- skills acquisition, development and retention;
- national and Australasian forensic computing capacities;
- training and education; and
- coordination and cooperation, nationally and internationally, in the utilisation of resources.
The Steering Committee requested the Working Party to scope out the nature of the problem prior to the development of any strategy.
In September 2000, the Working Party finalised and published a comprehensive and detailed report entitled 'The Virtual Horizon: Meeting the Law Enforcement Challenges' (Police Commissioners Conference Electronic Crime Working Party 2000). This report is now a public document and is available at http://catalogue.nla.gov.au/Record/2187758. Copies of this document have also been provided for the information of conference participants.
The scoping paper recognised that the issue of regulatory and legislative reform is a critical one and that such reform at the jurisdictional, national and international levels will clearly be required to effectively address electronic crime issues.
In relation to training, it was recognised that much more needs to be done to ensure that all law enforcement personnel have a basic understanding of search and seizure issues in relation to electronic evidence, for instance. There is also a need for more advanced training for those involved in the investigation of electronic crime and for specialist training for a cadre of expert staff involved in the forensic computing area.
Similarly, efforts need to be directed to establishing and facilitating the exchange of information and intelligence between policing and the community, as well as the private sector, in order to detect, prevent and respond to electronic crime. Initiatives of the National Infrastructure Protection Center (NIPC) in the United States, such as Outreach and InfraGard, are instructive in this regard (NIPC n.d.). Issues of security, timeliness, confidentiality and flexibility of police response are factors that need to be considered.
Recent initiatives in this area are also of interest. It was reported in January of this year that a group of 19 technology vendors in the United States announced the formation of an alliance that is supposed to provide a conduit for sharing information about viruses and other potential threats to corporate and government computer networks (Verton 2001). Plans for the IT Information Sharing and Analysis Center (IT-ISAC) were detailed by government officials and participants such as Cisco Systems, Computer Sciences, IBM, Hewlett-Packard, Microsoft, and Oracle. Their goal is to set up a secure mechanism that companies can use to exchange information about security vulnerabilities with each other and government agencies. The new virtual data-sharing centre will be oversighted by a Board of Directors drawn from many of the founding members. The formation of the IT-ISAC was described as 'a giant step forward in the protection of the nation's information networks'.
Interestingly, the IT-ISAC is the fourth such private sector alliance to be formed in the US, joining similar initiatives in the banking, electricity and telecommunications industries (Verton 2001).
On another issue, skills acquisition and retention, particularly in the form of specialist forensic computing staff, will be increasingly difficult as policing competes with the private sector and the market dictates high prices for such expertise. The 'brain drain' issue will continue to present a significant challenge for policing as our experts are lured elsewhere.
Another capability issue which is examined in the scoping paper is the current state of police forensic computing capabilities, as well as the need for a national capability. It will be essential to have a national or Australasian capability to deal with complex and multijurisdictional cases, to achieve economies of scale, and to either identify or develop international best practice in this area.
Following on from the scoping exercise, an analysis was undertaken and a law enforcement strategy developed. The vision for the strategy is 'A safer and more secure community'. The document is currently in the process of receiving final endorsement from Police Commissioners and will be formally considered by them, along with implementation issues, at their annual Conference at the end of March 2001. The Australasian Police Ministers Council (APMC) will also be briefed on developments in this area.
At this stage, the strategy identifies 5 important focus areas, which are inextricably linked and will have limited impact unless dealt with collectively. They are:
- Education and Capability;
- Resources and Capacity; and
- Regulation and Legislation.
Complementary workplans which address each of these focus areas have also been developed and action will be taken to implement the various taskings, once the documents have been endorsed by all Commissioners.
The Role of the Private Sector
Fighting electronic crime will be expensive and there would be clear benefits in the strategic sharing of scarce resources, such as training opportunities, equipment and expertise, and a mutual understanding of what can and cannot be achieved.
The role of the private sector will be a critical issue in any response to electronic crime. The sector has a legitimate leadership role in the response to electronic crime and there is scope to increase the current role for the benefit of all parties, particularly in relation to defining the nature of the problem, and exchanging information and intelligence.
Prevention, including responsible risk management and information security management (Standards Australia 1999; Standards Australia/Standards New Zealand 2000a & b), will be a key issue. Both public and private sectors must be encouraged to recognise vulnerabilities and to implement appropriate safeguards. Security will involve implementing protection against threats to confidentiality, integrity or availability of systems and data.
Adequate attention to security does seem to be an issue. The 1999 Australian survey referred to above found that most of the companies surveyed (62%) had a security policy. However, the policies were commonly of a general nature and specific processes and procedures needed to effectively manage security threats were frequently not in place (Deloitte Touche Tohmatsu & Victoria Police 1999, p.2). The survey also found that 11% of Australian companies that responded were connecting to the Internet without a security policy (Deloitte Touche Tohmatsu & Victoria Police 1999, p.6). Such findings are cause for concern.
Prevention must be a major thrust of any electronic crime strategy; otherwise, the private sector and law enforcement agencies run the risk of being thwarted or overwhelmed by this type of crime.
Partnerships, which are genuine, mutual and cooperative, will be essential. We must simply work together if we are going to tackle this issue head-on.
As Janet Reno stated (2000):
[W]e're going to have to match wits with some of the most sophisticated criminals in the history of the world. We're going to have to know the technology and we're going to have to know the law that goes with the technology. Let us make sure that we form partnerships between the public and private sector as they have never existed before, that will enable us to solve these sophisticated criminal problems that we will see again and again. Law enforcement will not be able to do it by itself. We will require a partnership as we have never had before. But I think that partnership will redound to the benefit of us all.
Where to From Here
It is becoming more and more evident that strong leadership is required in the area of online security and electronic crime to ensure public safety and security, and to realise the enormous economic and social benefits that will flow from the uptake of technology and increased participation in electronic commerce. Such leadership in the private sector will be essential to business and consumer confidence, the containment of fraud and business continuity.
Policing recognises that private sector leadership is the overriding policy principle in relation to growth in electronic commerce and that a guiding principle is self-regulation. It is also appreciated that there is a fear or strong perception in some quarters that law enforcement will favour a 'big stick' or heavy-handed approach and hence the compliance costs for industry will be high and the benefits of going online or doing business electronically will be significantly diminished. Policing recognises the importance of self-regulation wherever possible, and sensible regulation or co-regulation where necessary.
Law enforcement is conscious of the need to approach this issue in non-threatening management terms or good business practice in order to persuade government and the private sector, in particular, of the vital role to be played by law enforcement in providing a credible and robust information economy.
Law enforcement is only one of the key players in this area and a coordinated and determined approach will be required across a number of sectors. This may sound like a familiar refrain, but the issue of electronic crime will amplify the need for such interaction and coordination.
As a starting point, there needs to be greater awareness of the importance of law enforcement and security issues in relation to the information economy. For instance, these matters do not presently receive the detailed treatment they deserve in key policy documents such as Australia's Strategic Framework for the Information Economy (NOIE 2000f). Awareness within both the public and private sectors, and amongst consumers, needs to be addressed.
At a national level, policing will need a capacity to strategically assess and prioritise, and perhaps allocate, e-crime taskings to various agencies. This is lacking at present. Such deficiency could lead to unnecessary duplication of effort or the compromise of the integrity of an investigation. It also means that there is little capacity to detect low value/high volume fraud, organised crime and international scams.
The method of prioritisation will also need careful attention to accommodate legitimate private sector needs. Nevertheless, it needs to be recognised that resources will never be available for the complete policing of all crimes, including some electronic crimes.
A comprehensive, flexible and holistic strategy will be required and strategic and effective partnerships with the community and the private sector will be absolutely essential. As indicated previously, such partnerships must be genuine, mutual and cooperative.
Law enforcement and the private sector need to come together and work through their respective needs and expectations and arrive at a mutual understanding on what can realistically be achieved in any such partnerships.
Policing fully realises that it will need to rely more heavily on the private sector to assist in what has previously been perceived as core business. For instance, it may be necessary to give serious consideration to some outsourcing of forensic computing tasks, given the current level of expertise within the private sector and the continuing 'brain drain' within law enforcement. Similarly, the use of joint taskforces and the establishment of essential infrastructure as joint ventures (as has occurred with the NIPC in the United States) may need to be further explored.
The establishment of a national centre for cybercrime as a joint venture between governments and the private sector may be worthy of further exploration.
Fighting electronic crime will be an expensive endeavour and a significant commitment (and an injection of resources) from governments will eventually be required to address what constitutes 'new business' for policing. This is not just about a realignment of existing effort. The 'new business' will be characterised by new forms of crime, a far broader scope and scale of offending and victimisation, and challenging technical and legal complexities.
The support of the private sector will be important in the area of prevention and in persuading governments of the need to build an effective prevention and response capability in this critical area. We cannot afford to ignore the recent warning signs like the denial of service attacks, both here and overseas, and the 'Love Bug' virus/worm.
For the private sector, online security and e-crime present as both potent market and investor issues. Business and its leaders need to understand that e-crime is not a technical issue but a policy issue of increasing significance. It is an issue central to responsive and responsible corporate governance and to good corporate citizenship.
The challenge of e-crime is real and immediate. As KPMG states (2000, p.5):
Many do not realise that the same technological advancements that have enabled business growth and innovation are also available to facilitate cyber misbehaviour. In addition, organizations may not yet fully understand that protecting assets in the virtual world is a more complex and exacting endeavour than protecting assets in the physical world.
The identification, assessment and management of 'eRisk' (Ernst & Young 2000a) is a key part of doing business. Indeed, business can turn e-crime preparedness, or effective security, into a new competitive advantage.
Converting email users into e-tail shoppers on the Internet has already been hailed as the key to taking e-commerce in Australia to the next stage of development (Van Dijk 2000c). It needs to be recognised that police can play an important role in achieving this transition by deterring would-be offenders, investigating and prosecuting those who exploit the system and engendering trust and confidence in cyberspace throughout our community.
Clearly, we must work together as we have never done before. Our increased awareness of e-crime and security issues now needs to be translated into timely and effective action. It is only with the leadership, cooperation and assistance of the private sector that success in this area will be achieved.
References
Alston, Senator the Hon Richard & Williams, The Hon Daryl 2001, 'Information Security - A Major Priority', Joint Media Release, 2 February, www.richardalston.dcita.gov.au, or www.law.gov.au/ministers/attorney-general.
Baxt, R. 2000, Duties and Responsibilities of Directors and Officers, Australian Institute of Company Directors, 16th Edition, March.
Berinato, S. 2000, 'Are killer hack attacks coming?', ZDNet, 17 December, http://www.zdnet.com/zdnn/stories/news/0,4586,2665640,00.html
Berwick, D. 1999, 'Keynote Address: Trends in Information Technology Crime', Australasian Crime Conference and Seminar, 15 November, Australasian Crime Conference, Adelaide.
Bliss, A. & Harfield, C. 1998, 'The threat of computer crime: identifying the problem and formulating a response at force level', The Police Journal, January, Butterworths, Surrey, UK, pp.25-34.
California High Technology Crime Advisory Committee (CHTCAC) 2000, Annual Report on High Technology Crime in California, California High Technology Crime Advisory Committee, Sacramento, CA, http://www.ocjp.ca.gov/pub_CHTCAC_annu1.pdf, visited 31 March 2000.
Campbell, C. 2000, 'Hacking rises despite increased security spending', http://pcworld.idg.com.au/pc.../19CC3B9BFEDD3AB64A2569/0001FEFOF!OpenDocumen, visited 8 October 2000.
Caragata, P. 2000, 'Early warning systems', Company Director, Vol. 16 No. 5, June, pp.37-39.
Coorey, P. 2000, 'Secrets on tap', The Advertiser, 17 June, p.77.
Dancer, H. 2000, 'K2 uncovers GST keyhole', The Bulletin, 11 July, p.76.
Deloitte Touche Tohmatsu 1998, Selected E-Business Issues: Perspectives on Business in Cyberspace, http://www.deloitte.com/tidalwave/security.htm, visited 3 October 2000.
Deloitte Touche Tohmatsu & Victoria Police 1999, Computer Crime & Security Survey, Deloitte Touche Tohmatsu & Victoria Police, Melbourne.
Ernst & Young 2000a, An Australian View of Risk Management, Assurance & Advisory Business Services, March.
Ernst & Young 2000b, Fraud: The Unmanaged Risk. An International Survey of the Effect of Fraud on Business, Fraud Investigation Group, May.
Fenton-Jones, M. 2000, 'Net racketeers feel the heat', The Sydney Morning Herald, 15 November, Money, p.3.
Gosnell, P. 2000, 'Chamber's e-commerce bid', Melbourne Sun, 3 May, p.52.
James, L. & Cooper, J. 2000, 'Organised exploitation of the information super-highway', Jane's Intelligence Review, July, pp.52-55.
Jones, A. 2000, 'Internet hoaxer creates shockwaves on Wall St', Business News, 28 August.
Kaye, B. 2000, 'St George still a "sitting duck"', Computerworld, Vol.24 No.11, 11 September, pp.1 & 4.
KPMG 2000, E-Commerce and Cyber Crime: New Strategies for Managing the Risks of Exploitation, Forensic and Litigation Services, USA.
National Criminal Intelligence Service (NCIS) 1999, Project Trawler: Crime on the Information Highways, NCIS, London.
National Infrastructure Protection Center (n.d.), 'Outreach/Infragard', http://www.fbi.gov/nipc/outreachinfragd.htm, visited 25 May 2000.
National Office for the Information Economy (NOIE) 2000a, The Current State of Play - July 2000, NOIE, Canberra, http://www.noie.gov.au/information_economy/ecommerce_analysis/ie_stats/StateofPlay/index.htm, visited 24 August 2000.
National Office for the Information Economy (NOIE) 2000b, The Current State of Play - November 2000, NOIE, Canberra, http://www.noie.gov.au/projects/information_economy/ecommerce_analysis/ie_stats/StateofPlayNov2000/index.htm, visited 13 February 2001.
National Office for the Information Economy (NOIE) 2000c, E-Commerce Security: The Integration of Business E-Commerce Systems: Scoping Study for the National Electronic Authentication Council (NEAC), NOIE, Canberra, http://www.noie.gov.au/publications/NOIE/NEAC/publication_csir0608.pdf, visited 3 October 2000.
National Office for the Information Economy (NOIE) 2000d, E-Commerce - beyond 2000, NOIE, Canberra, http://www.noie.gov.au/publications/NOIE/ecommerce_analysis/beyond2k_final_report.pdf, visited 23 April 2000.
National Office for the Information Economy (NOIE) 2000e, The Current State of Play: Australia and the Information Economy, NOIE, Canberra, http://www.noie.gov.au/projects/information_economy/ecommerce_analysis/state_of_play.htm, visited 18 April 2000.
National Office for the Information Economy (NOIE) 2000f, NOIE - Strategic Framework for the Information Economy - Progress Report - April 2000, NOIE, Canberra, http://www.noie.gov.au/projects/information_economy/strategic_framework/april2000_update.htm, visited 3 May 2000.
Office of Strategic Crime Assessments (OSCA) & Victoria Police 1997, Computer Crime and Security Survey, OSCA / Victoria Police, Melbourne.
Police Commissioners' Conference Electronic Crime Working Party 2000, The Virtual Horizon: Meeting the Law Enforcement Challenges. Developing an Australasian Law Enforcement Strategy for Dealing with Electronic Crime. Scoping Paper, Australasian Centre for Policing Research, Report Series No:134.1, Adelaide.
Rees, Andrew 2000, ACPR Technology Environment Scan, Australasian Centre for Policing Research, Report Series No:133.1, Adelaide.
Reno, J. 2000, Statement by the Attorney General: Symposium of the Americas: Protecting Intellectual Property in the Digital Age, 12 September, http://www.cybercrime.gov/ipsymposium.htm, visited 3 October 2000.
Spencer, S. & O'Brien, S. 2000, 'Internet banking service attacked', The Advertiser, 2 September, p.29.
Standards Australia 1999, Risk Management AS/NZ 4360:1999.
Standards Australia/Standards New Zealand 2000a, Information Security Management Part 1: Code of Practice for Information Security Management AS/NZS 4444.1:1999 BS 7799.1:1999.
Standards Australia/Standards New Zealand 2000b, Information Security Management Part 2: Specification for Information Security Management Systems AS/NZS 4444.2:2000 BS 7799.2:1999.
The Advertiser 2000, 'Stolen credit cards used on retailer's web site', 30 August, p.13.
The Australian 2000, 'Cyber burglar steals 485,000 card numbers', 21 March, p.1.
Thomas, C. & Waters, N. 2000, 'Start-up corporate governance', Company Director, August, pp.8-10.
United Nations (UN) 1999, International Review of Criminal Policy - United Nations manual on the prevention and control of computer-related crime, UN, New York, http://www.ifs.univie.ac.at/~pr2gq1/rev4344.html, visited 30 May 2000.
University of Queensland 2001, 'AusCERT notes substantial growth of computer security incidents', 25 January, http://www.uq.edu.au/news/search,asp?method=byCategory&c_id=51, visited 12 February 2001.
Van Dijk, S. 2000a, 'Dotcoms clamour for health business', Computerworld, Vol.24 No.11, 11 September, pp.1 & 4.
Van Dijk, S. 2000b, 'GST rush at Tax Office exposes security neglect', Computerworld, Vol.24 No.2, 10 July, pp.1 & 3.
Van Dijk, S. 2000c, 'Making e-tail shoppers out of email users', Computerworld, Vol.23 No.46, 26 June, p.8.
Verton, D. 2001, 'Technology vendors detail plans to share security information', Computerworld, http://www.computerworld.com/cwi/story/0,1199,NAV47_STO56410,00.html, visited 8 February 2001.
Walker, J. 1997, 'Estimates of the costs of crime in Australia in 1996', Trends and Issues, No. 72, Australian Institute of Criminology, Canberra.