Friday, 22 April 2011

Rahasia : Tackling the Problem of Cyber Crime

A few days ago the Australian House of Representatives' Standing Committee on Communications published its report on cyber crime and security. This document has the ambitious title "Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime", and is an impressive read of almost 300 pages, with statistics, examples, and of course suggestions on how to solve the cyber crime problem.

The report even has a long explanatory list of abbreviations and technical terms, which is useful reading for those who are not that familiar with all corners of IT security.

As early as in the report's foreword a significant statement is made:

There has been an exponential growth in the volume of malicious software and the sophistication and adaptability of cyber crime techniques. In the face of these trends, the Committee believes the expectation that end users should or can bear the sole responsibility for their own personal online security is no longer a tenable proposition. We need to apply the same energy and commitment given to national security and the protection of critical infrastructure to the cyber crime threats that impact on society more generally.

A joint effort
Note in particular the sentence "(...) the expectation that end users should or can bear the sole responsibility for their own personal online security is no longer a tenable proposition".

The committee acknowledges the fact that governmental institutions as well as organizations in the private sector (like IT manufacturers, Internet Service Providers and web hosting companies) should all be involved in securing the Internet.

This corresponds to the view that Norman expressed in our security article in November 2008 - Fighting malware on two ends. To be able to fight cyber crime most efficiently, one cannot rely on end-user protection only. Effective protection of the Internet's nodes and infrastructure requires that several stakeholders are involved.

The report includes 34 recommendations. Some examples are:
- a national coordination point to oversee the broader strategy,
- a national cyber crime reporting centre, enabling a one-stop-shop to report cyber crime,
- better coordination and training for law enforcement agencies,
- public-private information sharing on a wider range of cyber crime types.

A controversial recommendation
One of the recommendations (No 14) immediately caused some controversy (Norman's emphasis in bold below):

That the Australian Communications and Media Authority take the lead role and work with the Internet Industry Association to immediately elaborate a detailed e-security code of practice to be registered under the Telecommunications Act 1997 (Cth).

That the code of practice include:

- an obligation that the Internet Service Provider provides basic security advice when an account is set up to assist the end user to protect themselves from hacking and malware infections;
- a mandatory obligation to inform end users when their IP address has been identified as linked to an infected machine(s);
- a clear policy on graduated access restrictions and, if necessary, disconnection until the infected machine is remediated;
- the provision of basic advice and referral for technical assistance for remediation;

Some Pros and Cons
Enforcing security does equal better security (at least in this case)
It is probably correct that if Internet users are forced to install security programs (in this case antivirus and firewall) before they are allowed to access the Internet, this will in general enhance the general security on the average end user's computer.

Most of us are law-abiding citizens and will not go to great lengths to circumvent this requirement by attempting to trick the Internet Service Provider (ISP).

Nor is it likely that many who already had such software in place will remove it and trick the ISP just because they are ideologically against the fact that the requirement has been made mandatory.

Personal freedom
Legislating every-day tasks vs. freedom of the individuals is a never-ending battle between two conflicting points of view. The consensus seems to be that "somewhere" in between the two extremes is most sensible.

The issue discussed here is a typical one where some will argue that it is up to each and every person if - and even more importantly - how he chooses to protect himself.

It may be argued however, that this is not only a question about self-protection. An infected computer represents a threat not only to the owner, but also to others that this computer is able to reach, and indeed the Internet community in general. An analogy is a person who becomes infected with a virus; he might be quarantined not only for his own protection, but to protect members of his community from infection.

Another aspect of the personal freedom issue is that for such legislation to be effective, the ISP needs to have some kind of technology in place to check whether a computer is protected by security software or not. This may be viewed by some as tampering with personal information that is not the ISP's business.

Some may also fear that if such a requirement is mandatory, only some pre-qualified security software packages will be accepted among the plethora of security software that exists. Presumably well-known vendors' solutions might be those recommended or allowed.

Who pays?
This is not discussed in the report, and may obviously be part of the debate.

Seen from the community's point of view, the most economically sound option is probably that governmental institutions enter into agreement(s) with security software vendors, as this has the potential to result in the best deals (per piece of software).

The second best option, from a purely economic view, is that the ISPs enter into such agreements on behalf of their customers. They are able to negotiate better agreements (one would presume) than each and every individual.

The least optimal seen from a socio-economic point of view is that each person chooses his preferred security software. On the other hand, this will give the individual more personal freedom (which is seen as advantageous by most).

Whatever is chosen as a model, it is obvious that this will be an extra cost for someone. The counter-argument is that this will be less expensive than not protecting, and thus allowing more to be victims of computer crime.

Security software needs frequent updates
These days more than ever, security software needs frequent updating in order to protect the users sufficiently. Several tens of thousands of malicious programs are created each and every day, and the antivirus vendors publish new virus signature files frequently to keep their customers updated.

This introduces a special problem, as the security obtained by having an antivirus product installed rapidly declines towards zero unless the program is continuously updated.

How this updating requirement should be taken care of is a challenge with the committee's recommendation.

Several layer defense
As we mentioned at the beginning of this article, it is wise to combat cyber crime from different angles. From this perspective, tightening end user security is a means of putting one building block in place in a several-layer defense structure.

Final words

Regardless of one's view regarding the issue of mandatory antivirus and firewalls, the Australian report is very interesting reading. It is highly recommended for those who wish to get a broader overview of the Internet's threats as perceived from a nation's point of view, and the mitigating elements that are up for discussion and evaluation.
