Cybercrime and data sharing

+Cyber crime and data sharing

Dr Ian Brown, Senior Research Fellow, Oxford Internet Institute

Presented at the Fifth Annual European Geospatial Intelligence conference in London on 22 Jan 2009

+Outline

Definitions and the scale of the threat

Graffiti, fraud, terror and war

Value at risk

Developing an effective strategy and working with other organisations

+Cyber graffiti

Defacement of Web sites with inadequate security

Mainly for propaganda and bragging

Increasingly used to distribute “drive-by” malware

+Cyber fraud

Highly efficient criminal economy has sprung up (bot herders, coders, mules, phishermen)

Phishing (Symantec observed 207,547 unique phishing messages 2H 2007) – with increased targeting

Denial of Service extortion (Symantec observed 5,060,187 bots 2H 2007)

Anti-Phishing Working Group Q2 2008 report

+Scale of fraud

Internet Crime Complaint Center 2007 Annual Report p.3

Symantec Report on the Underground Economy 2008 p.49

+Insider fraud

Information required | Price paid to ‘blagger’ | Price charged to customer
Occupant search/Electoral roll check (obtaining or checking an address) | not known | £17.50
Telephone reverse trace | £40 | £75
Telephone conversion (mobile) | not known | £75
Friends and Family | £60 – £80 | not known
Vehicle check at DVLA | £70 | £150 – £200
Criminal records check | not known | £500
Area search (locating a named person across a wide area) | not known | £60
Company/Director search | not known | £40
Ex-directory search | £40 | £65 – £75
Mobile telephone account enquiries | not known | £750
Licence check | not known | £250

“What price privacy?”, Information Commissioner, May 2006

+Cyber terror

“Terrorists get better returns from much simpler methods such as car bombs. Cyberterror is too low key: not enough dead bodies result, and attacks are too complex to plan and execute.” (Bird 2006)

Reality is use for communications, research (CBRN info poor - Stenersen 2007), propaganda, recruitment and belonging (Labi 2006 and Shahar 2007), tactical intel (US Army 2005)

+Cyberwar?

Attacks on Estonian finance, media and govt websites by Russian nationalist groups after statue moved

“Complexity and coordination was new… series of attacks with careful timing using different techniques and specific targets” (NATO)

Arbor Networks monitored 128 distinct attacks, with 10 lasting over 10 hours and reaching 90Mbps

+Digital Pearl Harbor

Exercise conducted by US Naval War College & Gartner July 2002

3-day simulated attack on Critical National Infrastructure with attackers given $200m, 5 years planning, access to state-level intelligence

Local, temporary attacks could be successful; sustained, national attacks would not

+China TITAN RAIN

Incursions into DoD, German chancellery, Whitehall, NASA, Lockheed Martin…

“Chinese attackers are using custom Trojan horse software targeted at specific government offices, and it is just walking through standard defences. Many government offices don’t even know yet that they are leaking information. 99% of cases are probably still not known.” (NATO)

“Intrusion detection systems react to obvious signatures such as lots of traffic from one IP address – so onion routing and botnets are used to disguise the origin of intrusions.” (Sommer)

+Governmental responses

Protecting govt infrastructure – $294m requested by DHS for 2009; $6bn requested for NSA initiative

Critical infrastructure programmes – e.g. CPNI, InfraGard

Law enforcement response – e.g. PCeU; FBI has 800+ full-time agents, received 320,000 complaints in 2007

Updating legislation – Council of Europe Cybercrime Convention

+Industry responses

Software patches and anti-virus tools – arms races

Anti-Phishing Working Group

CERTs/CSIRTs

Security Development Lifecycle programmes

+Issues for geospatial intelligence

Intelligence and military agencies generally have high standards of computer security BUT

they are increasingly interacting with other governmental and private organisations with much weaker controls

general-purpose software is ridden with vulnerabilities

proliferation of data makes it harder to control

Is your key goal availability and integrity of data?

Where confidentiality is important, how far can you trust data sharing partners’ systems?

Where personal data is involved, can you manage data protection requirements and risks?

+Planning your response

What are your key information assets – and how far will they be shared with (less) trusted partners?

What are your key threats? Graffiti artists? Fraudsters? Sub-state actors? Nation states? Insiders?

How well are your systems designed, operated and policed to manage your information risk?

Are you partnering appropriately with other agencies and industry?

+References

Juliette Bird (2006) Terrorist Use of the Internet, The Second International Scientific Conference on Security and Countering Terrorism Issues, Moscow State University Institute for Information Security Issues, October 2006

Nadya Labi (2006) Jihad 2.0, Atlantic Monthly pp. 102–107, Jul/Aug 2006

Yael Shahar (2007) The Internet as a Tool for Counter-Terrorism, Patrolling and Controlling Cyberspace, Garmisch, April 2007

Anne Stenersen (2007) Chem-bio cyber-class – Assessing jihadist chemical and biological weapons, Jane’s Intelligence Review, Sep 2007

US Army (2005) Army Regulation 530–1, Operations Security (OPSEC), Apr 2007