Denial of Service extortion (Symantec observed 5,060,187 bots 2H 2007)
Anti-Phishing Working Group Q2 2008 report
Scale of fraud: Internet Crime Complaint Center 2007 Annual Report p.3; Symantec Report on the Underground Economy 2008 p.49
Insider fraud: “What price privacy?”, Information Commissioner, May 2006
Cyber terror
“Terrorists get better returns from much simpler methods such as car bombs. Cyberterror is too low key: not enough dead bodies result, and attacks are too complex to plan and execute.” (Bird 2006)
Reality is use for communications, research (CBRN info poor - Stenersen 2007), propaganda, recruitment and belonging (Labi 2006 and Shahar 2007), tactical intel (US Army 2005)
Cyberwar?
Attacks on Estonian finance, media and govt websites by Russian nationalist groups after statue moved
“Complexity and coordination was new… series of attacks with careful timing using different techniques and specific targets” (NATO)
Arbor Networks monitored 128 distinct attacks, with 10 lasting over 10 hours and reaching 90Mbps
Digital Pearl Harbor
Exercise conducted by US Naval War College & Gartner July 2002
3-day simulated attack on Critical National Infrastructure with attackers given $200m, 5 years planning, access to state-level intelligence
Local, temporary attacks could be successful; sustained, national attacks would not
China TITAN RAIN
Incursions into DoD, German chancellery, Whitehall, NASA, Lockheed Martin…
“Chinese attackers are using custom Trojan horse software targeted at specific government offices, and it is just walking through standard defences. Many government offices don’t even know yet that they are leaking information. 99% of cases are probably still not known.” (NATO)
“Intrusion detection systems react to obvious signatures such as lots of traffic from one IP address – so onion routing and botnets are used to disguise the origin of intrusions.” (Sommer)
Governmental responses
Protecting govt infrastructure – $294m requested by DHS for 2009; $6bn requested for NSA initiative
Critical infrastructure programmes – e.g. CPNI, InfraGard
Law enforcement response – e.g. PCeU; FBI has 800+ full-time agents, received 320,000 complaints in 2007
Updating legislation – Council of Europe Cybercrime Convention
Industry responses
Software patches and anti-virus tools – arms races
Anti-Phishing Working Group
CERTs/CSIRTs
Security Development Lifecycle programmes
Issues for geospatial intelligence
Intelligence and military agencies generally have high standards of computer security BUT
they are increasingly interacting with other governmental and private organisations with much weaker controls
general-purpose software is ridden with vulnerabilities
proliferation of data makes it harder to control
Is your key goal availability and integrity of data?
Where confidentiality is important, how far can you trust data sharing partners’ systems?
Where personal data is involved, can you manage data protection requirements and risks?
Planning your response
What are your key information assets – and how far will they be shared with (less) trusted partners?
What are your key threats? Graffiti artists? Fraudsters? Sub-state actors? Nation states? Insiders?
How well are your systems designed, operated and policed to manage your information risk?
Are you partnering appropriately with other agencies and industry?
References
Juliette Bird (2006) Terrorist Use of the Internet, The Second International Scientific Conference on Security and Countering Terrorism Issues, Moscow State University Institute for Information Security Issues, October 2006
Nadya Labi (2006) Jihad 2.0, Atlantic Monthly pp.102–107, Jul/Aug 2006
Yael Shahar (2007) The Internet as a Tool for Counter-Terrorism, Patrolling and Controlling Cyberspace, Garmisch, April 2007
Anne Stenersen (2007) Chem-bio cyber-class – Assessing jihadist chemical and biological weapons, Jane’s Intelligence Review, Sep 2007
US Army (2005) Army Regulation 530–1, Operations Security (OPSEC), Apr 2007