Monday, February 2, 2009

cybercrime is rising sharply, experts have warned at the World Economic Forum in Davos.


Cybercrime threat rising stridently.
The threat of cybercrime is rising sharply, experts have warned at the World Economic Forum in Davos.

They called for a new system to tackle well-organised gangs of cybercriminals.

Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves, they said.

The internet was vulnerable, they said, but as it was now part of society's central nervous system, attacks could threaten whole economies.

The past year had seen "more vulnerabilities, more cybercrime, more malicious software than ever before", more than had been seen in the past five years combined, one of the experts reported.

But does that really put "the internet at risk?", was the topic of session at the annual Davos meeting.

On the panel discussing the issue were Mozilla chairwoman Mitchell Baker (makers of the Firefox browser), McAfee chief executive Dave Dewalt, Harvard law professor and leading internet expert Jonathan Zittrain, Andre Kudelski of Kudelski group, which provides digital security solutions, and Tom Ilube, the boss of Garlik, a firm working on online web identity protection.

They were also joined by Microsoft's chief research officer, Craig Mundie.

To encourage frank debate, Davos rules do not allow the attribution of comments to individual panellists

Threat #1: Crime

The experts on the panel outlined a wide range of threats facing the internet.
There was traditional cybercrime: committing fraud or theft by stealing somebody's identity, their credit card details and other data, or tricking them into paying for services or goods that do not exist.

The majority of these crimes, one participant said, were not being committed by a youngster sitting in a basement at their computer.

Rather, they were executed by very large and very well-organised criminal gangs.

One panellist described the case of a lawyer who had realised that he could make more money though cybercrime.

He went on to assemble a gang of about 300 people with specialised roles - computer experts, lawyers, people harvesting the data etc.

Such criminals use viruses to take control of computers, combine thousands of them into so-called "botnets" that are used for concerted cyber attacks.

In the United States, a "virtual" group had managed to hijack and redirect the details of 25 million credit card transactions to Ukraine. The group used the data to buy a large number of goods, which were then sold on eBay.

This suggested organisation on a huge scale.

"This is not vandalism anymore, but organised criminality," a panellist said, while another added that "this is it is not about technology, but our economy".

Threat #2: the system

A much larger problem, though, are flaws in the set-up of the web itself.

It is organised around the principle of trust, which can have unexpected knock-on effects.

Nearly a year ago, Pakistan tried to ban a YouTube video that it deemed to be offensive to Islam.

The country's internet service providers (ISPs) were ordered to stop all YouTube traffic within Pakistan.
However, one ISP inadvertently managed to make YouTube inaccessible from anywhere in the world.

But in cyberspace, nobody is responsible for dealing with such incidents.

It fell to a loose group of volunteers to analyse the problem and distribute a patch globally within 90 minutes.

"Fortunately there was no Star Trek convention and they were all around," a panellist joked.

Threat #3: cyber warfare

Design flaws are one thing, cyber warfare is another.

Two years ago, a political dispute between Russia and Estonia escalated when the small Baltic country came under a sustained denial-of-service attack which disabled the country's banking industry and its utilities like the electricity network.
This was repeated last year, when Georgia's web infrastructure was brought down on its knees during its conflict with Russia.

"2008 was the year when cyber warfare began.. it showed that you can bring down a country within minutes," one panellist said.

"It was like cyber riot, Russia started it and then many hackers jumped on the bandwagon," said another.

This threat was now getting even greater because of the "multiplication of web-enabled devices" - from cars to fridges, from environmental sensors to digital television networks.

The panel discussed methods that terrorists could use to attack or undermine the whole internet, and posed the question whether the web would be able to survive such an assault.

The real problem, concluded one of the experts, was not the individual loss.

It was the systemic risk, where fraud and attacks undermine either trust in or the functionality of the system, to the point where it becomes unusable.



What solution?

"The problems are daunting, and it's getting worse," said one of the experts. "Do we need a true disaster to bring people together?," asked another.

One panellist noted that unlike the real world - where we know whether a certain neighbourhood is safe or not - cyberspace was still too new for most of us to make such judgements. This uncertainty created fear.

And as "the internet is a global network, it doesn't obey traditional boundaries, and traditional ways of policing don't work," one expert said.

Comparing virus-infected computers to people carrying highly infectious diseases like Sars, he proposed the creation of a World Health Organisation for the internet.

"If you have a highly communicable disease, you don't have any civil liberties at that point. We quarantine people."

"We can identify the machines that have been co-opted, that provide the energy to botnets, but right now we have no way to sequester them."

But several panellists worried about the heavy hand of government. The internet's strength was its open nature. Centralising it would be a huge threat to innovation, evolution and growth of the web.

"The amount of control required [to exclude all risk] is quite totalitarian," one of them warned.

Instead they suggested to foster the civic spirit of the web, similar to the open source software movement and the team that had sorted the YouTube problem.

"Would a formalised internet police following protocols have been able to find the [internet service provider] in Pakistan as quickly and deployed a fix that quickly?" one of them asked.

How Soon Will Cybercrimes Be Punished?
In criminal offenses, there would be no crime when there is no law punishing it. That explains why various crimes done through the internet still persist these days. In cases where the offenders are caught, court proceedings won't go so well because only the part of the offense which is governed by the Revised Penal Code (RPC) is being litigated. The main bulk of the offense, the cybercrime, is usually left untouched. This is the main issue; yet, the current RPC is still inadequate to deal with such matter. Hence, the government's highest monitoring body for the conditions and status of Information Technology in the Philippines is now putting pressure on the legislature to propose a bill against cybercrimes.
The Commission on Information and Communication Technology (CICT) define cybercrimes as those offenses done in the realm of the internet which, just like usual offenses, have grave and concrete effects to the ones who are affronted. The crimes identified are hacking, identity theft, phishing, spamming, website defacement, denial-of-service (DoS) attacks, malware or viruses, child pornography, and cyber prostitution. Such crimes are not yet punishable under the country's criminal law. That is why there is a need for a legislative action to eventually make each of the aforementioned offenses become a felony in order for perpetrators to be punished in accordance with the law.
CICT is very hopeful that increased awareness and support will push the Congress to finally pass a bill against cybercrimes. The commission endorsed the "Cybercrime Prevention Act of 2008" wherein four cyber-related bills authored by different lawmakers are consolidated. A representative from the Council of Europe, an organ of the European Council, also joined the technical working group in refining the bill a year prior to the endorsement. Such representation is meant to "harmonize" the bill with European standards on cybersecurity. It has to be considered that such crimes are not solely confined to one nation but rather that they traverse territorial boundaries considering that the crimes are committed in the World Wide Web..
Currently, CICT feels that there is an increasing support from private sector groups. The Business Process Association of the Philippines (B/PAP) which represents the outsourcing industry is an example. The said umbrella organization supports such bill because it infers that once the country is secured from different forms of cybercrimes through existing and enforceable laws, it would be easier to sell the services that are done in the country to foreign investors. The bill would ensure that the clients are well covered when we speak of cybersecurity in the Philippines.
With these, it can be said that the current conditions the country is facing calls for progressive and up-to-date legislations. Neighboring countries like Singapore and Malaysia have already adopted such measure. Unluckily though, the bill is hampered by the other so called "more important" considerations discussed in both Lower and Upper House of the Congress in the Philippines. It is already five years since the bill was endorsed, yet, the Congress still fails to accommodate it. While increased support and awareness regarding cybercrimes becomes more apparent, hopefully ,the legislature will finally act on this issue.

No comments:

Post a Comment