Corruption Matters - October 2017 | Issue 50
Cybercrime: the new game changer
As a young lawyer in the UK in the 1990s, Esther George was given a tip by a friend: specialise in computer crime. She attended courses on the side and learnt how to build computers from scratch, largely teaching herself. By the turn of the millennium, Esther was firmly in her lane prosecuting hackers and the like. Esther will attend the Australian Public Sector Anti-Corruption Conference in Sydney, 14–16 November, to speak about her experiences as a cybercrime expert.
It’s called high-tech crime, e-crime, cybercrime, computer crime, digital crime and so forth – all of which describe the same thing. What does it mean exactly?
There are many terms used to describe the criminal use of technology. The terms are often intermingled and normally used to describe a criminal activity in which a computer or a network are an essential part of a crime. However, cybercrime is also used to include other traditional crimes, in which computers or networks are used to make the illicit activity possible (for example, hate crimes, identity theft, credit card account thefts and so forth).
There is no universally accepted definition of cybercrime, but cybercrime cases can be defined as those where information or communication technology is used. This includes three categories of cybercrime: (1) cases where computers are the targets of crime (for example hacking offences), (2) where computers or other devices are used as a crime tool (for example, distribution of child abuse images) and (3), cases where computers or other devices are used as storage and/or communication tools to facilitate the commission of an offence (for example, online drug deals).
The scale of cybercrime can be monumental and catastrophic. Conversely, some cases can be smaller, less pervasive and easily go undetected. Please provide some examples of the range of cases in this space.
Cases vary from indecent images of children, hacking offences, hate, racism and violence websites, online fraud, stalking and harrasment, software and other piracy. Distribution of malware (virus, Trojan, worms, adware, botnets, etc), phishing, spam, attacks on specific users, attacks on networks (denial-of-service attacks), attacks on infrastructure and attacks on governments (cyber terrorism, cyber war, et cetera).
Would you agree that computers and other forms of electronic devices and technologies are essential in the investigation of a crime today?
Yes, nearly every crime nowadays involves electronic evidence. The more connected a country is, the more vulnerable it is. Unlike the Cold War, for example, where you would see the weapons between the US and Russia, today, you cannot see the weapon build-up and you do not necessarily need to be the same-size country, which is why you see countries accusing each other of waging a cyber war.
If we are calling it a game, the game has changed; the rules are no longer the same. For example, if it’s a game, then it’s a game most players do not know that they are playing or who the other players are. The rules of conventional warfare are not applicable to the cyber environment.
Along with the phenomenal rise of technology, comes the phenomenal rise of cybercrime. What should we come to expect of this type of criminality in the future?
We should expect technical innovations to increase, and for innovations to be neutral. What I mean by “neutral” is that technology can be used for good, but it can also be used for criminal activity. For example, social networks are set up for people to connect with one another, but they are also being used for crime. We have seen someone transmitting the killing of someone online; I am sure that was never intended when social networks were set up.
Technological tools can be dual purpose; they can be used by businesses for one purpose but they can also be used for criminal purposes. Innovators have to look at the fact that it could easily be turned into a negative purpose. For every innovation, you have to build it in from the word “go”, and that’s where it has not happened yet.
Technology can be targeted by criminals and it can also be used to facilitate a crime; frequently both together. With regard to cybersecurity as a defence, in your experience as a consultant, how adequate are the measures we have in place to protect our organisations?
You are never going to have a system that is 100% safe but what you need to do is adequately secure or harden your system, so that (unless it is a targeted attack) the hacker will find it hard to access your system and the many opportunist hackers will move on to the many millions of systems out there that are not secure and are easier to access. Employees need to be properly trained and an organisation should have policies and procedures that are enforced which deal with the prevention, detection and response to cybersecurity-related threats and incidences.
What we need to do is become more innovative in how we are securing our systems. What you have got to remember – and we’re seeing it a lot nowadays – is that banks, big businesses or government departments may be secure but the hackers are not stupid; they will go after a third party (usually a smaller company) that is a supplier to the bank, big business or even government. You have got to make sure that all your partners – no matter how small they are – are equally secure to the same level as you are. There should at least be a minimum standard of security that all organisations should attain. In the UK, there is a national cybersecurity program called Cyber Essentials helping businesses and organisations of any size to achieve a level of good cybersecurity practice.
It’s one thing to detect a cybercrime and stop it; but another to catch the perpetrators and prosecute. What are the challenges that come with prosecuting a cybercrime?
You have to go back a step to detection. Sometimes companies are just not aware, or find out years later, that there has been a security breach. So that’s the first problem. Secondly, you need to consider how many of those breached actually get reported. In some countries, you are required to report because it is part of the legislation; in others, it is not a requirement.
Of the ones that are required to report the breach and it is investigated, the problem can then lie with the investigators themselves. Are they trained to deal with electronic evidence? Most of these crimes are going to involve a computer or a mobile telephone, and so forth, and the investigators need to know how to deal with the evidence, how to trace it and how to preserve it once they find it, and they need to know the difference between what is intelligence and what is evidence. Cybercrime crosses international borders, so you have to add into the mix international cooperation and the complexity of mutual legal assistance requests.
When you get to the prosecution phase, you want a prosecutor who is trained to deal with cybercrime and electronic evidence and its admissibility, and of course you require a judge who understands the issues. If you have a prosecutor and judge that do not understand the issues, it’s likely you’ll have a jury that doesn’t understand either, and you’ve lost the case before you’ve even started. The entire criminal justice system, including defence, needs to be educated on how to deal with cybercrime and electronic evidence.
You worked as a senior prosecutor for the Crown Prosecution Service of England and Wales. It was during this time that you developed Global Prosecutors E-Crime Network (GPEN) as a way to address some of the challenges that you and other prosecutors were experiencing. How does it work?
GPEN is a virtual forum. It is part of the International Association of Prosecutors (IAP) and was its first network. There are now six others covering corruption, counter-terrorism, human trafficking, international criminal justice, military prosecutions, sexual violence and war crimes. It has a learning centre; a repository of interactive training programs at different levels, including basic, intermediate and specialised training. We also have a GPEN library and we are encouraging other countries to share their material, to put it into the library and learning centre. The idea is that GPEN members can download it, adapt it and use it in their own training programs.
We have a monthly newsletter and we have a contacts database, as the IAP has members from 171 different countries. We also hold regional capacity-building events and hold webinars every month on a different topic. For example, we recently held one on the dark net, which is – if you think of the internet like an iceberg – the layer under the water that we do not usually see. So, at the top, you have all the popular search engines we all know and use; these show us sites we all see. Just like an iceberg underneath, there are a whole lot of sites that we do not get on to and the ordinary search engine does not index or knows exists, and it’s here that you can buy whatever you like (drugs and so forth) with, for example, bitcoins – virtual currency that is very popular at the moment.
What are the top three messages you would like to get across to delegates at APSACC?
(1) Everybody needs to be trained; the level of training may differ, but everyone needs to be alert to the dangers of cybercrime. That includes consumers who need to be taught cyber hygiene – people need to be taught to keep their systems clean.
(2) The need for efficient and effective international cooperation.
(3) A global problem needs a global solution and the Council of Europe Convention on Cybercrime is the only treaty that specifically deals with cybercrime. It is global in scale, and countries should be encouraged to sign up to it or at least utilise the principles of the convention as a way forward.
The Australian Public Sector Anti-Corruption Conference will run from 14 to 16 November 2017 at The Westin Sydney. APSACC is Australia's premier corrruption and misconduct prevention forum. The 2017 program offers over 80 speakers, more than 22 sessions and six workshops. |