Best Practices and Enforcement in Cybersecurity: Legal, Institutional and Technical Measures
Mohamed CHAWKI, Ph.D.
© 2011

About the speaker
- Senior Judge in Egypt.
- Advisor to the Minister of Military Production.
- Former advisor to the Chairman of Securities and Exchange Commission.
- Egyptian Regulator of the Exchange.
- Holds a Ph.D. in Law from the University of Lyon III in France, for a dissertation on the legal framework to fight cybercrime and to protect data exchange in both Europe and the USA.
- My domain of interest covers: cybercrime, data protection and national and security.
- Founder and Chairman of the French Association of Cybercrime Prevention (AILCC).

International Association of Cybercrime Prevention
www.cybercrime-fr.org
- Not-for-profit organization located in Paris, with 12 chapters worldwide to increase the awareness against cybercrime.
- We have organized 4 international conferences on cybercrime and information security in: Egypt (2008), Brazil (2009), Lebanon (2009), and the US (2010) and 3 regional conferences in Egypt, South Africa and Morocco.
- We have organised more than 20 seminars and workshops on cybercrime.
- Our next international conference takes place in Australia in December 2011, and the next regional conference takes place in Malaysia in May 2011.

Introduction to Cybercrime
Cybercrime refers to a broad range of illegal activities perpetrated through cyberspace by means of information and communication technologies (ICTs).
Depending on the role played by technology, other distinctions can be made:
- Old crimes can be committed by new tools (Espionage, Identity theft, Terrorism)
- New tools can make new crimes possible (Botnets, Phishing, hacking, etc.)
- A growing and evolving form of crime.
- Cost estimated at $100 billion annually.

Parker’s Definition of Cybercrime
“…any intentional act where a victim suffered or could have suffered a loss, and a perpetrator made or could have made a gain and is associated with computers”
Parker presents three categories of cybercrime:
- A computer as the target of a crime (Trespass, Malicious Code, DoS Attacks)
- The computer used as a tool for conducting a crime (Theft, Fraud, Child pornography)
- The computer is incidental to the commission of the crime (Blackmailers or Drug dealers)

Cybercrime vs. Real World Crime: Theft
- Physical Space Theft: Possession of property shifts completely from the victim to the offender.
- Cyberspace Theft: Property is copied, so both the offender and the victim have the property.

Copying as Theft
- Randal L. Schwartz, former programming consultant for Intel.
- In July 1995, he was charged with computer theft for copying a password file.
- Claimed it wasn't theft because Intel still has the passwords.
- On September 11, 1995, he was sentenced to several years’ probation, a fine of US $68,000 and left to pay about US $170,000 in personal legal bills.

Cyberspace “Growing Opportunities for Crime”
- 1.96 billion surfers on Internet (June 30, 2010)
- 6 Trillion Web pages accessible on Internet
- 2.2 Billion Google searches/month
- 12% of all global trade now happens online
- US$ 240 million from global cyber-crime

Africa Top 5 Internet Countries
- Nigeria: 43,982,200 Internet users, 28.9% of the population.
- Egypt: 17,060,000 Internet users, 21.2% of the population.
- Morocco: 10,442,500 Internet users, 33.4% of the population.
- South Africa: 6,800,000 Internet users, 13.8% of the population.
- Algeria: 4,700,000 Internet users, 13.6% of the population.

Cyber Security – Why is it an Important Issue?
Although the threats in cyber space remain by and large the same as in the physical world (e.g. fraud, theft and terrorism), cyber threats are different due to 3 important developments:
- Automation has made attacks more profitable.
- Action at a distance is now possible.
- Attack technique propagation is now more rapid and easier.

Cybercrime and National Security
- In security matters, there is nothing like absolute security.
- We are only trying to build comfort levels, because security costs money and lack of it costs much more.
- Comfort level is a manifestation of efforts as well as a realization of their effectiveness and limitations.

Recent studies reveal three major findings
- Growing threat to national security: web espionage becomes increasingly advanced, moving towards well-funded and well-organized operations aimed at not only financial, but also political or technical gain.
- Increasing threat to online services: affecting individuals and industry because of growth of sophistication of attack techniques.
- Emergence of a sophisticated market for software flaws that can be used to carry out espionage and attacks on government and critical information infrastructure. Findings indicate a blurred line between legal and illegal sales of software vulnerabilities.

Computer-Related Risks and the National Infrastructures

Why?
- Imagine if… On 9-11, the last image people saw on their TVs was the World Trade Center collapsing and then the phones went dead and the power grid failed.
- Imagine if… On 9-11, after the initial attacks, as all flights were grounded, those planes still in the air could not land because of a series of attacks on the air traffic control system.

Top Emerging National Security Cyber Threats
- Cyber Terrorism
- Botnets
- Cyber Espionage
- Cyber attacks against financial services:
  A - Phishing
  B - Identity Theft

Cyber Terrorism
Definition: “Politically motivated, attacks against information, computer systems, computer programs and data which results in violence against non-combatant targets by sub-national groups or clandestine agents” (FBI)

Terrorist Cyber Capabilities
The FBI reveals various reports about activities of terrorist organizations on the Internet.
Main activities:
- Research
- Publishing Information (recruitment)
- Communication between members of terrorist groups
- Terrorist financing and money laundering
AL QAEDA TRAINING MANUAL: “Using public sources openly and without resorting to illegal means, it is possible to gather at least 80% of all information required about the enemy”

Objectives of Cyber Attacks
- Loss of Integrity
- Loss of Availability
- Loss of Confidentiality
- Physical Destruction

Botnets
- Compromised computers that run under a common control structure.
- Botnets originated from IRC bots and computer viruses/worms.
- Elements of a botnet are:
  - Zombies (bots)
  - IRC control channels
  - Botmaster

The Threat from Botnets
- Functions:
  - Email senders: spam, phishing, virus
  - DoS attacks
- Rented out for $300 to $700 per hour.
- Over 10,000 botnets become active each day (Symantec).
- It has been estimated that up to one quarter of all personal computers connected to the internet may be part of a botnet (BBC, 2007).

Cyber Espionage
- This act involves the unauthorized probing to test a target computer’s configuration or evaluate its system defenses, or the unauthorized viewing and copying of data files.
- U.S. counterintelligence officials reportedly have stated that about 140 different foreign intelligence organizations regularly attempt to hack into the computer systems of U.S. government agencies and U.S. companies.
- The Internet, including satellite links and wireless local networks, now offers new, low cost and low risk opportunities for espionage.

Echelon
- Echelon was reportedly set up in 1971 as an electronic monitoring system during the Cold War.
- European Union member Britain helps operate the system, which includes listening posts in Canada, Australia, and New Zealand.
- Echelon is described as a global spy system reportedly capable of intercepting wireless phone calls, e-mail, and fax messages made from almost any location around the world.
- Some government officials warn that criminals now sell or rent malicious code tools for cyber espionage, and the risk for damage to U.S. national security due to cyber espionage conducted by other countries is great.

Phishing
- Scam to steal valuable information such as credit cards, social security numbers, user IDs and passwords.
- Also known as "brand spoofing".
- Official-looking e-mail sent to potential victims:
  - Pretends to be from their ISP, retail store, etc.
  - Due to internal accounting errors or some other pretext, certain information must be updated to continue the service.

Technology
To update your account information and start using our services please click on the link below
http://wed.da-us.citibank.com/cgi-bin/help_desk/verify.asp

Statistics…
- The number of unique phishing email reports received by APWG from consumers and reporting partners in June 2010 is 33,617.
- The country hosting the most phishing websites is the US.
- The percentage of computers infected with banking trojans and password stealers rose to 17 percent compared to last year.
Source: APWG

Identity Theft
- Is the use of other individuals’ information to create a new identity and accounts.
- Is now the #1 reported crime to the Federal Trade Commission.
- ICT improvements make check and credit fraud easier.
- Oct. – Feb. is peak time for fraud:
  - Holidays are high time to spend for us.
  - Holidays are high transaction volume for merchants.

Mechanisms of Cyberspace Identity Theft
- Cyber-Trespass
- Phishing Websites
- Spyware
- Malicious Applications
- Spoofing

How do Thieves Use The Stolen Data?
- Producing and using counterfeit checks under your name or an employer’s name.
- Securing a driver’s license with their photograph but in your name.
- Opening a bank account and writing checks.
- Obtaining loans.
- Assuming the identity of another person.

Why Are Cyber Attacks So Successful?
We face many challenges:
- Anonymity of offenders.
- Choosing the appropriate jurisdiction.
- Search and seizure of digital evidence.
- Logistical and practical barriers.

National Legal Framework on Cybercrime
Source: www.cybercrimelaw.net
- Some countries have specific cybercrime laws.
- Some countries do not have specific cybercrime laws.
- Some countries are debating the adoption of cybercrime laws.
Number of countries per region, and how many of them have cybercrime laws:
- Africa: 52 countries, 6 with cybercrime laws
- Asia: 44 countries, 23 with cybercrime laws
- Europe: 46 countries, 36 with cybercrime laws
- North & Central America: 23 countries, 5 with cybercrime laws
- Oceania: 12 countries, 2 with cybercrime laws
- South America: 12 countries, 5 with cybercrime laws

The Republic of Botswana
Adopted Cybercrime and Computer Crime Related Act of 2010. This law prohibits:
A) Unauthorized access to computer system.
B) Unauthorized access to computer service.
C) Access with intent to commit an offence.
D) Unauthorized interference with data.
E) Interception of data to facilitate another offence.
F) Cyberfraud.

South Africa
Law No. 25 of 2002 entitled “Electronic Communications and Transactions Act” was adopted in 2002.
Articles 85 – 89 prohibit:
A) Unauthorized access to computer system.
B) Data interference.
C) Fraud by computer.

Algeria
- Adopted a new law of 19 articles in July 2009 to fight cybercrime.
- Articles 3, 4 and 7 give the state powers to censor Internet content and prosecute cases when that is required.
- Articles 10 and 11 require “Internet service providers” to store all communications and identifying information for a minimum period of one year.
- Articles 13 and 14 introduce a new body for combating cybercrime.

Republic of Senegal
Adopted law no. 2008 – 11 on cybercrime. Articles 431 – 7 to 431 – 65 prohibit:
A) Illegal acts against computer systems.
B) Illegal acts against personal data.
C) Child pornography offences.
D) Illegal use of computer service.

Zambia
In 2004, the Computer Misuse and Crimes law was passed in Zambia:
A) One of the offences is unauthorised access to computer data.
B) The second offence is that of access with intent to commit offences.
C) Other offences include unauthorised modification of computer material, damaging or denying access to computer system, unlawful possession of devices and data, electronic fraud.

Mauritius
The Computer Misuse and Cybercrime Act was adopted in 2003. The main offences mentioned in this law are:
A) Unauthorised access to computer data.
B) Access with intent to commit offences.
C) Unauthorised access to and interception of computer service.
D) Unauthorised modification of computer material.
E) Damaging or denying access to computer system.
F) Unauthorised disclosure of password.
G) Electronic fraud.

Egypt
Didn’t enact specific legislation to fight cybercrime. Some laws may be used to fight cyber offences, like:
A) Intellectual property law no. 82 – 2002
B) Electronic signature law no. 15 – 2004
C) Telecommunications law no. 10 – 2003
D) Child law no. 12 – 2006

Regional level
OHADA, “The Organisation for the Harmonization of Business Law”:
- Exchange of information between member countries.
- Organize workshops to exchange experience between member states.
- Participate with the African Union to fight cybercrime.

International Convention on Cybercrime
- The Convention on Cybercrime is the first international treaty seeking to address computer crime and Internet crimes by harmonizing national laws.
- The following offences are defined by the Convention: illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography and offences related to copyright and neighbouring rights.
- Opened for signature on 23/11/2001.
- Number of ratifications: 30
- Number of signatures not followed by ratifications: 16

Issues for the Future
- Increase the awareness about changing threats due to the growing technical skills of extremists and terrorist groups.
- Develop more accurate methods for measuring the effects of cybercrime.
- Help to determine appropriate responses by law enforcement to cyberattacks.
- Explore ways to increase security education and awareness for businesses and home PC users; and
- Find ways for private industry and government to coordinate to protect against cyberattacks.