Kidnap. Rape. There are no lesser words that can be used to describe what happened to the daughter of an anti-spam investigator in Russia.
His daughter was recently released, according to Joseph Menn’s recent article on Boing Boing, after having been kidnapped from her home five years ago, fed drugs, and made to service men, as a warning to ward off further investigations.
The criminals behind these vicious acts were also responsible for a large spamming organization associated with Russian Mob activity.
Note that we say “also.”
When someone is mugged, harassed, kidnapped or raped on a sidewalk, we don’t call it “sidewalk crime” and call for new laws to regulate sidewalks. It is crime, and those who commit crimes are subject to the full force of the law.
For too long, people have referred to spam in dismissive terms: just hit delete, some say, or let the filters take care of it. Others—most of us, in fact—refer to phishing, which is the first step in theft of real money from real people and institutions, as “cyber crime.” It’s time for that to stop.
Some of these crimes involve technology. So what? Criminals have used technology before.
Some of these crimes cross borders. So what? Crimes have crossed borders before.
Spam isn’t illegal everywhere yet. So what? Spam 2.0 (spam, malware & spyware) is the leading edge of far worse activities, often things that have been illegal as long as we’ve had laws.
It is high time that governments and law enforcement stop thinking of computer crime as that perpetrated by teenagers in their parents’ basement. It is the Russian Mob and other organized criminals that are doing this.
While we are at it, we should mention ‘cyber-warfare’, something often conflated with cyber-crime. Cyber-crime is not “cyber-warfare.” There may be state or terrorist agencies copying the tactics and methods of these criminals, but that does not mean that the criminals must be left alone until new cyber-warfare agencies have been created and funded.
As Purdue computer science professor ‘Spaf’ Spafford was recently quoted as saying in a noteworthy piece, ‘Cyberwar Vs. Cybercrime’, on the GovInfo Security blog:
“Why aren’t we seeing the investment and prioritization being made in law enforcement, first? Why is all the publicity, funding and prioritization being given to the military—with efforts such as the build-up of the military cyber command—when so much of the clear and present threat is from the criminal element and not from other nation-states?”
Just so, Prof. Spafford!
As we have said repeatedly on this site, these are criminal gangs who have found an incredible loophole in the justice systems of the world: they can rob banks and people, with little chance of getting caught, let alone going to jail. This is not because they’re doing things that aren’t illegal; they’ve just found a new way to hide.
David Black, manager of the RCMP’s cyber infrastructure protection section, recently said to CAUCE Executive Director Neil Schwartzman, “we don’t do spam”. OK, but why not? Spam is no longer, and hasn’t been for some time, about simply sending unwanted emails. Spam is now a delivery mechanism for malware, which in turn threatens infrastructure and facilitates theft. We have seen precious few cases filed using existing Federal computer intrusion laws in Canada, and none, to our knowledge, have been filed under the renovated anti-phishing law, S-4, passed in September 2009.
Governments and law enforcement agencies need to begin to treat online theft with the same seriousness as they do other physical crimes. It is time to bring this up to the diplomatic level, or seriously consider refusing packets from places that treat the Internet, and innocent victims, as their personal ATM.
CAUCE is made up of people who care about email qua email. We understand it, we love it. It is still the ‘killer app’. Furthermore, we understand why some folks in law enforcement or the judiciary might ask, “When there are people stealing millions or hurting people in the commission of violent crimes, why are you wasting our time with ‘just’ a spam case?” Here’s why:
Cyber criminals consider cyber crime to be a virtually riskless offense; they’re unlikely to be identified; if identified, they’re unlikely to be investigated; if investigated, they’re unlikely to be charged and prosecuted; if prosecuted, they’re unlikely to be convicted; if convicted, they’re unlikely to do jail time.
The courts need to make it clear that that’s wrong in all respects. If you commit cyber crimes, you will be identified, investigated, charged, prosecuted, convicted and sentenced to serious time and we will seize your assets.
This will not happen so long as crime that involves the Internet is dismissed as “cybercrime” and either scoffed at or used to justify ever-increasing cyberwarfare budgets.
This isn’t just email. This isn’t a war. This isn’t “cyber.” This is crime. It is time to call a cop, and expect a response.
This post was co-authored by CAUCE Executives J.D. Falk and Neil Schwartzman.
Russian organized crime is closely tied to the Russian government and performs ‘favors’ for them in return for immunity from prosecution.
The issue of Internet crime is thus not just a police issue.
The Russian government has ordered opponents murdered on the streets of London. The only reason for using Polonium as a poison is that it is unobtainable outside government labs and its use thus sends an unmistakable message.
The nexus between cyber-crime and cyber-warfare groups is very close in both Russia and China. The best way to protect the country against cyber-warfare is to take cyber-crime seriously.
And the best way to take cyber-crime seriously is to require US banks to fix their broken infrastructure that makes Internet crime so easy. The Europeans have almost eliminated card-present fraud with the chip and pin scheme. And almost all the residual fraud would be eliminated if chip and pin was deployed universally and the legacy mag-stripe schemes eliminated.
Such measures are not justified if we consider cyber-crime to be merely a loss prevention problem. The losses are not that great. But if we consider cyber-crime to be creating an infrastructure that enables terrorists and military opponents, then it is worth spending ten dollars to deny the criminals one.
If that premise is recognised, that would imply a call for all the attendant sanctions and penalties (UN / US OFAC etc) that are attached to states like Iran, Cuba, Syria .. and of course, finding a state and/or international organization who gets to bell the cat and brand either or both world power + permanent member of the UN a rogue state. The geopolitical implications of that would be startling, for sure. The cyberwar angle is where it is far easier for two things to happen - 1. The line between non state and state actors is blurred 2. Even those non state actors who have engaged in "cyberwar" have had several layers of separation and plausible deniability between them and the relevant states. Of course - mere online crime is far more traceable and can be pinned on specific persons. Especially where there's an offline dimension such as kidnap and forced prostitution like in this case. Authors of bots can be tracked, street hoods / mobsters etc are quite often well known to the police in their local area of operations. The trouble is, of course, actually getting cooperation from law enforcement in other countries (either because of a lack of MLATs / extradition treaties etc, and/or because of well.. informal arrangements between some police officers and criminals)
Or we could just fix our banking infrastructure so they can't steal our money. Then figure out what parts of our critical infrastructure matter and fix them so that they can't be knocked out by a cyber attack. If we applied half the effort that has gone into DRM schemes into building secure control systems we would be secure. The reason DRM schemes are breakable is that they are attempting to keep secret information that can potentially be read by a billion plus end points.
I agree with your point about securing banking infrastructure. Just wondering if a broader perspective isn't needed .. it's a single tree in a huge forest (though a rather large tree, I must admit)
The criminals who kidnapped and raped that girl were not terrorists in a "national" sense - this was standard common or garden intimidation that is characteristic of organized crime around the world. I agree with your point about it not merely being loss prevention, but it is not one dimensional enough to just blanket pin it all on terrorism. But of course we are both on the same page, from multiple previous comments you've made on CircleID, and it's going to be hard to put all of that in a few lines. Yes, it isn't hard to write white papers either... translating .doc and .ppt to real life on the other hand..
There really is much less difference between terrorism and organized crime than US commentators imagine. The Baader Meinhof gang financed itself robbing banks, the IRA ran protection rackets, Al Qaeda provides logistics and support for the opium trade. Organized crime is actually pretty difficult to set up, there is no honor amongst thieves, they constantly inform and engage in power struggles amongst themselves. It usually takes a major binding force to keep the groups together over a long period. The Triads and the Mafia both began as political movements, members of the IRA have turned to major bank robberies. State support for terrorism was not a factor in the rise of any of the major European groups and probably did little to sustain them at their peak. The East Germans almost certainly allowed the Baader-Meinhof gang to continue operating for several most years, but they never directed it in the way US observers tend to imply. Hezbollah was formed in response to the Israeli invasion of Lebanon, it received support from Iran because it had already established itself as the major Shi'ite power in the Lebanese resistance and civil war. It is not an arm of the Iranian regime. Terrorist actions by states are a different matter. The French blew up the Rainbow Warrior, the Libyans were probably responsible for Lockerbie. But most governments announce their terrorist acts in advance as 'military actions' of some sort. Planting bombs on a plane is considered terrorism. But dropping them on civilian areas from a military plane is not. The real concern for me as far as cyber is concerned is that the barriers to entry are low and there is no possibility of reliable attribution. Yet military and diplomatic strategy is dominated by people who have built their careers on nuclear deterrence. Another real problem with the cyber-crime nexus is that it can threaten the regime itself. 
All a certain Russian colonel needed to build a personal private army was the ability to guarantee them immunity from prosecution in return for certain political 'favors' from time to time. The problem with such people is that they can become a bit too powerful. Hitler faced a similar problem with his Stormtroopers. That is why the Nazis murdered about a hundred of their own people in the Rohm Purge (night of the long knives) four years before Kristallnacht and the rest.
There is usually a clear distinction in the objectives of these - to classify them as "regular crime" and "crime for political goals". Yes, various terrorist operations have robbed banks and dealt drugs to finance their operations. And stories about Nigerian scam revenues being funneled to anybody from Niger Delta terrorists to Al Qaeda. But that's a case of the same actors engaging in two different sets of crime. You can have dedicated terrorists who are not criminals and even think of themselves as a sort of Robin Hood. You can also have bank robbers and drug dealers whose intention isn't to overthrow the petit bourgeoisie as much as it is to get themselves drink money (or on a grand scale, sports cars, luxury villas, cash stashed in untraceable bank accounts)
What might be "black ops" to one country could well be a breach of the laws of another country. Like the recent cases in Italy where various CIA members were prosecuted for extraordinary rendition of suspected Al Qaeda members, to the case in Dubai where suspected Israeli agents using fake passports killed a Hamas leader. [Note - Israel certainly hasn't admitted to killing the guy]. It is not always that a country wants to advertise (let alone have it found out) that it has participated in a black ops operation in a foreign country.
Neil (and J.D.) I totally agree with you that cyber crime is crime and cyber fraud is fraud. The “cyber” criminal will be sentenced by a judge for these offences and not for using his computer. I do beg to differ on one instance. To my mind most police officers do not understand cyber crime, nor are able to recognize what is reported to them. Thirdly, most countries do not have a system that aggregates reports (where cyber crime is concerned). So the magnitude of the problem is unknown. How can a police officer prioritise this way?
Hence, I would suggest that all this has to be amended. As long as this does not happen, the RCMP official will keep saying “we don’t do spam”. Why? He simply does not have a clue what is hitting Canada.
To my mind it’s time to start a discussion on these problems. How can we make sure people responsible for prioritizations learn how to prioritize differently? What does this take? If we can come up with some good answers, who knows, we may be able to influence several communities. Believe me, this is thé discussion.
I have and will be writing more on this on my own blog: http://woutdenatris.wordpress.com. You may want to follow me, as there is more to it than just this.
Wout de Natris
Leiderdorp, 7 November 2010
Much as you post your thoughts on your blog, Neil and J.D. post on CircleID etc .. we need the equivalent of an RSS aggregator (or in cybercrime terms, something on the lines of the AISI in Australia) set up across countries - a data aggregator and a network of points of contact to funnel reports to, as well as automated formats and tools to script and automate report processing. Something that's on a larger scale than ARF and not spam specific .. INCH/IODEF if it gets sufficient traction perhaps.