Docstoc

2nd Asian Cyber Crime Summit Hon

Document Sample
2nd Asian Cyber Crime Summit Hon Powered By Docstoc
					Summary Report: 2nd Asian Cyber Crime Summit: Hong Kong
University Council Chamber November 5-6 2003

Dr. Roderic Broadhurst1


        “He that will not apply new remedies must expect new evils for time is the
        greatest innovator.”


        Sir Francis Bacon [cited in Ralph Nader, 1966 Unsafe at Any Speed, Pocket
        Books: NY]



Introduction


At the second meeting of the Asian Cyber-crime Summit it was recognised that
economic and social development was becoming increasingly dependent on digital
technology. However, the benefits of digital technology were also increasingly prone
to criminal exploitation so that it threatened the development of e-commerce and e-
learning. Co-operation between public agencies and private industry, within and
between nations, was now essential and information technology assistance to less
developed nation is important not only to prevent the creation of criminal havens, but
also to foster security and prosperity in cyberspace.


In this rapporteur‟s summary I will touch briefly on several themes that have been
raised by speakers and comment on the changes observed since the first meeting in
April 20012. Before doing so I want to thank the sponsors3, speakers and delegates for
their generous contributions and participation in this follow-up meeting. The
presentations given at this conference will be compiled into an electronic version for
rapid dissemination to all participants. Several of the papers prepared for the summit

1
  Senior Fellow (broadie@hkucc.hku.hk), Centre for Criminology, University of Hong Kong:
www.hku.hk/crime. The author wishes to thank Professor Peter Grabosky of the Australian National
University for his assistance as co-rapporteur.
2
  Proceedings of the first summit were published by the University of Hong Kong, Centre for
Criminology (www.hku.hk/crime): see R. Broadhurst, Ed. 2001, Proceedings of the First Asia
CyberCrime Summit, and further information on regional initiatives can be found in Broadhurst, R.G.
Ed. 2003, „Trans-national Organised Crime Conference: proceedings‟, Hong Kong Police.
3
  In addition to the support of the Hong Kong Customs and Excise, Department of Justice, and Police,


                                                                                                       1
will also be disseminated as the proceedings as early as possible in 2004.


The presence of delegates from 16 4 jurisdictions and several international bodies
(United Nations, Council of Europe, UNAFEI, UNDCP, Interpol and APEC) from
across the region, representing industry and government, reflect the clear recognition
that in order to mitigate the effects of computer-related crime an international
response is now crucial. The continued development of information technologies and
the rapid expansion of Internet commerce and digital connectivity are now also key
generators of the process of globalisation – indeed they are the signature of these
immutable processes. The inter-dependence that is inherent in the globalisation of
markets built on information technology in turn is founded on the need to provide
credible individual and collective security if these „new‟ technologies are to realise
their economic and social promise. At the extreme of the risks now posed, cyber-
criminals operating in the context of failed or failing states contribute to the
criminalization of the world economy, by providing both safe havens and plundered
resources. From the UN perspective Dr. Slawomir Redo observes:


         The current decade is witnessing an unprecedented process of the
         transnationalization of crime. The rapid                     development of computer
         telecommunications and other technology has led to the growth of new forms
         of transnational crime, especially computer-related crime…the entire public
         sector, including criminal justice administration, in one way or another has to
         address these dynamic developments.


The sense of urgency about the risks posed by a „lawless‟ Internet noted in April
2001, subsequently magnified by the events of September 11 2001, form the backdrop
to the discussions at the second Asia Cyber-crime Summit 5 . The concerns about
possible risks to human security and commerce identified over 30 months ago have
for the most part become reality with notable concern now expressed about the role
and potential development of serious criminal networks active in exploiting the


the sponsors were MPA, Microsoft, Mastercard, IFPI, Internet Crime Group, and E-Bay.
4
  From the region: Brunei Darussalam, PR China, Hong Kong and Macau, Taiwan, Japan, Singapore,
Malaysia, Thailand, South Korea, Philippines, India, Indonesia, Mongolia, Australia, and the USA.
5
  For a lively discussion of the need to develop and support international organizations such as Interpol;
see Gros, J., 2003, “Trouble in Paradise: Crime and Collapsed States in the Age of Globalization”,


                                                                                                        2
opportunities in the on-line environment. Nevertheless, meetings of this kind continue
to help activate the vital international links that enable comity between jurisdictions
and are both co-operative exchanges and opportunities for the building of trusted
networks of committed actors.


An International Response


This second meeting re-visited the principal theme of the first summit, namely the
need for greater international and regional law enforcement and industry co-operation.
The role of digital and information technologies in the generation of national wealth
now means the new risks associated with these changes require continued attention on
all fronts: national, regional and international. The passage of the Council of Europe‟s
Cyber-crime Convention in December 2001 and its expected activation at the close of
2003 6 provide a sound basis for an international mechanism for law enforcement
cooperation and harmonisation of laws (see papers by, Gianluca Esposito, Yasuhiro
Tanabe and Wayne Walsh). The convention apart from enhancing mutual legal
assistance provides comprehensive powers to: expedite preservation of stored
computer data and partial disclosure of traffic data; for production orders; search
computer systems; seize stored computer data; enable real-time collection of traffic
data; and intercept the content of questionable electronic data. APEC like other
regional forums has recognised the important role of e-commerce in fostering
economic development and through its „E Security Task Group‟ (APEC
Telecommunications and Information Working Group 7 ) have begun to provide
guidance on a raft of issues relating to “e-readiness‟ and governance. In addition,
although not specifically directed at cyber crime, the complimentary role of the
United Nations Convention Against Transnational Organized Crime (in force as of
2003) is a highly relevant global instrument for addressing some of the more


British Journal of Criminology, Vol. 43:63-80.
6
  Dr. Esposito also noted the recent adoption by the Council of Europe of the additional protocol to the
Cybercrime Convention addressing “racist and xenophobic material”. An encouraging response to the
“revolutionary” nature of the conventions approach to international harmonisation was the decision of
the Organisation of American States to consider a collective ascension to the convention. As of
15.12.03 the Convention had 33 signatories and 4 ascensions/ratifications – one short of the 5 required
for activsation (see www.conventions.coe.int/Treaty/ENT/)
7
  For further background see the paper by Steve Orlowski and for examples refer to APEC, 2002,
„Electronic Authentication: issues relating to its selection and use‟, eSecurity Task Group, APEC
Secretariat, Singapore.


                                                                                                       3
nefarious aspects of cyber crime. Unlike a few years ago it is now possible to talk
about an international consensus on combating cyber crime, especially the trans-
national forms it often takes. Thus the positive „moral climate‟ for enforcement action
whether by civil, criminal or administrative measures and for the necessary cross-
border cooperation is such that it is no longer acceptable for the relevant authorities to
claim international inertia as reasons for in-action.


As Dr. Gianluca Esposito noted, a number of countries outside the Council of Europe
(USA, Mexico, Japan, Canada and South-Africa) were involved from the outset and
have signed the convention, and many others notably in South America are
considering it. Indeed many jurisdictions in the Asian region (notably Thailand) have
looked at the convention for guidance in formulating national laws. Gianluca Esposito
expressed the hope that the Council of Europe‟s treaty and additional protocol would
be ratified


         by as many countries around the globe as possible and closer co-operation be
         set up between international and national institutions, law-enforcement
         authorities and ISPs, within an internationally agreed legal framework, to
         counter the threats posed by cyber crime.




As Dr. Redo (UNODC) in the opening address emphasised, the „digital divide‟
between nation states is rapidly growing and the role of „advanced‟ IT based
economies in bridging this divide is essential. The necessary help required to build
effective IT capacity and security in Less Developed Countries (LDC) was in his view
not a matter of „foreign aid‟ but mutual self-interest: because the possible risk of „safe
havens‟ in respect to cyber-crime was now a reality8. Nowhere more extreme is this


8
  UN global statistics for 2000 cited by Dr. Redo are worth repeating: “only about 4.5% of the global
population had network access, but that 44% of North Americans and 10% of Europeans did, while
rates for Africa, Asia, and South America ranged from 0.3 to 1.6%. Currently, more than 98% of
global Internet protocol bandwidth, at the regional level, connects to and from North America. Fifty-
five countries account for 99% of worldwide spending on information technology production. There is
a clear trend towards knowledge-based economies, but factors other than development, such as the
structure and access costs for telecommunications services, affect rates of access and use. The fifth of
the world‟s people living in the highest-income countries have 86 % of the world‟s Gross Domestic
Product, but 93 % of Internet users, whereas the bottom fifth have 1 % of GDP and only 0.2 % of
Internet users.”


                                                                                                      4
„digital divide‟ than in Asia with countries such as South Korea, Japan, Hong Kong9
and Singapore leading the way with internet access reaching as many as 80% of
households (often with broadband), while Laos, Cambodia, Mongolia and Myanmar
had less than 2% of their populations connected. However, rapid growth of computer
use in China has seen their numbers of subscribers to the Internet reach 55-58 million
users, exceeding Japan, although the proportion of households connected remains
relatively low and is not expected to reach 20-25% of households until 2006. A paper
by Dr. K. Togtuun illustrates the many problems faced by transitional economies,
such as Mongolia, in developing a secure information technology infrastructure.
Mongolia has begun the process of developing IT laws and has created within its
police a unit to “struggle” against cyber-criminals10.


The recognition of what sociologists call „communities of shared fate‟ was now
essential if cross-border co-operation was to develop into effective long-term
collaboration. Underlying the growing recognition of mutual interdependence Dr.
Redo noted that there was now “…clear evidence that mutual legal assistance is
taking shape which, at some point, may lead to more comprehensive global legal
arrangements and instrument(s)” 11.


Operation „Buccaneer‟ described by Richard Downing (US Department of Justice)
focused investigation on a complex trans-national Internet networks (in particular a
„Warez‟ group self-titled “DrinkorDie‟) that stored and traded in pirated software,
movies and games. This case illustrated what could be done with coordinated cross-
national law enforcement cooperation 12 . A computer intrusion case (described by

9
  Internet penetration in HK based on approximately 2.4 million accounts was estimated to be in the
region of 53-59% of households of which approximately a third have broadband connections (see
Patrick Lam and Richard Turnbull).
10
   The new unit nevertheless successfully tackled an intrusion into the computers of the Golomt Bank
of Mongolia in October 2001 leading to the loss of 81.6 tugrics with arrests occurring in March 2002.
11
   He also reported that a draft resolution cosponsored by Argentina, Bulgaria, Canada, Ethiopia and
the United States of America was presented at the fifty-eighth session of the General Assembly (2003)
on “Cybersecurity and the protection of critical information infrastructures. If adopted, it invites
Member States and all relevant international organizations to take into account in their actions and
cooperation the need, inter alia, to protect critical information structures from possible misuses,
including tracing of attacks and, where appropriate, the disclosure of tracing information to other
countries
12
   The case required the co-operation of law enforcement in Australia, Finland, Norway, Sweden, USA,
and the UK over 14 months and identified 10 major „Warez‟ FTB sites involving about 10 terrabytes of
data. It should be noted that the success of the case greatly depended on the cooperation of an insider to
the network of „pirates‟, who were responsible for „release‟ or cracking and those who courier or


                                                                                                        5
James Burrell) as a predicate to an attempt to extort $USD 200,000 from Bloomberg
LLP was carried out by a citizen of Kazakhstan who was eventually was extradited
and convicted for extortion and computer intrusion offences and sentenced to 51
months prison also shows what can be achieved with effective MLA13.


Private-Public Partnerships in Combating Cyber-crime


The development of partnerships across the private sector and partnerships between
industry and government and international bodies is vital to realise these changes..
Such partnerships have developed apace, however, the nature and parameters of the
complementary roles these actors may play remain tentative and imprecise. It is
increasingly evident that a substantial part of the effort against cyber-criminals is
coming from private sector „policing‟ with public police playing the key role in the
final or crucial aspects of investigation. In many jurisdictions it is the actions of the
private sector that are in the forefront of addressing IP and computer intrusion
offences because public police often lack the resources and expertise.


This begs the question about what is the right balance between the public and private
sector in combating cyber-crime? As industry learns to „combine‟ to deal more
effectively with the challenges of cyber-crime it must also give priority to consumer
safety. As the novelty of computers abates and consumers become increasingly aware
of the hazards of computer use, the manufacturers of hardware and software must
seek more effective means to make them „safe‟ to use. In this respect I am reminded
of earlier examples from the heyday of the mass production of the motor vehicle (per
the above citation drawn from Ralph Nader‟s expose of motor vehicle safety) when
consumer safety was knowingly compromised in the pursuit of profit. Manufacturers
who quickly recognised the market value of safe products and re-tooled accordingly


distribute the products on the Internet. The offenders could be described as „delinquent professionals‟,
including systems administrators and other computer experts.
13
   The offenders gained access gained to an internal computer system at U.S. based Bloomberg LLP
and sent e-mail messages to the CEO demanding approximately $200,000 (USD) in exchange for
information concerning security vulnerabilities of the organization‟s enterprise computer systems.
Bloomberg LLP CEO deposited approximately $200,000 (USD) in an offshore account and arranged a
meeting with subjects at a location outside the U.S. FBI in cooperation with international law
enforcement partners conducted an operation to obtain additional evidence against the subjects that
involved extradition processes in respect to several US criminal offences, such as extortion, Interstate
Threatening Communications and Unauthorized Computer Access.


                                                                                                           6
retained profitability while those that did not faltered. Thus, it was „refreshing‟ at the
Summit to hear Microsoft (Scott Charney) reflect on its failure to led the market in
respect to consumer safety and to recognise that today the market now demands a
secure and trusted environment if computers and information technology are to realise
their full potential.


Mr. Pindar Wong (VeriFi HK) also eloquently used the unsafe „highway‟ analogy to
remind us of the inherent decentralised and open architecture of the Internet.
Although created originally for small and specialised communities operating in an
environment of trust the rapid global expansion of the Internet renders it highly
vulnerable to a lawless „frontier‟ style Internet culture. Technology was now driving
cultural adaptations and provided an environment for criminal opportunities that
could no longer be addressed by the technological „fix‟. He illustrated this problem by
giving examples of the various forms of malicious code (computer viruses) unleashed
via email systems14. The serious effects of malicious software, such as „code red‟,
„nimda‟, and „blaster‟ and other computer „worms‟, was amply illustrated by Dr.
Yuejin Du‟s (MIT, CERT/CC) presentation on the consequences for China internet
users and the subsequent response of Chinese authorities15. The risks now posed by
the release of malicious codes of increasing complexity (often specifically targeted
against either a significant commercial or government site) were substantial and could
threaten the viability of e-commerce. Josh Halpern (ICG) and Pindar Wong alluded to
the danger of under-estimating the „communities of cyber criminals‟ now operating in
the various “ chat rooms” that proliferate on the Internet. Excellent examples of these
sorts of “crime rookeries” can be found in the Internet web-based “businesses” that
often operate out of Eastern Europe and Russia to supply the latest counterfeit credit




14
   I am grateful to Pindar Wong for drawing attention to the following references on malicious codes:
Moore, D., Shannon, C., Voelker, G. M. and S. Savage, 2003, „Internet Quarantine: Requirements for
containing self-propagating code‟, IEEE INFOCOM; Staniford, S, Paxson, V. and N. Weaver 2002,
„How to 0wn the internet in your spare time‟, in Proceedings of the 11 th USENIX Security Symposium
(Security ‟02), available at http//www.icir.org/vern/papers/cdc-usenix-sec02/; and visit
www.symantec.com for periodic reports on threat assessment on the Internet,
15
   Due Yueyin reported that „MSBlast‟ released in July 2003 infected 120 000 computers in China
while the early „Deloder‟ congested or degraded about 40 000 servers including back bone servers
considerably worse than the 22 000 serves infected by „Sql slammer‟ in January 2003. Needless to say
up to date laws and mechanism for improved international cooperation were required to enable China
to respond effectively.


                                                                                                    7
cards. At these e-commerce sites „batches‟ of cards may be purchased on-line from
„trustworthy‟ but deviant businessmen.16


The development of computer emergency response teams (CERT‟s) both nationally
(for example as discussed by Du Yueyin in China, Takashi Sato in Japan, James
Burrell of the USA FBI, Scott McLeod in Australia and Roy Ko of Hong Kong
CERT) and internationally through the G8 sponsored 24/7 network were now playing
a vital role in responding to computer crime as well as combating the spread of
malicious code (see Richard Downing US Department of Justice17). Another menace,
with equally insidious effects, is the rapid spread of „spamming‟. In Korea 18
pioneering responses to the ubiquitous menace of „spam‟ were discussed by K.J. Park
of the Korean Information Security Agency (KISA). In the Korean example, efforts to
both criminalize this conduct and to stress the critical role of consumer awareness
have proven somewhat effective, however, extra-jurisdictional „spammers‟ still
operated with relative impunity. KISA provided data that estimated that on average 41
„spam‟ mails were received per person per day in Korea in July 2003 down from
about 50 but unless spamming was addressed this was likely to flood email systems to
extinction19. KISA noted that many „relay servers‟ were sourced from schools and
that improving information security in that sector along with requiring ISPs to register
bulk mailers may stem the flood of unsolicited commercial email. According to a
KISA survey 56% of „spam‟ involved sexually explicit material, 19% other illegal
products, 14% was fraud style emails, and 11% other forms of advertising.


As Peter Grabosky observed these legislative experiments will provide an opportunity
to see how effective they are at ensuring that emails contain clear and conspicuous
identification as an advertisement and, include “opt out” instructions permitting the


16
   For graphic examples see: http://forum.carderplanet.com <http://forum.carderplanet.com/ and
http://www.dumpsmarket.com/forum/. The latter site may be inactive at times but usually has a lively
forum for Chinese speaking fraudsters. I am grateful to Mr. G. Moore for providing details of this and
other illegal websites.
17
   Richard Downing reported that as of May 2003, 35 countries now participate in the global 24/7
networks of CERT‟s.
18
   A US federal law is pending on an anti-spam measure that will supersede 37 state laws and increase
penalties and measures against illegal spam. An Australian Spam Bill was also introduced in 2003: see
http://www.aph.gov.au/library/pubs/bd/2003-04/04bd045.htm.
19
   KJ Park cited dated that estimated „spam‟ comprised about 50% of emails but predicted by 2005
80% of emails would be „spam‟. Message Labs an email security system provider estimates that spam
accounted for one in every 2.5 emails in 2003 compared to one in eleven in 2002 (A.M. Squeo, „US


                                                                                                     8
recipient to exclude future unsolicited communications from the same source.
Legislation may also penalize the falsification of sender addresses and some
jurisdictions are considering prohibitions on the use of electronic address harvesting
tools and of harvested address lists. As Grabosky and other speakers (for example,
Scott Charney, Jeff Bullwinkel) noted the absence of a specific criminal law to
address cyber-crimes such as spam did not rule out civil law remedies that may allow
action for trespass to chattel and criminal damage.


For those jurisdictions who have in place substantive laws that criminalize various
aspects of computer crime, statistics on known offences are consequently available.
Data for Japan (see Takashi Sato‟s paper for data on arrests and the substantial
number of cyber-crime victims who now use counselling services) and Hong Kong
were presented and the trends include significant changes in the nature of the offences
reported and increases in more serious offences. For example, in Japan arrests for
computer related crimes involving the Internet were 31.7% of 262 arrests in 1997 and
29.9% of 415 arrests in 1998, but by 2002 they accounted for 92.2% of all 1 039
computer-related arrests, with a growing trend in fraud-like offences noted. In the
case of Japan the majority of Internet related crime involved pornographic and
associated offences.


Hong Kong police statistics for reported computer related offences (see Table 1
below) show rapid increases in hacking and deception offences and significant
increases (compared with 2001-2002) in the first nine months of 200320. Although
intrusion offences are often minor, many speakers noted their growth in conjunction
with increases in deception offences. They observed that intrusion is now more likely
to be a predicate to more serious offences. The increases in 2003 was also associated
with the popularity of online games in Hong Kong; Lam Cheuk Ping noted “…many
reported “hacking” cases in 2003 were related to misappropriation of online game
data (or tools)”.




House Advances Spam Bill‟, Asian Wall Street Journal, December 10, 2003).
20
   A forthcoming edited volume entitled Cybercrime: The Challenge in Asia by R. Broadhurst and P.
Grabosky provides an overview of cyber crime in the Asian region and will be published by the


                                                                                                    9
Table 1: Computer Related Crimes Reported in Hong Kong 1995-2003


Reported Cases             1995     1996      1997     1998     1999     2000     2001      2002     20031
Hacking/ Cracking2         4        4         7        13       238      275      114       164      325
Criminal Damage            2        4         3        3        4        15       27        16       14
Online Deception           0        0         2        1        18       29       65        64       84
E-Theft & Other            8        13        8        17       57       49       29        30       29
All                        14       21        20       34       317      365      235       272      454


Notes: 1. Number of reports recorded as of September 2003 and the data source is the Technology
Crime Unit HKP and differs from cases “investigated” cited by R. Turnbull; 2. Unauthorised access or
access to a computer with criminal or dishonest intent.



Changes and issues since the 1st Summit in 2001


A major shift since the first meeting has been to have a greater focus on the role of
„crime prevention‟ (broadly defined) that includes not only the development of
appropriate laws (in many countries still on the drawing board) to deal with cyber-
crime but also the development of comprehensive public crime prevention
programmes. Although a number of speakers emphasised the need for further
criminalization and the deployment of deterrence based strategies (for example Bob
Kruger and Jeremy Banks) others drew attention to the need for far greater investment
in basic crime prevention (see Howard Schmidt, Peter Grabosky and Steve Orlowski).
The required balance between providing resources for detection and prosecution and
for investing in community based crime prevention was dependent on the local
circumstances found in each jurisdiction. Ultimately deterrence was about increasing
the certainty of detection and punishment (per Mike Ellis) but this alone would not be
especially effective 21 . If the demand for illegal goods (be it child pornography,
prescription pharmaceuticals or the latest pirated Hollywood movie) marketed via the
Internet could not be reduced by market innovation and public education then
deterrence based strategies could provide only temporary relief. Interventions such as


University of Hong Kong Press early in 2004.
21
   Both MPA and IFPI have adopted counter-measures that recognize the attractions of Internet access
by creating legitimate download sites, e.g. „Songlines‟. Such measures are crucial if Internet users are
to access IP products that provide a genuine product and alternative, however, many user groups
complain about the limited mainstream products available to download and the industry preference to


                                                                                                       10
Microsoft‟s bounty on virus software writers, IFPI‟s general focus on deterrence to
                                                                              22
frighten the average law-abiding „music pirate‟ and BSA‟s                          deployment of
automated „web crawling‟ software to identify bogus or illegal web-sites are yet
unproven measures despite impressive efforts shown by the latter approach in Table 2
(see presentation by R. Kruger).


However, it is readily acknowledged that „web-crawler‟ technology is imperfect and
that „take-down‟ notices do not end infringing websites but often displace them to
other jurisdictions or lead to their re-invention in less detectable form. Web-page
„jacking‟, considered somewhat fanciful in 2001, has been found an effective way to
steal customer‟s identification. The discovery in December 2003 of a HSBC cloned
internet banking web-page that may have compromised an unknown number of
                               23
customers‟ identification           brings this form of cyber-theft and the presumed
effectiveness of counter-measures into stark relief.


Table 2: BSA Automated “Web-Crawler’ Activity January-September 2003


Region                    infringing sites          „take down‟ notices


Asia                      38 907                    15 242
Europe                    483 659                   17 739
Latin America             83 524                    17 650
North America             634 267                   87 723


All                       1 240 357                 138 354


This data suggests that most of the identified activity takes place in Europe (39%) and
North America (51%) but effective „take down‟ is very low in Europe (3.7%) and
North America (13.8%) compared to Asia (39.2%) and Latin America (21.1%). It is
most likely that the relatively low identification of infringing sites in Asia is a
function of the present inefficiency and special problems faced by search engines
encountering Chinese (either traditional or simplified) and other non-European


use them as a means of selling physical rather than „soft‟ or electronic products.
22
   The BSA was founded in 1988 with the purpose of protecting the copyright of the computer software
industry now operates in 68 countries.


                                                                                                  11
languages. Indeed the need for such multi-lingual search engines is a major research
priority and may prove highly useful in increasing the risks of interdiction for cyber
criminals. As criminologists would recognise, data of the kind reported in table 2 is
more likely to reflect the activity of the enforcers rather than of the criminals, and
basic research on the prevalence, nature and gravity of cyber-crime is essential. At
present too little was known about the patterns of criminality or victimisation and this
reflects the low priority given to fundamental criminological research in preference
for research on technological fixes.


The catastrophic effects of „cyber-pirates‟ on the revenues of the music and other
creative industries were only now being fully addressed in the context of e-commerce.
Although intellectual property (IP) theft was a focus of the first meeting, attention
given to the role of the Internet in providing a cheap and efficient distribution system
for organised IP pirates was not. Indeed the problem of organised criminal activity in
IP piracy was perceived to be limited to the question of how best to target illicit CD
manufacture and the interdiction of physical objects (music CDs, movie VCDs and
DVDs, patent and brand counterfeiting). The perception now is that this was a
serious under-estimation of the dangers of the role of organised crime or criminal
networks in exploiting the Internet as a means of profiting from counterfeited
products.       Legitimate industry has now begun to provide for the low cost
„downloading‟ of popular songs, movies and other creative products from the Internet
(see the presentation of IFPI‟s Jeremy Banks). The concern at this meeting was
whether such industry responses were to partial and too late for an Internet user
population now accustomed to relatively free access or alternative sources of IP
goods.


Hackers, according to the FBI‟s James Burrell, are becoming technologically more
advanced through online sharing of information, tools, and techniques via the use of
private chat rooms and secure or encrypted online communications. The online
availability of source code and automated „easy to use‟ hacking tools that act as
system reconnaissance, provide multiple exploit tools and deploy „spy-ware‟ (i.e.
keystroke monitoring or transmission) had also increased the risks of computer


23
     See China Daily, December 7, 2003:2


                                                                                     12
intrusion activity as a predicate to other criminal activity such as: extortion; financial /
Internet fraud; identity theft; telecommunications theft (voice mail and PBX systems)
and economic espionage. Moreover, „patch‟ countermeasures had proven inadequate
because too many users failed to update (regardless of whether the software was licit
or illicit) as „MS blaster‟ demonstrated, despite the availability of an effective patch
some months before the release of this particular malicious code.


Trends in computer and network attack also showed that more and more software and
systems vulnerabilities are being identified and this assisted the rapid global
proliferation of malicious software (including variants). In addition evidence of the
deployment of intelligent malicious software designed to elude detection by anti-virus
software. Now automated „intelligent‟ computer and network attack capabilities allow
remote initiation of attacks to be directed at any computer or network on the Internet
while making it more difficult to identify the actual source of the attack. These
advanced forms of intrusion code enable users to garner competitive advantage by
extracting sensitive economic data from competitors, provide data (such as customers
records) for extortion and denial of service activities.


Report Card: the situation in 2003 and beyond


In summary, however, we may characterise the developments since April 2001 in the
general context of more data, places, customers and complexity as follows:


      Clear evidence of increased sophistication in the forms of criminal activity and
       a shift towards profit focused offences, especially fraud and deception-like
       offences. The role of organised crime (serious criminal networks) especially in
       the exploitation of intellectual property through mass scale copyright
       infringement was recognised. However, the overlap between traditional
       organised crime activities and new modes of crime facilitated by computers
       and Internet connectivity was not yet fully understood.




                                                                                         13
        A notable increase in the virulence and sophistication of malicious code that
         requires timely and substantial coordinated responses from CERT or
         equivalent agencies.


        In response to consumer and market forces there has been increasingly co-
         ordinated action by the private sector against cyber crime and in ways more
         complementary to government capabilities. There has been a shift away from
         „alarm raising‟ by industry toward more collaborative action.


        The willingness and capacity of the private sector to protect their own assets
         has increased. The private sector has begun to develop creative solutions to
         some the challenges of cyber-crime. In addition to providing technical support
         and information to state law enforcement agencies, they have begun to pursue
         civil law remedies with a view towards sending a deterrent message to
         prospective offenders24.


        There has been a quickening of governmental and cross-national co-operation.
         However, systematic evaluation of the progress made in developing truly
         comprehensive forms of mutual legal assistance (MLA) was required. Action
         was necessary to map and assay the effectiveness of MLA in closing the gaps
         in the international legal system so crucial to combating computer crime. The
         monitoring of compliance was now a priority (see the paper by Gianluca
         Esposito).


        Both governments and private industry have generally improved their cyber-
         crime investigative capacity 25 and now cooperate cross-nationally (see for

24
   For example, a recent successful civil action in PR. China on behalf of the motion picture industry
recently illustrates. The Motion Picture Association (MPA) achieved resolution of two civil actions in
relation to DVD piracy in the Beijing Second Intermediate People's Court, and six cases in the People's
Courts of Shanghai, in 2003. The terms of the settlements included: ceasing further replication and
destroying all copies; making formal apologies; the payment of penalties averaging US$10,000 per
case and; an agreement to pay increased penalties if unauthorized replication re-occurs. (Personal
communication Mr. Mark Day and see: The Motion Picture Association (MPA) Announces
Expeditious Resolution of Two Landmark Civil Action Proceedings Concerning DVD Piracy in China.
Encino, CA/Hong Kong, and, Motion Picture Association (MPA) Announces The Successful
Resolution of Six Civil Action Proceedings Concerning DVD Piracy in Shanghai. Encino, CA/Hong
Kong).
25
   For example, the Philippine NIB prosecuted three „cyber-criminals‟ who exploited a community


                                                                                                     14
        example, „Operation Buccaneer‟).                However, training and retaining of
        expertise required continued investment 26 . Concerned remained about the
        parlous state of some law enforcement agencies in the region and the
        consequential risk of cyber-crime safe havens.




To summarise, greater focus was now required on organised forms of information
theft (the basic offence that constitutes cyber-crime). The utility of conventional
notions of „organised crime‟ also needed re-conceptualisation in the context of e-
commerce for organised cybercrime takes on a very different structural form (see
paper by Hong Kong Police Inspector Fung Wai Keung 27 ). While partnerships
between public and private law enforcement and between each other have developed,
they have yet to recognise the role of trans-national criminal activity and the
consequent requirement for strategic development of partnerships.                           Prescient
examples, however, exist as John Newton (Interpol) noted:


        “It is clear that the struggle between the payment card industry and organised
        criminals will continue for many years, if not forever, as each seeks to exploit
        computers to further their aims. The introduction of better card verification
        and improved card authorisation traffic encryption methods will go some way
        to counter recent criminal developments.                 However, the industry cannot
        operate alone in a vacuum and working closely in partnership with other
        affected parties and law enforcement is essential if the dishonest actions of
        organised criminals are to be disrupted and curtailed. In particular there is a
        need to quickly fill the information void created by cross-border and
        international payment card crime.              The Interpol Payment Card Website
        provides a working model for a timely cross-industry, cross-law enforcement
        exchange of non-personal information about emerging crimes and links them


website using fake credit card under the new Republic Act No. 8792 (E-commerce Act) and Republic
Act No. 8484 (Credit-card Fraud) in November 2003 (see Computer World Philippines Nov. 12, 2003:
Vol.13: No. 16).
26
   Superintendent Lam Cheuk Ping outlined the training programmes of the Hong Kong Police and role
of the high-tech crime unit. Police training requires considerable investment and more capable agencies
are usually willing to assist, if required, in developing the capabilities of neighbouring forces.
27
   Inspector Fung provides a number of case studies and notes the role of fluid networks of hackers and
criminals colluding to extort and undertake virtual forms of intimidation.


                                                                                                    15
        together on the basis of common characteristics. The global partnership has
        delivered information and local solutions to investigators throughout the world
        and continues to do so.”


Comprehensive legislation on IT and security matters is pending in Thailand 28 and
urgent amendments are required to update and re-equip PR China laws. A paper by
Greg Urbas on the development of legislation designed to counter intellectual
property offences and cyber crime in the region showed that while some states had
enacted new laws, many remained ill-equiped to deal with the cross-border nature of
these offences. As Dr. Urbas notes in concluding the overview of legislation in Asia:


        Cybercrime legislation in the Asia-Pacific region is still in the very early
        stages of development and exhibits wide variation in terms of legislative
        approach, overlap with general criminal, commercial and intellectual property
        law, and differentiation between offences and penalty levels. This variation is
        not surprising given the vastly different historical, social and political contexts
        within which these laws have evolved, and the differing levels of
        technological development within the region.




Steve Orlowski also reported an APEC cyber-crime legislation survey involving 14
nations29 that found all had some legislative provisions to address cyber-crime and to
support law enforcement.               However, mutual legal assistance, extradition
arrangements, and provision of cross border information in respect of computer
offences were found in only half the countries surveyed. The survey noted that the
main concerns related to the difficulties in requesting the collection and preservation

28
   The new law is anticipated to take effect in late 2004 (personal communication Ms. Surangkana
Wayuparb, National Electronics and Computer Technology Centre, Ministry of Science and
Technology) but as noted by Police Colonel Naras Savestanan the extent to which general police, as
distinct from the small specialist unit already established, were equipped to handle computer-related
crime remained a very significant challenge.
29
   These were Australia; Brunei Darussalam; Canada; China; Hong Kong, China; Japan; Korea;
Malaysia; New Zealand; Philippines; Singapore; Chinese Taipei; Thailand and United States;
responded to the survey. Two of these only provided partial responses (for details see paper by Steve
Orlowski and http://www.apectel28.com.tw/document/webword/estg/telwg28-ESTG-07.doc). A
database is to be compiled to serve as examples and in developing or reviewing their legislation and
procedural arrangements



                                                                                                  16
of evidence in real time, issues relating to jurisdiction for offences and offenders, and
lack of, or limitations in, mutual assistance and extradition arrangements. APEC
Ministers who have called for further work by APEC economies to develop laws and
procedures that facilitate the investigation and prosecution of cross-jurisdictional
cyber crime had noted these problems. As noted above it is essential to continually
monitor progress and where necessary provide assistance and encouragement in
ensuring MLA is not impeded.


Counter-measures: The Situational Crime Prevention Approach


A number of presentations focused on the improvements and challenges faced by
forensic specialists tasked with investigating computer-related crime, noting the shift
away from „script kiddie‟ releases of malicious software to bespoke code designed to
steal information, especially ID data. The greater use of encryption and access
protection was also noted by many speakers confronted with the challenge of
extracting evidence from computers, and servers. Superintendent Tan Kok Liang,
amongst others (Royal Malaysia Police) observed that at least 30% of the 730 cases
dealt with by their Forensics Laboratory to date in 2003 involved sophisticated access
protection 30. Another continuing problem emphasised by the FBI‟s James Burrell
(and others) was the reluctance of victims to report offences and the inability of many
victims to even be aware that they or the computers had been compromised. Some
preliminary results of the UN survey of Crimes Against Business in Hong Kong bear
this out. Of the 47 businesses (7.7% of the 612 businesses participating in the
survey31) that reported a cyber-crime incident(s) in 2002 only 2 (4%) brought the
matter to the attention of police . Moreover, compared to issues such as tax regimes,
export and import regulations, regulations on safety and labour the general problems
of crime and corruption was rated significant with over half of businesses (54%)
reporting that crime was a moderate to strong obstacle to doing business in Hong
Kong.



30
   Superintendent Tan also observed the limitations imposed on police computer forensic investigation
by Section 90A of the Malaysia Evidence Act in respect to the release of incriminating evidence stored
in computers, especially encrypted and access-protected computer data
31
   Survey by HKU SSRC/Centre of Criminology by CATI in July 2003 – completed responses n = 612,
and 28% of all telephone contacts: preliminary results only reported and for more details contact the


                                                                                                    17
Leading crime prevention scholars Newman and Clarke (2003) in a recently released
book entitled Robbery on the Information Superhighway provide a comprehensive
review of crime prevention for e-commerce. In the on-line „situation‟ the theft of
information and the manipulation of identity and trust are the key. In their approach
crime is an opportunity that occurs when the following conditions combine in time
and place: the presence of motivated and tempted offenders (offender pathology is not
required), attractive and tempting targets in the absence of effective guardians. When
this situation arises crime will occur providing the offenders also have appropriate
resources (i.e. social and technical capital) to undertake the crime. Consequently
efforts to reduce on-line offences and e-commerce crime needed to recognise these
basic ingredients and the numerous pathways or opportunities for crime in via on-line
rather than face-to-face environment. A crucial factor is how trust is acquired and
maintained when merchants must be more intrusive about their (unseen) customers
identity and credit risk and the apparent ease in which trust is manipulated by
fraudsters and others operating in the on-line situation. Of interest is Clarke and
Newman‟s attention to the risks posed in the post-transaction phase (i.e. the delivery
of goods or services ordered) a matter over-looked in our discussions. They correctly
note that most measures designed to counter crime in the e-commerce environment
relied upon either identifying potential offenders or shoring up „guardianship‟ via
information security but seldom configured the inter-relationships between these and
nature of the attractive target. Risk aversive systems of e-commerce therefore needed
to be far more integrated than conventional environments and require more than
passing attention to what the information security engineers like to call „social
engineering‟.


Although there is consensus about the risks of computer-related crime, apart from
criminalizing the conduct at a global level, there is much less consensus about what
might be done to prevent it. There is a discernable but barely articulated concern that
the technological solution to information security is a mirage: more hope than reality
and that dependence on the promise of a technology fix is an approach fated to fail.
So also is the faith in a deterrence-based approach were the criminal law is deployed
as the principal instrument of prevention. Deterrence is unlikely to succeed in all or


author.


                                                                                    18
even in some circumstances and experience with conventional crime suggests over-
reliance on the law, as a deterrent or moral educator is alone unlikely to help
substantially even if legitimately supported of the community. Much has been said
about the need for public education and better crime prevention but little has been
said about how this might be done and what are the most effective strategies or indeed
the money to do so on a mass scale.      In addressing cyber threats, several speakers
(here drawing on James Burrell) emphasised the kinds of basic measures required;
these included:


      improve security awareness by providing adequate resources to secure
       transactions and equip system operators and administrators;
      improve coordination and collaboration by enabling systematic exchanges
       between the private sector and law enforcement including joint operations;
      take steps to ensure that technology does not outpace the ability of law
       enforcement to investigate;
      broadly criminalize the conduct (including juvenile offenders) and focus on all
       violators big and small;
      strengthen international initiatives by updating existing treaties and
       agreements to recognize the existence, threats and trans-national nature of
       high-tech computer related crimes.


Nevertheless, much of what we think will help in preventing cyber-crime is based on
too little knowledge about offender and victim behaviour as it applies in the on-line
environment. Unless we wish to avoid the mistakes of the past basic research is
required to understand the interplay between the socio-economic environment and the
behaviour of individual or group actors in exploitation of „cyberspace‟.


Conclusion


If a 3rd Asia Cybercrime Summit takes place sometime in late 2005 or 2006, I and
others would predict that the same issues that have exercised the 2nd summit will be
present. So also will there be entirely new issues and those barely emerging now.
There will be no hiatus between now and then, as two major global conferences will



                                                                                    19
address an array of such issues: the World Summit on the Information Society
(December 2003) and the Eleventh United Nations Congress on Crime Prevention and
Criminal Justice (April 2005). For certain, North Asia and China in particular will be
super-weight players in any global system of cyber crime prevention. However rapid
IT growth may be it is unlikely to continue its apparently exponential trajectory
unless the digital divide is indeed broken and poorer nations and neighbours are
included. Regrettably this is unlikely unless multi-national corporations and
governments in the richer states undertake positive long-term investment where it is
most needed. I thus hope that at our next meeting we will have the company of CERT
or computer forensics officers from Cambodia and other states where the digital
divide renders them and us vulnerable to the entrepreneurial instincts of predatory
criminals.


Perhaps the advent of astonishing compression technologies will render the transfer of
a pirated DVD so rapid as to render these products a highly attractive commodity to
jurisdiction-jumping pirates with commercial interests in „rogue‟ ISPs. Perhaps
uncurbed spamming will make the email system so inefficient that the invitations we
send out to delegates of the next will be delivered by fax or airmail. More extremely
perhaps an intelligent super-virulent malicious code that exploits the existing software
monoculture had been released that periodically „shuts down‟ entire systems, their
backbones and overcomes built in redundancy in all but the most protected systems.


It is, however, certain that four issues will still be on the agenda and these are the
continued search for a truly viable international law enforcement mechanism, the role
of trans-national criminal networks, how to make private and public partnerships
genuinely collaborative and the continued need for research and training.




                                                                                     20