IP resource policy monitoring and contributing

International cooperation on cyber crime

International cooperation, the actual exchange information across borders takes on many guises. This blog plans to focus on the different aspects of cooperation, interactions and information exchanges that law enforcement agencies, industry and governments run into.

Policy monitoring and contributing

Internet resource organisations, like ICANN, RIPE NCC and SIDN set policies around the way they distribute IP resources, i.e. domain names, IP addresses and AS numbers. The proposed policies are discussed in groups specifically created for these time consuming processes. Everyone from the community can chip in and have their say, or start there own policy group when they think a subject is important to raise. These could e.g. be very technical subjects or on how to deal with privacy sensitive data that is stored for several reasons by the IP resource organisations. It is important to realise that law enforcement agencies (LEAs) could quite legitimately state that they are part of these communities.

What has the distribution of IP resources to do with cyber crime?

Cyber criminals use IP resources to have access to the internet. They need domain names to lure traffic towards their operation and IP addresses to access the internet and receive information or to communicate between themselves. Sometimes a criminal organisation even starts a company that poses as an ISP in order to be allocated large chunks of IP addresses that it can use for it’s malign purposes.

In order to get access to an IP resource the cyber criminal has to surface in the real world. I.e. he has to register at the IP resource organisation and pay for the IP resource. He has to be hosted somewhere and assure access through an ISP. In all these cases he leaves traces behind that are of use to law enforcement agencies.

If IP resource organisations are able to check registrations for accuracy or have policies in place that will ensure that misuse of their resources is discouraged this would make the life of a cyber criminal or spammer less easy. As this is not always the case at present, this makes that policy discussions within the IP resource community are of direct interest to LEAs.

WHOIS data

In the digital world IP resources are burned up like fuel by cyber criminals. The speed with which IP addresses are used and discarded, domain names change is phenomenal and hard to follow for LEAs. This means that investigations could entail into the thousands of IP addresses and dozens of domain names. (Some of) the data behind the IP resources is found in the so called Whois databases and as such a source of investigation, a starting point for LEAs. The access to this database is of great importance to LEAs. Have you wondered what happens to your investigative opportunities if Whois databases are totally shut off? And what the alternatives are?

WHOIS policy, an example

When ICANN, ca. 2005, proposed to shut down most of the Whois database, this was very disturbing to law enforcement. The discussion up to that point was held without LEAs present. It became apparent that without participation the need for access for LEAs was not an issue to consider and the shut down actually become reality.

Faced with this problem my erstwhile employer OPTA, the Independent Post and Telecommunication Authority in the Netherlands, decided to present to ICANN by and at the highest level and to participate in the ensuing policy process. By making ourselves heard and plead for a form of tiered access for law enforcement, we became an integral part of the discussion. From that moment on we were a partner and one of the forces to be reckoned with. It gave me first hand experience of how such a process works.

Are you aware that this discussion has started all over again?

Influence through participation

The lesson learned was that only by participating it is possible to steer discussions, let alone start them. LEAs have legitimate claims, but if they are not heard, they will not be a part of the decision making process. I have seen first hand that the large contingent of LEA representatives from different backgrounds, from all over the world at the ICANN in Brussels (June 2010) made an impression on the different ICANN communities. It showed ICANN that:
A) the due diligence recommendation the FBI and SOCA put to ICANN is seen as a serious proposal by LEAs;
B) LEAs are there to stay;
C) LEAs are members of the community.

Mind, this is not the end of story. It is a beginning. The beginning of a relationship between industry and LEAs that has to establish and deepen in order to bring about results that will be complementary to both sides. If participation by LEA stops after Brussels, chances are that not much will change.

Some question for you to ponder on

There are many more policy discussions going on at present and coming up in the future. Do you know what proposals are being discussed in IP resource communities in your part of the world that are of interest to LEAs? Have you thought about what the implications of the coming of IPv6 are for investigations? Have you ever wondered whether you should be involved in these discussions?

Wout de Natris,

11 October 2010

De Natris Consult


About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where internet safety and the fight against cyber crime are concerned. This makes me a bridge builder. Hence the blogs name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the mentioned relationships. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions
This entry was posted in International cooperation: IP resources. Bookmark the permalink.

2 Responses to IP resource policy monitoring and contributing

  1. Nice development, but I wonder why you say the participation has only begun yet? Hasn’t there always been a form of cooperation or communication between LEA’s and pe Icann? Is this really a new development. As an outsider I can hardly believe so.

    • To my best knowledge this is a fairly new development, that only started ca. 2008. Before that it was only ad hoc, case related. Since 2009 it is also aimed at a more strategic level.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s