International cooperation on cyber crime
International cooperation, the actual exchange of information across borders, takes on many guises. This blog plans to focus on the different aspects of cooperation, interactions and information exchanges that law enforcement agencies, industry and governments run into.
Policy monitoring and contributing
Internet resource organisations, like ICANN, RIPE NCC and SIDN, set policies around the way they distribute IP resources, i.e. domain names, IP addresses and AS numbers. The proposed policies are discussed in groups specifically created for these time-consuming processes. Everyone from the community can chip in and have their say, or start their own policy group when they think a subject is important to raise. These could, for example, be very technical subjects or deal with how to handle privacy-sensitive data that is stored for several reasons by the IP resource organisations. It is important to realise that law enforcement agencies (LEAs) could quite legitimately state that they are part of these communities.
What has the distribution of IP resources to do with cyber crime?
Cyber criminals use IP resources to have access to the internet. They need domain names to lure traffic towards their operation and IP addresses to access the internet and receive information or to communicate between themselves. Sometimes a criminal organisation even starts a company that poses as an ISP in order to be allocated large chunks of IP addresses that it can use for its malign purposes.
In order to get access to an IP resource the cyber criminal has to surface in the real world, i.e. he has to register with the IP resource organisation and pay for the IP resource. He has to be hosted somewhere and assure access through an ISP. In all these cases he leaves traces behind that are of use to law enforcement agencies.
If IP resource organisations are able to check registrations for accuracy or have policies in place that ensure that misuse of their resources is discouraged, this would make the life of a cyber criminal or spammer less easy. As this is not always the case at present, policy discussions within the IP resource community are of direct interest to LEAs.
In the digital world IP resources are burned up like fuel by cyber criminals. The speed with which IP addresses are used and discarded and domain names change is phenomenal and hard for LEAs to follow. This means that investigations could run into the thousands of IP addresses and dozens of domain names. (Some of) the data behind the IP resources is found in the so-called Whois databases, which are as such a source for investigation, a starting point for LEAs. Access to these databases is of great importance to LEAs. Have you wondered what happens to your investigative opportunities if Whois databases are totally shut off? And what the alternatives are?
WHOIS policy, an example
When ICANN, ca. 2005, proposed to shut down most of the Whois database, this was very disturbing to law enforcement. The discussion up to that point was held without LEAs present. It became apparent that without participation the need for access for LEAs was not an issue to consider and the shutdown could actually become reality.
Faced with this problem, my erstwhile employer OPTA, the Independent Post and Telecommunication Authority in the Netherlands, decided to present to ICANN by and at the highest level and to participate in the ensuing policy process. By making ourselves heard and pleading for a form of tiered access for law enforcement, we became an integral part of the discussion. From that moment on we were a partner and one of the forces to be reckoned with. It gave me first-hand experience of how such a process works.
Are you aware that this discussion has started all over again?
Influence through participation
The lesson learned was that only by participating is it possible to steer discussions, let alone start them. LEAs have legitimate claims, but if they are not heard, they will not be a part of the decision-making process. I have seen first hand that the large contingent of LEA representatives from different backgrounds, from all over the world, at ICANN in Brussels (June 2010) made an impression on the different ICANN communities. It showed ICANN that:
A) the due diligence recommendation the FBI and SOCA put to ICANN is seen as a serious proposal by LEAs;
B) LEAs are there to stay;
C) LEAs are members of the community.
Mind, this is not the end of the story. It is a beginning. The beginning of a relationship between industry and LEAs that has to be established and deepened in order to bring about results that will be complementary to both sides. If participation by LEAs stops after Brussels, chances are that not much will change.
Some questions for you to ponder
There are many more policy discussions going on at present and coming up in the future. Do you know what proposals are being discussed in IP resource communities in your part of the world that are of interest to LEAs? Have you thought about what the implications of the coming of IPv6 are for investigations? Have you ever wondered whether you should be involved in these discussions?
Wout de Natris,
11 October 2010
De Natris Consult