Below is the text of my article published in ‘Virus Bulletin’ of May 2011. The copyright of the article lies with Virus Bulletin.
Discussing the fight against spam, malware and cybercrime has become almost a national pastime. The vulnerabilities of the Internet and networks are such that some believe that our existence as we know it could be threatened by a single keystroke. Whether or not that is the case, the level of intelligence relating to cybercrime needs to be improved in order to prioritize defence. In the following I will make some suggestions to achieve just that.
I propose the introduction of a ‘defence triangle’. At its corners are: CERTs and anti-abuse desks, anti-spam enforcement and anti-cybercrime enforcement. The intelligence position of each corner can be strengthened.
It’s a fact that most countries (if not all) have no central record of anything relating to cybercrime. For convincing figures about cybercrime we need to look to AV vendors and organizations like Spamhaus, but their statistics do not necessarily cover the whole range of incidents. In order to be able to prioritize correctly, one needs reliable data.
It is safe to assume that the CERTs have reliable data on security breaches, botnets and such (if they catch the threat). That leaves the other two corners of the triangle. I propose the building of two central databases to which members of the public can report incidents online. One for spam, phishing, any suspicious looking emails and malware, and one for other types of cybercrime.
Analysis of this data would give the law enforcement community a tremendous boost in intelligence and threat assessment and avoid the need to use vendor-supplied (thus commercially driven) data.
So we have central databases, but we still need industry and institutions to commit to the fight against cybercrime by reporting cybersecurity incidents to the proper authorities. Are incidents actually being reported? How can cyber priorities be set if intelligence breaches, phishing and extortion are not being reported? The reporting of these crimes might help to prevent panic when/if a serious breach occurs. Everyone concerned – including politicians and policy makers – would already be aware of and prepared for
To raise the level of intelligence relating to cybercrime the three partners of the triangle must cooperate. Exchange of reliable data must be the first step. Through interaction and coordination, each of the partners can focus on direct and verifiable threats. Of course, none of this will happen magically.
Governments must provide the conditions in which the often conflicting interests of industry, security and privacy are brought together and turned into a positive force. At a minimum this will be a facilitating role, but would most likely also need to be a financial, and potentially steering role.
I foresee three initial steps:
1. Countries set up national online incident report databases, which feed into an analysis and coordination centre.
2. Industry and other institutions report cyber incidents to the proper authorities.
3. Governments provide the conditions for coordination and cooperation between criminal and so-called ‘softer’ law enforcers, CERTs and industry.
Through these steps reliable data will become available and all involved will be able to prioritize towards dealing with the most acute cases, whether in national security or cybercrime (related) issues. The ensuing coordinated actions will drive back crime on the Internet, enable more criminals to be caught, and make the Internet environment safer. I even believe that with the facts laid bare, the cross-border cyber enforcement issues between nations will be discussed differently. In theory, it doesn’t seem that hard, but who will be willing to pick up these challenges?
Wout de Natris, De Natris Consult
Leiderdorp, May 2011