Effective cyber enforcement. Challenges for governments

All in all, I have now been involved in Internet safety for 7 ½ years. If the signs are not misleading me, several developments seem to lead to important steps forward where cooperation in Internet enforcement and security is concerned. In this blog post I focus on the challenges that governments face where effective enforcement in all things cyber is concerned. I will try to provide an answer for law enforcers and governments to the question: How can law enforcement become more effective in Internet related investigations? This is done from the premise that enforcement can be more effective and that results can be reached that are hard to obtain in present constellations. I focus mostly on the national level, but the international angle cannot be ignored.

Who enforces what?
What follows next probably will seem very boring to you, but it’s necessary for you to go through this to understand how complex this topic is. Even if we look at it only from a national point of view. This is what we do here. Still, I ask you to pause for one moment and realize that what you are about to read needs to be:
a) multiplied in the international arena and;
b) with the necessary cooperation with industry and the Internet community, which is not always happening on a structural basis.

If you would please, for yourself, answer the following questions.

I receive a spam e-mail. Who do I turn to, to file a complaint?
The header in the e-mail is spoofed? Who do I turn to?
My e-mail address was obviously sold by a company to another. Who do I turn to?
My address was harvested?
The content of the spam message is misleading?
And what if the message is fraudulent?
I was phished?
Someone is selling something on eBay, but is not delivering?
The content of a message is fake pills?
The content offers replicas?
Someone offers threatened animal species online?
Cigarettes sold without tax?
A company is DDoSed?
Websites are infected?
Someone downloaded unsolicited software?
A computer operates as a zombie computer?
A company or system got hacked?
Data was leaked through a hack?
Etc., etc., etc.

I guess that you get the picture just how diversified enforcement is. To how many enforcement agencies did your answers lead? Can you file a complaint with this agency? If you can, are they sufficiently staffed, with effective enforcement tools?

Differences per country
It’s important to realize before you continue reading that the answer will be different per country. Every country has made its own decision under which jurisdiction these topics were brought. In some countries the overall picture can be less diversified than in others, because of choices made. Still it’s a hodgepodge of agencies. If we take the Netherlands as an example, there is the spam and malware enforcement agency, consumer protection, privacy commissioner, local police, national high tech crime team, national prosecutor cyber crime, national cyber security center, tax office, health enforcement and agricultural enforcement agency. Some are enforcers, others are not, but have a role in this. All with their own law, tools and enforcement powers, height of fines, priorities, effectiveness, coordinating role, etc. In other words, it’s nigh on impossible to coordinate between all.

One agency, two, x agencies?
Of course some examples mentioned above are very specific and more or less separated from other tasks. Online investigation on animals, health issues and tax evasion are very specific tasks. Where investigative techniques are concerned there will be overlap, but that may be it. For a lot of the other issues mentioned, we can seriously question whether many separate agencies operate more effectively than one or two. (Should we allow for a separation between criminal and administrative law, or even ignore this distinction to be effective? Couldn’t one agency work in both realms and use the law that is most effective in a specific case?) Why spread sending, spoofing, content, harvesting under (at least) four agencies, while they may be investigating the same persons or company? I conclude that there are far too many different agencies involved. Hence a suggestion to governments to restructure their enforcement forces on most things cyber.

Diversification is sub-optimal
One of the negative side effects is that there has not been one high level meeting of spam, malware, fraud, cybercrimes enforcement agencies, certainly not together and some not in their own “column”, ever. Neither nationally nor internationally. This means that there is no common policy developed, i.e. there is no (commitment to) policy, at best intentions, there is no common approach, no agreed upon priorities and no attempt at harmonization of policy. All this leads to the fact that in most countries, not all, Internet safety and enforcement is still in its infancy and at its worst not even that.

Individual vs. centralized approach
If the past years show something, it is that for almost all agencies international, cross border issues are too large a subject to handle. Hence they focus on what they can do, or worse just don’t bother. Reaching out into other networks is even one step further out there. We may see the anti-spam community of the London Action Plan make an attempt to break through this barrier later this year. In order to succeed they need to find partners willing to accept the challenge. Can Europol or Interpol match the effort? Or should governments take the lead?

Centralized approach? Questions that need answers
In order to have a greater chance of success at Internet related enforcement, changes in policy, laws, and maybe above all, focus are called for. Looking at the above, I would suggest that governments start by looking into the following ideas.

1. What Internet related enforcement tasks could logically be combined?
2. What is the best agency to deal with these tasks?
3. What powers does this agency need to be successful?
4. Is it possible to harmonize centralization attempts at the EU level (or beyond)?
5. To what extent is coordination at national level necessary?
6. What role could a national cyber crime and/or security center play?
7. How to organize involvement and commitment in a data sharing center?

Efficiency is within reach
Concluding, I think that at a time when all alarm bells concerning the Internet are going off, governments should seriously look at these challenges from an angle which appears as simple as it is complex: how can the threats facing society be fought as effectively and efficiently as possible? A challenge it is, as they involve many conflicting interests and perhaps even aversions. However, they will find that looking at a few very basic questions will probably get them a long way. At the national as well as on the international level, discussions and action become less complex, for the simple reason that there’s only one point of contact to deal with in every aspect relevant in this field. Exchanging information, cooperation and coordination become unnecessary at the national level and comprehensive in cross border cases, harmonization of international policy, etc. Also relations with industry and the Internet community will profit and become more focused for the same reasons.

Saving costs as well
Governments will find that centralization and coordination will save costs all around, lead to solving more cases, more effective disruptive actions and optimal exchange of information.

Grab the moment
The setting up of botnet related national data sharing centers is being discussed in many countries at present. This will speed up talks on cooperation. Governments should use this momentum to re-organize and innovate their own organizations and policy as well. A win-win situation may be nearer than most think.

Wout de Natris, De Natris Consult

Haarlem, 7 March 2012


About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where internet safety and the fight against cyber crime are concerned. This makes me a bridge builder. Hence the blog’s name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the mentioned relationships. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions.

