Public Private cooperaration: the Zeus take down example

Microsoft took down a Zeus botnet recently. Within days it was publicly accosted by Fox-IT’s director Ronald Prins for obstructing ongoing investigations and having used Fox-IT’s data. This was followed by the accusation that Microsoft obstructs criminal proceedings by divulging online aliases of digital, undercover investigators after a served court order into these e-mail addresses and sharing them online.

On top of all this EU Commissioner Cecilia Malmström announced that cooperation between law enforcement and industry will be forged in the European  Cyber Crime Centre as of 2013. Coincidences do not exist. Why?

McColo

When I heard about McColo first, the international spam fighting community of the London Action Plan met at eco in Wiesbaden, Germany. It was not during a presentation at the workshop, mind, no, it sort of syphoned through. Not one of the spam fighters present knew anything about it. This amazed me and also made me feel a little ashamed. How was this possible? Pretty soon the botnet was back online and serving the world its daily ration of spam.

Botnets are vulnerable

What McColo did show the world that its possible to stop bots from spewing spam and malware, as with all things it’s possible to go for the root and take it down. Even if the owner(s) are sort of invincible for now.

Several bots were taken down since. Some by Microsoft, some by coordinated police actions. And now both sides are fighting it out in the press, fighting each other instead of focusing on the common enemy: the bots/botherders. But hey, there’s a lesson here and stop overlooking it: both are successful!

Lessons from OPTA

In my years at OPTA, the Independent Post and Telecommunication Authority, as spam fighter, I specialised in human relations. Why? We soon found out that visiting a company that is somehow involved in sending spam, could also be the subject of other investigations. So we always checked with colleague organisations. At first they didn’t really know who we were, but after a while it became standard practice. Even better, it led to a regular informal meeting on cyber crime of most Dutch organisations involved with online enforcement, which I had the honour to chair for several years. At present, I’ve been told, relations are even much more formal, copying the ISAC model of information sharing. The best lesson learned here, was that openness comes from both sides, not just one. Let’s keep this thought in mind.

Lessons from Microsoft and Fox-IT

What seems clear to me is that a company like Microsoft has tremendous resources that outdo most national police organisations’. These investigative resources should not be lost due to a, it seems like, badly coordinated, but unintentional, action. If the clamour shows something, it is that both sides need to be more open to each other and learn to use respective strengths and avoid weaknesses.

It is not without a good reason that in some countries it is possible to go for private actions in court against spammers and worse. This needs investigation, evidence and resources. Microsoft uses this possibility to go after the biggest spammers.

Unfortunately, uncoordinated a civil (class)action can intrude on or even disrupt criminal or administrative investigations of months or even years of preparation. Leading to the loss of evidence, the warning of criminals and even news reports like the ones at the base of this article. Reports damaging reputations at all sides, whether just or not. While both go for the same target. This solution seems sub-optimal to me. But where can the two meet in a trusted space?

The EU Cyber Crime Centre & trust and coordination

If the European Cyber Crime Centre is to act strongly where cooperation is concerned, it is to make sure that actions and investigations are well coordinated. It has to start with building an environment of trust. Also with industry.

If public and private organisations learn to trust each other and from there to coordinate, they can actually choose which way forward would be the most effective. This means that the EU Centre not only has to coordinate with industry, but it becomes the centre stage of coordination for all investigations on the Internet. Not only for police, but also spam, malware, privacy and fraud investigations. The question laying at the top of prioritising should be: Who in which country is best equipped to gather evidence? That would truly lead to effective actions.

The EU has a chance to reach this level of effectiveness and so has the US. Will they grab it?

If the world learns to use the powers, knowledge and strengths available, Mrs. Malmström’s claim “being among friends and colleagues in this room today I’m hopeful we will win this battle” may well come true. It will take effort, courage and will though.

Wout de Natris, De Natris Consult

Leiderdorp, 4 May 2012

Advertisements

About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where internet safety and the fight against cyber crime are concerned. This makes me a bridge builder. Hence the blogs name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the mentioned relationships. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions
This entry was posted in Botnets, Cyber crime, International cooperation: cross border aspects, Malware enforcement, Self regulation, spam, Spam enforcement and tagged , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s