Cyber Law and Policy

This blog is full of posts about cyber-crimes; I thought it is a good idea to cover the reaction of governments and other relevant authorities.

The increase in our interaction with the web across the globe has caused more and more criminal activities to take place as hackers look for ways to exploit this growth of users. This has led to several new attempts to curb these attacks and provide solutions to online problems that arise. National laws continue to address cyber-crime issues, but further and greater cooperation between states is the best way to decrease and solve crimes that cross national borders.

Internet Governance is an umbrella term that groups state, private, and technical solutions that are provided for online crimes. An increasing number of Governments have started to take the trend of virtual life seriously and are beginning to consider such users as ‘online citizens’. In fact, in a changing and increasingly virtual world, governments are reconnecting with the citizens directly to their homes. With a growing portion of our time spent online the concept of the cyber-citizen is now established and recognized by business, government, and society.

However, we are still learning and figuring out how to recognize and identify this concept lawfully. For now we only have a broad idea about how online behaviour will be governed by a network of national laws and how the breach of the latter will be punished.

Koobface? Facebook?

I have recently been surfing about “The Social Network” (by the way, watch it if you haven’t yet, great movie) and Facebook when I came across the term “Koobface”, an anagram of “Facebook”. Like many of us, the term was unfamiliar to me and so I decided to write a blog post about it.

Internet and Web 2.0 have contributed a lot to the way we do things; be it how we socialize (social network websites), communicate (e-mail), do business (online shopping) or gather information (Wikipedia) and so on. But this is not always for the general good. With the emergence of Web 2.0, new threats break through as well. One such threat is Koobface.

It is no surprise that cyber-criminals have now chosen social networking websites as their new mean to propagate malware. Koobface is one of the first malwares that has successfully and continuously spread around using social network as its medium of propagation.

Usually, a Koobface attack is initiated with a spam sent through social networking websites such as Facebook, Twitter or MySpace. The spam has a catchy message with a video link. It can also send messages to the inbox of the user’s friend from the same social network. Once the user clicks on the link, he is redirected to a look-alike Youtube website which requires the user to install an executable (.EXE) file in order to watch the video. The downloaded file is malicious and infects the computer.

Koobface makes clever use of the link-sharing behaviour that is often seen among social-networking site users. Moreover, Koobface is very modular and, thus, a simple addition of propagation component can make it target other social networks. A real threat indeed since the propagation of the malware to other social networks is very easy and quick to implement.

It has been about one year since its “launch” and Koobface is still successfully extending its reach across networks. It is looked upon as a role model for a new generation of malware.

Cybercrime today

Our blog has thus far only focused on specific types of cybercrime activities and on incident-based arguments, but through this post we attempt to give a more generic overview and cover the state of cybercrime today.

This blog post is inspired from the following video which reveals some shocking statistics about cybercrime.

The numbers shown on the video are definitely not negligible, and they keep increasing every year. The number of cybercrimes each year has grown exponentially since the first attacks several decades ago, but it is apparent that our initiatives taken to counter these deeds are not keeping up with the pace.

Today cybercrimes not only affect individuals but also corporations, financial institutions and governments. These attacks cause losses in the form of data, information, money, necessities (like electricity), and so on. And these losses are massive. As (dramatically) exemplified by the video: the information stolen from an ATM within 24 hours costs a million dollars; computer crime has cost America 8 billion dollars over the past 2 years; in 2008, 1 trillion dollars were lost in businesses because of cyber-attacks.

How did we allow such huge problems to arise? Or did everything happen before we could even realize it? I think the second statement is more correct. Internet is often defined by words like anonymity, speed, low-cost, connectivity, no border constraint, mass coverage and so on, and these are the qualities that have made us blind all this while. Moreover, the Internet wasn’t designed with security in mind. Only later did such issues crop up.

Recently, international police (INTERPOL) took initiative to intervene in this ever-growing computer security business (which, as of today, is estimated to have a value of 105 billion dollars according to McAfee) and set some rules. Authorities have slowly begun to realize that cyber-attacks can have real and dramatic consequences on nations and economies, and , what’s worse, these consequences will only grow in magnitude with time. At the anti-crime conference held on 18th September 2010, Ronald K. Noble, secretary general of INTERPOL, asserted that “We have been lucky so far that terrorists did not — at least successfully or at least of which we are aware — launch cyberattacks”.

Indeed, in my opinion the first step to fight cyber attacks is to set up solid international rules and regulations, and constant monitoring of internet activities just like we do in real world. While some of this is already happening, we still have a long way to go.

Cyberterrorism and Google Earth

Cyberterrorism is often considered as a subset of Cybercrime and it is the “convergence of terrorism and cyberspace” as cited in Denning’s Testimony before the Special Oversight Panel on Terrorism (Denning, 2000). Though there is no universally agreed definition for the term, in short it is the activity of using Internet to plan and/or execute terrorist attacks. It can either mean attacks on computers or network in order to steal crucial information or the use of Internet technologies to plot attacks. This post talks about the later aspect of Cyberterrorism.

Terrorists use a wide range of technologies to plot an attack like specialized softwares (e.g. for hacking), but also freely available tools used by any internet user –such as Google Earth.

Google Earth offers very clear and accurate satellite images of almost every part of the planet which is creating more and more concerns among the governments. Their stand is that Google Earth captures very sensitive sites of their countries such as army camps, government buildings and so on. They worry, doubt and sometime even confirm that terrorists use these images to study the sites in detail and plan their attacks accordingly.

In fact, the only surviving terrorist from the 2008 Mumbai attack has confessed that they used Google Earth to study their target sites and synchronised their acts accordingly.

Google’s take on this is that Google Earth’s noble uses outweigh the misuses of the tool. It says that the tool is used for many life-saving situations during natural disasters e.g. earthquakes, forest fires and so on.  This can be related to the misuse of Craigslist mentioned by Anand during lecture.

The current solution is that many governments blur out images showing sensitive areas and other countries just ban the tool (such as in Iran and Sudan).

But to what extent can the governments, especially for large countries, hide the numerous sensitive places from Google Earth images? And for those countries that ban the tool: aren’t they missing the good uses of the tool as well? What can/should Google do to overcome this issues and complaints? And finally to what extent can Google or Craigslist be responsible for the misuses, considered as cybercrimes, which have occurred?