Military and Strategic Journal
Issued by the Directorate of Morale Guidance at the General Command of the Armed Forces
United Arab Emirates
Founded in August 1971
عربي

News

2013-10-01

Cyber attacks targeting critical infrastructure pose a major threat: Dr Russell G Smith

By:  Sakha Pramod
 
At a time when digital technology is integrating the world, cyber crimes are posing a major threat to financial and banking services as well as critical infrastructure.  Nation Shield talked to Dr Russell G Smith, Principal Criminologist, Australian Institute of Criminology about the emerging challenges in the cyber world and how the International Conference on CyberCrime and Computer Forensic (ICCCF) 2013 would be addressing those issues. Excerpts:
 
Digital technology is integrating the world. But digital crimes are posing a major threat to security and economy of nations threatening the concept of integration itself. How do we meet this challenge?
Technology certainly is becoming all-pervasive throughout the world and in terms of integration, developments in electronic payment systems in banking and finance are really the area in which there is the greatest degree of integration. For example, the International Conference on CyberCrime and Computer Forensic examined the risks and operation of mobile payment systems.  These are the areas in which global standards apply so that people have to use the same systems across the globe. On the other hand,  criminals are also aware of this and if they can compromise those global systems, they can do it once only without the need to adapt their cyber crime topology for each individual country. Just one compromise will be suitable to work right across all countries. An example concerns remote skimming of data on plastic payment cards used in ATMs and payment terminals. Although integration is good when rolling-out new technologies and making them adaptable in all countries, the risk is that if they are compromised this can occur across many nations.
 
Technology-related crime is an ever growing problem with increased application of mobile technology. How has mobile technology contributed to the threat?
With mobile systems, and also wireless systems, the concern is that the same level of attention to security has not really been placed on them as was developed for other segments of the market. Initially people did not use PINs on mobile devices at all. They are starting to now. There is much greater security awareness but the same level of protection has not really been present for mobile devices. I think that is partly because mobile technology was taken up by young people who would like to carry out transactions quickly and easily and not have any barriers to their use of devices like having to use PINs and other forms of identification. Young people like to get instant responses and so the industry has tried to make systems that are simple, quick and easy to use but perhaps not as secure as they should be. So I think that is an area of concern. The other related issue in the mobile and wireless area is the development of contactless cards that was introduced, again, as a simple way for people to transact business without having to use a PIN. Initially, very low credit limits applied, but now these limits have gone up for such transactions. I think we need to be careful about allowing these very open technologies to be used without adequate security measures in place. 
 
The other area of concern regarding mobile technology and cyber crime is the problem of child exploitation and also the content that is used on mobile devices. We have problems right round the world of young children taking nude photos of themselves and police then charging them with indecency offences. I think there is a need to raise awareness among young people who use mobile phones of the need to use them securely and carefully. The police have also in some countries decided not to prosecute young children for such offences. But there is still a possibility that the photos they take will then be put on internet and shared among child exploitation offenders and others. Once an image is put on the net, it is very difficult to undo the damage and have the image removed.  
 
 What are the core areas that the International Conference on CyberCrime and Computer Forensic 2013 would be looking at?
The area of verification of identity is very important. I think that is something that governments are trying to look at but there needs to be more attention given to this. It might be appropriate to hold a whole conference on identity crime or identity misuse because misuse of identity is not just an issue for commercial transactions but it is involved in a lot of organized criminal activity, terrorism offences, cyber-stalking and cybercrime where people pretend to be somebody else for the purposes of offending. 
 
Costs of cyber crime are estimated to run into USD100 billion a year worldwide. Which are the main areas hit by cyber crimes in terms of economic costs?
First, I would say it is very difficult to do research on the cost of cyber crimes. There is a report on E-Crime just released in the United Kingdom by the House of Commons Home Affairs Committee that considered the problem of trying to put a cost estimate on cyber crime in Britain.The Committee referred to a previous estimate of £27 billion as the cost of cybercrime in Britain, but noted that this had been criticised. The trouble is computers are so prevalent in society now that any activity could potentially be defined as a cyber crime. Misuse of a locking device to get into and steal somebody’s car is technically a cyber crime because it is using a computer chip to commit the offence. But would you include all car thefts within the cost of cyber crime? To estimate cyber crime costs, you really need to define what kind of cyber crime you are looking at. If it is just financial transactions you can probably calculate that quite precisely.  But in all those other computer-enabled crimes perhaps you should not really include ordinary crimes simply committed using a computer. For instance, use of mobile phones and computers by criminals is technically a cyber crime. But if one uses computers to plan a robbery, you cannot put a cost on that. So I think definition of cyber crime is important before you attempt to quantify the cost of the problem.
 
What is happening is that governments and also businesses want to have a figure put on the cost of cyber crime so that they can then go to treasury departments and argue  for a need to increase their budgets for computer security. Arguably, the main area in which cybercrime is costing money is in connection with financial transactions. Throughout the world there are billions of dollars being lost to personal scams. If you look at cyber crime costs, you must also consider how much it costs in terms of expenditure on security and prevention.
 
How critical is the issue of cyber security in Australia and how do you cope?
The government has taken a keen interest in cyber security in Australia with a recently-released national policy trying to provide the framework for how the government is going to respond to cyber security threats. Some of the ideas have been to increase training, particularly for law enforcement, and so there is going to be a new training center established in Australia to train investigators in computer forensics and also to educate the community on how to protect themselves and also to train the business community to protect themselves against cybercrimes. There are some other initiatives dealing with security in government ensuring that new electronic payment systems, electronic taxation etc. are all as secure as possible. The other area relates to consumer fraud and consumer scams which have attracted attention from government agencies in recent years. A National Cloud Computing Strategy has also been released and the government has done a lot of work to try to identify the risks that cloud computing will hold for businesses and for government departments using that technology.
 
How important do you think is exchange of ideas to reduce costs of cyber crimes?
It is very important for any new security measures to be as widely used as possible, particularly in financial services and banking. New security risks when discovered should be shared by banks because they all face exactly the same issue. Sharing information in the private sector is important and it is critical to bring in the law enforcement agencies as well. Law enforcement agencies around the world and those involved in intelligence gathering also share information. The difficulty with that is often that they have their own systems in place and it is physically impossible for other government agencies to gain access to them. So the solution to that is to have some cooperative agreements with the law enforcement agencies in different countries. However, they are often slow to develop formal cooperative arrangements and it is hard to get information quickly. In the world of cybercrime, you need to have real-time access to data and solutions.
 
Cyber crimes are a new phenomenon and many countries are not equipped to cope with them. Don’t you think the advanced countries should take the lead in this area to the benefit of all?
Developed countries certainly have got the money to devise effective solutions. They should make some of those solutions available to developing countries either free of charge or at minimal cost. Particularly in the Asia-Pacific region there’s lot of cybercrime. In the case of the anti-money laundering regime where compliance strategies are extremely expensive, even for large banks in western countries to implement. For small Pacific nations to try to implement such strategies is impossible. In that area, though, there is a lot of sharing of technology and information between larger and smaller nations.
 
Cyber threats can, admittedly, compromise not only financial institutions but high security entities like nuclear plants. How prepared are we to deal with these security issues?
Some of the cyber attacks have focused on the financial services industry. They could, just as well, be focused on critical infrastructure, not just nuclear, but also petroleum and water supplies, telecommunications and I think electricity is a key area of risk. One of the most effective cyber-attacks or cyber-terrorist attacks could be to compromise electricity supplies to a large city. Most nuclear plants operate with electricity and if that is disrupted that can have serious consequences. There have been minor instances of attacks on critical infrastructure reported in the past. There was one case in Queensland Australia in 2000 in which a man hacked into a local Council’s computerized waste management system following the loss of his job at the plant. To sabotage the system he set the software on his laptop to identify itself as one of the pumping stations and then suppressed all the alarms. During the attack he had command of 300 supervisory control and data acquisition nodes governing sewage and drinking water. He caused millions of litres of raw sewage to spill into local rivers and parks killing marine life and causing offensive smells. This sort of thing can happen and if done on a large scale, could create serious problems.
 
Cyber threat has no frontiers as it can come from any part of the world. Does that pose a new challenge as we may be able to make good the damage but we cannot bring the perpetrators to book?
There are more and more cyber-crimes taking place across the borders. They usually involve criminals in one country who are working with individuals who may be in two or three other countries and they use systems that are routed through other different locations. So the problem for law enforcement is that they have to deal with many different jurisdictions involved in one activity and that creates enormous difficulties in obtaining information and also in finding out where the offence took place. For the purposes of international law and extradition, it is necessary to determine where the offenders and victims are located or where the major impact of the offence took place. I don’t think criminals are going to stop cross-border activity. In fact they are likely to plan their activity more carefully in future. There is this possibility of “jurisdiction shopping” where criminals choose a country as a base which has the least effective cyber-crime laws with thelowest penalties. This will take place much more in future because if offenders are prosecuted they may avoid any penalty or receive a relatively low penalty. We have seen that in the past. There was a case several years ago in which the offender was based in a country where there were no cyber-crime laws in place and he could not be prosecuted. Related to that is the cloud computing problem where data are stored overseas and law enforcement have enormous difficulties in gaining access to it for the purposes of investigations.
 
Do we have international bodies to forge a united front against cyber crimes?
There has been a vast degree of improvement in that area. The United Nations Office on Drugs and crime, based in Vienna, is doing a lot of work on cyber-crime at the moment. They are trying to develop uniform approaches to improving education and training. But there is lot more work that needs to be done. Many international bodies now deal with the law enforcement aspects of cybercrime. In Europe we have Europol, Eurojust, Eurostat for crime statistics and they are all working in their own way on cyber-crime issues. The European Convention on Cybercrime is another important development and a number of countries that are not within the EU have ratified the Convention. This Convention is a major attempt to try to have uniform laws and procedures to deal with cyber-crime. There are other important initiatives that we have to continue to develop. In the area of finance and banking there is probably more international cooperation than in other areas. Particularly the anti-money laundering regime is now implemented widely across the globe. The Wolfsberg Group, for example, is an association of twelve global banks that aims to develop financial services industry standards and related products in connection with anti-money laundering and counter-terrorism financing. There is, however, a lot more to be done. 
 
Does the international legal system suffer from any lacunae in dealing with cyber crimes?
The risk is that some of the less-developed countries might not have the resources to adopt what the other countries are recommending they should use to control cybercrime. It is all very well to have a wealthy set of countries set up rules and regulations on the best way to respond to crime but if they have to be implemented in a country that have a hundredth of their budget, it might not be possible to implement such systems. So there needs to be a lot of flexibility in the sort of regimes that are put in place to make them suitable for all sizes and categories of country.
 

Comments () Views (3712 ) Print
    • Add Comment

    Your comment was successfully added!

    Visitors Comments

    No Comments

    Related Topics

    ShieldAfrica: The Benchmark Trade Fair for African Continent

    Read More

    Lacroix’s Smart Solutions Evolve to Counter the Latest Threats

    Read More

    Proper maritime security is of global interest:Vice Admiral Andreas Krause, Deputy Commander of German Naval Forces

    Read More

    Reem AlHashemi Dubai to host EXPO 2020

    Read More

    Mohammed Ahmed Al Bowardi in an exclusive interview with Nation Shield

    Read More

    Paramount Highlights Mwari

    Read More
    Close

    2024-05-01 Current issue
    Pervious issues
    2017-05-13
    Comment 32
    2014-03-16
    Comment
    2012-01-01
    Comment
    2014-01-01
    Comment
    2021-06-01
    Views 88211
    2021-02-21
    Views 87821
    2022-06-01
    Views 86271
    2021-09-15
    Views 85847
    .

    Voting

    ?What about new design for our website

    • Excellent
    • Very Good
    • Good
    Voting Number 1647

    Video


    Navigation


    Visitors NO.

    2 4 0 1 4 4 1 3 3
    © 2014 Nation Shield Magazin. All rights reserved
    Designed & Developed by
    smart vision