G8 GOVERNMENT / INDUSTRY CONFERENCE ON HIGH-TECH CRIME
TOKYO, MAY 22-24, 2001
REPORT OF WORKSHOP 3:
THREAT ASSESSMENT AND PREVENTION
1. INTRODUCTION
The rapid development of ICT (Information and Communication Technology) is creating a new society which offers the community and individuals countless possibilities for enrichment and fulfillment. However, this new information society is also very vulnerable and exposed to new risks and new threats caused by criminals.
In order to combat high-tech crime effectively, international cooperation is indispensable. The partnership between governments and the private sector is also critical and was emphasized during the last meeting.
Concerning threat assessment and prevention, the results of the previous workshop drew attention to the difficulty of categorizing threats, to the prevention measures specific to each identified actor, and to the related mechanisms for collecting and/or disseminating information.
Consequently, the proposed agenda for this workshop addresses:
- Preparing a taxonomy of threats.
- Identification of prevention measures and their related actors.
- Reporting and distributing related information.
- Incentive measures to be identified for information sharing.
As a guideline, results should be achievable and practical.
2. DISCUSSION OUTPUT
- A taxonomy needs to address "threat" rather than "crime" issues. A taxonomy of crime is difficult (it depends on national regulation); a taxonomy of threats is easier and more realistic.
The Council of Europe (CoE) convention may not be comprehensive as a taxonomy of threats.
CoE current taxonomy is:
- Offences against confidentiality and integrity and availability of computer data and systems (including critical state infrastructures).
- Computer related offences (forgery and fraud).
- Content related offences (covers only child pornography).
- Offences related to infringements of copyright and related rights.
CoE does not address all computer-assisted threats.
Consequently, we should broaden the range of concern to two major categories of threat, computer infrastructure attack and computer assisted threat, with the definitions proposed below:
- Computer infrastructure attack: operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. Malicious acts, unauthorized access, theft of service, denial of service.
- Computer assisted threat: malicious activities (e.g. fraud, drug trafficking, money laundering, infringement of intellectual property rights, child pornography, hoaxes, gathering of information, illegal copying of data) which are facilitated by a computer. The computer is used as a tool in the threat or offence.
Although all types of threat could have been covered during the workshop, the group focused on a few representative types of threat with a significant damage potential.
- While building the taxonomy, some generic issues were highlighted.
From the outset, it was recognized that awareness of the need to protect systems against cyber-crime is required in any case.
Other observations:
- Clarify what the legal framework is and whether a new legal framework is needed, including which new activities are illegal and which protective measures are legally allowed.
- There should be ongoing co-operation between Government and Industry to raise public awareness of the threats and of the use of security technology.
- Use evaluated and certified products and services as available, and keep systems up to date with software revisions and security patches.
- A basic set of best practices or ITS (Information Technology Security) standards has proved effective in raising awareness among industry. Some existing documents have been drawn up jointly by the private and public sectors and have proved effective for both sides, whether as national or international initiatives (e.g. ISO/IEC 17799).
- Questions concerning content related threats (including the use of anonymity in that context) should be discussed at an international level.
- Due to the decentralized architecture of new computer networks, users' protection and threat prevention should be addressed at the periphery: the user.
- Users of computer networks should decide what level of protection they need, provided they can access reliable tools and technologies (e.g. Privacy Enhancing Technologies).
- Government should, however, continue to ensure and foster the fundamental rights of its citizens.
- Prevention should be addressed by governments as they do in the offline world.
The table below contains only a subset of threats, which should be discussed in detail by another working group, at national or international level. Cells are read left to right as the measures expected from governments, providers and users; an empty cell means the workshop proposed nothing for that actor.
THREATS (unauthorized / without rights) | GOVERNMENTS | PROVIDERS | USERS
---|---|---|---
NETWORK (type of prevention to be defined) | | |
Interception of data on network (no active action against the user) | Accommodate the use of cryptography; give industry incentives to develop privacy enhancing technologies | Implement cryptography on the network | Use cryptography
Network probing (active action against the user) | Use filtering, firewalls and intrusion detection systems | Use filtering, firewalls and intrusion detection systems; inform and discourage users who carry out network probing |
Denial of Service, whatever the resource concerned (network, bandwidth, storage, CPU and so on) | Share information with other actors | Share information with other players; develop new technologies against new DoS attacks (e.g. bandwidth management systems) | Share information with other players; use Quality of Service tools and tools that manage bandwidth, block unneeded services, etc.
Access to network service | Use strong authorization and controls | Use strong authorization controls (e.g. access to corporate networks) |
Traffic analysis | Accommodate the use of encrypted networks | Implement encrypted networks | Use encrypted networks
Masquerading of IP identity | Route-specific address filtering, including for providers of public access points (cyber-cafes) | Route-specific address filtering |
Modification of network transaction | Cryptography, integrity checks, securing the network devices | Cryptography, integrity checks, securing the network devices |
Etc. | | |
COMPUTER | | |
Masquerading of identity | Use strong user authentication, without prejudice to the data protection framework | |
Modification of stored data | To be completed | To be completed | To be completed
Theft of computer service | To be completed | To be completed | To be completed
Unauthorized access to stored data | To be completed | To be completed | To be completed
System analysis | To be completed | To be completed | To be completed
Gathering of stored data | To be completed | To be completed | To be completed
Etc. | To be completed | To be completed | To be completed
LEGAL USE OF TECHNOLOGY THAT CAN REPRESENT THREATS | | |
Distribution of illegal content | To be completed | To be completed | To be completed
Distribution of hoaxes | To be completed | To be completed | To be completed
Illegal copy of data | To be completed | To be completed | To be completed
Ransom demand | To be completed | To be completed | To be completed
Incitement to murder | To be completed | To be completed | To be completed
Incitement to racial hatred | To be completed | To be completed | To be completed
Etc. | | |
As a comment, one could say there is a consensus about the existing threats even though definitions and/or identification might differ slightly.
As a recommendation, each country, at domestic level, should "map" its taxonomy so that it can be related to those of other countries. That list should not be limited to "computer" threats but extended to take into account ICT or "high technology" use and/or activity (for instance cell phone fraud, remote bomb priming).
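The provider-side measure the table lists against masquerading of IP identity, route-specific address filtering, is the check an access router performs before forwarding a customer's packets: the claimed source address must belong to the prefixes assigned to the interface the packet arrived on, otherwise the packet is dropped as spoofed. The following is an added example written for this page, not material from the workshop or from any vendor; it is a simplified software model of that ingress filter (the approach documented in BCP 38), and the interface names, customer prefixes (taken from the RFC 5737 / RFC 3849 documentation ranges), bogon list and packets are all constructed for illustration.

```python
"""Ingress (BCP 38-style) source-address filtering at an access router.

Added example, not part of the G8 workshop report.  Each access interface
is bound to the prefixes assigned to the customer behind it; a packet whose
claimed source address is not within its ingress interface's prefixes is
dropped before it can reach the rest of the network.  Interface names,
prefixes and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str    # source address claimed in the IP header
    dst: str    # destination address


# Hypothetical access interfaces and the address blocks assigned to them.
ASSIGNED: Dict[str, List[Network]] = {
    # public access point (cyber-cafe) served from a single IPv4 /24
    "cafe0": [ipaddress.ip_network("203.0.113.0/24")],
    # corporate customer with an IPv4 /25 and an IPv6 /48
    "corp1": [ipaddress.ip_network("198.51.100.0/25"),
              ipaddress.ip_network("2001:db8:1::/48")],
}

# Source ranges that must never arrive from a customer-facing interface.
# Listed explicitly rather than via ip_address(...).is_private, which
# would also flag the documentation ranges used for the customers above.
BOGONS: List[Network] = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),
    ipaddress.ip_network("::/128"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("ff00::/8"),
]


def _in_any(addr, nets: List[Network]) -> bool:
    """True if addr falls inside any network of the same IP version."""
    return any(addr.version == n.version and addr in n for n in nets)


def verdict(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one packet."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return "drop", f"unparseable source address {pkt.src!r}"
    prefixes = ASSIGNED.get(pkt.iface)
    if prefixes is None:
        return "drop", f"no prefixes bound to interface {pkt.iface}"
    if _in_any(src, BOGONS):
        return "drop", f"bogon source {src} on {pkt.iface}"
    if _in_any(src, prefixes):
        return "accept", f"{src} is assigned to {pkt.iface}"
    # The source belongs to some other customer, or to nobody: spoofed.
    return "drop", f"{src} is not assigned to {pkt.iface}: spoofed source"


def filter_packets(pkts: List[Packet]) -> Tuple[List[Packet], List[Tuple[Packet, str]]]:
    """Split packets into those forwarded and those dropped (with reason)."""
    accepted: List[Packet] = []
    dropped: List[Tuple[Packet, str]] = []
    for p in pkts:
        action, reason = verdict(p)
        if action == "accept":
            accepted.append(p)
        else:
            dropped.append((p, reason))
    return accepted, dropped


# Constructed traffic sample: legitimate, spoofed and bogon sources.
SAMPLE = [
    Packet("cafe0", "203.0.113.42", "198.51.100.10"),       # legitimate
    Packet("cafe0", "198.51.100.7", "203.0.113.9"),         # corp1's address from the cafe: spoofed
    Packet("corp1", "2001:db8:1::10", "2001:db8:ffff::1"),  # legitimate IPv6
    Packet("corp1", "198.51.100.200", "203.0.113.9"),       # outside corp1's /25: spoofed
    Packet("cafe0", "10.0.0.5", "203.0.113.9"),             # RFC 1918 source: bogon
    Packet("wan0", "203.0.113.42", "203.0.113.9"),          # interface with no bound prefixes
]

if __name__ == "__main__":
    forwarded, blocked = filter_packets(SAMPLE)
    print(f"forwarded {len(forwarded)}, dropped {len(blocked)}")
    for pkt, why in blocked:
        print(f"  drop {pkt.iface} {pkt.src} -> {pkt.dst}: {why}")
```

The check is deliberately tied to the ingress interface rather than to a global list of "valid" addresses: a cafe customer presenting a source address that is perfectly valid elsewhere in the provider's network is still spoofing, which is why the table singles out public access points. Real routers apply the same rule in the forwarding plane (ACLs or unicast reverse-path forwarding), and the filter only stops spoofing that crosses the filtered interface; it does nothing for addresses forged within the same customer block.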
- The aim is not statistical purity but information that helps protect users.
General requirements:
- Awareness should include understanding of what to report, how to report, etc.
- Objectives: collecting data on threats, enhancing understanding of the nature of threats, and developing shared experience in dealing with threats.
- Collection of different kinds of threat-related information (incident, crime, vulnerability) is essential at national level.
- This collection should be established bearing in mind the possibility of subsequent international sharing, collation and comparison. Government should organize the gathering of information at national level.
- User identification is needed on a case by case basis, for example for trusted counter measures.
Four types of information are needed to assess and counter threats:
- Statistics from individuals and companies about attacks they have suffered (not yet reported).
- Statistics from individuals and companies on vulnerabilities of their systems (not yet reported).
- Statistics from individuals and companies on illegal activities or contents they have found on the Internet.
- Counter measures.
Some statistics are already available, in particular those from judicial agencies and police forces, based on actual complaints or reports (related to attacks or illegal activities) received directly (already gathered).
Why do we need statistics?
- To raise awareness.
- To understand trends in cyber-crime: is it increasing? What are the new issues? Etc.
To what structures can we report?
- To a domestic point of contact (whatever it is: police or other, centralized or not). It should be open to all users, including individuals, allowing them to report what happened (network attack, intrusion, crime, vulnerability).
- To a domestic police 24x7 point of contact. Is this an appropriate structure to send reports to? It is suitable for opening a prosecution procedure and for urgent cases only; it is not appropriate for other types of report.
- To a CERT or IRT (Incident Response Team). This is the most legitimate point of contact for its constituency for actual threats, but not appropriate for actual crimes, and not necessarily related to threats coming from a single country. CERTs can be expensive depending on the level of service, so they are affordable only for big companies with IP or network activities; the establishment of CERTs for small and medium-sized companies is nevertheless encouraged. They are not relevant for other threats such as e-mail harassment, credit card fraud, etc.
- To a trusted private third party. Appropriate for e-commerce.
Use CI (Competitive Intelligence) tools and methodologies to help assess the extent of the threat and the dark figure of unreported cases (e.g. trends, weak signals, etc.).
Governments should be responsible for coordinating information exchange.
Governments should organize how to centrally gather information which has been partially collected by other organizations. No suggestion is made as to the legal structure of such a centralized body, provided data can be sanitized to comply with local and/or international regulations.
- Incentives for information sharing could be achieved by identifying a mutual interest such as business continuity.
Industry offers customer-driven products and services. The problem is that consumers are not necessarily interested in products with strong security if it raises the cost.
Because government has a role in stimulating commerce and ensuring public safety, there is a role for governments to encourage and contribute financially to enhanced security, and to engage in a proactive process of evaluating the security of new systems or devices.
- What kind of information would the public sector like to receive?
Single incidents or aggregated information.
Information on intrusions and on any kind of security issue.
- What is the easiest way to give information?
Information can be provided to governments if doing so does not hurt the concerns of the private sector: privacy, antitrust, liability.
If information is aggregated sector by sector (banks, utilities, ISPs...), there is no risk of damaging the reputation of individual companies.
- Why send reports?
Mutual benefit: an exchange of information that makes business run more smoothly.
Helps awareness of the general public.
Helps police evaluate the risks, and subsequently train new police forces.
Helps develop appropriate public policy.
- How can these principles be further discussed at national level?
Trust in relationships comes first: companies that are victims must be sure that their complaint will not become public, either by mistake or by legal requirement.
Legislative or administrative protection may be necessary to protect confidential aspects of reported information.
Proactive dialogue in both directions.
Trade associations are good starting points; some of them already wish to open discussions. User associations should be included in the discussion.
- Develop Codes of Best Practice (voluntary actions) or IT baselines and standards: both are useful.
The government's role is not only regulating but also educating people, as an incentive measure (e.g. in the use of new technologies).
Creating public awareness is a key topic, both for the use of technology and for knowledge of threats, through government/industry cooperation.
Information sharing (on prevention and security measures) is another key topic, addressing reaction measures and the exchange of knowledge.
Keep in mind that "Code of Best Practice" does not have the same meaning in all countries.
Develop codes of practice that are legally enforced or incentivized as minimum requirements.
3. CONCLUSION
Each country has specific regulations and security practices. Consequently, enforcing worldwide procedures is not the proper way to achieve the collection of threat information and the dissemination of prevention measures and early warnings.
As a result, we recommend identifying common practices for G8 countries, and possibly others, and achieving a level of information exchange without mandating how it is realized, regarding:
- Domestic taxonomies of threats, which should be made interoperable (compatible).
- Prevention measures, as exemplified in the table, which should be used and implemented according to domestic regulations and practices.
- Data collected by various organizations, which should be aggregated according to domestic circumstances.
Metrics to assess that level of communication should be addressed in a further workshop, provided the expected attendees supply their mapping system and information on their practices for reporting and distributing related data.
Preliminary study and/or circulation of materials should be expected prior to the organization of another meeting, so that the workshop days can be devoted to strategic initiatives.