By Dr Kim-Kwang Raymond Choo
Information and communications technologies (ICT) are fundamental to modern society and open the door to increased productivity, faster communication capabilities, and immeasurable convenience. Economically open and technologically advanced nation states such as Australia have thrived on the wealth that ICT have enabled. The increased dependence on ICT and the pervasive interconnectivity of our ICT infrastructure has also changed the way criminals conduct their activities, and vulnerabilities in our ICT infrastructure are fertile grounds for criminal exploitation. Few today would challenge the assertion that the era of globalisation has been accompanied by an increase in the sophistication and volume of malicious cyber activities. This is, perhaps unsurprising, as cyber space was never built with security in mind.
Malicious cyber activities are a rapidly expanding form of criminality that knows no borders, and such activities can have serious effects on the present and/or future of defensive or offensive effectiveness of a country’s cyber and national security. Malicious cyber activities may not have the dramatic impact of a nuclear and/or kinetic military attack and/or result in mass casualties, but they could potentially overwhelm and paralyse a nation’s critical infrastructure and, consequently, cause social unrest. For example, a coordinated attack on a nation/city’s power grid networks using sophisticated malware (similar to Stuxnet and Flame) could potentially cripple our transport system and other critical infrastructure systems (typically connected to the internet). This could result in undesirable consequences such as equipment being forced to operate beyond their intended design and safety limits, resulting in cascading system malfunctions and shutdowns.
Cyber security threats are real, and Gregory Wilshusen, Director Information Security Issues of the US Government Accountability Office, in his testimony before the Subcommittee on Oversight, Investigations, and Management, Committee on Homeland Security, House of Representatives confirmed that ‘Reported attacks and unintentional incidents involving federal, private, and critical infrastructure systems demonstrate that the impact of a serious attack could be significant … [and]the serious impact that cyber threats can have on federal agency operations, the operations of critical infrastructures, and the security of sensitive personal and financial information’.
Uncertainty about the physical location of the malicious cyber activities, unfortunately, complicates efforts by governments to respond and investigate and to use retaliation as a deterrent. For example, countries such as China and Russia are often singled out as the originating country of malicious cyber activities by scholars and commentators and in key government reports. However, questions such as “How do we accurately attribute the source of malicious cyber activities?” and “How can we determine whether a cyber attack is criminal or an act of cyber war?” remain – a view consistent with that of the US Office of the National Counterintelligence Executive (2011): ‘US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the [US Intelligence Community] cannot confirm who was responsible’. It would be rather unlikely for governments to resort to large-scale hostile or military cyber retaliation simply on the basis of the cui bono logic or circumstantial evidence. A Colonel in the US Army who directs the International Relations Program in the Department of Social Sciences at the US Military Academy at West Point’, for example, suggested that ‘In the case of the nuclear standoff between the United States and the Soviet Union, deterrence was both cheaper and more technically feasible than defense. However, it is questionable whether deterrence can play a significant role in current U.S. cybersecurity policy’.
Global reliance on cyber space for the conduct of both business and pleasure has meant that economically open and technologically advanced nation states such as Australia and Singapore are a target-rich environment. Unfortunately, cyber space cannot be simply shut down to address these threats. In an increasingly interconnected and ICT-conducive environment, government agencies need to reassess security and policing roles and techniques in order to better attune the delivery of modern day governance and policing to the needs, wants and expectations of the society. For example, voice over internet protocol (VoIP) applications and cloud computing have shifted the way in which people communicate, and consequently changed the requirements for the investigation of criminal or improper activity and digital forensics procedures. Jurisdictional differences in substantive and criminal law, however, may hinder police efforts to hold perpetrators to account for malicious cyber activities.
Criminals, however, do not operate with the same set of constraints. They will go to great lengths and constantly seek to exploit new areas and opportunities to manipulate and exploit vulnerabilities and opportunities whether these be in law enforcement, regulatory, banking, legal, business, economic or online environments. Their only limitation is that of the imagination. One may say with confidence that the increasing pervasiveness of ICT means that these technologies will continue to be exploited for criminal purposes by malicious actors, both terrestrial and cyber.
We cannot afford (continue) to have slow moving bureaucratic processes or overly broad legislation and regulation that may result in unintended consequences. Although we may never be able to completely eradicate malicious cyber activities, we should aim to maintain persistent pressure on criminals and actors with malicious intent to safeguard our cyber and national interests. In order to mitigate emerging and evolving cyber security threats and make informed decisions about cyber and national security (as well as keeping pace with the needs and preferences of society), government agencies particularly those in law enforcement and national security agencies need to look ahead and consider how offences will be conducted in the cyber space environment in the future in order to better attune their policing roles and techniques.
It is essential to canvass global developments of the criminal, political, regulatory and business environments that may give rise to malicious cyber activities as many of the risks are based in global features of the criminal economy and the global threat landscape. Planning for our cyber future is always planning for uncertainty. By bringing together different perspectives and approaches from different countries and disciplines, we can provide current and relevant policy and practice evidence with much broader international and inter-disciplinary perspectives that would inform governments’ policy and operational responses to cope with the emerging cyber threat landscape, particularly in a climate of enduring fiscal restraint. This would also allow governments to identify existing weaknesses in regulatory behaviour or regime (as this could have the undesired result of regulatory arbitrage where cyber criminals take advantage of a regulatory difference between two or more jurisdictions to facilitate their malicious cyber activities), ways to design national regulatory measures to address them more effectively, and ensure that the responses are harmonised with international best practices.
A number of jurisdictional complications may be solved by greater international cooperation. It is welcoming news that Singapore and Vietnam have signed the Cooperation Arrangement in Preventing and Combating Transnational Crimes to prevent, detect and combat cross-border criminal activities including cyber crime; and that the Australian Government’s Cybercrime (Legislative Amendment) Bill 2011 was passed by the Senate after being referred to the Parliament Joint Committee on Cyber Safety in 2011. The Bill purports to allow Australia to accede to the Council of Europe Convention on Cybercrime and recognises the need for governments to continuously update and improve the investigatory and legal tool available to them in order to effectively police new and changing forms of malicious cyber activities. As Gary Lewis, UNODC Regional Representative for East Asia and the Pacific, emphasized in the 2011 Asia-Pacific Regional Workshop on Fighting Cybercrime: ‘Cooperation between law enforcement agencies and with the information and communication technology (ICT) sector is essential. Let us not forget that in fighting [organised criminal]network, we ourselves also constitute a network. It may sound corny to say this, but it takes a network to defeat a network’.
Reviewing official statistical data on reported offences, arrests and convictions is often a useful starting point as it provides a measure of the government’s efforts and yields detailed information about known offenders and conduct. Despite the incidence and cost of malicious cyber activities are known to be huge, no accurate data exists. It would be pleasing to be able to cite comprehensive statistics on patterns and trends in malicious cyber activities, but this remains an elusive goal as such activities are generally unreported and undetected. The vast majority of reports on patterns and trends in malicious cyber activities disseminated (and in turn cited) are generally from the commercial sector and may not include details such as the research methodology or provide access to the raw data. The ‘diversity of methods used to collect information on cyber incidents can produce widely different results …[and]this facilitates extrapolations about the scale of the problem and the cost of cyber crimes’. For example, there have been assertions that cyber crime has ‘[s]urpassed Illegal Drug Trafficking as a Criminal Moneymaker’ and a more recent report by Detica commissioned by the UK cabinet office estimated ‘the cost of cyber crime to the UK to be £27bn per annum’. However, such figures have been disputed by both media and academia.
A comprehensive review of current sources of data and research initiative will contribute to the development of clear international definitions and procedures for the collection of data on malicious cyber activities – a much-needed research activity in Australia as identified by the Australian Government House of Representatives Standing Committee on Communications. A more coherent approach in collating data will also help to ensure that government policy is responsive to trends in malicious cyber activities and to avoid overreactions. Once the scale of malicious cyber activities is known, its macroeconomic effects, as well as the impact of crime prevention, effectiveness of existing policy and legislative responses can be evaluated. The evaluation and study of policy and legislative implementation is important, as a badly implemented policy may not result in any of the hoped-for benefits eventuating (regardless how well-conceived the policy may be). Findings will improve knowledge of the nature and dimensions to the problem, and of suitable risk management and mitigation strategies, thereby enabling governments and the private sector to set priorities and better target scarce resources in fighting cyber threats that make the most impact.
Dr Kim-Kwang Raymond Choo is a Fulbright Scholar and Senior Lecturer at the University of South Australia.