Sixth Annual Meeting of the Internet Governance Forum
27 -30 September 2011
United Nations Office in Nairobi, Nairobi, Kenya
September 28, 2011 - 14:30PM
***
The following is the output of the real-time captioning taken during the Sixth Meeting of the IGF, in Nairobi, Kenya. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
***
(Joining session in progress.)
>> ALEXANDER SEGER: A lot of discussion about cybercrime, but the concepts are far from clear. There is a little confusion. With this confusion it's also unclear of who is responsible for what. We are not able to bring across a clear message to countries, to governments, to the private sector of what we are really talking about.
I do very much hope that during the next 90 minutes we can start sorting this out and make some progress. The intention from the Council of Europe's side is that we have discussion that was also posted on the IGF website. We will then continue the discussions in November in Strassbourg, which is on 22d and 23d of November and on 23d of November we have the 10th anniversary of the Budapest Convention.
We will work there for possibly half a day. And then in the future possibly we can develop some sort of a guidance paper or a guideline to provide advice on how our countries, how governments, how all the stake‑holders can deal with the issue of cybercrime in a more specific manner.
We'll have a number of panelists here. I will introduce them as we go along. I will ask them to introduce themselves as we go along. Each of them will speak for a maximum of five minutes. Eve of them has one slide. Some of them have no slides. So don't worry. We also have Paul from Kenya as the moderator. Paul, he is there, and so this allows us also to bring in people from ‑‑ from outside. We had last year an excellent workshop in ICT and Lithuania about capacity building and we had a lot of moderation there and I think this is a very important tool.
With this I would like to give the floor to the first speaker here, Markko Kunnapu, from Estonia from the Ministry of Justice. And Markko is also Chair of the Cybercrime Convention Committee. Could somebody please put the next slide on?
Very good. Thank you. You see, this works, this is multistakeholderism. This is Markko's slides. Markko, you have five minutes.
>> MARKKO KUNNAPU: Okay. Thank you. My name is Markko Kunnapu, and I work in the Department of Justice and I was in the Estonian government. Just to start with, strategies are needed. And we need both strategies? The answer is yes. And I think most of the countries have some sort of strategies, policy papers concerning fight against crime. Normally they should include also fight against cybercrime, but I think most of the countries right now don't have any strategies concerning cybersecurity. Estonia also was one of the countries who didn't have it until 2007 when we had the cyber attacks which were also targeted against critical information infrastructure. That was an impetus for us to start drafting government strategy concerning cybersecurity.
And this was not regarded as a criminal justice instrument or just as another crime. It was considered as threat to national security. That's why Ministry of Defense coordinated the drafting.
There were several Working Groups, I think almost all the ministries of Estonia, including Ministry of Social Affairs, Ministry of ‑‑ Economic Affairs, they were ‑‑ ministry of foreign affairs, Ministry of Defense, I already mentioned that. They were all just working with that. Then we started the Working Groups in June, 2007. And in the beginning of 2008, we already had the final strategy.
And why do we need both?
Because these terms are different than when cybercrime ‑‑ fight against cybercrime and cybercrime strategy is a criminal justice instrument. That means that there are only police, prosecutors and courts involved. And cybersecurity's much broader. I think I already mentioned that all the Ministries are involved. And actually there are also different fields, different areas that are affected, starting from transportation, finance system, economy, even just military, and then political issues. They all are involved.
That's why you need both these strategies.
These are parallel issues, just complement each other and also provide for the mechanism that these different institutions, these different procedures could work with each other, incorporate with each other.
I already mentioned that there are parallel procedures just as regards criminal justice system. Then there is a criminal procedure which is quite strict. And on the other hand if you speak about cybersecurity information ‑‑ information security in general, then we can speak about administrative procedure.
These are two different procedures. And they have different aims. Just if we speak about Criminal proceeding, then the aim of the proceeding is just to collect evidences and prosecute the perpetrators.
As regards cybersecurity, then the aim is to protect information system.
If these information systems provide for different critical services, then government's task is to keep alive, keep running these services.
I already mentioned that cybersecurity is comprehensive and I said disciplinary issue. I mentioned that there are several fields, military aspects, political aspects, technological aspects and those economical aspects. And cybersecurity strategy is a document which has to take into account all of these different policies, and just to combine them and provide for general targets, general aims.
As regards cooperation among different institutions, then I already mentioned that there is police and there are prosecutors, but also as regards cybersecurity, then it's mostly done by different governmental organizations. They regulate, the authorities and other bodies. And if you have some sort of attack against your information systems then it's really necessary that you have a mechanism that all these institutions could exchange information. As regards Criminal proceeding, there are quite strict rules concerning who ‑‑ who and then how gives permission for the disclosure of the information and so on. And the information must move from law enforcement to government authorities and vice versa, because all these institutions have their role in fighting cyber attacks, for example.
And what I think is the most important concerning the strategies, and we have also action plan which concrete actions, concrete details, list of Ministries who are responsible and deadlines.
And then we have also periodical review.
Right now the first cybersecurity a strategy was meant for 2008, 2012. Right now we already gathering information and collecting input to start drafting a new strategy from 2013.
This is really important, because, as I mentioned, Estonia was one of the first countries actually to draft governmental cybersecurity strategy.
We can say that we were quite beginners during that time. And then all these notions and definitions, we had to just define them by ourselves, because there was ‑‑ there was no international experience during that time.
And then that's why I think that periodic review is also really necessary because cyber threats are just getting more and more comprehensive, and also government responses must be also updated.
And I think that would be all. If you have further questions, I will be just ‑‑ ask them laid.
>> ALEXANDER SEGER: Thank you, I think we will have each participant, each panelist to speak briefly and then collect the questions afterwards.
Important to note, yes, Estonia responded to the attacks of 2007 by in 2008 adopting a cybersecurity strategy under the leadership of the Ministry of Defense with many other institutions. Ministry of Justice, criminal justice, just one of many stake‑holders in that the primary focus is national defense, infrastructure protection and so forth. And it's very interesting when you go to international cybersecurity meetings, there's hardly anybody there from Ministries of justice. Maybe U.S. is an exception. It's usually people dealing with many other issues but not with the rule of law criminal justice methods. It's very important to retain microsets that both is needed cybercrime and cybersecurity strategies. We know that following Estonia in 2008 we had Australia in 2009, Canada in 2010, the Czech Republic a few weeks ago, France, Germany, Netherlands, United Kingdom. They all adopted cybersecurity strategies. South Africa, India are in the process of doing the same.
The United Kingdom is one of the very few countries with cybercrime strategies in addition to cybersecurity strategies.
A very interesting strategy was also published not so long ago by United States of America. And I'm very happy now to have Chris Painter explain a few words on how you see from the State Department's perspective differences between cybercrime and cybersecurity. And Chris has no slide.
>> CHRIS PAINTER: I have no slide. Maybe I can't even talk. I don't know. So I come into this with a perspective of I have been a Prosecutor doing cybercrime. I was in the Department of Justice for a long time working on various cybercrime issues and cybersecurity issues.
And then at the White House, working on our cybersecurity strategies there and this international strategy, then finally at the State Department looking at the full panoply of cyber issues. So with that background I think what I'd say is that the cybercrime and cybersecurity are really inextricably intertwined. They are very, very related. Here's how I see it. I'll agree with our Estonian colleague to be sure there are differences in terms of the Ministries involved. I think cybercrime clearly evolved as a national priority for many countries. First there was a lot of activity in cybercrime, including the ‑‑ you know, the negotiations and the writing, the Budapest Convention, the G8 high‑tech crime grew and the 24/7 network that I've been privileged to help run for many years.
There's been a lot of activity because I think nations understood the criminal threat, but they didn't understand the larger cyber threat and how they might protect themselves.
That said, I think that we have in the U.S. worked on this for quite some time. First let me tell you why I think they're inextricably intertwined. It is ‑‑ I don't think you can have strong cybersecurity if you do not have strong cybercrime laws and enforcement of those laws and international cooperation that leads to that.
It is to use the physical world example, it is like if you did everything you needed to do for cybersecurity, physical security, you bolted the doors, you locked the windows, you did everything you could. But there were no consequences for the people that broke in. That's not a solution. You need both the consequences, the criminal consequences for the people who break past those barriers, and you need to actually harden the targets, you need to take every step you can to make sure that you're resilient, you have good steps in place and things to deal with these issues. So I don't think you can have cybersecurity without good cybercrime enforcement. And I think they actually go together in a number of other ways, too.
Cybercrime cases often will reveal vulnerabilities in systems because cybercrime cases in the investigative stage could show new levels of attack or new types of attack, new groups of attack or new threats. And that can very easily if governments are organized in the right way be plowed into the network defense element. It can be plowed into the certs and the other part that you need to defend that works in country. So I agree again there are different focuses but they are very, very closely intertwined.
We ‑‑ the U.S. has thought about this as a priority cybersecurity and cybercrime for sometime. Cybercrime as I mentioned has been a focus of our Justice Department and others and the FBI and the Secret Service. Cybersecurity we had our first cybersecurity strategy in 2003. And that ‑‑ we also had some international work around the same time. So we had a cybersecurity strategy that was released in 2003. We have ‑‑ there's been a lot of work about that since then, which was a statement of some of the basic principles and it included cybercrime in that cybersecurity strategy.
In the G8 at the same time, there was principles, 11, because for some reason we couldn't do ten. 11 principles for critical information infrastructure protection that basically was aimed at countries and said: Here is the things you need to have to have good critical information infrastructure protection which frankly is the same as cybersecurity in my view. They're just different labels. And some of those things were: Have national certs, make sure you do research and development. Make sure you have early warning systems and make sure you have strong cybercrime laws, make sure you have the ability to cooperate internationally. So, again, cybercrime and cybersecurity were very closely intertwined there.
More ‑‑ more recently as Alexander said and when President Obama took office, we wrote ‑‑ I was part of the team that wrote the cyberspace policy review for the president. And we looked at all of our cybersecurity strategies, including our cybercrime enforcement and how that worked. And we wrote a report about some recommendations of how the government could be organized and how we can more effectively deal with the cybersecurity problem, but that included cybercrime again. And indeed when President Obama gave his speech in May of 2009 where he characterized this threat as one of the greatest economic and national security threats we face as a country, a lot of the examples he gave were cybercrime examples and international cybercrime examples. So that shows you how these things are very closely related.
Alexander mentioned the ‑‑ the strategy was just released back in May. International strategy for cyberspace, and that deals not just with cybersecurity or cybercrime. It deals with all of the issues in cyberspace with the goal of having a open interoperable, secure and reliable information and communications infrastructure. Significantly, two major parts of that document deal with cybersecurity and also cybercrime, two of the norms that we want to build a consensus with other countries are around are cybersecurity due diligence and protection from crime which is protection from crime in the physical world and on the Internet. So those are all core concepts that are looped together.
The last thing I want to note is that, you know, there's ‑‑ this is sort of a three‑legged stool. You have on the one hand needing to have strong laws in place, the countries around the world really need to have.
On the other hand you need strong capabilities, capacity. You need trained law enforcement officers. I would submit that even though these are specialized people, the Justice Department and the Home Affairs Department often and the interior departments they need to be able to talk to other Ministries and there should be a lot of communication in Ministries, not just for cybersecurity but because of some of the cybercrime aspects and how you can share information. And then the third is to be able to cooperate internationally. It's critically important to have all of those.
Alexander mentioned the octopus conference that's coming up which is really important. There is a training of the 24‑7 Network which is about 50 countries now that's coming up in Rome in the November. These are capacity building efforts. I mentioned on another panel that I was on I was here in Nairobi for the first time two months ago and we did a capacity building seminar with the Kenyan government for the five East African countries, where we talked about cybercrime and security. I think it is important to understand that there are certainly differences, and I actually think it's good that countries are coming up with cybersecurity strategies for cybercrime because it's raising the national awareness of these issues.
I would also agree with Alexander. I believe ‑‑ my personal view is that when governments are thinking about cybersecurity they should include the cybercrime people as well. This is for the reasons I've talked about and I think it's useful to have those perspectives together. The defense perspective and the addressing threats. You can think about mitigating vulnerabilities, but you can address and go after threats and that's what cybercrime enforcement does.
>> ALEXANDER SEGER: Thank you, key point to retain, what you do in cybercrime will also help you in the security front and vice versa hopefully.
There are key issues that relate to both, namely the need for capacity building at all fronts, interagency cooperation. In particular when your different institutions dealing with cybersecurity and those dealing with cybercrime, that they closely coordinate with each other, exchange information.
Then, of course, the capacity to cooperate internationally both in the cybercrime and the cybersecurity front.
Could somebody press the button on the ‑‑ thank you.
There has been close cooperation in recent years with countries outside Europe and one of those is Sri Lanka. We had a wonderful workshop in April this year with Pakistan, India, Bangladesh, Maldives, joining us in Sri Lanka and the key organizer there was Jayantha Fernando, driver in his country and at the international level and therefore, very good for us to hear his views on cybersecurity and how that applies in a country like Sri Lanka.
>> JAYANTHA FERNANDO: Thank you, Alexander, for inviting me to this event.
Well, Sri Lanka can perspectives were also quite unique in the sense that at the very beginning when we embarked on a journey where the ICT sector became trust area of good from economic perspective. And there was a lot of focus, especially with the last 7, 8 years, we were rather confused as to whether we should have a cybersecurity framework or whether we should have a cybercrime framework.
So like how Chris Painter mentioned at the beginning of his presentation, we knew of all of these issues of the and we thought of dealing with the legal consequences first. And that's what led to kind of a comprehensive regime to deal with a series of cybercrime strategies with several legislative frameworks all linked together.
So, in the early days, the legislative formula or the legislative program was driven more towards providing the enabling infrastructure, both from the electronic banking area perspective. And a lot of emphasis was given to providing and ensuring trust, integrity and reliability to electronic transactions with the establishment of dedicated sector‑specific Certification authorities, both for the banking sector and for the government sector.
But ‑‑ but then, having that kind of a cybersecurity strategy in a way was found to be inadequate because increasingly, most of our critical information infrastructure was getting or facing regular cyber attacks. And Sri Lanka was a country as many of you know, facing numerous issues from money laundering to crime in financing to many other challenges with the use of ICT tool in all of our sectors in the banking, private sector and even in government.
And then with our telecenter across the rural community we had even the rural DPUs and some of those centers became points where criminal activity was carried out.
This led us to consider coordinated cybercrime strategy. And that led to a series of legislative frameworks, starting from the computer crimes act. But we felt that the computer crimes act itself was not adequate in the context of a comprehensive cybercrime strategy. So we embarked on a mechanism to get the other sectors involved in a consultative process in formulating the necessary legal framework. And that, in turn, resulted in the payment devices to exact the money laundering act and the terrorism financing act and the measures going alongside each other.
All of the statutory frameworks, including the bill that is being currently formulated in Sri Lanka which hopefully might go through this year, namely, the amendment of the publications ordinance that deal comprehensively with protecting minors on the Internet is all linked together with the cybercrime framework.
And in that formulation, what we found as being the best formula for us to go forward was to look at models available. And we realized early on that Budapest Convention was the best model for us to look at.
And one of the best lessons that we learned from the Budapest Convention is not just to in‑court substantive provisions in the law in all of these areas that I mention, but to provide Checks and Balances and focus on human rights issues, especially in the area of law enforcement activity in the investigation and prosecution of cybercrime activity.
So we are continuing the drawing from the best practices provided to us from the Budapest Convention, and we are hopeful to created collaboration will result in better adherence to Checks and Balances, at least in the future.
Now the strategy was illegal, we recognize the need for others as well as administrative as well as interagency cooperation. So in that context my agency was involved in setting up the national cert, the Sri Lanka cert which is a member of first and the national coordinating center for cyber threats and incidents.
And in providing that formula, we realize that a pure government owned ‑‑ starting the way forward that we need to bring together private sector and other communities and the technical community in the country in the technical coordination to deal with cybercrime and cyber incidents.
And we are working towards creating a multistakeholder model even in the government of Sri Lanka cert. And that is the direction we are heading, but it has been an extremely challenging task at least from my perspective.
Funding the Sri Lanka cert and setting it up was one thing, but continuously ensuring that the highly skilled, trained people are paid market wages in a governmental framework has been a huge challenge. And we have overcome some or all of those challenges and we are happy to say that one day despite the criticism some of us had we are hopeful that in the long‑term we'll be able to showcase a best practice model.
The Sri Lanka cert is a government owned company, and that government owned company model created in 2006 is what gave us a flexible environment.
But in this interagency cooperation that we were looking at, working with the law enforcement and judicial sector and the prosecution service, we also embark on a series of training activity.
And this is where I would like to commend the support extended to us by the Council of Europe including the World Bank and other banks who came to us with supporting mechanics. And this is ‑‑ they are once again, donors can also place some kind of a limited or sometimes a significant role. It can be significant in some contribution but limited in the active participation, but they can play a role in supporting and helping developing countries in getting the necessary frameworks in place.
We are also thankful to the other private sector efforts. Sri Lanka also signed up, the cert signed up to the security of Microsoft. We have benefited immensely from that.
Finally I would like to emphasize that the cyber crimes strategy as the previous speaker noted out is an interlinked mechanism to ensuring very good or a very ‑‑ very well found cybersecurity strategy. And that is why the government policy adopted in December, 2009, there was a dedicated provision dealing with how government and other agencies connected together with the critical ICT infrastructure should adhere to some Monday mum norms and practices in terms of IES policies, and we have not just looked at the Sri Lanka can standards arena we have been drawing on best practices from the British standards institutes. So having said all that, my conclusion is that cybersecurity and cybercrime strategies are complementary of each other. One is a feeder to another. And good cybercrime strategy will help to strengthen and ensure an excellent cybersecurity strategy in the long‑term.
Thank you.
>> ALEXANDER SEGER: Thank you, Jan. This is an extraordinary experience that we can see in Sri Lanka, how starting with the idea of creating an enabling environment, the authorities have played an essential role, more and more branched out, cover the cybersecurity issue, cover the cybercrime issue going to setting up certs and institution building and so not only the legal framework being very concerned, which is often rare for ICT agencies being concerned about conditions and safeguards with regard to investigative powers. This is very important that this is addressed. In Sri Lanka as in any country.
And we also are pleased to see that we can now with the help of Sri Lanka also work in other countries of south Asia. This is an excellent experience. So we have the first model of Estonia response to an attack to set up a cybersecurity strategy. And on the other hand, Sri Lanka gradually building up the whole environment in this field.
You mentioned public‑private corporation, a strong role of the private sector, and indeed, for that reason we also have private sector here on the table. They have a very important role to play. And I would like to give the floor to the next slide, to Andrew Cushman from Microsoft.
>> ANDREW CUSHMAN: Good afternoon. Thank you very much for your attendance. I'm Andrew Cushman. I'm a security strategy is gist in the trustworthy computing group at Microsoft.
I've been in the security group for about ten years. My role at this point is focused on helping governments implement security measures that build capability, and helping governments formulate security policies that are effective in achieving their goals.
Microsoft has significant experience in the cybersecurity space.
In the past I have also worked in the Microsoft security response center. I managed that group for two years. That's the group that's responsible for security updates on a monthly basis. Patch Tuesday.
That's the ‑‑ that's the technical side of security.
I also managed a team that was about hacker outreach.
So outreach to security researchers to understand what they know and how I can use that information to improve the products.
And that's a human dimension of security.
So at this point I bring all of that experience. I bring the technical experience, I bring the human dimension of experience, and I bring the non‑technical or the policy dimension of experience to bear on this problem.
I'm happy today to be able to represent the digital crimes unit, DCU, within Microsoft.
This is a group that is focused specifically on cybercrime. Because my roles previously have really been about security vulnerabilities and about policy and cybercrime is a bit different than that.
As Microsoft thinks about that strategy for combating cybercrime though, it is ‑‑ it's one that is based on innovation.
We take a look at the ‑‑ at the ecosystem, and we think about: How do we disrupt that through innovation.
We have innovation in the technical dimension. Innovation in the legal dimension. And then innovation in the ‑‑ in the ecosystem.
So you can think about that from a ‑‑ the experience I talked about earlier, technical, the human dimension, as well as the legal dimension.
So a couple of examples on the legal dimension.
There's the basics that you have to do. You know, there have to be criminal statutes and there has to be Harmonization. You have to do the basics but the strategies as well. We implied those in both the Waladac and the Rustock cases, in terms of using the existing legal framework in novel ways to attack command and control centers.
And, again, in the technical dimension it's about basics and it's about innovation.
The basics would be: We have a team that does malware analysis and creates signatures, and then supplies those signatures in the Microsoft security essentials suite to help clean up machines.
But as I talked about severing the head off the BOT, the command and control center that we did with Waladac and Rustock, that's a novel technical dimension to this.
And we also think about it from a holistic life‑cycle approach. And it's a multistakeholder approach. And this is both within Microsoft, because as a large organization, there are lots of different constituencies, lots of different players. And you heard that on the governmental side, it's the same in the private second.
So we have the digital crimes unit that's in one ‑‑ one division has a different Vice‑President, different minister than the Microsoft malware protection center, is in a different ministry or different Vice‑President, as is the trustworthy computing group.
So we have a virtual team that actually bridges those communities.
And then within the larger ecosystem we have academia, industry and certs that we collaborate with. Whether this is the University of Washington or with other protectors in industry or with protectors in the governmental or pseudogovernmental role because some certs are not ‑‑ not every cert is a governmental cert.
And then we think about this from a feedback perspective and an action.
One of the ‑‑ one of the ways that I describe my job is as a Program Manager, whether that's in a product team or in this case in the securities space, I'm a ‑‑ I'm a change agent. And part of my job is to go and catalyze or change the ecosystem. With each of the Bot takedowns that we did we analyzed well and we analyzed the challenges that we had and we Fed that back for the process to improve the next ‑‑ the next one.
Some of the kinds of changes that we are driving are that we now have from ‑‑ I'll talk just a little bit about the Rustock case, where we severed the head off of this BotNet. And then we had lots of data about infected host machines.
Host machines that were spread out across the globe.
We took that list of inspected hosts, and we provided those to certs around the world.
We established direct communication channels with them so that the cert in a country could actually know what IP addresses are infected and could then use the existing mechanisms within the country to go and help clean those up.
I would summarize the strategy that we have here in terms of it's ‑‑ it's a multistakeholder approach to take the tools away from the bad guys, to clean and prevent re‑infection.
And then to change the dynamic in the ecosystem.
So to ‑‑ to have a positively reinforcing cycle. And the only positively reinforcing cycle in the cybercrime ecosystem today is from the criminal side. We really need to have a positively reinforcing environment so that each change that government or industry or academia makes reinforces the positive that's happened from before.
Thank you.
>> ALEXANDER SEGER: Thank you, Andrew. We have been working very closely with Microsoft over the past few years and has been a very interesting and rewarding experience for us.
As you mentioned ‑‑ you mentioned BotNets on several occasions in your short presentation which we all know is probably the biggest single tool or the most damaging tool that is available to criminals these days.
And this multistakeholder approach to take the tools away from criminals is very important, but it's also important that once you have taken the tools away that you put them ‑‑ bring them to justice. And that's where then the cybercrime strategies and the criminal justice response comes into the picture.
I like also the term of change agents, we are all change agents so when you go back, change the world in your country from the end of this week after the ‑‑ after the IGF.
A lot if not most of the cybercrime happening is aimed at getting proceeds, getting criminal money. Taking away money from somebody else, fraud and so on. Therefore, it's very important that in all of this ‑‑ in all the cybercrime strategies we involve the financial sector, and, therefore, it's very important to have, from PayPal, Bill Smith here with us with a ‑‑ if somebody could push the next slide? Oh, another one.
Okay. So ‑‑ okay. Bill Smith from PayPal is.
>> BILL SMITH: Sure. I'm Bill Smith with PayPal. I ‑‑ I'm in a unit similar to the one Andrew just described, where I ‑‑ such a unit exists within PayPal in the larger group that I sit in, I sit next to these people and I'm amazed at the work they do and glad I don't have to do it.
I just get to go out and talk about it.
One of the things I was fortunate enough to do earlier this year was to work with two of my colleagues on writing a paper that's available on our website. The URL is down at the bottom there. Oh I see the wonderful features of formatting.
I spent a lot of time getting that to fit all on one line.
(Laughter.)
>> BILL SMITH: So if, Andrew, you could take that back to Microsoft and fix that, I'd really appreciate it. But I know that's not possible. So ...
Anyway, we came up with a ‑‑ so our paper's on cybercrime. It is a U.S.‑focused paper. The only reason, it's not because PayPal only cares about the U.S. is that we wanted to make some practical, real suggestions for things that could be done and attempting to do that on an international scale is actually quite difficult.
So rather what I'd want to do is focus on the principles that we outlined in the paper. There were ten of them. We managed to get the 11th one out of there. (Laugh).
And ‑‑ and talk about those a bit.
So our ‑‑ initially or the early part of the paper describes cyber issues or cybersecurity. In our view cybercrime actually is part of cybersecurity, considered in the same ‑‑ the same set of issues as are cyber terrorism, cyber espionage, cyber warfare.
In our view, those issues should be discussed largely in different venues where foreign ministers from the U.S. Department of state, perhaps, you know, military folks, are discussing those issues and that they have a different ‑‑ there are a different set of interactions that need to occur. We agree that they're very similar. There may be similar attack vectors, mitigation techniques, et cetera between cybercrime and those ‑‑ those other issues, cyber issues. But we believe if we're going to make real progress says on cybercrime to focus on that.
Number one involve the least regulatory change. We are not afraid of regulation but don't overregulate. So make laws that are effective and do what is necessary, not just find the fastest way to do something.
Ensure that laws that exist can be interpret in there ways which credibly allow participants to prioritize safety. And the participants here really are anyone that's attached to the Internet. Our view though is largely in companies. And in one of the significant issues we have as has been pointed out is that the criminals, the bad guys, they play by no rules. They will share anything and everything at will. And as a consequence they've a huge advantage over both law enforcement and the private entities that are attempting to mitigate ‑‑ mitigate crime.
And so we would encourage law ‑‑ changes in law that allow a freer exchange of information. Not ‑‑ you know, not infinite exchange but a freer exchange of information when it is done with the attempt to ‑‑ to mitigate crime or enhance cybersecurity.
That puts us on a playing field that's at least a little closer to level. And things are not so out of balance between the white hats and the black hats.
Make changes which reduce negative externalities in the overall ecosystem, there we're talking largely about but not only malware. If you have a machine that's infected it may not bother you, but you may be part of a BotNet which is then part of a distributed cyber attack. So you are causing harm to the network and so we think reducing malware and potentially regulatory change in that area would be a good thing.
The Internet clearly is global. That's obvious.
What may not be obvious is that a change needs to occur in each country and every country. More or less at about the same time. Otherwise we end up with safe havens, not for the good guys but for the bad guys.
That doesn't mean everything must be identical or always at the same time. You know, and same day. But if there are significant lags or the laws are significantly different, it makes it extremely difficult to mitigate.
And as I think has already been pointed out, most of the crime that we see or much of the crime that we see is transnational. It crosses borders.
Another piece of that is we need enhanced ‑‑ enhanced arrangement, I will say.
The 19th Century multi‑lateral agreements really don't function real well in the Internet age.
We need, and in particular, a lot of the things we see, we can't wait a day, a week, a month, a year, for ‑‑ for MLATs to take effect or requests that go through them and come back around. We need to take action in a minute, an hour, right? Truly in Internet time.
Another principle is: Avoid conflating intellectual issues. We believe strongly in all of these. We believe in the ‑‑ you know, that IP theft is an issue. It's a significant issue. People should be able to exercise free speech. They should be able to be anonymous.
We should respect privacy.
At the same time, if we always bring those in, at least the discussions I have participated in, we rarely make progress on what was supposed to be the topic of conversation, crime.
Instead we talk about how if we do this we might impinge here.
Or on intellectual property, we talk about, you know, ways to deal with those issues as opposed to what we talk about primarily in cybercrime, which is direct money theft or things like that, generally. Right?
The attack actually is going on against the customer. They're losing money. And it's hard money, not soft money.
Governments should not mandate nor manage technical controls.
I think there is a knee‑jerk reaction in some policy spaces to say: Well, here's this problem, and if we do this in the technical arena, we ‑‑ we solve the problem.
Unfortunately, the adversaries, our adversaries are extremely agile, and they have the ability to move quickly. So when we impose a technical constraint on them they either find the vulnerability in that or a work around to it very quickly. And they will also move faster than the legal system can and the judicial system.
So we need ‑‑ we need to be able to move more quickly, and we suggest against mandating technical controls.
Another one we think is obvious, find things that improve security and don't compromise privacy, okay, again we believe strongly in privacy but we do not believe that these are exclusive.
In fact we maintain there is no privacy without security.
Okay? If you aren't ‑‑ if you don't have secure systems you cannot have privacy.
Full anonymity on the Internet especially in e‑commerce and financial transactions nearly impossible. Certainly it's infeasible and for most any transaction that is a non‑trivial transaction, it's difficult to do anonymously.
Let's see. Nine is: Treat data usage for antifraud purposes as distinct from data for marketing purposes.
This one is specifically around: Do not track. That's receiving a lot of support.
We're actually kind of neutral on that, I would say. But we believe that if there is legislation or policies around tracking using cookies that there be a carveout for such tracking when it is used for fraud detection and similar things to mitigate cybercrime.
It's a ‑‑ it's very useful, and we would Haiti to see it go.
Lastly, the Internet governance organizations are part of the solution, not part of the problem.
So discussing things at the IGF, at ICANN at the RIRs they are part of the solution, they are not part of the problem, we don't need to take these issues elsewhere to discuss them. We can do it here and in other fora and that that's actually the best mechanism. If we go and invent something new to try to solve cybercrime, we ‑‑ we won't be making progress for years to come. Thank you.
>> ALEXANDER SEGER: Thank you. Very important elements here of the and we will try to reflect those in the revised version of the discussion paper later on.
You call for more efficient information exchange, and in that context in your paper you called the Budapest Convention antedeluvian.
>> BILL SMITH: We may have made a mistake with that.
>> ALEXANDER SEGER: There is a challenge of how we can make these provisions efficient. Constructive criticism. Very much. And the issue on privacy versus security, actually, most ‑‑ most of the cyber attacks are attacks on the privacy of people. Let's face it. So the more you do on cybercrime the more you enhance privacy if you look at it that way.
With that, we are almost through with the speakers, don't worry, there will be some time for discussion. I'm very pleased to have Zahid Jamil from Pakistan.
>> ZAHID JAMIL: Yes, I am from Pakistan, I'm an attorney there, and I have drafted translation on transactions and worked in cybercrime. I've got notes here but I have five minutes so I hope you will bear with me so I apologize for the speed if we have difficulties.
Now, we're talking about capacity building and in some sort of capacity building in my country and regional. And Jan who was talking about the south Asian initiative where the Council of Europe that provided that was an extremely helpful exercise where Parliamentitarians, business and even technical experts were down in Sri Lanka where we discussed many things in the workshop. But what are the areas of capacity building that we can sort of identify. So the first is legislative. In Pakistan we have the electronic transactions ordinance. There is the payment systems, electronic fund transfer to deal with that and the prevention of electronic crime ordinance. These are cybercrime based legislations. What we did with legislation was that we tried to get the best model available internationally. The best model accepted beside most countries, there was only one treaty in the world at the moment with regard to cybercrime. That's the Budapest Convention. So that was utilized as the basis for most of the legislation we did in my country and cooperating with other countries in our region to say a legislative capacity building. Look to the best. Don't look at something that's diluted. Look at the best available. And the advantage we found in the Budapest Convention with the Council of Europe: Harmonized definitions. Bill talked about that. If you have different definitions across the globe you will have difficulty trying to fight it. It is technologically neutral so it doesn't have is a specific identity theft or a spoofing section or clause, but it does have a technology neutral definition that allows you to address that issue. It provides safeguards and human rights protections and gives the procedural powers that law enforcement requires to be able to implement cybercrime stragegies. So that's the legislative part. That's procedural which also comes as part of the legislation as a package. And so that is something that also is something that you need the Parliamentitarians to be onboard and as I said reasonable meetings where the Council of Europe assisted in ex‑complaining to them what was needed was extremely useful. When I went back they were completely sold on this. We will be advocates within the legislature to get this to happen.
Now, with regard to investigators and forensic experts there was a training done in Pakistan, it was Microsoft as a private entity. They brought in expertise. The Council of Europe came in, I was one of the people who actually participated in that as well. And in that, you know, and for the past two years the FBI and the Council of Europe have been doing the trainings in the country. It makes a difference, I'll give you an example of why it makes a difference to law enforcement with a specific example. The second to last point but I'll come to that later.
The next thing is you need operational technical capacity building and skills to high‑tech crime units. They don't know how to deal with it, how to use computers, how to walk into a search and seizure environment. And they're supposed to take data out. We've seen several incidents where they are corrupting data or the data gets infected or the chain of custody is lost. And even countries like mine in judgments will say: Sorry, you know, this evidence has no value because the chain of custody was broken. And so those trainings to those law enforcement become highly vital.
Cooperation. Now, on cooperation I wanted to mention two, three points. One as you need to have a 24/7 contact point because cybercrime is not something that takes time off at night. It happens at night, globally, all the time. So you need to have somebody available within your country locally. Not just talking about international cooperation, who will be able to respond to some sort of cyber attack within law enforcement, not necessarily within cert but in law enforcement. Those capacity to set up help lines would be extremely important.
Interagency, domestic. In my country we have a Federal and provincial set‑up. The law enforcement at the provincial level says we don't get cooperation from the Federal level. Not sharing information. The bad guys are winning in the meantime. The interagency cooperation is at a minimum or doesn't exist. And then there's cooperation which is international and that can only happen if two things take place. One, legislation in that country provides for mutually legal assistance. All right. If I get a request from a country abroad I will process that. It will be a request from any other complainant and I will provide cooperation from my law enforcement to the other country. Now, it has to be on the basis of an international treaty. The only one we have right now is the Budapest Convention. I have a quote there, show you an example of what the Australians because they're about to ratify it. At a recent meeting I was briefed on an international police operation that smashed the largest child sex abuse case in history. Police agencies identified 70,000 members and rescued 230 children from horrific abuse across the globe. This successful police investigation into the site would not have been possible without cooperation between overseas agencies and online crime fighting capabilities. The Attorney General of Australia, are just last month or two months ago, this shows you the importance that it's not just enough to have a legislation on the ground and say we've done it as far as legislative procedures powers are concerned but also to understand that in order to have cooperation you need to be able to be part of an international framework or a treat oh. The only one right now is the Convention. Investigators asked when trained with regard to cooperation. I am an investigator in Pakistan. I know somebody's using either a Gmail or a Hotmail account of the and what I want to do is to preserve the data. So I want to make a request to an entity in the United States. How do I do that?
So the law enforcement has no currently if it's not signed up to the treaty which is the convention of ‑‑ the Budapest Convention has no legal mechanism by which to be able to ask for that in such a manner that it becomes an obligation of the country on the site to provide that cooperation because then it's up to the country to say, really? Okay, maybe, fine, but there's no frail work, no international convention, and this was the biggest problem that our investigators ‑‑ and this problem is shared across the globe ‑‑ face unless they have that convention or sign up to that international frail work.
Now, let me talk about certs and other people have talked about it so I'm going to say that that's important. It takes money, skill, and that's another thing to keep in mind with regard to building cybercrime strategies.
I did training for Prosecutors before I came here and it's incredible how some Prosecutors having, you know, they're older, they're not necessarily younger. Some may not understand how computers work. They can use a BlackBerry but when you ask for IP address and things they don't understand what they need to put into court and how to put into court to be able to effectively fight a cybercrime case. So ensuring the Judges as well as Prosecutors are trained in this the Department of Justice in my country has me doing training over the last two, what.5 years. Can I have the last slide.
>> THE MODERATOR: There is nothing.
>> ZAHID JAMIL: Private sector cooperation initiatives. If it hadn't been for Microsoft to partner with CoE and have advocates and attorneys present with law enforcement to train them this wouldn't happen. So private sector involvement and initiatives in developing countries take on a very, very important role because it's private to private cooperation and private to law enforcement cooperation that's really going to get us the results in fighting cybercrime.
We've talked about the regional outreach that is required. You know, south Asia, we had one with the CoE. I want to create a segue to the next speaker to talk about the convention and best practices. Commonwealth cybercrime initiative. Most Commonwealth countries have an advantage. They share the same common law. The purpose of this initiative is to use the model of Commonwealth law on cybercrime as a basis which is the same as the BS A model or it is taken from the Budapest Convention as a model as well. And using that modeler within Commonwealth countries and filling the gaps if we need to with other things and using that as a vehicle forward. So if you're a Commonwealth country I would ‑‑ I would request you to come to workshop tomorrow but I'll let Joe who's with the CI GF tell you more about that. Thank you so much.
>> ALEXANDER SEGER: Thank you, Zahid. Indeed, the capacity building side is one of the main changes actually that we have had and what the Commonwealth right now is preparing, the Commonwealth cybercrime initiative will be very much welcome.
Joe, if you could have 1 or 2 minutes on that because tomorrow there will be specific workshop on the questions so this is now a teaser for tomorrow.
>> THE PANELIST: Yes, and I don't have any slides, I'm sure, and it's really following on from the introduction of my colleague, Zahid, be mindful of this really did he say separate need for some capacity building on the ground. The Commonwealth has really devised this initiative to address this.
And the ‑‑ the aims ‑‑ the aims of this initiative is to help countries in realizing the capacity in order to address the issue of cybersecurity and cybercrime.
One of the things that I discovered from Alexander asked me to really take part in this afternoon is really I wasn't sure what I could add to this because I think much of what needs to be said has been said, but in the interim I had the opportunity to really look at the discussion paper in the counselors put together on cybercrime security. And advocate has really brought a dissemination of this paper as possible. I have found it very, very instructive.
And I see this really as a first step really for a lot of countries in really starting down this road in really developing a roadmap for really what needs to be done in terms of addressing this issue of cybersecurity and cybercrime. And I think enough has been said about the inextricable link between the two.
And really what the cybercrime ‑‑ what the Commonwealth initiative, you know, is intended to do is precisely to start off with really helping countries in the implementation of a legal template, that's giving them some foundation in law that will really put them on the road ideally to the Council of Europe Convention.
But really to provide the technical assistance that may be required in really equipping some of these countries with the appropriate technical environments to enable the monitoring, the investigation, the interventions, the ‑‑ that really may be ‑‑ that may be required.
And then at really a third level below that is to help really provide the human capacity that is required to support this.
The Commonwealth is an organization that consists of 54 member countries, but it has little by way of resources as an organization.
So by way of funds or people.
So the Commonwealth in this is really a catalyst for this initiative, and it can only really provide us assistance through partnerships with the number of entities that have the resources and the capacity to address this, such as the Council of Europe, the foundation and partnerships. I'll stop there, and as was mentioned this is the subject of a workshop tomorrow at 11 o'clock and I will be working with you to attend that. Thank you very much.
>> ALEXANDER SEGER: Thank you. Indeed will be an important capacity building initiative. Hopefully adopted soon and launched very soon. And we need ‑‑ we need that and have many more initiatives of that nature.
To summarize and Joe, thank you very much for referring to the discussion paper that we had prepared. I will not go through that now, because you can ‑‑ you can read it on the IGF website. And pleads, also, send me your comments on that, so that we can incorporate all of your views in it.
Roughly we have cybercrime strategies which deal with attacks against computer system, offenses by means of computer systems but they also have to deal with electronic evidence in relation to any crime. These cybercrime strategies would constitute crime prevention and criminal justice which would then go to the common law of human rights. Cybercrime strategies deal with critical infrastructure and other computer systems.
They are aimed at enhancing reliability, resilience, security, trust in ICT and all of that is aimed when you read the strategies at economic, and social and other interests and national security. And at all levels you see there are cross‑links they reinforce each other, a lot of positive overlap between cybercrime and cybersecurity even if some of the aspects from a different rationale and different finality. With that I would like to stop at this level now the discussion or the presentations and invite participants here to ask questions to any of the panelists and also the remote participants if there are any, please ‑‑ first one here.
>> THE PARTICIPANT: Hi. My name is Chris, I'm in the states. It's a shame that the gentleman from the State Department left. I thought his job neatly subpoenas this up. The U.S. Government and many other governments now are encouraging Internet freedom, censorship, circum‑Convention technology. And one of the main things they're funding is anonymity technology such as proxy services and virtual private network services that allow people to view the web anonymously online. These have been used activists to communicate anonymously. At the same time Pakistan just this last month forced all Internet service writers to start blocking these because they're not able to intercept the communications. The FBI in March of this year held out VPN services as a particular issue they wanted to address because these VPN first services are not keeping logs so they say that hackers and criminals are hiding behind them. I'm wondering for the folks on the stage are you finding that VPN services and anonymity services are being pointed out as a net good or a net bad? And how is the desire to encourage freedom around the world clashing with your desire to catch people who are using these services? Thank you.
>> ALEXANDER SEGER: Very good. So there are lots of die lactical perhaps, Zahid.
>> ZAHID JAMIL: Thank you, you mentioned Pakistan, the VPN is a regulation, I saw the press cuttings, but the regulation has been there for awhile, the last two years. It requires basically reporting if somebody is using a VPN. That's not right. I didn't have any part in writing that legislation, that's Telecom legislation. And you're right because it goes against privacies issues. People think of finding a constitutional petition in Court to handle that. Something else which may be interesting, I'd love people to hear this, that because the interior minister said I'm unable to get cooperation from Google and Microsoft and he mentioned another company as well saying if they don't cooperate with me I'm going to make sure that their representatives go to jail and hold them. And this is just the wrong way to handle this, because the reason why they can't cooperate is because that country my country hasn't signed on to the Budapest Convention. If they really want to get cooperation, that's what you do. You go on to the treaty and sign. It gives you the ability. You can't tell somebody outside your country I want your data there's no legal mechanism to do that, but thank you for making that point.
>> ALEXANDER SEGER: Indeed. And hopefully Pakistan will soon adopt also domestic legislation which then is precondition for international cooperation but also cooperation with international private sector partners on that.
Who is next?
>> THE PARTICIPANT: Thanks. I think this is a great panel and I would love to ask questions to other people but my question is going actually to Zahid as well. I have two questions. You shared your experiences when you implemented legislation and you mentioned that you used the Budapest Convention because it was the only one that was available. I was wondering in the end of your presentation you mentioned the Commonwealth model law in 2002 was something developed for Commonwealth countries. So I understand that at least for you there are options, and I was also interested whether ‑‑ we heard great presentations about identity theft, BotNets and other things which are things that have come up recently. I'd like to know if you have looked into legislation that addresses this, that are issues related to the crime which are not addressed in the Convention which is ten years old.
You mentioned no legal framework for international apart from cybercrime. You mentioned this case discussed by the aegis of the Pacific countries ‑‑ sorry of the Commonwealth countries. 80 countries involved in this operation. The Budapest Convention mentioned in the beginning has 30 European countries and the United States so obviously there are countries cooperating outside this framework. I understand because they have bilateral agreements, other frameworks they can use, for example when we consider child pornography and Organized Crime we can use the Organized Crime Convention which has 150 people. Maybe you can explain a little bit why it is impossible to use other instruments of corporation in cybercrime matters.
>> ZAHID JAMIL: Thank you. Yes. The Commonwealth model law is actually a good model but it's not a treaty. The advantage of the model is the model is framed and based upon the Budapest Convention. The specific instructions within the Commonwealth were that it should be mod he would on the Budapest Convention which is what we did. We followed that as a source document. That is not so we ignore any of those because they were already compliant. We went to source. Number one.
Two, remember, the convention is a one principles, doesn't actually dictate language. One.
Two. What it doesn't do is say that this is the maximum. It says it is the minimum because that the the minimum basis on which countries who are treaty members need to cooperate. So if you want to go ahead and add other specific provisions you're most welcome to do that depending on the country. So that capacity is there. With regard to BotNets other provisions in the law provide for that and it's covered in the Convention and it was covered in our legislation. In fact, BotNet attack was covered even before we even followed it in the earliest law, the electronic transaction ordinance. Which is one transaction, so we already covered that way before that seg.
>> MARKKO KUNNAPU: Perhaps also to mention, Estonia had massive attacks in 2007. And they had implemented the Budapest Convention before, but with regard to the level of sanctions there was an issue and then Estonia responded to that by having a specific provision, a new provision on denial of service attacks on this sort of system interference with different levels depending on the impact of such attacks.
>> ALEXANDER SEGER: Bill you have a comment.
>> BILL SMITH: First I wanted to apologize for Alexander, I reread that section of our paper, and it ‑‑ no, no, no, no. Our ‑‑ it was not clear. We actually are supportive of the Budapest Convention. We think more needs to be done, there need to be more signatories to it. That ‑‑ that it is an important framework, basically.
The issue ‑‑ what we were talking about in the MLATs are as an example in the 19th Century from one government you would send a letter up the chain. It would then come across the other side. It would go back down, and months later something might or might not happen.
That ‑‑ that is just ‑‑ we can't deal in that way. The ‑‑ the three‑year investigation with ‑‑ across 80 countries, things like that, that can work that way. And so frameworks and existing MLATs and bilateral agreements can work. The point we need to make is that in addition to those we need to do other things. We need faster responses. As an example distributed denial of service attack, when it hits, you have to be able to respond instantaneously phishing sites, the half‑life of one is 24 hours, if we don't get to the site in the first five we might as well forget it. So he if we're dealing were it a 19th Century MLAT agreement we'll never get anything done.
So it's ‑‑ we have to have lots more cooperation than we currently have. The treaties are good. The bilateral agreements are good. We just need to bring them into the 21st Century.
>> ALEXANDER SEGER: Thank you. And of course, we are hopefully also will have more ratifications very soon. Last week Switzerland ratified and today a decision was made to invite one country from West Africa, that is very important that that region also becomes involved. The decision was made this morning to invite one country from South Africa to join the Budapest Convention. It is not formal. I cannot tell you which one.
>> JAYANTHA FERNANDO: Without repeating what the previous speaker said, in response to the questions that were posed, I'd just like to give my perspective.
You know, various countries are faced with numerous challenges. And in addressing the challenges, they look at minimum standards that they can follow, and that's where we found the Budapest Convention to be interesting model despite the fact it may be several years old but I think the electronic neutral language provides the formula to build up on that template and that is what we did in Sri Lanka. This morning I read in the local paper spies tap legal phones and there is a new Bill discussed for that. So countries have their own problems. The way they deal with it is their problem or how they get away ‑‑ they may have their own home‑grown solutions in the way they get away, but eventually appropriate Checks and Balances I would think the model framework that we get from Budapest is a best example to follow. Thank you.
>> ALEXANDER SEGER: Thank you, Jay. I would like to come back to some ‑‑ I mentioned ‑‑ one second. But just to underline how sensitive the criminal justice process is. It was pointed out if your chain of custody is not clear and you present it in court the case will be dismissed. This is something which technology people don't always understand. It's difficult enough for lawyers. And this is very important, and, therefore, we need to have this rule of law criminal justice angle when today dealing with cybercrime to make sure these sometimes details but decisive details are fully understood.
And that you a question from the Remote Moderator radar.
>> THE MODERATOR: Okay. We have a question from the Caribbean to the communications union, and they are asking ‑‑ they are asking: Is there a specific model for the establishment of C certs particularly in developing countries, a sort of checklist and critical elements recommended approach. The question was directed mainly to Alexander of the Council of Europe. So ‑‑ but any panelist member is free to answer it.
>> ALEXANDER SEGER: Very good. The Council of Europe is not qualified to talk about certs. What we can do and what we cannot do, but friends doing this in Sri Lanka, can you reply to this question.
>> THE PANELIST: If I could have the email from the person who did send that question I would like to elaborate and provide the tools and the information we have in our website and any other documents that we can provide by way of elaboration, but if I may briefly answer? Every country may have its own mechanism of addressing it.
The way Sri Lanka did it was through a hybrid model of private public participation. And what we decided was to create the framework of a national cert. And under that, the gradual process of consultation is resulting in sector‑specific C‑Certs being established.
And in recent times you have also been collaborating closely with the collaborator and sign up to this type of a framework. But because of the need for greater localized collaborative activity we realize that we need to set up a banking C cert. We need to set up a teleC‑Cert and all that is going on, and those become a feeding factor for the national service to function. Some countries may have more of a private sector or a public‑private collaborative framework to run a national cert or may have a purely private sector cert. Some have all sorts of certs to the private sector.
>> ALEXANDER SEGER: Thank you. Sebastian from the Singapore Research Center.
>> THE PANELIST: We are discussing questions of general concept by the Internet users about the security and the crime that goes on in the cyberspace. But I think we are neglecting one issue of the capacity to counter cyber insecurity and cybercrime.
When you are talking about international instruments, when you are talking of local capacity, when we are talking of legislation, how capable law enforcement agencies, especially in the developing world can investigate cyber‑related crime, to easily detect it, to detect and investigate and prosecute it.
I think one of component of the strategies we may need to think about is the component of capacitiability. Thank you.
>> ALEXANDER SEGER: Thank you, and that, I think was the point ‑‑ meant by ‑‑ in the slides by Zahid about the Commonwealth initiative. The other kind of capacity building, but honestly, much, much more needs to be done in terms of capacity building from the training of law enforcement but also Judges and Prosecutors as pointed out to all other elements that we have to date. The problem is that the legal basis is the starting point. I've participated some years ago a fantastic training delivered by Microsoft in Bangkok for forensic investigators for Southeast Asian countries, it's about 5, 6 years ago. It was very interesting. On the fifth day and the last day of the event all the investigators said: This is wonderful. We learned a lot, but it's science‑fiction for us, none of us is a crime in our country. We are not allowed to investigate any of this. This has changed.
(Laughter.)
>> BILL SMITH: Yeah, Bill Smith. It's an excellent point. Actually in our paper for just the U.S. we suggest that, you know, law enforcement needs to be doubled or tripled. We think. At minimum, and even at that they will not be addressing all of the crime.
We point out that for a shoplifting, all right? If you are caught shoplifting, even a small amount of money, you know, goods that are worth a small amount of money, you probably will get prosecuted in some way, shape or form or there will be some deal cut in the United States.
In online theft it has to rise to the level of 25,000 U.S. dollars, 50,000 U.S. dollars, before the agency's will take it on, because there are so many cases.
So in our ‑‑ our belief is that in addition to increasing law enforcement, we also need to ‑‑ as private institutions, continue our efforts, and we actually are providing much of the information to law enforcement when cases are built, because either the ‑‑ the agency's don't have the expertise or we are the person's who detect the crime. Right? So we detect. We investigate what we see. And then turn things over.
So capacity building, absolutely. We need to, as has been said, we need law enforcement, judicial, et cetera.
But we also need to keep the private sector engaged. We'll never be able to turn this over to police the way real world crime is.
>> ALEXANDER SEGER: And the shop lifter would probably have had a mobile phone with him or her, and that will be seized by the police and given to the forensic investigators to prove that this person was at that particular moment when they ... So electronic evidence. It's not cybercrime, it's not a cybersecurity issue, but police officers, forensics investigators have to deal with many, many thousands devices that are dumped on their desk to investigate and analyze and provide the evidence.
Therefore, you need to train all police officers on how to deal with electronic evidence. You need to train all Judges and Prosecutors in the country. The capacity building need is enormous for that.
I had Zahid, and then Andrew.
>> ZAHID JAMIL: Just a very quick point. I think it's important to stress that it shouldn't be just a Flash in the pan. It needs to be institutionalized and it should be on a rolling basis because the attrition rate of people who actually get this training, become expert at this and they move into the private sector or elsewhere or if they're in a developing country move a broad is high. So you really need to invest a lot of money in this area.
>> ALEXANDER SEGER: Andrew?
>> THE PANELIST: Two comments, one is that this highlights, again, the need for a specific cybersecurity plan ‑‑ sorry, a cybercrime plan that's distinct from cybersecurity. Because as you author that cybercrime plan, then you say: How do I actually deal with this from end‑to‑end and what are the resources that I need to apply and where do I need to go and build capacity? That might get lost if you simply say cybercrime's going to be a piece of a cyber strategy.
And the second is that your comment makes me think about the experience at Microsoft, where security is now part of the culture, and every developer thinks about security as they're writing code.
You need to get to the point where security and cybercrime is a part of every ‑‑ is a part of every law enforcement's ‑‑ law enforcement officer's job, and part of that culture. So that they understand that. And to reinforce the point that Alexander was making. You will have specialists, but you also need to have that culture change within the breadth of the organization.
>> THE PANELIST: Also just a quick check, we also think that capacity building is really important. And this is something which also should be addressed in the national cybersecurity strategies, because you not only just plan different kinds of actions, activities, you can also just manage with limited resources. And for example, if you have strategy, if you have different kinds of priorities then these can be taken into account for example later when you've in the state budget planning process, just in order to locate necessary resources.
>> ALEXANDER SEGER: Okay. So resource ‑‑ cybercrime strategies will help you mobilize resources, therefore, it's a good incentive. Over there.
>> THE PARTICIPANT: I'm from Kenya. It's obvious that in Africa we lack the capacity or we need to develop the capacity and it's going to take time to really bring up that capacity. So I'm just wondering, is it possible that more developed sites in Europe and America are able to monitor the African space and the systems even remotely?
>> ALEXANDER SEGER: What do you mean.
>> THE PARTICIPANT: Given in Africa we lack the capacity to address these issues we automatically provide a safe haven for cyber criminals, so is it possible like somebody in Europe could be able to detect such activities and prevent them without necessarily coming to Africa?
>> ALEXANDER SEGER: Well, I'm sure ‑‑ I'm not ‑‑ I'm sure your government will be very unhappy.
(Laughter.
>> ALEXANDER SEGER: If Europeans were starting to do crime control in Kenya or elsewhere for that are matter. I think what we need to do is that the responsibility lies in the country to start with. Right? That is very important. And I'm sure, Andrew, you will support this.
>> THE PARTICIPANT: Or Microsoft will do it.
>> THE PANELIST: No, no, no, no, no, no, Alexander, that was not very nice of the thank you.
Yes. That responsibility does lie within the country, but the Internet is global. And it is ‑‑ there are organizations and companies today that already ‑‑ that already can tell you whether ‑‑ where ‑‑ where the most spam comes in or how many inspected web‑servers are in a specific IP range.
That information exists already.
So spam house or other black‑lists exist where you can go and get that information today.
>> THE PANELIST: Also to Andrew's point. Yes, it's possible to, I won't say monitor, but to ‑‑ we can pinpoint where crime is originating through IP addresses and things like that. But we cannot ‑‑ we can't make the leap and say, well, we're going to go prosecute in a different country. That's why we need the MLATs, the Budapest Convention, et cetera, where, you know, we will ‑‑ we will provide information, but the action needs to be taken locally.
>> THE PANELIST: And this goes back to the point that was made here about you can put the bars and the fences around your house, and you can put all the secured ‑‑ but if there's no penalty for breaking in? (Laugh) ...
And so some of that information exists, but if there are no consequences in the ‑‑ in the local geography ...
>> ALEXANDER SEGER: We have four more questions. One ‑‑ was it 1 or 2 questions? One question. Two questions.
Okay. Please, go ahead.
>> THE PARTICIPANT: Mine is not a question it's a comment. I work for an ITC security solutions provider in Kenya, and I have been in security for the last 11 years. I wanted to support what Andrew and Zahid were talking about with regard to capacity building. The biggest problem that we see in this market is the lack of awareness. And at the point people consider security in their organizations.
People are very fast to enable, but take ‑‑ it takes an incident for them to consider security as an issue.
And that's the biggest problem we see.
So if IGF can help in building awareness and ‑‑ people consider in security, it would help. And you find for example one country in the region has a central bank which is very proactive. Sent truly bank has given a regulation that by next year all financial institutions must have a forensic department.
All financial institutions are implementing forensic departments, but the biggest challenging we're facing is now the courts and the Prosecutors don't understand what that is. They investigate cases, take them there, they are just thrown out. So it's a big problem.
>> ALEXANDER SEGER: And the legal basis and then to have everybody along the criminal justice chain involved and trained to deliver. I think regarding awareness we shall all be grateful to Estonia for having been attacked in 2007.
(Laughter).
>> ALEXANDER SEGER: I think that was awake‑up call for many, many governments and that you see a lot of change after that happening in terms of cybersecurity strategies, in terms of cybercrime measures also but it would be much better to have a systemic approach like in Sri Lanka rather than waiting for another attack to happen. Your colleague had another question.
>> THE PARTICIPANT: Thank you. I would like to ask a question. First of all thanking the panelists for this clear distinction between cybersecurity and cybercrime. But I would like to hear a little bit about the preventive measures to take, because cybercrime, most of the time we look at it as reactive measures to react against an offense and so on.
But what are the preventive measures that can be taken?
In terms of awareness, for example, of end‑users, no more users, or other measures that can be taken.
And I would like also to ask if there are global collaboration mechanism that developing countries also can use to ‑‑ although it's not very mature, some legislation are not in place, need to be done, but what collaboration mechanism that's some of the countries that want to benefit can tap on and be able to use? Thank you.
>> THE PANELIST: Just a few comments. As comes to prevention on individual levels, and actually every individual can just join the cybercrime prevention process.
If they just update their computer software, download all the necessary patches in order to be updated. If necessary they should also use anti‑ware, there are a lot of tools which are completely free. This comes to business level or governmental level then governmental level definitely should be early warning and detection system that ‑‑ for example if governmental institutions see that something strange is going on in the cyberspace, for example, if they see that there's some sort of attack against web‑server, website then they could just notify the owners of the website and start ‑‑ join forces to fight these attacks.
As comes to let's say different preventive measures, then it's very technical but you can just increase the band‑width for Internet connection. You may have back‑up servers, you may have parallel Internet connections. So ‑‑ and these are the general preventive measures but still even if you have let's say two back‑up servers, both of them just could be damaged, and then the same applies if you have, say, parallel connections, you have to for seeable see action plans if something like that happens then what are your measures in order to mitigate possible consequences.
>> ALEXANDER SEGER: I think on the other question you could also approach the Commonwealth or Zahid and myself and we can tell you how to link up with the different initiatives that are underway.
We had one question here. The second last question.
>> THE PARTICIPANT: I am from South Africa, I would like to congratulate you for a very interesting discussion. Having said that, my question is very simple. Zahid mentioned that it is necessary to have a global instrument combat cybercrime, if I good detective you correctly.
I would like to know what are the views of the other panelists on that.
>> BILL SMITH: This is Bill Smith. We support that as well, I think, having ‑‑ if I understand the question correctly if we would like to see more countries signing on to the Budapest Convention.
We think there are some problems with it that will prevent certain nations from ‑‑ from becoming signatories. We would like to see those issues overcome. But we encourage it.
The ‑‑ the ‑‑ it is essential that there be cooperation around the world, because the nature of the crime ‑‑ it is transnational. So there has to be agreement if we're going to make significant improvement.
>> THE PANELIST: We, too, agree with that idea of global instrument. But in the area of criminal justice, it's so difficult to reach conclusion from an international perspective. And that's a decision I want to give. So let's without reinventing the wheel and from our perspective even we were discussing this in Pakistan and others from a regional perspectives we are looking at templates and frameworks which are available, which can meet international global best practices and norms. Thanks.
>> ALEXANDER SEGER: Thank you, South Africa participated in the Budapest Convention and hopefully there will be ratification in the near future.
Okay, there was one more question. Don't disappear. The question can still be asked.
>> MARKKO KUNNAPU: Budapest Convention, right now this is the only legally binding instrument. And as comes to the attacks against Estonia and information systems in 200 SEV then I can just give you a practical example. During that time we asked information from different countries and there was actually one country who refused to provide information to us, and they explained that they had no legal obligation to do that.
>> ALEXANDER SEGER: Okay. There was one more question.
>> THE PANELIST: Sorry, Alexander, I had a slight variation on that answer, and that is, that I agree that you need a global ‑‑ you need global interoperability. I don't know that there's a single framework that's going to work, but you need interoperability and you need dual criminality if you want to prosecute. And you need a framework for collaboration, if you want to ‑‑ if you want to prosecute cybercrime that happened in your geography but originated somewhere else.
>> ALEXANDER SEGER: Okay. Last but not least. Is the person still here? Yeah. Yes.
>> THE PARTICIPANT: Hello. Thank you very much for that to the panel.
I found a computer agency based in Nairobi. This you are talking about I think basically what we need to check first is the technicality. What our colleague, friend said from Microsoft. I think we need to look at the technical aspect first. Like those who develop the software. There should be the security part which prevent even the breaking into ‑‑ to have criminal activities on the cyber, that is what should be dealt with first. Then we go into, like we can enhance the networks which can be checking, and allotting the respective modules which can be like tsunami detectors, detect before the tsunami comes. We need to detect something like sniffers which detects the crime before it is taking place.
And I think when you mention about the capacity building to respective governments, you are doing capacity building to respective governments, and mainly I think it should be on either side, both sides, it should go to non‑governmental organizations to ‑‑ because the government cannot operational loan. It must operate through the organizations so that they work together.
Then we are in a global village. So when we want to make the policies we should work on these policies as we are in same village, and we want to make it ‑‑ let us not say that the other village is better than this village. Why don't we just make all the villages to be equal. Then we enjoy being in them. Thank you.
>> ALEXANDER SEGER: Thank you. This is very ‑‑ an excellent concluding remark for the whole workshop, capacity building stoke holder should cover everybody and we should all consider ourselves in the same village, and we should also be reasonable and we can all be reasonable as long as politics doesn't interfere. That's the problem. Very often. I think technical and practical solutions are there. It's now a question of making sure they are implemented and let's keep the political issues a bit outside, and deliver practical results and make an impact.
With that, thank you to all for bearing with us this afternoon. And an applause for the panel.
(Applause.)
>> ALEXANDER SEGER: And if you have any comments on the discussion paper, send them to me. I will make sure to reflect them.
(Session concluded 8:15 AM CT.)
********