IT industry core to global e-crime battle

Criminal gangs from Russia, Ukraine and Romania are making millions from cybercrime

Written by Tom Young

Earlier this month, Russian authorities jailed three criminals who used distributed denial-of-service (DDoS) attacks to blackmail online businesses.

Ivan Maksakov, Alexander Petrov and Denis Stepanov were each sentenced to eight years for extorting more than £2m from UK-based online casinos alone, after threatening to hit sites with huge volumes of internet traffic that would result in lost custom.

According to prosecutors, the gang made more than 50 similar attacks in 30 countries in their six-month spree.

One firm, Canbet Sports Bookmakers, which refused to pay a £5,000 ransom, had its web site taken out of action by the hackers, costing £100,000 in lost business for its day of downtime.

At the time of the attacks, the National Hi-Tech Crime Unit (NHTCU) was still in existence, and passed information to Russian authorities to prosecute the criminals in a rare example of successful international co-operation on cyber crime.

But this high-profile example is the tip of the iceberg, says FBI supervisory special agent Mike Eubanks. He estimates that fewer than five per cent of international e-criminals are caught.

Eubanks, who works in the FBI’s Cyber Initiative and Resource Fusion Unit, says international cyber crime is a particularly difficult problem.

‘Each year in the US, $70bn (£37bn) is lost to cyber fraud, and the problem is getting bigger,’ he said. ‘Many of the criminals come from Russia, Ukraine and Romania. These people are specialists in malcode, as well as in covering their tracks. They communicate through email and chat forums.’

Eubanks says collecting evidence is also problematic.

‘In a computer crime the data is stale within weeks, and the evidence is in many different areas – personal PCs, corporate databases, all over the world – which makes it particularly difficult,’ he said. ‘The IT industry needs to work with law enforcement, and use it as a selling point.

‘The industry can look to see if it is experiencing crime that police are seeing, and vice versa. We need to put together a network that facilitates the sharing of data to analyse global trends.’

But this solution is a long way off, according to other law enforcers and industry experts.

David Aucsmith, senior director of the Microsoft Institute for Advanced Technology in Governments, says industry knowledge is not being used enough.

‘Co-operation is very important because industry is in a better position to know about crime than the police, and tends to have the expertise,’ he said.

‘Things are getting better, but reporting cyber crime globally is a confused mess. Companies often don’t know who to go to. There is always a contact, but finding that person is often difficult, and international co-operation needs to improve.’

Eric Freyssinet, cyber crime projects co-ordinator for the French Gendarmerie, agrees.

‘At the moment it is very difficult to exchange information between countries. And general victim companies are not ready to launch complaints about cyber attacks, which makes it very difficult to gather evidence,’ he said.

‘Only a few countries have ratified the cyber crime convention. But the level of international co-operation has become much better in the past two years. The EU is a very positive thing for us, and we have a clearing house for spam to exchange information with international ISPs and the public, which is the beginning of the co-operation process.’

Some 43 countries, including the US, have ratified the International Convention on Cybercrime. The UK has yet to ratify the document fully, which requires the implementation of the convention’s principles into national laws, although most already exist under UK law.

The convention is the only legally binding instrument that addresses computer-related crime specifically. It also aims to improve co-operation between different countries.

Andreas Mitrakas, legal adviser for the European Network and Information Security Agency (Enisa), says the convention could go further.

‘The convention makes significant steps towards defining crimes related to computer systems, but it does not require companies to retain data or modify their systems to facilitate interception,’ he said.

Some countries have already begun the recommended data retention schemes, but at the moment it is not clear if service providers have to retain all data or only that which does not infringe on privacy laws.

Sceptics believe that for the convention to be a deterrent, more states will have to sign up and abide by its mandates.

Simon Perry, member of Enisa’s Permanent Stakeholders Group, says that ‘problem countries’ have yet to sign up.

‘The failure to get international adoption of the laws allows the offshoring of the undesirable process,’ he said.

‘One of the best examples of this is the US Can-Spam Act: after that legislation was passed, the spammers simply routed their traffic through a portal in a different country.’

Requirements of the cyber crime convention

The convention requires signatories to:

* Define criminal offences and sanctions under domestic laws for four categories of computer-related crime: fraud and forgery, child pornography, copyright infringements and security breaches such as hacking.

* Establish domestic procedures for detecting, investigating and prosecuting computer crimes, and collecting electronic evidence of any criminal offence.

* Establish a rapid and effective system for international co-operation. The convention deems cyber crimes to be extraditable offences, and permits law enforcement authorities in one country to collect computer-based evidence for those in another. It also calls for the establishment of a 24-hour contact network to provide immediate assistance with cross-border investigations.
