SPYWARE, TROJANS, KEYLOGGERS, and other types of malware are proliferating so fast on the Internet that they are starting to threaten the machinery of government, financial systems, and critical infrastructure. Cybercriminals can defy law enforcement efforts because they bridge so many jurisdictions and countries, and because they can easily conceal their identities and locations.
For instance, a person in Russia with a doctorate in computer science will write new malware, upload it to a server in China, and either sell it to criminals or use it to raid targets in the United States. These programs are written so skillfully and mutate so quickly that law enforcement and commercial Internet security providers struggle to keep up.
The problem is so severe that international cooperation between law enforcement agencies, prosecutors, and the private sector is needed to stem the onslaught, says a report from the Organization for Economic Co-operation and Development (OECD), the Paris-based international organization that advises developed countries.
“Current response and mitigation are mainly reactive,” says the report. Another problem, it says, is that law enforcement is providing “a fragmented local response to a global threat.”
Among the OECD’s suggestions are the creation of an international malware partnership to develop policy and share best practices; blacklisting of vulnerable Internet Service Providers (ISPs) to force them to invest in better security; and getting governments to use their IT purchasing power to make suppliers improve Internet security.
Among those already taking a tougher stand against cybercrime are the European Union, the United States, members of Asia Pacific Economic Cooperation (APEC), which has 21 member states, and Latin American governments.
But legal experts say it may be hard to achieve meaningful cooperation. “We need some definitions about what makes a really serious crime,” says Henrik Spang-Hanssen, visiting scholar in commercial and business law at the University of Vienna. Previous attempts to establish a global standard, such as the Council of Europe’s convention on cybercrime, have come to little because governments diverge so widely on their approach to crime. The United States has ratified the convention, but Germany, Italy, and the United Kingdom have not.
The existing ad hoc global network of Computer Emergency Response Teams could form the basis for closer and better ties between law enforcement agencies, says Anne Carblanc, one of the report’s co-authors. This would help improve intelligence-sharing, encourage joint investigations, and develop common evidentiary standards.
Another of the OECD’s suggestions is to establish common software security standards for government procurement agencies. This would motivate developers to improve the quality of their products. “These are specifications and requirements that can foster innovation in software to include security from the beginning and not as an afterthought,” says Carblanc.
This is a fine idea in principle, but NATO has already established widely adopted standards for military, government, and civilian use, says James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies (CSIS), in Washington, D.C. Lewis says OECD should consider adopting NATO’s Common Criteria, which have been built up over 20 years, have a network of certified laboratories, and have a series of ISO standards.
International rules and standards can be developed without expending a lot of resources or bureaucracy, says Carblanc. The model is to have a multi-stakeholder process in which international codes of practice would evolve spontaneously under the guidance of a body such as the OECD. “There will never be a fully standardized or homogenized world, but more commonalities can always be fostered,” she says.