
I'm just back from the 1st INTERPOL NCRP Cybercrime Training Workshop and International Symposium on Cybercrime Response 2012, held in Seoul, South Korea. The joint INTERPOL and Korea National Police (KNP) conference was hosted by the KNP Cyber Terror Response Center (CTRC).

ICSR 2012 Agenda

The first day was a look at Law Enforcement (LE) communication networks, including INTERPOL, the G8 24/7 High Tech Crime Network [1], and even more informal communication channels. The overall consensus seems to be that the more formal networks are too slow to meet the requirements of international cybercrime investigation requests. This appears to be partly a limitation of the efficiency of the networks themselves, and partly of the ability of receiving countries to process the requests, whether because of resource constraints or because the requested country lacks laws (or has none at all) that allow it to act on the investigation request.

It was determined that informal channels of LE communication are currently more effective since they bypass international bureaucracy. These channels appeared to be created mostly by networking (conferences, etc.), and luck.

There essentially seemed to be three camps: Formal communication networks like INTERPOL and G8 24/7, less formal networks created via bilateral agreements, and LE social networks (p2p). Each camp had success stories, and I know each has had failures.

The question is, how can the situation be improved? Criminal communication networks at an international level work much more efficiently than law enforcement networks. There are many reasons why, but what can be done?

The issue of trust in LE communication was brought up, where if you are requesting information or cooperation the person with whom you are communicating should be more than just a name on a list. This is an interesting point to me. If LE is given a list of contact points per country from a formal communication network, do they question the contact point? I think they would automatically trust the contact point via the reputation of the network referring them, even without meeting the contact personally. The issue comes when these contacts are slow or fail to respond to requests from the network. Trust, then, comes from showing you are reliable when something is requested, whether or not you physically meet the contact representative.

Another interesting point was the concept of "exercising" your team(s) in international request response. In effect, LE creates an incident response (IR) plan for international requests. Incident response is a huge topic in network security. If you read this article, for example, it is geared (at a high level) towards setting up an incident response plan. Each of the tips, however, could be directly transposed into international LE response. The point raised, exercising your team, would be the final requirement: testing. Unfortunately, this is the phase that is most often neglected, usually due to lack of time and resources. In the case of LE, especially at an international level, it would be difficult to coordinate, and perhaps even to justify, the time needed just to test communication channels when no real request is pending.

The topic of international LE communication came down to looking at a few different questions (and I added a few): What exactly is the problem, and has a solution been identified? What type of information is needed? Who has legal authority? Have international procedures been established? Are all concerned bodies part of the procedure and willing to cooperate? How do we test the procedure? How do we measure success? Who is responsible for updates?

These questions are not exactly easy to answer, even within a single organization, and working with multiple organizations in multiple jurisdictions to find answers to them is even more difficult and time consuming. In my opinion, this is where providers of formal networks should be filling in the gaps. I should not expect my local investigators to create their own international networks, and unless this process is centralized, different procedures will be created, incomplete networks will be formed, and there will be much duplication of effort.

The rest of the conference further discussed communication and law, examined current threats, and some gave case studies (success stories) involving international communication and collaboration between international law enforcement, private sector and sometimes academia.

Overall the conference is directed at practitioners. It did not get very technical or theoretical, and could probably be understood by anyone regardless of their familiarity with cybercrime. Some cybercrime damage estimates were given, although how to measure such damage accurately is a problem that was not addressed. The estimates looked impressively dramatic, but it felt like the stats from different presentations did not relate to each other well.

Similarly, definitions used in each presentation were quite different for the same terminology. The group was composed of people from many different countries, all practitioners, but a lack of consistency in the use (and scope) of terms was an obvious communication problem, even for terms as general as "cybercrime". Sometimes nonstandard term usage made it difficult for me to know exactly what the speaker really meant. This made me realize that even in the same area of cybercrime investigation, we are speaking different languages. How do we expect to be able to communicate at a practical level when it is so difficult to accurately communicate our needs in a way that can be understood by everyone in the area?

Many case studies were given by law enforcement that dealt with international communication, but other than "we need more / better communication" I really did not see any actionable solution proposed beyond ad-hoc cooperation. From these great case studies and information from the private sector, I was still left with a feeling of where do we start?

Overall, I found the conference to be interesting. Topics were mostly on communication, but, unfortunately, with few actionable items discussed. Case studies are useful for understanding problems and potential solutions. Some slightly more technical presentations outlined how technologies could potentially be used to help law enforcement's current situation when dealing with cybercrime. The (potentially) most useful benefit of the conference, however, was the contacts made. There was not enough time to talk to everyone as much as I would have liked, but there appears to be potential in the group to help drive effective law enforcement communication on a global scale.

Image: FreeDigitalPhotos.net

[1] The G8 24/7 High Tech Crime Network (HTCN) is an informal network that provides around-the-clock, high-tech expert contact points. Source: IT Law Wiki.