International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e...

25
Computer Crime & Intellectual Property Section Computer Crime & Intellectual Property Section International International Cooperation in Cooperation in Cybercrime Cybercrime Investigations Investigations Albert Rees Albert Rees Computer Crime & Intellectual Property Section Computer Crime & Intellectual Property Section Criminal Division, U.S. Department of Justice Criminal Division, U.S. Department of Justice

Transcript of International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e...

Page 1: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

International International Cooperation inCooperation in

Cybercrime Cybercrime InvestigationsInvestigations

Albert Rees Albert Rees Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property SectionCriminal Division, U.S. Department of JusticeCriminal Division, U.S. Department of Justice

Page 2: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 2

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

A Criminal A Criminal Intrudes into Intrudes into

a Bank in a Bank in BangkokBangkok

Thai investigators discover attack came Thai investigators discover attack came from computer in Buenos Airesfrom computer in Buenos Aires

Argentinean Argentinean investigators investigators

discover attack discover attack came from came from BucharestBucharest

Romanian agents discover attack came Romanian agents discover attack came from Vancouverfrom Vancouver

Canadian Canadian agents agents make the make the arrestarrest

Page 3: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 3

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

The Challenges ofThe Challenges ofInternational Cybercrime International Cybercrime

InvestigationsInvestigations• Countries must:

– Enact laws to criminalize computer abusescriminalize computer abuses

– Commit adequate personnel and resourcespersonnel and resources

– Improve abilities to locate and identifylocate and identify criminals

– Improve abilities to collect and share evidence collect and share evidence internationallyinternationally

Page 4: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 4

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

CHALLENGE:CHALLENGE:

Enacting Laws toEnacting Laws toCriminalize Computer AbusesCriminalize Computer Abuses

Page 5: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 5

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

The Need to Make Attacks onThe Need to Make Attacks onComputer Networks a CrimeComputer Networks a Crime

• “Dual Criminality” usually necessary for two countries to cooperate on a particular criminal matter

• Dual Criminality forms the basis for:– Extradition treaties– Mutual Legal Assistance Treaties

Page 6: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 6

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Overcoming theOvercoming theDual Criminality DivideDual Criminality Divide

• Countries must agree on what to criminalize – OAS Cybersecurity Strategy– UN General Assembly Resolution 55/63

• Effort to do so: Cybercrime Convention– A baseline for substantive law

• Countries must amend their laws to implement

Page 7: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 7

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

CHALLENGE:CHALLENGE:

Committing Adequate Personnel and Committing Adequate Personnel and ResourcesResources

Page 8: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 8

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Law Enforcement NeedsLaw Enforcement Needs

• Experts dedicated to high-tech crime• Experts available 24 hours a day• Continuous training• Continuously updated equipment

– no longer a “flashlight and a gun”

•• Each countryEach country needs this expertise

Page 9: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 9

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Solutions Are Not Always EasySolutions Are Not Always Easy

• Cyber security strategy must be formulated

• Difficult budget issues arise (even in the US)

• Requires commitment from senior officials

• Cooperation with the private sector can help

Page 10: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 10

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

CHALLENGE:CHALLENGE:

Improve Ability to Locate and Identify Improve Ability to Locate and Identify CriminalsCriminals

Page 11: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 11

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

The Problem of Locating and The Problem of Locating and Identifying CriminalsIdentifying Criminals

• Primary investigative step is to locate source of the attack or communication

–– WhatWhat occurred may be relatively easy to discover–– IdentifyingIdentifying the person responsible is very difficult

• Applies to hacking crimes as well as other crimes facilitated by computer networks

Page 12: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 12

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Tracing a Communication Tracing a Communication

• Only 2 ways to trace a communication:

1. While it is actually occurring2. Using data stored by communications providers

Page 13: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 13

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Tracing a Communication Tracing a Communication

• Infrastructure must generate traffic data

• Carriers must keep sufficient data to allow tracing

• Laws and procedures must allow for timely access by law enforcement that does not alert customer

• Information must be shared quickly

Page 14: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 14

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Solving the Tracing Dilemma I: Solving the Tracing Dilemma I: Traffic DataTraffic Data

• Countries should encourage providers to generate and retain critical traffic data

• Law enforcement’s ability to identify criminals is enhanced by access to traffic data– Countries have taken different approaches to

balancing this need against other societal concerns – Industry will have views about appropriate retention

periods

Page 15: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 15

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Solving the Tracing Dilemma II: Solving the Tracing Dilemma II: Law Enforcement AccessLaw Enforcement Access

• Legal systems must give law enforcement authority to access traffic data– For example: access to stored log files and to traffic

information in real-time

•• Preservation of evidence by law enforcementPreservation of evidence by law enforcement– Critical because international legal assistance

procedures are slow– Must be possible without “dual criminality”– Convention on Cybercrime, Article 29

Page 16: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 16

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Solving the Tracing Dilemma III: Solving the Tracing Dilemma III: Sharing EvidenceSharing Evidence

• Countries must improve their ability to share data quicklyquickly

• If not done quickly, the electronic “trail” will disappear– Most cooperation mechanisms take months (or

years!), not minutes– Convention on Cybercrime, Article 30: expedited

disclosure of traffic data

Page 17: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 17

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Solving the Tracing Dilemma III: Solving the Tracing Dilemma III: Sharing EvidenceSharing Evidence

• When law enforcement gets a request, it should be able to:

1. Preserve all domestic traffic data2. Notify the requesting country if the trace leads

back to a third country3. Provide sufficient data to the requesting country to

allow it to request assistance from the third country

• Countries must be able to do this for each other quickly, and on a 24/7 basis

Page 18: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 18

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

GG--8 24/7 High Tech Crime Network8 24/7 High Tech Crime Network

Page 19: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 19

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

CHALLENGE:CHALLENGE:

Improve Abilities to Collect and Share Improve Abilities to Collect and Share Evidence InternationallyEvidence Internationally

Page 20: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 20

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Collecting and Sharing EvidenceCollecting and Sharing Evidence

• Will evidence collected in one country be admissible in another country’s courts?

• Potential for evidentiary problems– Collection of digital evidence– Tracing electronic communications across the globe– Computer forensics

• Current mutual legal assistance treaties may not accommodate electronic evidence

Page 21: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 21

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Solutions for Collecting and Solutions for Collecting and Sharing Evidence Sharing Evidence

• Convention on Cybercrime – Acts as a Mutual Legal Assistance Treaty where

countries do not have one– Parties agree to provide assistance to other

countries to obtain and disclose electronic evidence

• Developing international technical standards– International Organization for Computer Evidence

Page 22: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 22

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Unilateral Evidence Collection Unilateral Evidence Collection

• Publicly available information

• Obtaining electronic evidence with consent of owner– G-8 and Council of Europe acceptance

Page 23: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 23

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Informal Cooperative MeasuresInformal Cooperative Measures

• Investigator to investigator

• Advantage: fast

• Disadvantages: – Frequent domestic legal restrictions on

providing assistance– May be difficult to locate an investigator who

can and will provide assistance

Page 24: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 24

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

Other Cooperative MeasuresOther Cooperative Measures

• Joint investigation

• Some US points of contact in your country– FBI Legal Attaché (LEGATT), an FBI agent– Department of Justice Legal Attaché, a prosecutor– Immigration & Customs Enforcement (ICE)– Secret Service (USSS)

• INTERPOL and similar organizations

Page 25: International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e Workshop, April 2007 9 Computer Crime & Intellectual Property Section Solutions

OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 25

Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section

FOR MORE INFORMATIONFOR MORE INFORMATION

Albert Rees

+1 (202) 514-1026

[email protected]