International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e...
Transcript of International Cooperation in Cybercrime InvestigationsOAS Regional Cyber Crime Workshop, April 2007e...
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
International International Cooperation inCooperation in
Cybercrime Cybercrime InvestigationsInvestigations
Albert Rees Albert Rees Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property SectionCriminal Division, U.S. Department of JusticeCriminal Division, U.S. Department of Justice
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 2
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
A Criminal A Criminal Intrudes into Intrudes into
a Bank in a Bank in BangkokBangkok
Thai investigators discover attack came Thai investigators discover attack came from computer in Buenos Airesfrom computer in Buenos Aires
Argentinean Argentinean investigators investigators
discover attack discover attack came from came from BucharestBucharest
Romanian agents discover attack came Romanian agents discover attack came from Vancouverfrom Vancouver
Canadian Canadian agents agents make the make the arrestarrest
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 3
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
The Challenges ofThe Challenges ofInternational Cybercrime International Cybercrime
InvestigationsInvestigations• Countries must:
– Enact laws to criminalize computer abusescriminalize computer abuses
– Commit adequate personnel and resourcespersonnel and resources
– Improve abilities to locate and identifylocate and identify criminals
– Improve abilities to collect and share evidence collect and share evidence internationallyinternationally
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 4
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
CHALLENGE:CHALLENGE:
Enacting Laws toEnacting Laws toCriminalize Computer AbusesCriminalize Computer Abuses
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 5
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
The Need to Make Attacks onThe Need to Make Attacks onComputer Networks a CrimeComputer Networks a Crime
• “Dual Criminality” usually necessary for two countries to cooperate on a particular criminal matter
• Dual Criminality forms the basis for:– Extradition treaties– Mutual Legal Assistance Treaties
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 6
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Overcoming theOvercoming theDual Criminality DivideDual Criminality Divide
• Countries must agree on what to criminalize – OAS Cybersecurity Strategy– UN General Assembly Resolution 55/63
• Effort to do so: Cybercrime Convention– A baseline for substantive law
• Countries must amend their laws to implement
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 7
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
CHALLENGE:CHALLENGE:
Committing Adequate Personnel and Committing Adequate Personnel and ResourcesResources
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 8
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Law Enforcement NeedsLaw Enforcement Needs
• Experts dedicated to high-tech crime• Experts available 24 hours a day• Continuous training• Continuously updated equipment
– no longer a “flashlight and a gun”
•• Each countryEach country needs this expertise
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 9
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Solutions Are Not Always EasySolutions Are Not Always Easy
• Cyber security strategy must be formulated
• Difficult budget issues arise (even in the US)
• Requires commitment from senior officials
• Cooperation with the private sector can help
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 10
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
CHALLENGE:CHALLENGE:
Improve Ability to Locate and Identify Improve Ability to Locate and Identify CriminalsCriminals
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 11
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
The Problem of Locating and The Problem of Locating and Identifying CriminalsIdentifying Criminals
• Primary investigative step is to locate source of the attack or communication
–– WhatWhat occurred may be relatively easy to discover–– IdentifyingIdentifying the person responsible is very difficult
• Applies to hacking crimes as well as other crimes facilitated by computer networks
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 12
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Tracing a Communication Tracing a Communication
• Only 2 ways to trace a communication:
1. While it is actually occurring2. Using data stored by communications providers
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 13
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Tracing a Communication Tracing a Communication
• Infrastructure must generate traffic data
• Carriers must keep sufficient data to allow tracing
• Laws and procedures must allow for timely access by law enforcement that does not alert customer
• Information must be shared quickly
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 14
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Solving the Tracing Dilemma I: Solving the Tracing Dilemma I: Traffic DataTraffic Data
• Countries should encourage providers to generate and retain critical traffic data
• Law enforcement’s ability to identify criminals is enhanced by access to traffic data– Countries have taken different approaches to
balancing this need against other societal concerns – Industry will have views about appropriate retention
periods
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 15
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Solving the Tracing Dilemma II: Solving the Tracing Dilemma II: Law Enforcement AccessLaw Enforcement Access
• Legal systems must give law enforcement authority to access traffic data– For example: access to stored log files and to traffic
information in real-time
•• Preservation of evidence by law enforcementPreservation of evidence by law enforcement– Critical because international legal assistance
procedures are slow– Must be possible without “dual criminality”– Convention on Cybercrime, Article 29
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 16
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Solving the Tracing Dilemma III: Solving the Tracing Dilemma III: Sharing EvidenceSharing Evidence
• Countries must improve their ability to share data quicklyquickly
• If not done quickly, the electronic “trail” will disappear– Most cooperation mechanisms take months (or
years!), not minutes– Convention on Cybercrime, Article 30: expedited
disclosure of traffic data
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 17
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Solving the Tracing Dilemma III: Solving the Tracing Dilemma III: Sharing EvidenceSharing Evidence
• When law enforcement gets a request, it should be able to:
1. Preserve all domestic traffic data2. Notify the requesting country if the trace leads
back to a third country3. Provide sufficient data to the requesting country to
allow it to request assistance from the third country
• Countries must be able to do this for each other quickly, and on a 24/7 basis
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 18
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
GG--8 24/7 High Tech Crime Network8 24/7 High Tech Crime Network
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 19
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
CHALLENGE:CHALLENGE:
Improve Abilities to Collect and Share Improve Abilities to Collect and Share Evidence InternationallyEvidence Internationally
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 20
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Collecting and Sharing EvidenceCollecting and Sharing Evidence
• Will evidence collected in one country be admissible in another country’s courts?
• Potential for evidentiary problems– Collection of digital evidence– Tracing electronic communications across the globe– Computer forensics
• Current mutual legal assistance treaties may not accommodate electronic evidence
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 21
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Solutions for Collecting and Solutions for Collecting and Sharing Evidence Sharing Evidence
• Convention on Cybercrime – Acts as a Mutual Legal Assistance Treaty where
countries do not have one– Parties agree to provide assistance to other
countries to obtain and disclose electronic evidence
• Developing international technical standards– International Organization for Computer Evidence
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 22
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Unilateral Evidence Collection Unilateral Evidence Collection
• Publicly available information
• Obtaining electronic evidence with consent of owner– G-8 and Council of Europe acceptance
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 23
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Informal Cooperative MeasuresInformal Cooperative Measures
• Investigator to investigator
• Advantage: fast
• Disadvantages: – Frequent domestic legal restrictions on
providing assistance– May be difficult to locate an investigator who
can and will provide assistance
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 24
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
Other Cooperative MeasuresOther Cooperative Measures
• Joint investigation
• Some US points of contact in your country– FBI Legal Attaché (LEGATT), an FBI agent– Department of Justice Legal Attaché, a prosecutor– Immigration & Customs Enforcement (ICE)– Secret Service (USSS)
• INTERPOL and similar organizations
OAS Regional Cyber Crime Workshop, April 2007OAS Regional Cyber Crime Workshop, April 2007 25
Computer Crime & Intellectual Property SectionComputer Crime & Intellectual Property Section
FOR MORE INFORMATIONFOR MORE INFORMATION
Albert Rees
+1 (202) 514-1026