Tuesday, June 22, 2010

Tackling the Problem of Cyber Crime

The Australian Parliament has released "Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime". The report does not take into account Internet and security functions already in place in government. The report recommends assigning existing functions to agencies which do not have experience while ignoring those with expertise and a role assigned by existing legislation.

The major recommendation of the report is to establish an "Office of Online Security" in the Department of Prime Minister and Cabinet. It is not clear how this role would differ from the Internet security related bodies already formed, or why it should be in the Prime Minister's department rather than one of the agencies which has expertise in Internet security.

The report also recommends the Australian Communications and Media Authority detect malware compromised computers. It is not clear why ACMA is recommended for this role, over agencies which have expertise in Internet security. The report further recommends ACMA support emergency response functions of government, although this function is already assigned to the Department of Defence in the Telecommunications Act.

The 294 page report is available in PDF, as one 4204Kb file and as separate chapters. An HTML version is "coming soon".

List of recommendations

3 Research and Data Collection

Recommendation 1

That the Australian Government nominate an appropriate agency(s) to:

  • conduct a stock take of current sources of data and research on cyber crime;
  • develop clear national definitions and procedures for the collection of data on cyber crime; and
  • negotiate clear agreements between government agencies and industry on the sharing and protection of information for research purposes.

Recommendation 2

That the Australian Government nominate an appropriate agency(s) to collect and analyse data, and to publish an annual or bi-annual report on cyber crime in Australia.

5 Domestic and International Coordination

Recommendation 3

That the Australian Government establish an Office of Online Security headed by a Cyber Security Coordinator with expertise in cyber crime and e-security located in the Department of Prime Minister and Cabinet, with responsibility for whole of Government coordination. The Office is to take a national perspective and work with State and Territory governments, as well as federal regulators, departments, industry and consumers.

That the Australian Government establish a National Cyber Crime Advisory Committee with representation from both the public and private sector to provide expert advice to Government.

Recommendation 4

That the Australian Government, in consultation with the State and Territory governments and key IT, banking and other industry and consumer stakeholders, develop a national online cyber crime reporting facility geared toward consumers and small and medium sized businesses. This model should include the following features:

  • a single portal for standardised online receipt of cyber crime reports across a wide range of cyber crime types (e.g. malware, spam, phishing, scams, identity theft and fraud);
  • a 24/7 reporting and helpline;
  • no financial minimum to be applied to cyber crime reports;
  • systematic data collection that allows data to be aggregated;
  • referral to appropriate authorities and cooperation on the disruption of cyber crime and targeted prosecutions;
  • free access to scanning software to detect malware;
  • public information about cyber crime types and preventative measures to increase online personal security;
  • e-security alerts tailored to the needs of ordinary consumers and small and medium sized businesses; and
  • analysis of cyber crime methodologies and trends or cooperation with another body to perform that analysis.

Recommendation 5

That the Federal, State and Territory police forces establish an E Crime Managers Group to facilitate the sharing of information and cross jurisdiction cooperation.

Recommendation 6

That the Australian Government, in consultation with the State and Territory governments, industry and consumer organisations, develop a national law enforcement training facility for the investigation of cyber crime.

Recommendation 7

That the Australian Government consult with major IT security vendors, academia and key industry stakeholders to develop:

  • options for establishing a coordinated public-private capacity to provide real time operational information on a wider range of cyber crime types that impact on Australian consumers;
  • an ‘intelligence hub’ that facilitates information sharing within and across industry sectors and provides:
    • longer term analysis on cyber crime methodologies across a range of cyber crime types;
    • education on the preservation of digital evidence; and
    • support to law enforcement agencies for targeted prosecutions in Australia and overseas.

6 Criminal and Law Enforcement Framework

Recommendation 8

That the Federal, State and Territory Attorneys-General review the existing computer and identity fraud provisions and, if necessary, introduce or amend provisions to ensure consistency across all Australian jurisdictions.

Recommendation 9

That the Federal Attorney-General, in consultation with State and Territory counterparts, give priority to the review of Australian law and practice and move expeditiously to accede to the Council of Europe Convention on Cybercrime.

Recommendation 10

That Australia’s cyber crime policy strategically target the underground economy in malicious IT tools and personal financial information; the disruption of botnets and the identification and prosecution of botherders.

Recommendation 11

That the Commonwealth, State and Territory governments establish a national working group on cyber crime to maintain an ongoing, dedicated mechanism for the review and development of legislative responses to cyber crime. That the working group take a whole of cyberspace perspective and consider relevant IT industry, consumer protection and privacy issues as well as the criminal law.

7 Protecting the Integrity of the Internet

Recommendation 12

That the Australian Communications and Media Authority further increase its access to network data for the purpose of detecting malware compromised computers. This should include active consideration of how to increase access to network data held by global IT security companies and, in consultation with relevant departments, whether legal protections to address commercial, regulatory and privacy concerns are desirable.

Recommendation 13

That the Australian Communications and Media Authority consider how best the Australian Internet Security Initiative network data might be used to support the threat assessment and emergency response functions of government.

Recommendation 14

That the Australian Communications and Media Authority take the lead role and work with the Internet Industry Association to immediately elaborate a detailed e-security code of practice to be registered under the Telecommunications Act 1997 (Cth). That the code of practice include:

  • an obligation that the Internet Service Provider provides basic security advice when an account is set up to assist the end user to protect themselves from hacking and malware infections;
  • a mandatory obligation to inform end users when their IP address has been identified as linked to an infected machine(s);
  • a clear policy on graduated access restrictions and, if necessary, disconnection until the infected machine is remediated;
  • the provision of basic advice and referral for technical assistance for remediation; and
  • a requirement that acceptable use policies include contractual obligations that require a subscriber to:
    • install anti-virus software and firewalls before the Internet connection is activated;
    • endeavour to keep e-security software protections up to date; and
    • take reasonable steps to remediate their computer(s) when notified of suspected malware compromise.

Recommendation 15

That the Australian Government, in consultation with the Internet industry, review the scope and adequacy of s.313 of the Telecommunications Act 1997 (Cth) to promote Internet Service Provider action to combat the problem of malware infected machines operating across the Internet.

Recommendation 16

That a more integrated model for the detection and removal of malware, built on the Australian Internet Security Initiative, be implemented. The new scheme should involve the Australian Communications and Media Authority, Internet Service Providers, IT security specialists, and end users in a more tightly coordinated scheme to detect and clean malware infected computers.

Recommendation 17

That the Australian Communications and Media Authority be funded to develop a system that can obtain data on compromised web pages from various sources (including developing an internal capability). This data be collated and provided as daily aggregated reports to Internet Service Providers identifying infected web pages residing on their networks. That in addition to Internet Service Providers, domain owners and hosting companies also be included in the new scheme.

Recommendation 18

That the system for reporting and detecting compromised web pages proposed in recommendation 17 be supported by a registered industry code that outlines industry procedures for dealing with infected websites. That the Australian Communications and Media Authority be empowered to enforce the provisions of the registered code, including, for example, where there is a need to direct a service provider to remove malicious content. That Internet Service Providers and hosting companies who act on reports of infected websites be indemnified against claims for losses.

Recommendation 19

That the Australian Communications and Media Authority and the Internet Industry Association review the Spam Code of Practice to assess the effectiveness of current industry standards for the reporting of spam. That serious consideration be given to obliging Internet Service Providers to include the Australian Communications and Media Authority’s SpamMatters program as part of their email service to subscribers.

Recommendation 20

That the Australian domain name registration industry be subject to a code of conduct that is consistent with the Anti-Phishing Working Group Best Practices Recommendations for Registrars. The code of conduct should:

  • enumerate the type of information that should be collected during the domain name registration process by the registrar, that would help to preserve evidence and assist law enforcement authorities;
  • identify processes that should be put in place to identify fraudulent activity before the domain name registration takes effect; and
  • provide clear procedures for responding to requests for rapid take down of fraudulent sites and sites that host malware.

Recommendation 21

That the Minister for Broadband, Communications and the Digital Economy make a reference to the House of Representatives Standing Committee on Communications to inquire into the regulation, standards and practices of the domain name registration industry in Australia.

8 Consumer Protection

Recommendation 22

That the Australian Government ensure that:

  • remedies available under the new Australian Consumer Law can be effectively asserted against perpetrators outside Australia; and
  • the Foreign Judgments Act 1991 (Cth) be amended to allow for the reciprocal registration and enforcement of non-money judgments made under the Australian Consumer Law.

Recommendation 23

That the Treasurer amend the Australian Consumer Law to include specific protections against the unauthorised installation of software programs:

  • the reform should target the unauthorised installation of programs that monitor, collect, and disclose information about end users’ Internet purchasing and Internet browsing activity;
  • the authority to install a software program must be based on informed consent; and
  • to obtain informed consent the licence/agreement must require clear accessible and unambiguous language.

Recommendation 24

That the Australian Competition and Consumer Commission, in consultation with manufacturers and distributors of personal computers, mobile phones and related IT devices such as modems and routers, develop information standards to:

  • address the e-security vulnerabilities of these products and the provision of e-security information to consumers at the point of sale; and
  • require that the information is presented in a manner that is clear and accessible to a non-IT literate person.

Recommendation 25

That the Treasurer direct the Productivity Commission to conduct an in depth investigation and analysis of the economic and social costs of the lack of security in the IT hardware and software products market, and its impact on the efficient functioning of the Australian economy. That, as part of its inquiry, the Productivity Commission address the merits of an industry specific regulation under the Australian Consumer Law, including a scheme for the compulsory independent testing and evaluation of IT products and a product labelling scheme.

Recommendation 26

That the Treasurer consult with State and Territory counterparts with a view to amending the Australian Consumer Law to provide a cause of action for compensation against a manufacturer who releases an IT product onto the Australian market with known vulnerabilities that causes losses that could not have reasonably been avoided.

Recommendation 27

That the manufacturers of IT products adopt a best practice approach that ensures products are designed to prompt and guide end users to adopt more secure settings. That the Australian Government monitor industry practice in this regard, and promote international standards that put a higher priority on security through product design.

9 Privacy Measures to Combat Cyber Crime

Recommendation 28

That the Office of the Privacy Commissioner use the full extent of its powers to ensure that overseas organisations that handle the personal information of Australian citizens and residents are aware of, and adhere to, their obligations under the Privacy Act 1988 (Cth).

Recommendation 29

That the Office of the Privacy Commissioner expedite the adoption of an approved privacy code of practice for members of the Australian Internet industry, including smaller Internet Service Providers.

Recommendation 30

That the Office of the Privacy Commissioner encourage government agencies and commercial organisations to undertake regular audits to identify risks to personal information in both new and existing projects and policies.

10 Community Awareness and Education Initiatives

Recommendation 31

That the Department of Broadband, Communications and the Digital Economy, in consultation with relevant agencies, industry and community organisations, develop a nationally coordinated strategy for the education of consumers:

  • that the strategy cover all aspects of cyber crime including malware, identity theft, identity fraud and scams; and
  • includes clear benchmarks against which the effectiveness of education initiatives can be clearly evaluated and publicly reported on to Parliament.

Recommendation 32

That the Stay Smart Online and SCAMwatch websites be linked to the national cyber crime reporting centre referred to in recommendation 4.

Recommendation 33

That the Department of Broadband, Communications and the Digital Economy implement a public health style campaign that uses a wide range of media to deliver messages on cyber security issues, technical precautions and appropriate user behaviours.

Recommendation 34

That the Department of Broadband, Communications and the Digital Economy support the development of IT literacy training that includes cyber security and is available to the community as a whole. ...


From: Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime, Standing Committee on Communications, House of Representatives, The Australian Parliament, Report of the Inquiry into Cyber Crime, Parliament of Australia, 21 June 2010
