
Australian Federal Police - Platypus Journal/Magazine


Editors --- "fraud@internet.com.au" [2000] AUFPPlatypus 3; (2000) 66 Platypus: Journal of the Australian Federal Police, Article 3


fraud@internet.com.au

The role of the Australian Federal Police in the investigation of high-tech crimes

The rapid expansion of the Internet, and the rise of associated criminal activity facilitated by unparalleled access to information systems on a global scale, have been the subject of many media reports and much speculation in recent years. Among these new crimes are computer hacking, denial of service attacks, unauthorised access to information, on-line fraud and, potentially, cyber-terrorism. Recently, the massive distributed denial-of-service attack on major US web portals refocussed the public's attention on the disruption that may be caused if web security is breached.


But the heightened level of awareness must be accompanied by increased cooperation between the private and public sectors in both identifying and dealing with such threats, says the AFP's Director of Technical Operations Federal Agent John Geurts in the following report presented at the Australian Chapter of the American Society for Industrial Security Conference ‘Fraud — The New Frontiers' in Canberra last year. The conference was opened by the Minister for Justice and Customs, Senator Amanda Vanstone, and attended by international and Australian law enforcement and private sector experts.

The AFP does not commit itself solely to the investigation of reported crimes but also takes a leading role in the prevention of crime and the mitigation of its impact on the community. But in today's technological environment, many of the issues we now face do not fall within the commonly accepted purview of a law enforcement agency.

Considering this, the technological and public policy environment facing the AFP, its role in ensuring the integrity of the business and financial sectors, and the initiatives needed to ensure that it retains an appropriate computer crime and computer forensic capability need to be addressed. However, the private sector also must play its role in reporting cyber-crimes to the relevant authorities, so that a complete assessment can be made of the threats and vulnerabilities posed by the Internet.

The Internet

The Internet is the medium for increasing the range and content of computer based communications. The growth of the Internet is estimated to be doubling somewhere between every 100 days and every 12 months. Between 1996 and 1998 the number of adult Australians with access to the Internet at home increased from 262,000 to 4.2 million. Within Australia, two companies dominate the Internet market, Ozemail with 27 per cent of the market and Telstra Big Pond at 20 per cent. The rest of the market is fragmented between another 640 Internet Service Providers (ISPs).

The Internet is said by some commentators to be anarchic in that there are insufficient, if any, controls over many of the issues that concern regulators and investigative authorities alike. The main issue from an investigative perspective for a transaction involving the Internet is one of the basic proofs of any offence, that is, identity of the offender or suspect. From a law enforcement perspective, failing to adequately prove the identity of the perpetrator of a crime committed via the Internet, or by other information-technology means, has serious consequences for the conduct of any subsequent investigation or prosecution. It is on this basis that alternative evidence sources, including forensic computer analysis, must form an integral feature of any response to an incident or crime.

The view that the Internet is anarchic has some merit if anarchy relates to the anonymity the Internet affords users. However, any argument discrediting the structural basis of the Internet would be unsubstantiated. The widespread success of the Internet is based on the use of common data communications protocols, each with its own features and structures, and which need to be understood by those who conduct investigations into Internet crimes. Some media reports recently have suggested that the success of the Internet is becoming its greatest threat. The number of users now accessing the Internet is causing increased delays and failure of systems to cope with the extra load but even considering this, the Internet is a long way from failing.

While there has been intense public debate about computer hackers and their impact on the public and private sectors, the AFP has been involved in relatively few hacking investigations over the past five years, and would question the disparity between the level of public debate and the number of incidents reported to law enforcement agencies.

A question which should be asked is: ‘Are high-volume, low-level hacking attempts a portent of global catastrophe, or merely the high-tech equivalent of someone rattling a locked door?'

e-Commerce

While the Internet is the medium, electronic commerce or e-Commerce is the activity that may have a greater impact on society. e-Commerce has the potential to reshape society through its ability to develop new business models. Industry analysts predict that e-Commerce, which involved transactions of $7 billion during 1998, is expected to grow to $300 billion globally by 2002. The Australian Government predicts e-Commerce will grow by a factor of ten by the year 2000, and keep growing. The current size of e-Commerce can be determined through industry analysis. In an industry survey involving 55,000 Australian and 27,000 international Internet users, 25 per cent had shopped on-line more than once, with another 13 per cent having shopped on-line once only. Australian on-line shoppers spent some $139 million on-line in the 12 months to July 1998. The largest product categories were books, music and software. Twenty-two per cent of Internet users identified concerns with the security of financial transactions as their primary concern. A total of 528,000 Australians have shopped on-line at least once, with 88,000 Australians regularly using on-line banking facilities.

The use of technology often gives an appearance of legitimacy to what would otherwise be a simple fraud. The Australian Securities and Investments Commission (ASIC) clearly illustrated how easy it is to fool on-line investors with their Millennium Bug insurance site earlier this year, which persuaded 233 people to part with more than $4 million. This ASIC experience shows that in Internet surveillance and law enforcement, it is unwise to categorise ‘Internet Crime' as being simply a responsibility for police agencies. Law enforcement, regulatory and private sector communities must all forge new working relationships to deal with the challenges posed by the Internet.

The alternative environment within e-Commerce, which we are yet to come to grips with fully, is the one in which an e-Commerce vendor is the subject of a crime. This could occur in instances such as an external hacking attack, an internal fraud, or an external fraud (for example, false credit card details).

It may appear that the latter scenario has the least impact on an e-Commerce provider because of process and verification controls. However, this could pose a greater risk with respect to automated sales, or inventory and dispatch systems, in that the Internet allows high volume/low value transactions that may not be captured by automated scanning and verification routines. It may be easy to detect ten $1,000 frauds, but would one thousand $10 frauds be as easily detected? The multiplier effect of the Internet is certainly seen in e-mail spam attacks, which may allow for thousands of e-mails to be routed through a third-party server for distribution worldwide. I am confident we will also see it in e-Commerce fraud. In these cases, the multi-jurisdictional nature of the crimes will necessitate closer cooperation between law enforcement and private industry, otherwise the enforcement regime will be ineffective.
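The detection gap described above can be shown with a short added example, which is not part of the original report. It runs a per-transaction value check and a sliding-window aggregate check over constructed orders; the thresholds, the 24-hour window and the choice of dispatch address as the linking attribute are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All limits below are assumed values for illustration, not figures from the report.
PER_TXN_LIMIT = 500.0          # single orders at or above this go to manual review
WINDOW = timedelta(hours=24)   # look-back period for the aggregate rule
WINDOW_VALUE_LIMIT = 2000.0    # cumulative value per linking key within WINDOW
WINDOW_COUNT_LIMIT = 50        # number of orders per linking key within WINDOW


def make_sample():
    """Constructed orders: ten $1,000 frauds, one thousand $10 frauds, 200 normal sales."""
    start = datetime(2000, 1, 1)
    txns = []
    for i in range(10):        # high value, each to a different address
        txns.append({"id": f"big-{i}", "time": start + timedelta(hours=i),
                     "amount": 1000.0, "ship_to": f"addr-{i}"})
    for i in range(1000):      # low value, one a minute, all to one address
        txns.append({"id": f"small-{i}", "time": start + timedelta(minutes=i),
                     "amount": 10.0, "ship_to": "addr-X"})
    for i in range(200):       # ordinary customers, distinct addresses
        txns.append({"id": f"legit-{i}", "time": start + timedelta(minutes=7 * i),
                     "amount": 40.0, "ship_to": f"home-{i}"})
    return sorted(txns, key=lambda t: t["time"])


def per_transaction_rule(txns):
    """Value check on each order in isolation."""
    return {t["id"] for t in txns if t["amount"] >= PER_TXN_LIMIT}


def aggregate_rule(txns, key="ship_to"):
    """Sliding-window check: flag a key once its order count or total value
    inside WINDOW reaches the limits. txns must be sorted by time."""
    windows = defaultdict(deque)
    totals = defaultdict(float)
    alerts = {}
    for t in txns:
        k = t[key]
        q = windows[k]
        q.append(t)
        totals[k] += t["amount"]
        # Drop orders that have aged out of the look-back period.
        while t["time"] - q[0]["time"] > WINDOW:
            totals[k] -= q.popleft()["amount"]
        if k not in alerts and (totals[k] >= WINDOW_VALUE_LIMIT
                                or len(q) >= WINDOW_COUNT_LIMIT):
            alerts[k] = {"first_alert": t["id"], "count": len(q), "total": totals[k]}
    return alerts


if __name__ == "__main__":
    orders = make_sample()
    print("per-transaction rule flagged:", sorted(per_transaction_rule(orders)))
    for k, a in aggregate_rule(orders).items():
        print(f"aggregate rule flagged {k} at {a['first_alert']}: "
              f"{a['count']} orders, ${a['total']:.2f} so far")
```

The aggregate rule is only as good as its linking attribute, so automated scanning of this kind normally runs the same window over several keys in parallel (card, account, dispatch address, source address).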

Rate of change

The exponential rate of technological change can be seen in the increase in the size of data storage systems. Where a law enforcement examination of a computer hard drive in 1990 involved 50,000 pages of text, a contemporary examination would involve between 5 and 50 million pages of text. The increasing size of data storage systems in computer systems challenges the limited time and financial resources available to law enforcement agencies for examining these systems. AFP statistics reveal the average capacity of data storage media seized for analysis has risen from 35 megabytes in 1991 to 3,445 megabytes (3.4 Gb) in 1999. The 1999 figure excludes a single seizure of 2,815,000 megabytes (2.8 Tb) requiring restoration before analysis. The average size of seized data storage media is less than the capacity of contemporary data storage media. This suggests most computer systems from which electronic evidence is obtained are not state-of-the-art, but are on average one to two years old. Computer equipment used by a broad range of criminals is reflective of computer equipment used within the general society.

The graph below highlights the constant rate of growth of data storage media analysed by the AFP since 1991. But even with average seizures currently approaching 3.5 Gb, many of us have far greater capacity drives. A stock-standard computer that may be purchased from any retailer, such as Harvey Norman, is presently configured with a 6 Gb hard drive, with drives up to 13 Gb affordable for many power-users today.

[Figure: graph of data storage media analysed by the AFP since 1991]

This increase in the amount of data being seized has a corresponding impact on both the equipment required and methodology used in the capture and analysis of electronic data.

Commercially driven intelligence environment

The community's understanding of the risks posed by computer-related crime is primarily shaped by commercially influenced intelligence, which supports a significant industry in computer security. According to the very promoters of this event, the American Society for Industrial Security, the United States computer security industry grew at an average rate of 17.3 per cent between 1992 and 1996, and is expected to grow at an average rate of 22.5 per cent over the next four years. The quality of this intelligence needs to be critically assessed. The commercial interest of computer-related crime is both an advantage and a hindrance to law enforcement. The computer security industry provides technological solutions to avert the threat of computer-related crime, which can reduce the level of referrals to law enforcement for investigation. On the negative side, the commercially driven intelligence environment can increase the general level of insecurity within society.

In short, both the law enforcement and computer security communities have inter-dependencies with respect to computer security and reported incidents. This revives an age-old question: does the fact that crimes are not being reported indicate that enforcement has been successful and the crimes are not being committed, or does it just indicate that the crimes are occurring and not being reported? This is the predicament facing law enforcement today. While we are able to strategically position ourselves to meet this emerging crime threat, and are in fact doing so, there comes a time when we must critically assess if our strategy was correct in terms of the level of crime being reported.

The ongoing debate can be simplified by looking at a very simple threat and response matrix, as shown below.

[Figure: threat and response matrix]

My understanding from discussions with international corporate entities who do not report ‘routine' hacking attempts to law enforcement or computer security agencies, is that the majority of computer hacking incidents consist of low-skilled, unsuccessful attempts to penetrate fire-walls around computer installations. Figures for some international corporations are in the thousands for the number of attempts made (pinging) per day and fall into this category. This can be attributed to relatively unskilled computer hackers using routines downloaded from the Internet to set up automated attacks, which in reality, pose more of a nuisance than a threat.

In terms of information assurance and risk assessment, the greatest threats would be posed in the low-capability, high-impact area of the matrix, where simple routines potentially could cause major harm to an entity. Once risks such as these are identified, removing that particular vulnerability may be as simple as the capability of the attacker suggests. Similarly, major corporations would not expend a great deal of effort in the high-capability, low-impact area of the matrix. Their risk management strategies would preclude expending resources on these vulnerabilities at the expense of ameliorating the high-impact vulnerabilities.

Governmental and law enforcement environment

We are witnessing the emergence of a new environment in which crimes must be prevented, detected, investigated and/or prosecuted. It will not be a simple task based on the ‘traditional' values which have shaped our laws, the judiciary and law enforcement and which have served the community for more than a century.

Currently, between 70 and 80 per cent of the AFP's workload in computer crime may be categorised as requiring ‘routine’ evidence recovery techniques. The increase in the volume of data storage media requiring analysis calls for innovative strategies that facilitate the analysis while maintaining the evidentiary value of the results. The AFP wants all operational investigators to have a basic understanding of computer search and evidence recovery techniques and is implementing a national training course to facilitate this; computer search and evidence recovery kits are now in each of its major offices. This strategy will lessen the burden on our computer crime teams and specialist electronic forensic support personnel, releasing them to undertake higher order analysis or research and development tasks.

New communication media and new modes of economic activity are challenging traditional views of the role of law enforcement within society. This is a result of the Internet itself, which, in many ways, is designed to resist centralised control. The Internet's ability to transcend national boundaries, its speed of operations, and its speed of change have prompted many to question the ability of governments to regulate and enforce laws relating to activity on the Internet. The response by law enforcement to the challenges posed by computer-related crime should be developed in the context of these limitations.

Changes in society's views of law enforcement are reflected in the low rate of both people and organisations admitting to being the victims of computer-related crime. Throughout numerous surveys relating to computer-related crime in the US, Australia and Europe, there is a high disparity between survey results and referrals to law enforcement. It is estimated that more than 90 per cent of all detected computer fraud remains unreported. Commercial considerations such as the availability of technical solutions and possible negative commercial effects are considered the primary reason for the lack of reporting. A further reason could be a general lack of confidence in law enforcement's ability to overcome the challenges posed by computer-related crime. This lack of confidence in law enforcement is often perpetuated by the private sector in an effort to further commercial interests. The AFP has seen an increased rate of referrals in the past 10 years, which is probably still short of the levels of crime discussed in the media.


The automated ‘pinging' attacks discussed earlier are one example of the importance of looking at the facts when discussing issues as emotive as computer crime. While not wanting to devalue the major impact computer crime can have or the importance of raising awareness of such crime, we should not be swayed merely by those who would have law enforcement chasing every would-be hacker in this country. Using this example, it would seem that either the AFP's experience is indicative of the real threat, or private enterprise is not yet reporting the true state of affairs.

International law enforcement environment

Given the trans-jurisdictional nature of computer-related crime, international cooperation will provide an essential tool in the development of law enforcement responses. The future law enforcement activities of many public and private sector organisations may be determined by the nature of international cooperative activities with similar organisations overseas. These activities will be determined by improved technologies allowing greater intelligence exchange and greater coordination capacity to direct transnational law enforcement operations.

Within the international law enforcement community, a framework for coordinated international law enforcement is emerging. The framework currently involves two major initiatives:

24-hour contact points

The first initiative involves two separate regimes. Both Interpol and the G8 Sub-Group on High-Tech Crime and Computer Emergencies have established points of contact with computer crime response centres. Such centres are normally contactable on a 24-hour basis and would be responsible for responding to requests for real-time computer crime investigations. In the case of the G8 contact points, all participating countries have agreed that the 24-hour response centres should only be used for genuine emergencies, with normal communications and evidentiary channels to be used for routine requests.

The AFP, through both the 24-Hour Response Centre and the Interpol National Central Bureau in Canberra, performs this function. Referrals for investigation are then forwarded either to State police or to AFP regional offices for action. Similar centres have also been established inside the G8 (Canada, France, Germany, Italy, Japan, Russia, United Kingdom and United States).

This initiative is a response to two of the characteristics of Internet use and e-Commerce. Firstly, the Internet and e-Commerce are by nature trans-jurisdictional. A business transaction may involve a service provider in one country, a customer in a second country, a transaction in a third country and the records of the transaction in a fourth country. Secondly, the nature of e-Commerce can result in evidentiary records of the conduct of these transactions only being available for a short period, perhaps 24 hours. To reconstruct the transaction, thus proving a crime, requires the gathering of evidence from numerous countries within a short timeframe.

As e-Commerce and international law enforcement cooperation develop, agencies such as the AFP will be called upon to perform numerous investigations aimed at quickly obtaining small quantities of data, which will later be used to construct a brief of evidence in other countries. The number of responses of this type (electronic evidence recovery investigations) will depend upon both the growth and nature of global electronic business models, and the developing capabilities of law enforcement agencies in many countries.

The multiplicity of law enforcement agencies and legal systems involved is likely to impede the level of cooperation necessary to address Internet and e-Commerce crime issues. For example, in Australia our Mutual Assistance legislation allows evidence to be collected for overseas agencies only after the written approval of the Attorney-General. It would be desirable then to seek appropriate changes to the Act so that evidence could be collected without such approval.

National Information Infrastructure

The second initiative involves concepts relating to national infrastructure protection. The vulnerabilities of computer systems, the obscure nature of hacking and the increasing reliance of governments and business upon information systems have caused a radical rethink of modern concepts of warfare. The United States military believes its military dominance of the battlefield could lead to a tactical change in warfare away from military hardware and towards information systems. In identifying a possible change in tactics, the US began to examine the vulnerabilities of their own information systems. This process has led to a fusion of defence, national security intelligence and law enforcement concerns regarding computer-related crime.

The US Government established the National Infrastructure Protection Centre in February 1998 in response to the growing dangers posed by high-tech sabotage and cyber-attack to sectors such as banking, finance, communications, information technology and energy. Defence, security intelligence and law enforcement personnel operate the centre and the major threat is seen as being externally sourced hacking into computer systems. The rationale behind the centre is for law enforcement to investigate hacking incidents to determine whether the incidents are criminal, or elements of an information warfare strategy. Similar assessments, regarding threats to national infrastructures, have been made in Canada and the United Kingdom.

Within Australia, an assessment of the likely threats to our national information infrastructure has been conducted. A significant finding of the assessment was the low level of awareness, among both government and industry, of the type and level of threats posed to their information systems. Further efforts have been made through an interdepartmental committee to develop a strategy for addressing possible threats to Australia's information infrastructure. In Australia, it has been proposed that the AFP, the Australian Security Intelligence Organisation, the Defence Signals Directorate and the Commonwealth's Protective Security Coordination Centre will each play a major role in the reporting, analysis and response mechanisms for the range of potential threats to the information infrastructure.

While protecting national information infrastructures is not a subject of international law enforcement cooperation, activities relating to information infrastructures will generate a level of referrals for international investigation, which through the concept of reciprocity will require cooperative assistance.

Where to for the AFP?

Computer crime and associated activities will continue to receive a high level of attention from the AFP. We now have computer crime teams in Brisbane, Canberra, Melbourne, Perth and Sydney. The AFP's current Electronic Forensic Support Team in Canberra will be re-structured to create a central Computer Forensic Facility to service the increasing demand for forensic analysis from within the AFP, and from our law enforcement partners. This facility will be supported by state-of-the-art computer technology and draw on the services of specialist computer professionals who are otherwise engaged in research and development activities for the AFP.

The AFP has a full-time Intelligence Collection manager for computer crime, who will ensure linkage between the operational and strategic issues relating to computer crime. It continues to be a member of the Inter-Departmental Committee for the Protection of the National Information Infrastructure and associated Consultative Industry Forum, as well as the Research Group on the Law Enforcement Implications of Electronic Commerce. Through these forums, the AFP will seek closer consultation with both public and private sectors to address the issues we face with the Internet and the opportunities it brings for fraud.

However, it must be emphasised that those who encounter Internet crime should ensure it is reported to the appropriate authorities, be they state or federal. We simply cannot provide support if the full extent of the Internet crime problem remains hidden.


URL: http://www.austlii.edu.au/au/journals/AUFPPlatypus/2000/3.html