Information Security News mailing list archives
Who Should Fight Cybercrime?
From: William Knowles <wk () C4I ORG>
Date: Thu, 1 Jun 2000 14:00:03 -0500
http://wired.com/news/politics/0,1283,36566,00.html

by Katie Dean
3:00 a.m. Jun. 1, 2000 PDT

As the world's top politicians, lawmakers, and business types argue and bleat over what must be done to stop the horrible, world-stopping threat known as cybercrime, a group of engineers who built and preside over the Internet's backbone are debating whether they should get involved.

At the core of the discussion: Politicians generally don't have the technical understanding to make the informed decisions that could become law.

On the flip side: Engineers are neither politicians nor police.

Hence the debate among members of an Internet Engineering Task Force mailing list: Should engineers come up with their own solutions to fight cybercrime and push them forward?

"Technical reality always trumps political blather everywhere that matters," wrote Vernon Schryver, setting the tone for the discussion.

Jacob Palme, a computer science professor at the University of Stockholm, launched the email debate about a week ago.

"Should IETF do anything to fight the increasing incidences of Net criminality?" he wrote to the list. "Can we do anything? Can the protocols, which IETF manages, be modified so as to make it easier to fight virus distribution, mail bombing, ping attacks, and the other ways in which people are harassing the Internet?"

His motivation was simple. "It's obvious that criminal use on the Internet is becoming more and more of a problem," Palme said.

And because the Group of Eight nations met two weeks ago in Paris specifically to discuss solutions to the threat of cybercrime -- and U.S. Attorney General Janet Reno has been visible whenever major websites are attacked -- it's definitely a timely debate.

The upshot is that the Internet has such a complicated construction, and the world's countries have such widely different attitudes and laws on policing, that it would be virtually impossible for a group of engineers to promote a solution.

But there is a nagging belief that government leaders are in way over their heads, and therefore probably won't be able to decide on anything constructive.

For example, Scott Bradner, a senior technical consultant at Harvard University, spoke at G8 and came away less than impressed with the level of discussion.

"There was not a small amount of misunderstanding about how the Internet works," Bradner said. "A lot of the speakers didn't have a clue."

Added Steven Bellovin, a network security researcher at AT&T who also has participated in the email debate: "There's a serious misunderstanding in many of the governments of the world in what you can and can't do on the Internet."

G8 attendees were well aware, however, of the increase in high-profile cyber-attacks, such as the "Love Bug" email worm.

Statistics also point to increased incidents of cybercrime. The Computer Security Institute reports that 70 percent of computer systems used by Fortune 500 companies and government organizations have recorded unauthorized use of some sort, compared to 42 percent in 1996.

"We've seen an increase in the use of the Internet as a point of attack," said CSI Director Patrice Rapalus.

At the G8 conference, representatives called for a standard of traceability. This is technically impossible "with the way the Internet works today," Bradner said.

The volatile issue of wiretapping also is being debated on the email list.

For example, Bellovin said, governments do not understand that the Internet cannot be wiretapped in the same way as a telephone. In a traditional phone network, authorities can trace who makes the call and where it is going. With the Internet, every time someone dials up, different IP addresses send packets of data, making traceability difficult.

Nevertheless, politicians "want the same model to apply," Bellovin said.

In addition, the number of different jurisdictions that a packet passes through when it is traveling over the Internet is another barrier.

"The U.S. has one set of rules, France has one set of rules, and Germany has one set of rules," said Harvard's Bradner. "Because there is not an international agreement on a particular set of rules -- and in certain places, the rules are contradictory -- we can't come up with a standard."

Nevertheless, Palme believes the IETF can -- and should -- do more to help the political powers arrive at solutions.

"It may be possible that the IETF as an organization can modify standards so that it becomes easier to catch cyber-criminals," Palme said.

"I think every router can know where the packet comes from and where it goes," he said. "Using that information, you should be able to track criminals."

But routers are not designed to recognize where the packets are coming from, Bellovin said.

And logging all the traffic that moves through these routers would be difficult, wrote Schryver. "Searching a 1,000 TByte database on the fly, especially if it is merely a primitive sequential log, would be a serious challenge."

And others pointed out that policing is not the IETF's responsibility.

"It's not the network's job to do the job of law enforcement," Bellovin said.

Attempting to build backdoors -- intentionally designed shortcuts around a security system -- that are only accessible to police would ultimately weaken Internet security, he added.

Palme believes that part of the problem is that people do not want to help the police because they are afraid that police will abuse the technology.

"Internet people seem to be an anarchistic group very unwilling to accept any kind of government control," he said.

The difference could be cultural, Palme added. "People in America seem more negative toward helping the police than people in Europe," he said.

So what can be done?

Several posters believe that the efforts should concentrate on the "end systems" -- computers and software. Instead of making the system more glitzy and user-friendly, companies like Microsoft should focus on security.

Engineers also are asking questions about the IETF's Guidelines and Recommendations for Security Incident Processing working group, which provides guidelines and recommendations for security incident-response teams.

"It's a start; we've proved that getting anywhere in this direction causes a great deal of discussion, and that expectations vary greatly," wrote Harald Alvestrand. "The group is still open, and welcomes volunteers."

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*