Information Security News mailing list archives

Who Should Fight Cybercrime?


From: William Knowles <wk () C4I ORG>
Date: Thu, 1 Jun 2000 14:00:03 -0500

http://wired.com/news/politics/0,1283,36566,00.html

by Katie Dean
3:00 a.m. Jun. 1, 2000 PDT

As the world's top politicians, lawmakers, and business types argue
and bleat over what must be done to stop the horrible, world-stopping
threat known as cybercrime, a group of engineers who built and preside
over the Internet's backbone are debating whether they should get
involved.

At the core of the discussion: Politicians generally don't have the
technical understanding to make the informed decisions that could
become law. On the flip side: Engineers are neither politicians nor
police.

Hence the debate among members of an Internet Engineering Task Force
mailing list: Should engineers come up with their own solutions to
fight cybercrime and push them forward?

"Technical reality always trumps political blather everywhere that
matters," wrote Vernon Schryver, setting the tone for the discussion.

Jacob Palme, a computer science professor at the University of
Stockholm, launched the email debate about a week ago.

"Should IETF do anything to fight the increasing incidences of Net
criminality?" he wrote to the list. "Can we do anything? Can the
protocols, which IETF manages, be modified so as to make it easier to
fight virus distribution, mail bombing, ping attacks, and the other
ways in which people are harassing the Internet?"

His motivation was simple.

"It's obvious that criminal use on the Internet is becoming more and
more of a problem," Palme said.

And because the Group of Eight nations met two weeks ago in Paris
specifically to discuss solutions to the threat of cybercrime -- and
U.S. Attorney General Janet Reno has been visible whenever major
websites are attacked -- it's definitely a timely debate.

The upshot is that the Internet has such a complicated construction,
and the world's countries have such widely different attitudes and
laws on policing, that it would be virtually impossible for a group of
engineers to promote a solution.

But there is a nagging belief that government leaders are in way over
their heads, and therefore probably won't be able to decide on
anything constructive.

For example, Scott Bradner, a senior technical consultant at Harvard
University, spoke at G8 and came away less than impressed with the
level of discussion.

"There was not a small amount of misunderstanding about how the
Internet works," Bradner said. "A lot of the speakers didn't have a
clue."

Added Steven Bellovin, a network security researcher at AT&T who also
has participated in the email debate: "There's a serious
misunderstanding in many of the governments of the world in what you
can and can't do on the Internet."

G8 attendees were well aware, however, of the increase in high-profile
cyber-attacks, such as the "Love Bug" email worm.

Statistics also point to increased incidents of cybercrime. The
Computer Security Institute reports that 70 percent of computer
systems used by Fortune 500 companies and government organizations
have recorded unauthorized use of some sort, compared to 42 percent in
1996.

"We've seen an increase in the use of the Internet as a point of
attack," said CSI Director Patrice Rapalus.

At the G8 conference, representatives called for a standard of
traceability. This is technically impossible "with the way the
Internet works today," Bradner said.

The volatile issue of wiretapping also is being debated on the email
list.

For example, Bellovin said, governments do not understand that the
Internet cannot be wiretapped in the same way as a telephone.

In a traditional phone network, authorities can trace who makes the
call and where it is going. With the Internet, every time someone
dials up, different IP addresses send packets of data, making
traceability difficult.

Nevertheless, politicians "want the same model to apply," Bellovin
said.

In addition, the number of different jurisdictions that a packet
passes through when it is traveling over the Internet is another
barrier.

"The U.S. has one set of rules, France has one set of rules, and
Germany has one set of rules," said Harvard's Bradner. "Because there
is not an international agreement on a particular set of rules -- and
in certain places, the rules are contradictory -- we can't come up
with a standard."

Nevertheless, Palme believes the IETF can -- and should -- do more to
help the political powers arrive at solutions.

"It may be possible that the IETF as an organization can modify
standards so that it becomes easier to catch cyber-criminals," Palme
said.

"I think every router can know where the packet comes from and where
it goes," he said. "Using that information, you should be able to
track criminals."

But routers are not designed to recognize where the packets are coming
from, Bellovin said.

And logging all the traffic that moves through these routers would be
difficult, wrote Schryver. "Searching a 1,000 TByte database on the
fly, especially if it is merely a primitive sequential log, would be a
serious challenge."

And others pointed out that policing is not the IETF's responsibility.

"It's not the network's job to do the job of law enforcement,"
Bellovin said.

Attempting to build backdoors -- intentionally designed shortcuts
around a security system -- that are only accessible to police would
ultimately weaken Internet security, he added.

Palme believes that part of the problem is that people do not want to
help the police because they are afraid that police will abuse the
technology.

"Internet people seem to be an anarchistic group very unwilling to
accept any kind of government control," he said.

The difference could be cultural, Palme added.

"People in America seem more negative toward helping the police than
people in Europe," he said.

So what can be done?

Several posters believe that the efforts should concentrate on the
"end systems" -- computers and software. Instead of making the system
more glitzy and user-friendly, companies like Microsoft should focus
on security.

Engineers also are asking questions about the IETF's Guidelines and
Recommendations for Security Incident Processing working group, which
provides guidelines and recommendations for security incident-response
teams.

"It's a start; we've proved that getting anywhere in this direction
causes a great deal of discussion, and that expectations vary
greatly," wrote Harald Alvestrand.

"The group is still open, and welcomes volunteers."


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
