Globalizing the Fight Against a Hostile Internet
During my visit to Moscow last week, Kaspersky Lab CEO Eugene Kaspersky waxed poetically about the need for a global law enforcement agency to police the Internet against criminals and hackers. In his estimation, the Internet never will be free of threats so long as hackers are able to launch attacks against international targets from safe havens in their home countries.
Kaspersky isn’t the only security executive calling for such an international cyber-security agency. McAfee CEO Dave DeWalt told partners and customers at his company’s Focus conference in October that more international cooperation and a global police force is needed to combat the rising tide of threats and attacks against every aspect of the digital world.
It’s ironic that Kaspersky, a Russian, would call for the creation of cyber-police when his own government opposes the notion of cross-border jurisdiction of hackers and cyber-criminals, as called for in the European Cybercrime Treaty.
But Kaspersky and DeWalt are essentially correct in that most successful hackers perpetrate their crimes not against domestic targets but rather against targets in other countries that would have a hard time—if any chance at all—of prosecuting suspected cyber-criminals. Consider the case of Gary McKinnon, the British citizen accused of hacking dozens of U.S. Navy systems in pursuit of UFO evidence. He was traced and caught in 2002 and is currently under indictment by U.S. authorities, but remains on British soil as he continually challenges extradition. (Last week, McKinnon lost his latest round, but his lawyers plan another appeal, saying he wouldn’t survive the U.S. prison system.)
Even if local authorities are willing to investigate and prosecute cyber-crimes, many countries’ domestic laws are inadequate to the task. Think back nearly a decade to what remains the worst computer virus to ever hit the Internet – LoveLetter. Onel de Guzman, a computer science student in the Philippines, “accidentally” released the virus, and within 24 hours it was infecting tens of millions of Internet-connected machines. The amateurish code made tracking the virus to its source relatively easy, but de Guzman walked free because he hadn’t broken any of the existing laws.
Over the weekend, the Obama administration reversed U.S. policy and opened dialogue with Russia on curbing the militarization of the Internet. The talks, which Russia has been proposing for several years, would limit nations from developing offensive weapons in cyber-space and aim to curb rogue, terrorist use of the Internet for disrupting commerce and communications. (It’s kind of ironic that these talks are happening, since the original Internet was designed by the U.S. military as a redundant communications system in the event of nuclear war.) These talks, some observers say, could lead to an international cyber-crime treaty.
Is there a model in which governments could root out hackers and cyber-criminals without violating sovereignty? In the U.S. such a model exists between states prosecuting child pornographers. Several states, such as Connecticut, require computer technicians to report evidence of child porn and other malicious materials. A similar model could be employed in which governments deputize security solution providers, VARs, hosting companies and ISPs to find, report and, in some cases, investigate hacking and criminal activity. It would then be up to prosecutors to press charges locally or allow extradition.
So the question is this: Would you be willing to be a deputy sheriff in the global effort to police hacking?
About the Author: 