A month ago, I was awoken at 1 o'clock in the morning by a call from my ex-wife. Did I know, she asked, where our 19-year-old daughter was? My ex-wife was due to give our daughter a lift to the airport for an early flight, but she hadn't turned up at the apartment. I went to my daughter's room at my place to discover her bag unpacked and passport on the floor.
Concerned, I hacked into her Facebook account by guessing her password. Once into the account, I put out a message to her friends asking them to let me know where she was. This actually worked (it is amazing how many young people are on Facebook at 2:30 on a Monday morning).
My daughter was mortified that I had hacked her account. She was torn between feeling guilty for having caused the problem and outrage that I invaded her privacy.
If we had been living in the United States, under a recent amendment to the Computer Fraud and Abuse Act (CFAA), my daughter could have brought criminal charges against me for “exceeding authorized access.” So in order to ensure my daughter's safety, I would have risked a criminal record and a possible 3-year jail sentence.
The raft of cybersecurity legislation now being presented to parliaments around the world highlights how the very genius of the Internet – interconnectedness – is also its Achilles heel. The Web's cross-border character is an intrinsic part of its nature. But the world's major cyberpowers – the United States, Canada, Western Europe, Russia, China, India, Israel, the Baltic states and Brazil – are having great difficulty working together to fight malfeasance on the Web. The legal issues are too complex and levels of trust much too low. And what may be acceptable online behaviour in one country, may be unacceptable in another.
For example, the FBI and the U.S. Secret Service regularly make use of sting operations to track down criminals. In one case, DarkMarket was a Web forum where cyberthieves could buy stolen credit card details, the latest viruses and even tutorials on how to become proficient in the latest cybercrime techniques. One of its five administrators was an undercover FBI agent. But most of his targets lived outside the United States, so the FBI sought to enlist the support of other police forces in order to track them down.
However, Canada and the European Union have much stronger data-protection provisions than does the United States. Problems arose immediately because of the different policing cultures and what under local legislation the police can or cannot do. In the case of DarkMarket, the FBI needed absolute discretion in their investigation but required the assistance of the German police. This failed and eventually led to the exposure of the FBI officer, in part because the German cops had to tread much more carefully than their American counterparts for fear of violating the suspects' civil liberties.
Courts in Germany are very reluctant to sanction any intrusion onto private or commercial networks for historical reasons. In the U.S. and Canada, however, cops regularly pose as underage children to see if they will be “groomed” by pedophiles.
If a German police officer were to do the same and the suspect asked him, “Are you a cop?”, he would be obliged to say, “Yes,” which rather defeats the purpose.
Most cybercriminals are smart and they are as well briefed on the legalities as the cops themselves. One of the most successful European cybercriminals I interviewed in researching my book was quite open: “I never touch American cards,” he said. “If I were to do so, I would be placing myself under U.S. jurisdiction and American cops are much less forgiving than the Europeans.” Incidentally, he said he considered Canadians to be more European in this respect.
But although there are hiccups in co-operation among the United States, Canada and Europe because of the different policing cultures, this is nothing compared with the difficulties in trying to establish working relationships with some other countries, including one which over the past decade has been a great incubator of cybercrime.
Russia is a paradox on the Web. The FSB (successor to the KGB) has developed a suitably Orwellian tool called SORM-2 that offers it full oversight over the country's Internet. Internet service providers in Russia are obliged to send a copy of every single byte that zips in, around or across the net, so everything that happens in Russian cyberspace is stored in vast digital deposits available to FSB officers 24/7.
One might therefore assume that Russia represents an implacably hostile environment for cybercriminals. Yet the Russian Federation has become one of the great centres of global cybercrime. The strike rate of the police is lamentable while the number of those convicted barely reaches double figures.
The reason, while unspoken, is widely understood. Russian cybercriminals are free to clone as many credit cards and hack as many bank accounts as they wish, provided the targets of these attacks are located in Western Europe and the United States. A Russian hacker who started ripping off Russians would be bundled into the back of an unmarked vehicle before you could say KGB.
In exchange, of course, should the Russian state require the services of a hacker for launching a cyberattack on a perceived enemy, then it is probably best for the hacker to co-operate.
And that is exactly what happened in 2007 and 2008 when major cyberattacks were launched against the critical national infrastructure of Russia's two neighbours, Estonia and Georgia.
It is possible that criminals instigated the attacks but highly unlikely. More probably they were either paid to launch them or they were leaned on by the authorities to participate in these acts of patriotism.
Nobody believes that the world's major cyberpowers will ever be able to fashion a treaty aimed at developing a co-ordinated response to cybercrime. However, as criminal activity and other threats begin to rise in Russia, China and elsewhere, the time is ripe for the West to reach out to the East in the hope of establishing some basic principles in order to reduce the Web-based threats we all face, regardless of our geo-strategic interests.