Combating the $100 billion high-tech ‘black economy’
Government and industry organistions are working together to limit the impact of identity fraud.
Rapidly growing online crime including identity theft, credit card fraud and espionage– much of directed against the finance, banking, government and retail sectors – has seen the development of a $100 billion-plus black economy affecting Australia and the rest of the world.
Increasing concern over the number of attacks against Australia’s essential information communications technology (ICT) systems has seen the Australian Government and industry pouring hundreds of millions of dollars into prevention, response, mitigation and alerting services.
The global ICT industry is talking not only of cyber attacks having reached ‘cold war’ level, but many experts are warning that we are rapidly approaching a state which could be described as ‘information warfare.’
The new CEO of global information security specialist, McAfee Inc, David DeWalt, told a recent US conference that cyber-crime had become a $105 billion business which was more lucrative than the illegal global drug trade. Other estimates have put the cost over $150 billion.
Speaking globally, he stressed that law enforcement’s ability to find, prosecute, and punish criminals in cyberspace was not keeping up with developments by lawbreakers.
“If you rob a 7-11 you’ll get a much harsher punishment than if you stole millions online,” he said.
“The cross-border sophistication in tracking and arresting cyber-criminals is just not there.”
Source of the attacks
Although it is extremely difficult to trace the source of the attacks, analysts say that a mix of criminals, foreign intelligence agencies, hackers and even terrorists, is behind them.
The UK’s domestic spy chief recently warned British business leaders that China has been carrying out state-sponsored espionage against vital parts of the British economy.
The director-general of MI5, Jonathan Evans, wrote to 300 chief executives and security heads at banks, accountancy and legal firms late last year warning them they were under attack from ‘Chinese state organisations’ via the Internet.
China has strongly denied the allegations.
Today’s reality is that major corporations, small and medium sized business, banks, retailers and communications service providers, including the major telcos, are involved in a continuing war against cyber criminals and others intent on stealing money, information and disrupting services.
Banks are progressively upgrading credit cards with high-security embedded microchip technology.
Chip credit cards can store encrypted confidential information which can help protect the card against counterfeit fraud. Each transaction generates a different ID, making the counterfeit production of the card more difficult. It does not use any additional personal data.
Safeguards to protect customer information
The chief executive of the Australian Bankers’ Association (ABA), David Bell, told ASM banks used a combination of safeguards to protect customer information such as employee training, privacy policies, security and encryption systems.
Speaking of online banking, he said: “Banks have systems in place to constantly monitor transactions and if a transaction is identified as suspicious, it will be investigated to ensure there is no breach of security.
“Occasionally, this may involve a bank staff member contacting you to verify a transaction.
“Bank customers are protected from loss in genuine fraud cases. Account holders are not liable for losses resulting from unauthorised transactions where it is clear that user has not contributed to the loss.
“There is usually an investigation by the bank to determine how the fraud has occurred.”
Mr Bell said banks were continually seeking security enhancements especially for online banking, such as an on-screen keypad which is designed to prevent the incidence of keystroke logging fraud by removing the need for a keyboard to enter in passwords.
Another involved two-factor authentication, which required two independent authentication steps for a customer to access Internet banking. This included use of a device known as a security token, which looks like a pager but includes security features making it difficult to forge, and tying it in with the bank which issues it.
In a recent report funded by the Australian High Tech Crime Centre within the Australian Federal Police, the Australian Institute of Criminology warned that rapid changes in technology could actually facilitate technology-based crime.
This was happening at a time when there was limited law enforcment capacity to investigate high volumes of high-tech crime, it said.
AIC director, Dr Toni Makkai, said:“The most likely areas in which opportunities for illegality may arise include fraud, identity-related crime, computer viruses and malicious code, theft of information, dissemination of objectionable material online, and risks of organised crime and terrorism.”
Changes in government use of technology to allow the public to conduct transactions securely, including participation in democracy, were also a factor.
The report suggested strategies which could reduce the risk of exposure to high-tech crimes, including industry developing more secure hardware and software and increased sharing of information between public and private sectors.
It also suggested the use of police taskforces to respond to particularly complex technology-enabled crimes and improved sharing of information and intelligence across jurisdictional borders, both within Australia and globally.
As well as the AFP’s Australian High Tech Crime Centre, a large number of other Australian Government agencies employing hundreds of people are at the forefront of the fight against high-tech crime.
They include the Defence Signals Directorate, the new Department of Broadband, Communications and the Digital Economy(formerly the Department of Communications, Informational Technology and the Arts), the Australian Government Information Management Office (AGIMO) and the Australian Communications and Media Authority.
Sitting over all of the agencies is a new whole-of-government interdepartmental committee, the E-Security Policy and Coordination (ESPaC), chaired by the Attorney-General’s Department.
ESPaC consists of all of the agencies mentioned above plus the Department of Prime Minister and Cabinet, the Office of National Assessments and the Department of Defence.
E-Security National Agenda
It was set up following the finalisation of a major update of the Australian Goverment’s E-Security National Agenda last year.
Following the update, E-security for business, home users and government agencies is being upgraded with measures totalling $73.6m over four years to counter rising threats, including more and increasingly sophisticated attacks on Australia’s electronic infrastructure.
Within the Defence Budget, an extra $380m has been earmarked over 10 years to improve the signals intelligence collection capability of the Defence Signals Directorate, with an emphasis on counter-terrorism and tighter security for government communications across all agencies.
The Government has also been examining the development of a business centre to allow IT security information to be shared quickly and effectively between Government and critical infrastructure organisations.
The Australian Federal Police has been allocated $15.6m over four years to augment its ‘technology-enabled’ crime fighting capabilities.
Because of increasing concern about online attacks against it, the Australian Government last year became a member of AusCert, the national Computer Emergency Response Team for Australia.
The Government’s own agency, GovCERT, also issues regular alerts about e-security threats and how to deal with them.
There is also an IT Security Expert Advisory Group and the Computer Network Vulnerability Assessment Program.
ASIO provides threat assessments
The owners and operators of Australia’s critical national ICT infrastructure, most of which is in the hands of the private sector, also receive advice and help through the Trusted Information Sharing Network (TISN). ASIO provides threat assessments and other intelligence information to them and a range of government clients.
The Information Infrastructure Protection Group (IIPG) addresses issues relating to the exploitation and security of the national information infrastructure.
It is probably true to say that with something as big and complex as the ICT industry, some overlap is inevitable, but each of the organisations mentioned handles different aspects of the equation ranging from investigation, law-enforcement and cyber-surveillance to delivery of services and advice to industry and government agencies.
Global internet security corporation, McAfee, in its latest Virtual Criminology Report on current and emerging global cyber security trends, predicts a rise this year in highly resilient viruses like the Storm worm and attacks on new technologies, such as VoIP and social networks.
McAfee spoke of targeted malware aimed specifically at government agencies and contractors.
About the author: Ernie Davitt is the National Affairs Editor for Australian Security Magazine.