Octopus Conference
By Vincent HINDERER, Tuesday 10 March 2009 at 13:09 :: General :: #285
This week the Council of Europe hosted its 4th annual Octopus Conference against Cybercrime in Strasbourg.
Nearly 300 experts, government and law enforcement officers from 70 countries gathered to exchange views, advice and good practices to help mitigate the growing threat of cybercrime.
The Council of Europe has been deeply involved in this battle for years. It managed to reach a broad consensus to implement the only international legally-binding text on these issues: the Convention on Cybercrime (also called the Budapest Convention), which was established in 2001 and entered into force in 2004. It has been ratified by 24 countries to date, the latest being Germany.
One of the biggest achievements of this convention is to reduce the legal loopholes that cybercriminals use to escape arrest and prosecution.
The second phase of an ambitious Project on Cybercrime, running until mid-2011, was announced during the Conference.
So far the Council of Europe has received funding from Romania, Microsoft and McAfee, for example. But it noted that more resources will be needed in the near future.
The program of this event was indeed very dense, with nearly 70 distinct presentations. Even though this conference was restricted to public and private individuals working in this field, some of the presentations and a draft summary are available to the public on the Octopus website.
Oktapodi is one example of a friendly, harmless Octopus.
But the Deputy Secretary General of the Council instead compared these smart animals to cybercriminals:
Ladies and Gentlemen, according to marine biologists, the common octopus, or octopus vulgaris, can distinguish the brightness, size, shape, and horizontal or vertical orientation of objects. It is intelligent enough to learn how to unscrew a jar and is known to raid lobster traps. The kind of octopuses that operate in the murky waters of cybercrime are common criminals, so they are both vulgar and vulgaris. They are also intelligent, but they raid more than simply lobster traps. They prey on our children, they attack our communication systems, our vital infrastructure, they represent a threat to our economy, to our security. This is why we need to be smarter and faster than they are. This is why we are here today.
Here are the key points that have been discussed to try to address this situation:
Money laundering
The need to "follow the money" (and the difficulties law enforcement has in doing so) was reassessed, and initiatives in this area were presented (for example in Ireland and South Africa). FATF also encouraged countries to apply its recommendations on the topic. Examples of money laundering issues involving mobile payments, prepaid phone cards, online gaming or virtual worlds were presented.
A new definition of Financial Institutions was promoted, to help reduce the problem of jurisdiction-free online payment systems such as WebMoney.
Reporting cyber crimes
A closed session was dedicated to presenting the process in place for the national G8/Council of Europe Points of Contact cybercrime units.
Cyber crimes are vastly under-reported; the causes of this and solutions to improve it were discussed. Europol mentioned that a platform to report cyber crimes would be opened to the public early next year.
The child pornography issue seems to have reached the broadest consensus, and also has the most advanced initiatives and tools (Child Exploitation Tracking System, i-DASH, INHOPE, etc.).
APWG invited the audience to adopt a universal format to share information on cyber crimes through the XML protocol.
Public Private Partnerships
This topic has indeed been one of the key issues raised, particularly by Microsoft.
It expressed the view that contacts between law enforcement and private companies (particularly in the financial sector and ISP community) should be facilitated. The example of the MAAWG or London Action Plan on the spam issue was provided.
This event is indeed a unique occasion for participants to establish partnerships of all kinds, either person-to-person or in a more "public" fashion (Microsoft and 2CENTRE, AFF Coalition, etc.).
Social Networks
Everybody agreed that social networks introduce new risks and opportunities of exploitation for cybercriminals. Their massive adoption and recurrent lack of security measures in these online communities represent big challenges for the anti-cybercrime community.
VOIP
The (il)legality of VOIP protocols was the subject of a strong stance by a company called Bitek. The presenter advised the audience to enforce regulation at the national telecom authority level to ban P2P protocols (and use their software to do so).
Cloud computing
A workshop discussed the way cloud computing will bring new challenges in the near future. One of the presenters urged law enforcement agencies to use documented cases of such jurisdiction problems to illustrate the need for regulation.
(It is funny to notice that the AV industry tries to fight the threat of cloud computing with more... cloud computing).
Legal issues
A lot of countries expressed their interest in joining the CoE Convention and presented the next steps of their application process.
The ISP industry expressed its difficulty in complying with the various laws related to cyber crimes. Clarification is needed, as conflicts sometimes occur between data retention and privacy rights (particularly with transnational cloud computing).
But disharmonious laws could also hinder the fight against cybercrime. A broad "Internet Regulation" was lobbied for by the Internet Governance Forum and Kaspersky, for example.
The growing collision between cyber crimes and real-life crimes was also mentioned. The examples of debit cards provided by Entropia and linked to accounts from virtual worlds, or the www.liveshot.com ("remote hunting") experiment, show the challenges ahead (for the regulator and the law enforcement agents).
International cooperation
This was the other big topic covered by the conference. Guidelines from the European Commission in 2008 represent the best recommendations to date to establish such partnerships.
The whole audience also agreed that the process of Mutual Legal Assistance agreements needs to be sped up.
Joint Investigation Teams (between French or US and Romanian investigators and prosecutors) are and will continue to be set up.
Personal comments:
I really enjoyed Eugene Kaspersky's presentations. He first warned the audience to distinguish terrorism using the Internet as a means of communication from cyber-attacks conducted by terrorists through online networks (such as utilities). He also predicted that only professional cybercriminals would survive in the mid-term, as a "war" between cybercriminals starts (I was reminded of such "competition" by the recent Tigger/Syzor trojan, which removes 20 other malware families installed on the infected host).
He also expressed the possibility that these criminals could collect massive amounts of money that could enable them to lobby against Internet Regulation.
But for my part, I see territorial sovereignty and national interests as more likely to resist international regulation of the Internet. I thus noted that a few countries expressed fears about interference from foreign states in cybercrime investigations.
Recent example on banking secrecy
The example of the recent crackdown on banking secrecy shows that political and media pressure may be more efficient than legislation in some cases. Indeed the G-20 threatens to set up a blacklist of tax havens in order to push these countries to relax their banking secrecy laws. This list might be set up at the next meeting on April 2nd. Switzerland, Austria, Luxembourg, Liechtenstein, Monaco, etc. have already announced that they will ease international cooperation and transfer of information, for fear of being included on the list.
Don't forget the CERTs!
Finally, I wanted to reassert that the CERT and CSIRT community represents an important "on-the-ground" stakeholder dealing daily with cybercrime incidents. The CSIRT community is a rather solid information exchange hub. As such I regret they had so little involvement in these discussions this time.