PUNTA CANA -The use of surveillance tactics by law enforcement in the performance of precisely targeted criminal investigations is still widely accepted and supported by much of the global public. The water gets murky and support evaporates altogether when allegations emerge that law enforcement is deploying blanket-style surveillance to spy on everything everywhere all the time.

This line of reasoning is widely held on both ends of the spectrum. On the one end, cryptography expert and privacy advocate Bruce Schneier said as much – though certainly not for the first time – in a panel discussion at Kaspersky Lab’s Security Analyst Summit (SAS) yesterday. Way on the other side of the spectrum, General Keith Alexander, the director of the National Security Agency and supervisor of what may be the most thorough surveillance apparatus ever conceived, echoes the same sentiment nearly every time he is asked to speak about his agency’s surveillance efforts.

Troels Oerting is the head of the emerging European Cybercrime Centre (EC3), a joint cybercrime task force under the authority of Europol, and he said essentially this in a briefing at the Kaspersky Lab Security Analyst Summit as well. Where Oerting differs from nearly everyone though, is that he was forthright enough that he is concerned about encryption.

As companies react to surveillance revelations, he said, they are increasingly adopting strong encryption and making it harder for people of his ilk to do honest, well-meaning police work.

Unfortunately, he explained, we live in an increasingly complicated world. Within five years, he went on, there will be some 40 billion devices transmitting various sorts of information about us over the Internet. As the concept of cybercrime as a service has emerged, the barrier for entry into cybercrime has lowered significantly and the ease with which almost anyone can make illicit money online has increased dramatically.

IPv6 is unimaginably massive and will only complicate matters further. The number of things that can connect into this new Internet with unique IP addresses is so vast that Oerting attempted to demonstrate by counting on his fingers the number of times he would need to multiply one billion by one billion in order to arrive at the exponentially dizzying number.

Admitting that the police can’t combat cybercrime alone, he asked the audience who is in charge of the Internet. Attendees called out all the usual suspects: the United States, the National Security Agency, the users. But the reality, Oerting claims, is that the Internet Corporation for Assigned Names and Numbers (ICANN), the non-governmental organization tasked with assigning IP addresses to machines and Web properties, wields the most power.

Behind one domain, he said, you can park tens of thousands of IP addresses. This makes the work of law enforcement incredibly difficult and is among the reasons why law enforcement must rely on cooperation from ICANN to sort out what data belongs to which people.

“I don’t believe we can protect ourselves out of this,” he said. “We need to hunt down the wolves.”

He went on:

“We like to put people in jail, because this is our job.”

The EC3 is a work in progress. It is designed to be a joint cybercrime task force with various national, private, and academic partners in the Internet security and finance sectors. It’s expansion is well under way, but it’s efforts are to prevent, protect, disrupt, and recover against intrusions, financial theft, and child pornography will kick off in earnest sometime in the next two years.

Six countries will allocate resources to the EC3, likely with help from the FBI. The EC3, he said, will create and pursue their own cases and investigations utilizing intelligence gathering and sharing to pro-actively fight cybercrime.

In terms of cybercrime, Oerting suggested that there is no such thing as too much law enforcement. He brushed off the idea that there would be investigational competition between Europol and Interpol, telling the audience that there is more than enough cybercrime for all law enforcement agencies to share.

Oerting’s presentation painted a grim picture of the challenges that law enforcement faces in the cyber space, but he is ultimately optimistic:

“We will get it right,” he said, “and humanity will survive the Internet.”

Categories: Government, Web Security

Comments (4)

  1. John from NL
    1

    Companies can be forced to reveal keys for criminal investigations, unlike private persons, who usually can only be forced to reveal keys in case of a “national security” issue. What is Troel’s real problem?

    Reply
  2. Old Bull Lee
    3

    Law enforcement dumps most cybercrime cleanup on financial institutions. LE is more worried about victimless crimes (gotta seize that drug $) and copyright violations.

    Reply
  3. Anonymous
    4

    The cop says his ilk enjoy putting people in jail, because that’s their job. Funny, I thought it was to protect civilians.

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>