EC3 Head Paints Bleak Cybercrime Picture


Troels Oerting, head of Europol’s EC3, explains the extreme difficulties law enforcement faces when investigating and prosecuting cybercrime at Georgetown Law’s Cybercrime 2020.

WASHINGTON D.C. – Everyone has the right to privacy, said Troels Oerting, head of the Europol’s European Cybercrime Center (EC3), at Georgetown Law’s Cybercrime2020 conference yesterday. However, he went on, if you break your contract with society, that right can be taken away.

Oerting noted that in the physical world, it is well established that a person’s right to privacy can be removed if that person is suspected of a crime. This, he said, needs to apply in the online world as well. This need is complicated now that law enforcement has lost the battle against encryption, he said, because it is far easier and cheaper to encrypt than it is to decrypt.

U.S. law enforcement has been making a similar, albeit more desperate case against encryption in recent months, claiming – quite dramatically – that encryption could lead us to dark places. Oerting certainly acknowledges the difficulties law enforcement faces when it comes to dealing with encrypted communications, but his is a more pragmatic approach, painting a far broader and pitiable picture of the investigative struggle against cybercrime.

Only four percent of the Web is indexed by search engines, Oerting explained. The Deep Web, on the other hand, accounts for 96 percent of the Internet. This, of course, is where much of the crime takes place. Beneath the Deep Web is that Dark Net, which is inaccessible to law enforcement, he said.

It’s not just traditional cybercrime by computers on computers, Oerting said. Perhaps more troubling is cyber-facilitated crime that takes place in the real world but is enabled by the Internet.

In one example, Oerting explained that a Colombian drug cartel imports its cocaine into Antwerp Harbor in Belgium, which is Europe’s third busiest port. In one known case, the cartel hacked the computer systems at the port to ensure that their cocaine-filled shipping container didn’t get randomly screened by customs and also to unload the container near the port exit so that it would be among the first removed from Antwerp Harbor.

That example in on the macro-scale. For the individual, you can merely log into Tor, surf to a criminal marketplace and anonymously buy drugs or guns. The buyer and seller pay a fee to the manger of the platform, and the mailman – or perhaps a drone in the not-too-distant future – delivers whatever you paid for. While Oerting recognizes the universal right to privacy, he says there is no link between privacy and anonymity.

Problematically, the real gangsters aren’t doing the hacking themselves. Sophisticated cybercriminal organizations develop hacking tools like legitimate companies in the software as a service industry. They then license them either to low-level criminals or to more organized real-world criminal groups. Oerting believes there are a small number of coders with the requisite talent to build the tools deployed in the cyber-world, and he believes that law enforcement agencies can track those coders down, arrest them and make a huge difference.

However, these criminal use “bullet-proof” cloud hosting services located in countries that are uncooperative or at best simply incapable.

We live in a global environment. We are all victims and the U.S. can not fix this problem alone.

Governments are certainly exacerbating the problem. They perform three hacking functions: steal intellectual property; conduct espionage; and they learn how to attack power grids so they can switch off lights in the case of war before they send their troops in on the ground. It’s one year on average before government hacking tools become criminal hacking tools. The silver lining here is law enforcement watches government cyberattacks and are more prepared when the criminals adopt nation-state hacking methods, Oerting said.

Government-on-government hacking is inevitable. However, the international community must create a division between fighting cybercrime globally and fighting nation-state hacking, he said. In the physical world there is proximity between criminal and crime scene, jurisdiction clarity and adequate resource allocation of police depending on crime level where they are located. Online there is no geographic proximity between criminal and crime and no clear jurisdiction.

Anyone can be a criminal online. In the real world, crime is personal; online there is a psychological mindset that makes it seem like you are stealing something from nothing. Much in the way that people lose their humanity in the comments section, Oerting said that people commit crimes online they would never commit in the real world.

“How do we as humans change as we go online?” Outing asked. “We must do more research about this.”

Offline, he went on, it’s one crime at a time. Online one criminal can attack one million computers in 20 seconds as they sleep.

“Prosecuting is based on a 100-year-old system of crime and was probably very good at catching chicken thieves.”

Oerting says the EC3 has created a joint cybercrime action task force that he describes as version 2.0 of international police cooperating. They are more aggressively working with companies (full disclosure: Kaspersky Lab, the sponsor of Threatpost, is one of those companies).

However, Oerting is the first to admit there is a long way to go. We need to create standards abroad so we can effectively fight cybercrime in its natural, global environment, he says. Security has to be built in by design and consumers have the right to know what is inside an application, much in the way consumers has the right to know what is inside the food they eat.

“We must hunt down the wolf,” Oerting said. “We live in a global environment. We are all victims and the U.S. can not fix this problem alone.”

Scrambling to DEFCON 8 every time something bad happens is not the answer. Maintaining the sustained ability to fight cybercrime is.

If we don’t fight for Internet security now, Oerting warned, then it will end up being protected only by the digital equivalent of Blackwater, available only to the rich.

“We have a combine task here.

*Image from Security & Defence Agenda flickr photo stream licensed under creative commons.

Suggested articles

jokers stash takedown

Joker’s Stash Carding Site Taken Down

The underground payment-card data broker saw its blockchain DNS sites taken offline after an apparent law-enforcement effort – and now Tor sites are down.