Throwback Thursday, Cyber Edition #5
By Phil Reitinger
Law enforcement’s efforts to prevent cybercrime go back farther than many realize. Along with anti-botnet and takedown operations like Coreflood, a number of forward-thinking police and prosecutors saw what was coming and recognized the need to use law enforcement capabilities and authorities as tools to prevent cybercrime, not just to punish or deter it.
On December 10, 1997, the Justice and Interior Ministers of the Group of Eight nations issued a Communiqué on high-tech and organized crime. The Communiqué was and remains a foundational document, describing the issues at the time and forecasting future efforts such as the Budapest Convention, and the creation of the National Infrastructure Protection Center in the United States at the FBI, led by Michael Vatis, just two months later. The Communiqué and its annex address many law enforcement challenges that remain today, including attribution of criminal hackers, international coordination and evidence gathering, and ensuring that appropriate legal penalties exist for criminal activity. But that is not all the Communiqué does.
First, the Ten Principles attached to the Communiqué start with one of the greatest challenges we still face: “There must be no safe havens for those who abuse information technologies.” This may sound like a “law enforcement” principle, and it is, but “no safe havens” is much more. It is a call to action for nations to develop norms regarding online conduct, so that our efforts do not fritter away in ceaseless bickering rather than action. “No safe havens” is, like the later speech of Jacques Chirac, a call for the rule of law online, so that all people and entities are accountable for obeying the same rules, fairly applied. There is a lot of work remaining on this point.
Second, even in 1997, the Ministers recognized that a critical law enforcement responsibility would be prevention of cybercrime. The US Attorney General at the time, Janet Reno, said of the Communiqué: “Finally, we have vowed to work jointly and cooperatively with industry–which plays such a crucial role–to devise new solutions making it easier for us to detect, prevent and punish computer crimes.”
The Ten Principles also noted that legal systems must protect the confidentiality, integrity, and availability of data and systems, and that information and telecommunications systems should be designed to help prevent and detect network abuse. Of course, this language is in part about ensuring there are offenses to investigate and prosecute, and access to evidence for those purposes, but it is about prevention of crime as well.
There can be little doubt that law enforcement plays a critical role in prevention of online crime. Our legal systems describe our norms for behavior, and law enforcement actions deter anti-social activity and reinforce those norms. Law enforcement authorities provide among the best means to gather threat intelligence and determine who is and should be held responsible – attribution. And law enforcement, through its investigations, can learn of previously unknown victims of cybercrime and notify them to prevent further harm and enable remediation. In Britain, it has been a core principle since the establishment of professional police that success is measured in the lack of crime, not in the number of arrests.
Which leads me to the Global Cyber Alliance. I am sometimes asked why two of GCA’s three founders – the District Attorney of New York County, the City of London Police, and the Center for Internet Security – are law enforcement entities. I have been asked why law enforcement cares about prevention of cybercrime.
Because law enforcement has cared about prevention since the dawn of crime. That’s why.