I recently had the pleasure of talking with Raoul Chiesa, OPST, OPSA, and ISECOM Trainer, about international perspectives on cybersecurity issues.
Mr. Chiesa is a Senior Advisor on Strategic Alliances & Cybercrime Issues at the Global Crimes Unit for the United Nations Interregional Crime & Justice Research Institute, a Member of the Permanent Stakeholders Group at the European Network & Information Security Agency, and is also the founder of @Mediaservice.net, a security advisory company.
"The very first time I heard about the InfoSec Island Network, I said to myself: Geez, another blog or whatever on Information Security...more sponsors, gadgets, etc..." Chiesa quipped.
"Then I began to read your articles regularly, and have since become a big fan of what The Island is accomplishing. I'm really proud to have this chance to tell your audience about my opinions, and about my work with UNICRI."
We are equally proud to have this opportunity to share Mr. Chiesa's vast experience and expertise with the InfoSec Island community.
Q: When did UNICRI begin to address international cyber security issues?
A: Anthony, first of all I must state the usual disclaimer that, in this specific case, applies both to the UN and to ENISA. The opinions represented here are my personal ones and do not represent nor reflect in any case the United Nations, UNICRI's and/or ENISA's and European Commission's views on these topics.
The United Nations Interregional Crime & Justice Research Institute began to address cybercrime-related issues around 2005. At that time I was hired as a teacher at UNICRI's International Law Master on Emerging Crimes, and that was the very first time that somebody was training UN students on "hackers and computer crimes".
I would also like to underline how the "hacker" term to me is a positive one, and that it has been really interesting to dig into the hacking world and the IT underground over these years, focusing on those real criminal actions and organized crime, which is moving towards the hacking scene.
While training at UNICRI I met Dr. Stefania Ducci, a criminologist with a Ph.D., who taught me criminology while I was showing her the world I used to belong to, the hackers' world.
HPP is the biggest research project ever conducted on "hackers", with the intent to get a real snapshot of this exciting and dynamic underground that is often linked to InfoSec players good and bad, to State-sponsored attacks and industrial espionage, as well as international money laundering and the so-called "Underground Economy". That's how we got to the 9 "hacker profiles".
Q: Is the UNICRI focused more on cyber criminals or state-sponsored actions?
A: UNICRI is not focused on a specific issue. I would say that we are interested in any kind of new criminal activity that impacts on our Member States (MS), meaning 192 countries all around the world. The Institute was created to serve and to assist the MS, and its mission is "Advancing Security, Serving Justice, Building Peace."
Obviously we are observing the most recent incidents (2007-today) related to State-sponsored attacks, as well as the evolution of some hacker profiles and the rising links with organized crime.
The Unit in which I am involved (GCU - Global Crimes Unit) is composed of security researchers and advisors, criminologists, sociologists and those with a law-related background. What is so great is that we are all working against cybercrime by using our backgrounds and experiences in order to deliver unique solutions to the problems.
Working every day with wonderful people such as Mrs. Francesca Bosco, Fani Farmaki, Marco Musumeci, Dr. Angela Patrignani and Mr. Ioan Landry gives me the drive I need to continue on the topic even when life's day-to-day issues regularly pop up, like budget limitations or ideas that can't be deployed immediately.
The Institute is project-based, meaning that we can carry on a project only when there is an (externally supplied) budget for it. That's also why HPP states a "0-budget" level: we have been working on it for free, pro bono, for the last five years, (ab)using our Friday evenings and the time over the weekend... Of course, it's something you do when you believe in the goals set forth by the project...
Q: Can international law really keep pace with the dynamic nature of the threats?
A: In my humble and personal opinion the answer to this question is no, laws are not enough. This realization also emerged from our HPP surveys, questioning more than 1200 hackers from all around the world. The specific question in this case was "do you have the perception of the illegality of your actions?", to which the answer was YES.
But pay attention, this is just the beginning... When the question was "Is there a deterrence effect driven by the laws (against hacking and cybercrime), convictions suffered by other hackers (friends of yours) or convictions suffered by yourself?", the answer was NO.
The reply was "I don't care" rather than "they will never bust me" or "I'm smarter than you" (which reminds me of someone who used to say "My Kung-Fu is better than yours"...).
Also relevant is the effect of "technical difficulties" (Firewalls, IDS/IPS, "cool" Operating Systems, etc.), which would stop just a few categories of attackers, such as the youngest and inexperienced (Wannabes, Script Kiddies, Crackers sometimes), while not posing an obstacle to many other profiles.
Q: Does a sovereign nation's right to defend the integrity of its borders extend to cyber space?
A: My answer to this question is a personal one, which does not necessarily reflect those of UNICRI. This is an essential debate that only jurisdictions and policy makers will be able to define correctly.
You know, whenever we are talking about a sovereign nation's right to defend a State, somewhere another State will feel threatened. Let's take as an example the so-called "extraordinary retention" from the US Government. Is this the right to defend the USA - and the entire world, allies and not - from a global threat?
In my personal opinion the answer is yes, it is correct to try everything in order to defend a State and its citizens. But, at the same time, when these actions are done in order to defend a State they may impact another State, which would define them as "illegal actions". So, who's got the answer, which one is on the "right" side? I really don't have a final answer.
Also, we should pay a lot of attention when talking about defending from attacks in the "cyberspace". Let's take as an example the famous incidents from Estonia and Georgia, or obviously the latest Chinese cases:
How can a Government be 100% sure that "the people" sitting in front of those monitors and keyboards were from Russia or China? How can an Emergency Response Team - or a Governmental, or Military Red Team - exclude the scenario that somebody hacked into a box in - let's say State ABC - then jumped back on State XYZ?
What I mean is that these kinds of scenarios may reflect and impact on diplomatic incidents among Governments, and we can't simply rely on log files. We should instead analyze the tools used, the attack MO (Modus Operandi), and we should definitely run deep forensic analysis...
Q: Does the UNICRI notion of cyber defense include options for a vigorous cyber offense?
A: We are neither a State nor a Government, so we simply do not follow any one Government's strategies on cyberwar. What we are certainly doing here at our HQ is analyzing everything that has gone public, as well as facilitating information sharing among the Member States.
In order to accomplish this mission, we often work and co-operate with entities such as APWG (Anti-Phishing Working Group), GCSC (Global Center Securing Cyberspace), CLUSIT (Italian Information Security Association), OWASP, ISECOM, Team Cymru, as well as LEAs such as Interpol and Europol, private security companies and, of course, worldwide CERTs and PSIRTs.
Q: What about counterattacks against non-aggressing third party nations, whose systems are involved in attacks, should they be fair targets?
A: As I commented above, in my personal opinion this would represent a huge mistake. Counter-attacking let's say Italy, just because some Italian companies are a part of a botnet, to me isn't the correct answer... and it's illegal, at least under Italian legislation.
Surely, botnets must be eradicated, there's no doubt about this, and international co-operation (LEAs, CERTs/PSIRTs, ISPs, Associations, private and public companies) is the real answer.
As far as I know, there's something similar going on these days, and we will be able to see within a few months if that may well represent a real, final answer. No doubt, these actions must be authorized by the law and Governments, otherwise the "counter-attack" would just make me feel like one of the bad guys by doing something illegal, unjustified, that breaks the law somewhere, in State A and/or in State B, and along all those States (meaning, different laws) across those two entities.
Q: Should business entities have similar options available when responding to foreign based cyber attacks?
A: My personal thoughts lead to "no", definitely not... Business entities should rely on National Bodies, Institutions and Intelligence Agencies, which should be available to protect and defend the Nation's "know-how" and Intellectual Property (IP), especially when talking about industries.
Whenever a private company engages in information warfare, troubles are on the way. Take as an example the very well known "Telecom Italia/SISMI" affair, as well as the Vodafone Greece scandal. Private companies should not engage in these kinds of activities, since it would just be like a dictator setting up his own private army.
The power of a State lies in its own history, its citizens, its productivity, creativity and design, as well as its capability of creating quality goods. We are living in a globalized world. You know, it always comes down to money. When I'm among fellow geeks, we often muse that the world might be a better place without it...
The real problem with cybercrime and attacks related to IP is so simple: they are not stealing anything, they are copying the information. And, as we all know by now, "Information is Power".
Q: What about those nations who may purport to be in compliance with international agreements yet harbor and tolerate criminal networks?
A: Those nations are responsible for the failure to mitigate cybercrime-related issues, economic loss and troubles to private citizens and private companies, as well as fueling organized crime.
From a 100% personal point of view, I just cannot understand why LE agencies do not fix this - when the crime we're talking about is not committed in their own country - while on the other side they often do cooperate whenever the same crime is running in their own country. It seems weird to me, to say the least!
Q: What role should governments play in the mitigation of cyber crime?
A: Governments definitely should play a key role. On the other hand, Governments from all over the world should really cooperate much more closely with experts and associations such as ICANN, APWG and CERTs.
They are the people that fight cybercrime every single day, and IMHO, a radical synergy should be built among all of these players, including the infosec-related companies (AV, security vendors, security consulting companies and the big players).
Q: What role should business and the free market play in mitigation efforts?
A: Simple: they should deal with one another more often. I really don't see the benefit of each AV vendor running its own "labs", and each vendor giving out a different name to the botnet of the day or to the latest Trojan "from April 2010"...it's stupid.
Yes I know, that's "the business", the competition and the free market...but just try to imagine how much stronger and faster a joint-analysis and conclusion performed by all the key market players would be.
This is something AV companies are trying to understand, asking the end-user to send a new pattern to their HQ. Nevertheless, this isn't done in a centralized way, meaning that each AV company runs its own process. And, as usual, the bad guys are faster than we are.
Q: Between government regulatory efforts and free market innovation, which do you feel should take the lead and which the supporting role?
A: Given thousands of years' worth of lessons, here we are talking about democracy. And democracy states that Governments should be the leaders in fighting every type of crime, while market innovation (private companies rather than open-source philosophy: that's the same to me, even if obviously I am on the free market and open-source solutions side) should play a supporting role.
Q: What is the single biggest threat to cyber security today?
A: The people. That is, the end-users, and the lack of information sharing among countries, as well as the bureaucracy, lack of knowledge, skills and resources in emerging economies.