In my usual tech news wanderings, I came across news of yet another series of malware incidents discovered to be infecting Android users.
What’s funny is that despite the limited government policies we have on regulation to detect and prosecute the people behind these malware attacks, they just keep happening.
Look, as a self-professed lover of technology, I can appreciate those who study long and hard how to engineer programs and design hardware that make my life easier. I can even appreciate the occasional Anonymous-backed Denial-of-Service attacks on the occasional public excrementory-orifice of a donkey (think about it, it’ll come to you…oh and hey guys, Rush Limbaugh needs your attention…again). But I will NEVER understand those who use their powers for evil. When you can be a hero and seen as a true innovator, you choose to create things that can literally shut down a company (losing money, jobs and overall hurting the economy), this, I cannot grasp.
In reading about the recent malware, it prompted me to dredge up, update and expand an essay I drafted last last year, because it seems as we speed through our technological automation, some form of regulation is needed to protect against would-be cybercriminals; people, who should for all intents and purposes be heralded as technogods, but instead settle for being technojerks.
In April 2011, Sony, the electronics corporation, voluntarily shut down its PlayStation Network after the company reported an “external intrusion” aimed at accessing customer data (Morris, 2011). The shutdown was aimed at isolating the weakness in security and preventing customers from using the service for more than six weeks while it worked to fix those security issues. Sony executive Kazuo Hirai called the attacks a “wake up call,” as he estimated the company’s losses at $173 million (Lee, 2011). The shutdown not only affected the gaming services, but also impeded customers’ ability to use other services connected to the PlayStation Network, to include Netflix and Hulu video services. The latter two companies being so affected, they issued monthly credits to all customer accounts for the denial of service. To add insult to injury, Sony continued to be hacked after all services were restored in June.
One would be hard pressed not to agree with Hirai about this incident being a “wake up call.” In February, the FBI’s Internet Crime Complaint Center (2011) released its annual statistics report, which showed an increase in cybercrime that has “affected millions across the country” (para. 6). Reported incidents ranged from non-delivery of paid merchandise online to hacking and identity theft, all of which increased between 13-14 percent from 2009. Identity theft alone carries more than just the consequences of using a person’s identification to obtain things like credit cards and other financial assets. According to the Virginia Beach government Web site (2011), an identity theft victim is faced with years of recovery in clearing their name of anything ranging from bogus debt to even arrest warrants for non-appearance in court proceedings because a criminal used a victim’s name rather than his or her own.
As our Internet dependency continues to rapidly increase, people must realize what it has meant to have true freedom in cyberspace. We have opened ourselves up to public scrutiny through use of social media Web sites like Facebook; we share ideas, thoughts and expressions; and we are able to truly document and archive the events of our lives. But, because we have made ourselves so readily available online with the world at large, the downside is that where criminals were once easily – if only hypothetically so – identifiable in the real world and could be tracked and apprehended by law enforcement, such is not the case in cyber space. It is because of the anonymous nature of the Internet and its rapidly evolving technology that criminals are able to circumvent the few laws that are in place that punish such criminal activity. It is therefore in our best interests to create a centralized law enforcement agency that integrates both technological experts and publicly appointed figures, and will have a forum to address public concerns in a way that is conducive to privacy, but will also have strict guidelines when tracking cyber criminals.
The Problem: Regulation in a total freedom environment
Time reporter Randy James briefly outlines some of the major milestones of Internet crime in his article “A Brief History of Cyber Crime” that was published on Time’s Web site in June of 2009 as President Obama announced his Cyber Command initiative to protect government information assets. James points out that as long as there has been the Internet, “vandals, troublemakers and criminals have sought to exploit it” (para. 3), essentially saying it’s been a problem since the beginning. James notes the first notable exploits being the alleged manipulation of AT&T’s computerized phone systems in the 1970s that allowed “phone phreaks” to make free long-distance calls. Kevin Mitnick rose to cyberfame in the 1990s when he reportedly caused millions of dollars in damage through wire fraud, phone switchboard hacking (to make free phone calls) and wiretapping into academic and corporate institutions like Motorola, Nokia and Sun Microsystems before being arrested by the FBI in 1995 (James, 2009 para. 3).
In the late 1990s and early 2000s, the “Melissa” virus shut down Internet mail servers with spam mailing, while the “ILOVEYOU” virus caused millions of dollars in damage as it infected users’ computers and overwrote important files with a copy of itself. James attributes the widespread attention to these “expanding cyberthreats” as the starting point for multi-billion dollar anti-virus and anti-worm protection software industries (para. 3). SPAM emailing has also contributed to the rise in cybercrime. In 2009, the Radicati Group, which is a technology marketing research firm, estimated that of the 210 billion emails sent per day in 2008, 70-72 percent were most likely harmful SPAM (Condon, 2007).
There are several laws and agencies currently in place that define the different acts of cybercrime and criminals, track incidents, and prosecute apprehended cyber criminals. Notable are the CAN-SPAM Act of 2003 that regulates SPAM emailing, mostly with regards to direct marketers while simultaneously defining the types of emails that would be considered criminal; and the E-Government Act of 2002 and the Federal Information Security Act of 2002, both of which fall under the Homeland Security Act aimed at protecting government assets and technology. Older laws such as the Communications Assistance for Law Enforcement Act, which mandates that communication technology be developed with the ability to grant access to law enforcement agencies (e.g. “wiretapping”) to monitor alleged criminal activity, also lend themselves overall to the government’s information security posture.
With all these laws and agencies in place, cybercriminal activity is still on the rise and causing major damage as seen with the Sony PlayStation Network shutdown. Retired Vice Admiral Herbert A. Browne (2005), CEO of the Armed Forces Communications and Electronics Association which specializes in advancing professional knowledge and relationships in the fields of communications and information technology, argues that this is the result of a lack of a more centralized means for the government to regulate online activity (para. 6). Opponents of government or other bureaucratic agency regulation argue that the few laws in place are more than enough and anything more would constrain the freedom of cyberspace.
In December 2012, the issue of Internet regulation was front and center as the Federal Communications Commission voted 3-2 for a “net neutrality” rule that would force Internet Service Providers to treat all data as equal, barring them from giving preferential treatment to paying customers in such areas as search engines and online stores (Stelter, 2010). An example would be if a Comcast Internet customer decided to do a Web search of competitive Internet providers like Cox or AT&T and the user’s Comcast-hosted search engines filtered, blocked or made harder to find links to those competitor Web sites. Another example would be if a company paid money to Comcast to ensure that their Web site would be among the first in a search engine query. The firestorm that erupted in the net neutrality issue pitted the government against the general public who claimed Internet freedom was being threatened and that the rule itself “would have the perverse effect of inhibiting capital investment, deterring innovation, raising operating costs, and ultimately increasing consumer prices” (McDowell, 2010, para. 5). This is directly related to the issue of how to combat cybercrime in that proponents for full Internet freedom accused the government of exercising too much control over something that should see little or no government interaction.
In a commentary article for International Relations and Security Network (ISN) entitled “The Shadow of Cyber Regulation” (2011), author Jonas Rey, a former network analyst, notes that government efforts to secure cyberspace could lead to a “fragmentation” of the Internet itself. Rey explains this fragmentation with an example of an Italian citizen who could no longer connect to a North Korean Web site “without having to ‘cross’ political borders” (para. 6). Instead, there would be an “Italian” Internet connected to a “North Korean” Internet, where the Italian user would have to first connect to the Italian net which would then request access to the North Korean server. Rey further explains that this could entail the need for digital “cyber passports” effectively eliminating online anonymity and such concepts already have the support of people like President Obama. Rey also explains that if governments like the U.S. were to enact such policies, they would essentially be mirroring the totalitarian practices of countries like China, which has already isolated itself from the rest of the world in cyber space (Rey, 2011, para. 6).
Proposal: Publicly elected enforcers
With the public demanding full Internet freedom, and the government wanting to secure cyberspace for the use by all, the solution then would be to bring together all actors in the fight for Internet freedom. A government-backed centralized agency consisting of publicly appointed figures as well as representatives from all areas of information technology development should be created under one roof with the same set of laws to monitor online activity and pursue discovered illegal acts. Public figures would be active in the monitoring and tracking process and would publish findings and observations on a public Web site whose goal is to counter the secrecy often associated with the work of government agencies. The public representatives should be people with extensive knowledge in the field of information technology, but also able to communicate changes in the technology and the actions of the agency to a public that is assumed to not have such knowledge. Their term would be relatively short, possibly two years, mostly because the eyes on the system should change as often as the technology does. In terms of jurisdiction, the number of representatives would vary by state population and the number of Internet users as determined by Internet service providers, and the monitoring staffs would be trained in the same way real world police officers are in that they will be subject to extensive background checks and receive publicly scrutinized, constantly updated training on the technology and tactics used by cyber criminals. The thing to remember is the more we live our lives online, the more we need to mirror real world practices in order to protect ourselves.
The next challenge then would be to define and subsequently restrict what and how much monitoring should occur. Clearly, reading personal emails is going too far, but presence on questionable Web sites would send computer-regulated red flags to the agency to determine if the person is pursuing illicit activity. This kind of monitoring already exists under the Patriot Act for individuals suspected of terrorist activity and I am simply proposing that it be opened up to everyone in a way that is not secret, everyone knows monitoring is taking place, but that no action is going to take place if a person just happens to find themselves at a questionable Web site. The other kind of monitoring would be reactive in that if a corporate, governmental or other kind of database or Web site is breached, there will already be people watching the systems, and thus, will be able to immediately respond with tracers and other such technology that will enable them to pinpoint the location from which cyber criminals are operating. Working with local law enforcement rather than for it will prevent the agency from invoking too much power over Internet users and arresting them every time they accidentally find themselves on Web sites known to support criminal activity. By this, if a cyber criminal is identified, the agency will simply notify the jurisdictional law enforcement precinct of the activity taking place and let the precinct take it from there.
The important thing to emphasize is that no one cares what Web site people are visiting, or what they are saying because they have the freedom of expression, but that the monitoring is simply a way to identify people who are breaking the law much in the same way that a cop driving on the road is monitoring drivers for adherence to road laws. The main concern here then is privacy. The first argument against something like this is “I have a right to my privacy.” What some people fail to realize is just as they walk outside the door of their home into the public, they are doing the same thing when they trek the World Wide Web. Thus, they are opening themselves up to public scrutiny. They are given the freedom to choose where they go and what they do all the same. The point is there should be no difference between going outside in the real world, and going outside in the cyber one. We need “information super highway” cops to protect our increasingly online way of life and what I’m proposing is a way that everyone has an opportunity to choose who the regulators can be and connect them with the creators of the technology to lend an expert voice on policies and methods.
The second issue to address would then be the global issue. How do we regulate cyber space without becoming fragmented as Rey suggests would be the result of pure governmental regulation? Rey proposes a simple solution that nations have participated in throughout most of human history, the use of a treaty. The treaty he suggests would create a governing body that “would not be motivated by political interests” (Rey, 2011, para. 8). I would infuse his suggestion with my own by offering that the local agency under my proposal fall under the jurisdiction of the international body, thus, connecting all Internet societies and standardizing their regulatory policies and practices. To visualize this cooperation, one need only to imagine the ocean. When people go to the beach (decide to get online) they swim, buy or rent boats (computers) to traverse the big blue (cyber space). Local waters are governed by the respective country, but as people head further out into the ocean, they leave the jurisdiction of that nation and head into international waters, sometimes even finding themselves along the coasts of other nations. Navigational “rules of the road” dictate that a buoy or marker on one country’s coast is the same as any other, the same goes for signals, horns, flags or any other means of communication. But how did these rules come about? By means of a cooperation of nations through formal and informal agreements, treaties, and other such arrangements that are respected by navigators (well, most of them, Somali pirates notwithstanding).
Cyber space is now just as much a part of our world as the ocean. The navigators of cyber space respect its power. But for those who do not, whether from this country or another, or wish to do harm, what I propose is a means by which everyone can be involved in making sure the Internet remains the useful tool it was always meant to be and not one that hurts us.
The tricky balance between regulation and freedom
Initially, I began this discussion with the mindset that full government control would be necessary to regulate cybercrime. But as it turns out, this was just lazy. Placing the burden on someone else so I would not have to think about it and give up my freedom as the price for the convenience was wrong. There should be an organization that regulates the Internet, but it should be made up of publicly appointed figures, subject matter experts and technical experts, giving them a means of entertaining public opinion so that we can secure ourselves without giving up freedom. The first steps to implementing a proposal like mine would be to outline the responsibilities, requirements, and expectations of the people selected to work for this agency. Once the positions are outlined, public election would subsequently select the individuals in charge, while the lesser positions would be applied for like any other job, with both the taxpaying public and Congress (who is in charge of public money) periodically scrutinizing both the people in the agency and the program itself, making changes as needed.
The fact of the matter is that in the fight to maintain full Internet freedom, the unintended side effect has been the government’s limited means of tracking and apprehending cyber criminals because the government is met with heavy resistance every time it tries to create a law that enables it to try and maintain security. People have been so blinded by their anti-governmental regulation dogma that they fail to see the full price of Internet freedom. We are slaves to anti-virus and theft software companies and still we suffer hacks, malware, and computer meltdowns as the result of a virus that was secretly downloaded by an innocent looking email. Self-regulation does not work as seen by Sony’s expensive shutdown, which was just one of a myriad of cybercrime cases this year, and full government control is something everyone is clearly against. So the best solution would be one that brings the two worlds together in which the people can work with the government to protect both the Internet and their online freedoms.
Browne, H. (2005). Government must step up and lead cyberspace homeland security. Afcea.org. Accessed from http://www.afcea.org/signal/articles/anmviewer.asp?a=620&print=yes
Communications Assistance for Law Enforcement Act, Pub. L. No. 103-414, 108 Stat. 4279, codified at 47 USC 1001-1010. (1994). Accessed from http://www.techlawjournal.com/agencies/calea/47usc1001.htm
Condon, R. (2007). “Get smart to counter hacker attacks.” Computer Weekly 55. Accessed from http://find.galegroup.com.ezproxy.umuc.edu/gtx/infomark.do?&contentSet=IAC-Documents&type=retrieve&tabID=T003&prodId=CDB&docId=A162631004&source=gale&srcprod=CDB&userGroupName=umd_umuc&version=1.0
E-Government Act of 2002, Pub.L. 107-347, 116 Stat. 2899, 44 U.S.C. § 101, H.R. 2458/S. 803 (2002). Accessed from http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/content-detail.html
Federal Information Security Act of 2002, 44 U.S.C. § 3541. (2002). Accessed August 6, 2011, from http://www.law.cornell.edu/uscode/44/3541.html
Internet Crime Complaint Center. (2011). IC3 2010 annual report on crime released. IC3.gov Media. Accessed from http://www.ic3.gov/media/2011/110224.aspx
James, R. (2009). A brief history of cybercrime. Time.com. Accessed from http://www.time.com/time/nation/article/0,8599,1902073,00.html
Lee, A. (2011). Before hacks, Sony laid off employees responsible for security lawsuit. Huffington Post Online. Accessed from http://www.huffingtonpost.com/2011/06/24/sony-hack-layoffs-lawsuit_n_883788.html
McDowell, R. (2010). The FCC’s threat to Internet freedom. Wall Street Journal Online. Accessed from http://online.wsj.com/article/SB10001424052748703395204576023452250748540.html
Morris, C. (2011). Hackers take down Sony’s PlayStation Network. CNBC.com. Accessed from http://www.cnbc.com/id/42750388/Hackers_Take_Down_Sony_s_PlayStation_Network
Rey, J. (2011). The shadow of cyber regulation. ISN Insights. Accessed from http://www.isn.ethz.ch/isn/Current-Affairs/ISN-Insights/Detail?lng=en&id=130385&contextid734=130385&contextid735=130106&tabid=130106&dynrel=4888caa0-b3db-1461-98b9-e20e7b9c13d4,0c54e3b3-1e9c-be1e-2c24-a6a8c7060233
Stelter, B. (2010). F.C.C. Is Set to Regulate Net Access. New York Times Online. Accessed from http://www.nytimes.com/2010/12/21/business/media/21fcc.html?ref=netneutrality
VBgov.com (2011). Consequences of identity theft. City of Virginia Beach Web site. Accessed from http://www.vbgov.com/vgn.aspx?vgnextoid=ce77b4023704c010VgnVCM1000006310640aRCRD&vgnextchannel=537f54cf18ad9010VgnVCM100000870b640aRCRD&vgnextfmt=default