PARIS: Nearly a year after Estonia weathered an onslaught of cyberattacks, its name has become a rallying cry for countries pressing to streangthen global cooperation between governments and private Internet service providers to combat computer crime. But some privacy advocates and computer experts remain wary of such efforts.
On Tuesday, the Council of Europe plans to introduce guidelines to aid computer crime investigators, building on a cybercrime treaty that has been signed by 43 nations, including the United States. A controversial proposal would require service providers to give the authorities a list of the types of information that they could offer.
On Wednesday, NATO will present a strategy for countering computer attacks at a meeting for heads of state in Bucharest, with a proposal to create a central cyberdefense authority.
“The attacks on Estonia – directed at services on which Estonian citizens rely – could happen anywhere,” said James Appathurai, a NATO spokesman. “The only way to defend against them is through multinational, multilateral cooperation.”
That kind of military talk concerns privacy advocates and computer experts, who fear that private companies will be pressed into service to police users as part of these strategies.
“One of the great consequences of all of this is that an agenda is created for a society that is under surveillance,” said Peter Sommers, a senior research fellow at the London School of Economics and author of “The Hacker’s Handbook,” written under the pseudonym Hugo Cornwall. “And in the panic, we lose the quality of control.”
Sommers added, “You can talk yourself into the threat of terrorism or cyberterrorism that has no relationship to the actual risk you face.”
At the Bucharest summit meeting, the NATO authorities will seek final approval for a plan to emphasize international cyberdefense training programs, an information alert system and the development of a central authority to coordinate cyberdefense.
The civilian and military authorities in Estonia are rushing to complete a NATO center for digital defense in the capital, Tallinn. The center, in an old military barracks, is designed to be an international academy that brings together experts from Western countries to analyze cyberthreats and develop counterstrategies.
The United States, Germany, Italy and Spain have signaled that they will take part in the center under an accord that is expected to be signed in May. About 50 technicians and scientists will be recruited to work on strategies for detecting and foiling attacks.
“Today it is quite easy to organize these attacks, and these criminals know very well that there are not enough regulations and not enough laws,” said Estonia’s foreign minister, Urmas Paet, who lobbied for an international center in his country and more cooperation. “It’s difficult to investigate and also to punish.”
Estonia is also participating in the Council of Europe’s cybercrime conference, contributing €50,000, or $79,000, to finance cybercrime training programs along with Microsoft, which has donated $560,000.
The Council of Europe, where 47 member nations work to promote human rights, is urging more countries to sign its cybercrime convention. It was the first international treaty to define cybercrimes from child pornography to computer fraud and network security violation.
The council is now trying to raise public and private cooperation with guidelines for investigators to make information requests to a 24-hour emergency contact network of service providers to obtain quick, efficient responses from them.
Margus Kolga, director general of security policy for the Estonian Ministry of Foreign Affairs, said the guidelines were essential because current relations between law enforcement and service providers were based on informal ties.
Kolga said that when Estonia came under attack last spring, most Internet service providers cooperated with local investigators, but there were exceptions, notably from ISPs in Russia, the suspected origin of the cyberattacks. The help of private companies is vital, Kolga said, because “criminals use certain channels to do things.”
“And through cooperation with the ISPs, those channels can be blocked and the information flow can be redirected,” Kolga said. “And then it’s possible to keep things operating.”
They can also help, he noted, in the most difficult part of an investigation by providing information that may identify anonymous hands on a keyboard.
Experts say one of their most difficult tasks remains the determination of whether they are looking for the handiwork of a hacker, a national government, a company or a mix of all three.
The ISPs have not raised major objections to the guidelines, but there are a few controversial proposals that they expect will be eliminated during the council’s conference, said Michael Rotert, a vice president of EuroISPA, a trade organization for the largest Internet providers in Europe.
“These guidelines will give a certain set framework that can be applied without interfering with national laws such as a 24/7 hotline,” Rotert said, adding that the companies opposed direct interference, like Scotland Yard investigators in Britain calling a German company with a demand for information.
Rotert said he expected at least one proposal to be deleted at the conference. “They want the service providers to tell them what data is available,” he said. “That should be the other way around.”
Marco Gerke, who led a working group of 25 computer experts that devised the guidelines over the last six months, said the framework was designed to set up a format of standard, written requests to help overcome the often uneasy relationship between investigators and service providers.
“Cooperation between law enforcement and ISPs is very difficult,” he said. “Law enforcement has a view of what they want to get, but by the book they’re not allowed to get it. So this can lead to conflicts for a service provider that wants to protect the rights of the customers.”
Paet, the foreign minister of Estonia, said he hoped that more countries would support the various international agreements to create “a legal, concrete framework.” But it may not improve matters in the long term with Russia, which, along with nations like Georgia, Turkey and Liechtenstein, has not signed the Council of Europe’s cybercrime treaty.
By Doreen Carvajal
Published: March 30, 2008
Source: International Herald Tribune