Australian Federal Police (AFP) assistant commissioner Neil Gaughan has had investigation after investigation met with frustration, and now, he says, it's time to go on the offensive.
Speaking at the Association and Communications Events Cyber Security Summit 2012 in Sydney this morning, Gaughan said that the AFP won't be able to prosecute its way out of the cybersecurity problem. He expressed his frustrations with the traditional mode of catching criminals.
"We live in a world where the global nature of technology enables criminals to exploit a truly transnational environment. High-tech crime offences have been evolving against a relatively static legal framework and, although work is at hand to address the current legal framework we're operating in, I strongly argue that reform in this area is way too slow," he said.
Even cases that would be simple to remediate locally if they had taken place offline are taking years, due to cross-jurisdictional restraints.
"We've been investigating a cyber intrusion into a small to medium enterprise [and] it's taken us three years. We're still a fair way away from resolution, based primarily on the fact that the offenders are located in another jurisdiction, and for us to exchange information is a slow and dangerous process."
Gaughan said that the AFP is having some success in its investigations, but that there needs to be a fundamental shift in how law enforcement deals with cybercrime.
"Disruption needs to be more of a focus. We still need to investigate and lock the odd person up, but I think most ... would rather a process whereby law enforcement came in, obtained the relevant intelligence, took down overtly or otherwise the offending server to enterprise and then moved on."
Gaughan pointed to Microsoft's high-profile actions against the owners of various botnets as an example of the disruptive course of action that the AFP needs to learn from.
"I'm not saying that law enforcement want to go down the aggressive path that Microsoft did, but I think there's some lessons to be learned there about how they did that particular activity."
One area that Gaughan touched on was the debate over whether organisations should take matters into their own hands, and strike back if the attacker is known.
"The chances of you being prosecuted in eastern Europe for taking [offensive actions] are pretty negligible, but I'd be seeking some legal advice before I hit send. There's some argument that the only type of defence is offence, so you've got to strike early, perhaps."
One of the most useful actions that the government can take to help the AFP would be to provide access to information via a data-retention scheme in order to build investigations, as is currently being proposed. Gaughan said that without it, the AFP's ability to track online criminals is severely hampered. He also said that the debate on the matter has been skewed.
"Without data-retention laws, law enforcement cannot work out criminal associations. My team won't have a starting point about who downloaded child [abuse material] and the NSW Police won't know who the last contact of a person who ended up in George Street was, because the telcos won't be required to keep that information.
"There'll be an inability for police, in some circumstances, to respond to life-threatening situations and certainly very limited opportunity to conduct organised crime investigations. If we can't obtain the relevant information to assist us in our investigations, we can't even move down the disruption phase. That's why in my view, data retention is a must."
Gaughan also clarified that the proposed laws would cover "metadata" only; the "records of a telephone call, or internet protocol information ... totally separate to the contents of the communication".
Under the proposed scheme, Gaughan said that law enforcement would have a better idea of "who called who, when and on what number [and] who was using that particular IP address when it downloaded known child-abuse material ... or used a [specific] Facebook account to bring the child for sex or promote terrorist activity".
AAPT and Anonymous
Gaughan also took time out to address Anonymous' recent attacks on Melbourne IT and AAPT, which both occurred in response to the proposed data-retention laws. He stated that there are numerous ways of getting a point across without breaking the law.
"You can post on blogs, you can actually comment on news sites and you can also actually follow normal processes: put a submission into a parliamentary enquiry or something like that, if you feel so hard about a particular activity," he said.
Gaughan also addressed claims by Anonymous that their access to AAPT's data is the same as law enforcement having the data.
"Law enforcement has significant governance around what we do with people's information. We are governed by the [Australian] Privacy Principles. The question I ask is who governs Anonymous? What are they doing with the information that they have stolen from Melbourne IT?"
He also pointed out that the theft of AAPT's data had little to do with the proposed data-retention scheme.
"AAPT, regardless of whether there's data-retention laws or not, will still need to keep that data, because they still need to bill their clients."