Legislation to help foreign nations cooperate on fighting cybercrime is misguided and misses the point, according to the Asia-Pacific director of the Global Institute for Cyber Security and Research, Dr Craig Wright.
Speaking at Informa's inaugural Cybercrime Symposium in Sydney today, Wright said that legislation was the worst thing Australia has ever done to fight against crimes committed online.
The key instrument in cooperating with other nations has been widely recognised as the Council of Europe's Convention on Cybercrime. In order to accede to the convention, Australia passed the Cybercrime Legislation Amendment Bill 2011, but Wright criticised the legislation, stating that its provisions were too slow and that it failed to address the lack of open and transparent sharing of vulnerabilities.
While the convention is meant to help other nations by putting in place measures such as data retention, so that local evidence could be provided to foreign nations, Wright said that even if 90 per cent of the world's nations participated, the process was too slow.
"It can be two years before we get information even with this Bill, which means forget it. Two years later, half the time people don't have logs [and] everything is stale."
He said that the legislation also doesn't address the current culture of keeping vulnerabilities quiet, which he didn't believe was stopping criminals from finding vulnerabilities.
"We have a lack of sharing. We like to think that keeping [vulnerabilities] from the bad guys is going to help us ... [that] the bad guys won't have the vulnerabilities, therefore they don't do it. Well, guess what? They have them already."
Furthermore, Wright said that there was a lack of technical consideration in Australia's new legislation and that measures such as carriers being required to hold data could be easily bypassed due to the options available to sophisticated criminals.
"We say 'Oh, we should start monitoring and tracking data and carriers should pay for this'. It sounds great in principle, until you realise that all we need to do is go to an SSL-enabled website and we can't monitor anything that happens."
Wright said that cybercrime should not have been considered separately from traditional crime, since it fundamentally did not matter whether the crime occurred online or not.
"Common law legislation is very wide. When we start putting legislation in place, what we do is block things into: only if it occurs this way or only if it occurs that way. It creates loopholes.
"The worst thing we did was create any cybercrime legislation at all. If we left it at theft, if we left it as fraud, it would have been far simpler because who cares whether a computer's involved. At the end of the day, fraud is fraud, theft is theft."
But while Wright doubted the Bill's effectiveness, he did say that legislation had its place.
"At the moment, here in Australia, sharing between states and federal police is terrible, let alone internationally. We all sit on our own information and won't share it. So as soon as we start thinking about opening all of that up some way, we'll actually be better. If we want legislation, it should be about opening data, not about how we punish people."