'

Security Q&A: Nigel Phair

As a federal agent and founding member of the Australian High Tech Crime Centre (AHTCC), Nigel Phair has a good sense of the intersection between law and industry and the problems of tracking cybercrime across national borders.

As a federal agent and founding member of the Australian High Tech Crime Centre (AHTCC), Nigel Phair has a good sense of the intersection between law and industry and the problems of tracking cybercrime across national borders.

Nigel Phair

Nigel Phair (Credit: ZDNet Australia)

Phair has spoken often of the need to empower law enforcement and develop legislation to help fight cybercrime, and was instrumental in the development of the now mature online investigations unit within the Australian Federal Police. He now works as a consultant for the Surete Group and is director of the Centre for Internet Safety.

Name: Nigel Phair

Position: Director of the Centre for Internet Safety, consultant for the Surete Group.

Education: Master of Law, Master of Public Policy and a Bachelor of Administrative Leadership.

Career: Spent more than four years in the AHTCC when the unit was only a collective group of agencies, and has worked within the Australian Federal Police (AFP) on organised crime. He has worked with major banks and telecommunications providers as a consultant. He published the book Cybercrime: The Reality of the Threat in 2007. He is also a senior fellow in the Centre for Transnational Crime Prevention at the University of Wollongong and lectures in the Australian Graduate School of Policing.

ZDNet Australia: Why did you enter the information security industry? What do you find most interesting about it?

Nigel Phair: I was asked to by the AFP, and I found it extremely interesting. It was a greenfield industry back in the day and it is still greenfield now. It is a constantly changing environment and there is still so much more to do.

What is the most pressing issue and what can be done to fix it?

The security of end users is the most pressing issue, and how to fix it is an almost impossible answer. There is no silver bullet, we need a range of procedures, policies and systems, but also education and a development of information security culture among end users.

What role does government play in protecting end users?

Governments have a role to play in all parts of our lives and so they do on the internet. The online environment is no different than the real world, so the government should act the same as it does in the real world in terms of enforcement and regulation.

What should be the role of state and federal police in policing online?

Just like you would go to the local police station or consumer affairs agency for real-world problems, so you should in online. You would go to the police if someone put a rock through the front window of your business, same if it has been hacked.

So you draw parallels between online security and most aspects of real-world security?

Absolutely.

Do state and federal police need more resources?

It's tough one that concerns resources. It needs to be weighed against the need to provide for things like education. For instance, if you take the question of resources in the context of beat police, do you need one on every corner? It's a balance.

On ZDNet Australia's Patch Monday podcast, you said data retention could provide evidence beyond reasonable doubt.

You need data retention because investigations aren't always done in real time, often they start afterwards. You need some period of data retention to make evidence available. What that is, and how long to have the data retained, is an interesting question.

Are there parallels in the real world that can be drawn to determine how long to retain data?

Couldn't say. Criminal history is expunged after 10 years, but I don't think we need to retain data for that long. It needs to be enough, balanced against the need to dispose of data.

In general, it seems that online evidence collection is a messy business.

Yes it is, particularly when you look at what form evidence is held in, and who holds it. There are all sorts of privacy issues that apply to it, who should hold it, who should protect it, or have access to it. Also what severity of investigation do you need to get access to a certain type of data, such as an indictable offence, or a summary offence, they are the sort of questions that are difficult to answer at times.

What do you see the role of internet service providers is in online policing? They seem to be in a logical point for interception and data retention, and seem well placed to assist on issues from policing to piracy.

Sure they are, but it's a tough question. I think they should be playing a more prominent role, but they are specially referenced in the EU Convention on Cybercrime as a mere conduit of traffic. Time will tell.

Some people hold a notion that the internet is somehow more free than other forms of communication. What do you think?

No, I do not think it is more free because people still have to be held responsible for what they do online. Take music — 99 per cent of people who download music from the internet wouldn't go to a record store and steal a CD, so what makes them think they could do this online?

I am intrigued about how SSDs (solid state drives) can interfere with write blockers and was pegged as somewhat of a earth-shattering blow to investigations.

I don't think it is earth-shattering at all. Technological advancements come and go, but you need to look at research in the cold light of day and corroborate it against other research. You often see reports claiming doom and gloom, but it comes down to corroborating because you never rely on a sole source for evidence. So if it doesn't work or gets locked out by courts, you have other avenues.

Is there a silver bullet to fix the problems in law enforcement across international borders?

We might not agree with sentencing provision of other jurisdictions but that is their sovereign right to choose. There needs to be a lot more talk and work on the real-time flow of cross-border of evidence, and there needs to be more assistance to the jurisdictions that don't have the resources to conduct their own investigations to make sure they don't become a haven for cyber criminals.

I would expect there would be parallels to real-world crimes in this sense?

Absolutely, so while we talk about signing these cybercrime treaties etcetera, we need to give assistance to these jurisdictions, their police, citizens and internet service providers. It must be concerted and long term.