Francesca Bosco, UNICRI Programme Officer, United Nations Interregional Crime and Justice Research Institute, talks about hackers, cybercriminals, profile crackers, cyberwarriors, cyberspies and organized criminal groups.
HACKERS AND CYBERCRIMINALS
I set off working many years ago on a project called Hacker Profiling. It was around 2004-2006 and we developed, we tried to apply the technique of profiling to the world of hackers and try to understand the difference between hackers and cyber criminals and on the other hand also to develop some sort of profiles of the cyber criminals. It's interesting because we tried to have clearly a scientific approach so that with anonymous questionnaires involving institutions, private sector companies, law enforcement agencies such, as well as exponents of the independent security researchers community. We developed some profiles where for example we had the script kiddies, we had the cracker, and we had some profiles they were guest, meaning that we didn't have enough scientific knowledge but from the interviews that we were carrying out there were some profiles emerging like for example the cyber spies, the cyber warrior. The fact that there might be more and more involvement from member states in the cyberspace also when it comes to offensive technique. And this is the world that we're facing today meaning that today we have one important aspect is that we have less and less what is called the lone hacker basically but we have more and more involvement of organized criminal groups of two forms: one more I would say purely virtual organized criminal groups: groups that get together and they carry out one or a set of attacks and just maintaining their activity in the virtual world and then we have also groups that are called hybrid groups where we have connections for example with more traditional forms of organized criminal groups and activities. Think for example about drug trafficking, about weapons trafficking, unfortunately human trafficking as well and we have a more and more links. I give a practical example there is a famous case of at the port of Antwerp where a drug trafficking gang was unable to hack the monitoring system of the port of Antwerp and hired hackers in 2015 for carrying out their criminal plan and they were able to tip off a set of containers full of drugs thanks to this. So on one hand for sure the attackers are more and more organized. They are thinking in terms of businesses. They are really organized like businesses with hierarchical structures of with specific roles assigned to a part of this business scheme and therefore we need also to think, when we need to think about fighting and preventing in terms of like criminal organizations. We are facing more and more involvement of actors that are more difficult to identify. I'm thinking about non state actors or on the other hand also state actors and the problem that we see is that in cyber space due to some specific characteristic of the internet and of the new technologies it's very difficult one important thing which is attributions. So it's very difficult to attribute a certain attack to a certain actor or to the source of the attack. Therefore we have a link among the different actors and it's much more difficult to define a clear line. In my view still up organized criminal activity is the most worrisome in this moment.
SECURITY VS PRIVACY
We're seeing an increased interest from member states and also at the international level to understand how to better protect our societies. And clearly the first reaction especially confronted to high escalation in sophistication and also danger of the risk posed by cyber-attacks especially when thinking about critical infrastructure and on the other hand also the risk of emerging threat actors, thinking about for example terrorist groups. The reaction of member states is to increase the level of surveillance that is needed, or the level of technological intrusions that you need for carrying out an investigation can be done safeguarding the privacy of the citizens: absolutely yes. The European Union is going in this direction and has a very clear in mind the importance to find the right balance. The practical example of a right balance is to involve in the discussions related also to national security issues: for example civil society organizations and private sector companies that are producing the technologies, and security experts. This is extremely important as well as human rights experts because we need for the first time in history a more realistic approach also when we deal with national security and this is an important aspect. The second aspect is for example oversight of the agencies that are collecting data and therefore this goes back to the importance of having solid regulations in place at the national state level but also having an umbrella framework when it comes to the European Union to have the concept of data protection and protection of fundamental rights as the main guiding principles. Recently in the first months of 2018 the UN special rapporteur on the right to privacy produced the annual report and he was specifically mentioning the need for member states to carry out the data gathering and to implement the surveillance technique always with respect to privacy and fundamental rights.
INTERNET OF THINGS
100 percent security doesn't exist, and we have to face it. Every system every device is vulnerable. What we can do is to increase the level of security and as mentioned before it is by working on processes, on people, and on technology. One of the biggest challenges we are having nowadays is the world of all interconnected devices, what is called the internet of things, or internet of everything. And we are definitely going more so and so towards the direction of having really everything interconnected even devices that that we've never thought before. I always give the example of objects that we have in our houses so, for example fridges, toasters, that have the ability now to be connected for example through an app with our phone. The problem that we have here is that we have to secure the fridge, the app, the phone, and the connection among the three and therefore we are kind of opening what is called the surface of attack because criminals might be interested in exploiting the different points of the connection and even more so when we have to think about securing our society. Another important aspect is the supply chain aspect. We had in the last years bigger trends of attacking, of worrisome attacks against for example critical infrastructure industrial system. Also a worrying aspect is that the supply chain to arrive or to produce a certain good or a certain service is also made of different steps that might have a different level of security involved and also made of different IOT devices that might have a different level of security integrated into the device. There's another problem--what is called the go to market problem meaning that we are running we're all running to have the best technological advancement of whichever device on the market quick and fast. The problem that we're facing is that to do that unfortunately security is always considered as a last point or as an additional point at the end of the process. We really have to think in terms of security by design. We have started thinking in terms of some privacy by design but another step will be thinking in terms of security by design especially of these objects that will be more and more in our life and that through the connection with these objects clearly our data will reach the wider internet.