Saturday, May 16, 2009

Organized Cybercrime Response or Vigilante mobs?

I was flying back from the OWASP 2009 Europe conference in Krakow yesterday and with 17 hours of travel I had several moments to think on different topics.

One of the topics I was doing some in-depth thinking about followed on from several questions that were raised after my talk "Factoring malware and organized crime in to Web application security".

Over the last couple of years we've seen some fairly serious responses by industry and interested others in building support mechanisms focused on tackling organized cybercrime. Some of these movements have been focused on a very specific threat - such as the Conficker Working Group - while others have been more generic grass-roots responses such as McAfee's Cybercrime Response Unit.

There are a couple of problems though:
  1. Judging illegal behaviors/activities based upon your own country's legal system.
  2. When does a movement of concerned entities become a vigilante mob?

International Law & Values
Now I'm certainly no international lawyer and would never admit to being one, but as a person who has lived/worked/emigrated to multiple countries around the world and spent multiple years in each country getting familiar with their cultures, legal systems, taxes and social ethics, what I can say is that no two countries are particularly alike - even the ones you think would be.

Sure, there are a lot of overlaps at various levels, but the combination of subtle differences results in quite a marked difference in world outlook.

Granted, as far as it comes to things such as hacking tools, most people have a basic understanding that a tool in one country may be classified differently in another - e.g. writing and distributing a hacking tool is legal, while actually using it against an unauthorised host is illegal.

I think most people understand the concept and probably think of it a bit like "there are countries that allow citizens to carry automatic handguns, then there are countries that only allow semi-automatic handguns, then there are countries that limit the number of bullets allowed in a handgun, and then there are countries that don't allow hand-guns at all" - which country has which particular law is probably unknown to the vast majority of people - but they understand the concept.

Unfortunately, what most people fail to grasp are the ethics and social norms that surround or dictate that particular law and, in my opinion, that's the element you really need to understand when looking at responses to the anti-cybercrime movement.

When I see and hear about these anti-cybercrime organizations and their "call to arms" in combating the threat, it worries me that they are basing their response (and anger) upon their own legal framework and country's ethics (as much as the statement "country ethics" makes sense). The laws most western countries would like to see that could aid the fight against cybercrime within or against their own country need to be driven in a different manner if they are to be supported and enacted within other countries - and to do that you really need to understand the local country's culture and ethics - because failure to do so merely results in misdirected hot air.

Vigilante Mobs
The discussion of country-specific ethics and culture leads me to also consider the question "when does a coordinated response become a vigilante mob?"

I have several concerns with the way some anti-cybercrime groups have appeared over recent years and approach their topic with single-minded intensity. It's the kind of drive I'd classify as being in the realm of religious fervor - with all the negative connotations that entails.

By all means, work with and support your local (i.e. country) law enforcement teams in combating the threat against your organization or customers. But if you're thinking of taking the law into your own hands and targeting (what you'd label as) cybercrime being operated in other countries - then you'd best think long and hard about the fact that the laws and ethics you're operating under are most likely not the same as those you're targeting - as you become part of a vigilante response to a threat.

Which, in my mind, draws further parallels to the religious troubles around the world. Only now perhaps we're looking at fanatic factions of an online anti-cybercrime religion.
