In the past decade, cyber crime has grown from the nuisance
of the cyber-smart hacker into an organised transnational crime committed for
vast profit and often with devastating consequences for its victims. A
sophisticated underground economy provides the IT tools to commit these crimes and
the market for stolen identities and financial information.
In the technological world of cyber crime it can be easy to
forget the human cost of the theft and deception inflicted on innocent people. We
are reminded of the human cost by our constituents who face the emotional
devastation and lasting financial consequences of the crimes perpetrated
against them.
There has been an exponential
growth in the volume of malicious software and the sophistication and
adaptability of cyber crime techniques. In the face of these trends, the
Committee believes the expectation that end users should or can bear the sole responsibility
for their own personal online security is no longer a tenable proposition. We
need to apply the same energy and commitment given to national security and the
protection of critical infrastructure to the cyber crime threats that impact on
society more generally.
A key message throughout this inquiry was that a more
integrated, coordinated and concerted effort is required to combat the cyber
crime that victimises ordinary consumers and private businesses. This requires
a commitment to cooperation, strategic thinking and a cyber space perspective to
overcome the silos of traditional institutions.
The Committee does not accept that the Internet is a kind of
unpoliced ‘wild west’: the Internet is a global communication medium
that is subject to the same laws as the offline environment. It is true that technology
enables criminals to obscure their identity and victimise people in different
countries. It is equally true that technology allows us to trace perpetrators,
to preserve, aggregate and analyse digital evidence, and to coordinate global enforcement
action.
Through a nationally led and coordinated policy, as well as
regulatory and law enforcement effort, Australia can deliver a more effective
and strategic response to this problem. By necessity this has to be a joint
public-private effort, because the architecture of the Internet and the IT
technology are in private hands, while the capacity to negotiate and create
international agreements between nations rests with the State.
The private sector, especially IT manufacturers, Internet
Service Providers and web hosting companies, and the Domain Name Registrars and
Resellers, all bear some corporate social responsibility to promote the
integrity of the Internet. There is also a vast quantity of intelligence data
that can be better shared between the public and private sector.
To this end the Committee has recommended that the interests
and needs of consumers and business generally be elevated in the national Cyber
Security Strategy. Some of the concrete steps that can be taken immediately
include:
These new institutional arrangements should be supported by
a stronger commitment to detect botnets, remediate infected computers and deal
with compromised and fraudulent websites. This will require additional funding
to support the Australian Communications and Media Authority.
The current strategy puts an emphasis on education and
community awareness but seems to lack the coherence or clear benchmarks for
success that might be expected for such an important priority. A clearly
articulated national community education e-security strategy, including broader
public campaigns, will help to promote more e-security awareness among the
general public.
The private sector must also play its part. The Internet
industry has to accept that commercial gains also carry social responsibilities.
IT manufacturers also need to give a higher priority to security through better
product testing, design and the provision of information to support informed
consumer choices.
The reality of modern life is that information and
communications technologies are a part of our everyday existence. The
complexity and global reach of the Internet age can seem overwhelming, but we
should not lessen our commitment to protecting personal privacy or ensuring
that informed consent and choice remain the central principles when transacting
online.
Online businesses and public agencies must observe
Australia’s prohibitions against the over-collection of personal information.
The public also has a right to know if their personal information has been
compromised because of a security breach.
On behalf of the Committee, I wish to thank the agencies, IT
companies, peak bodies and the consumer groups who gave us substantial and well
considered evidence. We also thank the State Governments who recognise this is
an important national and international issue and are seeking ways to cooperate
across jurisdictions to deal with this problem.
Finally, I also wish to thank my Committee colleagues who
participated in this inquiry with enthusiasm for a difficult subject and with a
commitment to bipartisanship. Members regularly hear the stories of their
constituents seeking advice on where to take their complaints or how to protect
themselves in the future. This first-hand experience and the cases we heard about
during the inquiry served to remind us of the importance of tackling this
insidious problem.
The House of Representatives Standing Committee on
Communications shall inquire into and report on the incidence of cybercrime on
consumers:
Term | Definition
.auDA | .au Domain Administration
419 scam | See ‘Advance-fee fraud’
ABA | Australian Banking Association
ABS | Australian Bureau of Statistics
ACC | Australian Crime Commission
ACCAN | Australian Communications Consumers Action Network
ACCC | Australian Competition and Consumer Commission
ACFT | Australian Consumer Fraud Task Force
ACMA | Australian Communications and Media Authority
Advance-fee fraud | A scam in which the victim hands over money in the hope of realising a significantly larger gain
Adware | Software that directs advertisements at users and in some cases gathers personal information
AFP | Australian Federal Police
AGD | Attorney-General’s Department
AHTCC | Australian High Tech Crime Centre
AIC | Australian Institute of Criminology
AIIA | Australian Information Industry Association
AISI | Australian Internet Security Initiative
ALRC | Australian Law Reform Commission
Anti-virus software | Software to prevent, detect and remove malware
APCA | Australian Payments Clearing Association
APWG | Anti-Phishing Working Group
ASCCA | Australian Seniors Computer Clubs Association
ASIC | Australian Securities and Investments Commission
ASIO | Australian Security Intelligence Organisation
ATO | Australian Taxation Office
AusCERT | Australian Computer Emergency Response Team
Backdoor | A hidden access point that permits a computer to be accessed remotely by another computer
Blacklist | A list or register of persons or computers that are denied access to a network or computer system
Bot | A malware-infected computer that can be remotely controlled over a network
Botherder | See ‘Botmaster’
Botmaster | The controller of a botnet
Botnet | A network of bot computers that can be simultaneously controlled from a central point
ccTLD | Country Code Top Level Domain, a domain name denoting where a website is registered (such as ‘.au’)
CERT Australia | Computer Emergency Response Team Australia
Cloud computing | Computing where users access programs, processes and information on demand over the Internet, without those resources being installed on their own computer
CLPC | Cyber Space Law and Policy Centre
CNP fraud | Card Not Present fraud, online credit card fraud committed with stolen card information alone, without the physical credit card
Computer offences | Criminal acts of a technical nature such as hacking, DDoS attacks and malware intrusions
CTN | Consumer Telecommunications Network
Cyber attack | An attempt to undermine or compromise a computer system or the user of such a system
Cyber crime | A range of crime types including computer offences, online banking and credit card fraud, and online scams
Data breach | The unauthorised disclosure, release or loss of secure information to an insecure environment
DBCDE | Department of Broadband, Communications and the Digital Economy
DDoS | Distributed Denial of Service, an attack in which a botnet floods a computer system with traffic, degrading or shutting down the system
DNS | Domain Name System, the system that translates user-friendly web addresses into IP addresses
DNS hijacking | The act of subverting a computer so that it contacts a fake DNS server instead of a legitimate one
DNS spoofing | The act of replacing a genuine IP address in the DNS with a fake IP address
DNSSEC | Domain Name System Security Extensions
Domain | See ‘Domain names’
Domain hijacking | The act of taking control of a domain name by stealing the identity of its owner
Domain owner | The registrant of a particular domain name
Domain registrar | An accredited organisation that manages the registration of particular domain names
Domain reseller | An organisation that on-sells the rights to use particular domain names
Domain names | A hierarchical series of codes that combine to form unique web addresses (see ‘gTLD’ and ‘ccTLD’)
DSD | Defence Signals Directorate
E-security | The protection of computer systems from technical threats
ESPaC | E-Security Policy and Coordination Committee
FBI | US Federal Bureau of Investigation
FCCG | Queensland Police Fraud and Corporate Crime Group
Firewall | A part of a computer system or network that blocks unauthorised access
gTLD | Generic Top Level Domain, a domain name generally denoting the nature of a website’s owner (such as ‘.gov’)
Hacker | A person who illegally accesses, controls or damages other computer systems
Honeypot | A dummy computer, program or email account set up to attract and deflect cyber attacks on a system
HTCOC | High Tech Crime Operations Centre
HTTP | Hypertext Transfer Protocol, the protocol by which computers exchange data with web page hosts
ICANN | Internet Corporation for Assigned Names and Numbers
ICPEN | International Consumer Protection and Enforcement Network
ICT | Information and communications technology
Identity crime | The theft or misuse of another person’s identity
Identity fraud | The illegal assumption of another person’s identity for the purposes of fraud
Identity theft | The theft of personal information
IIA | Internet Industry Association
IP address | Internet Protocol address, a number that identifies a device on a network
ISP | Internet Service Provider, a company that provides access to the Internet
IT | Information technology
ITU | International Telecommunication Union
JBFSIT | Joint Banking and Finance Sector Investigations Team
Keystroke logger | A hidden program that illegally records each key pressed on a computer’s keyboard
LEA | Law enforcement agency
Malware | A generic term for software designed to damage or subvert a system
Money mule | A person who launders money for online criminals via internet banking and wire transfers
NBN | National Broadband Network
Nigerian scams | See ‘Advance-fee fraud’
NSW | New South Wales
NT | Northern Territory
OECD | Organisation for Economic Co-operation and Development
Banking fraud | Fraud committed to illegally remove money from another person’s bank account
Credit card fraud | Fraud committed using stolen credit card information
OPC | Office of the Privacy Commissioner
OVPC | Office of the Victorian Privacy Commissioner
Peer-to-peer | A form of decentralised network in which computers exchange information directly with one another
Phishing | The act of assuming the online identity of a legitimate organisation to trick users into divulging information or to commit fraud
PM&C | Department of the Prime Minister and Cabinet
QPS | Queensland Police Service
Romance scam | A scam in which victims hand over money to fraudulent participants on online dating websites
Rootkit | A set of programs designed to hide malware infections on a computer
SA | South Australia
SME | Small or medium sized enterprise
SOCA | UK Serious Organised Crime Agency
Spam | Unsolicited bulk email messages
Spamtrap | A dummy email address used to attract spam (see ‘Honeypot’)
Spyware | A program that illegally records data such as screen images, stored data and details of internet browsing activity
TISN | Trusted Information Sharing Network for Critical Infrastructure Protection
Toolkit | Off-the-shelf, user-friendly malware packages
Trojan | Malware that appears legitimate but in fact contains hidden malicious functions
UK | United Kingdom
US | United States of America
Virus | Malware contained within a ‘host’ program that spreads by inserting a copy of itself into other programs
WA | Western Australia
Walled garden | Restricted network access used to isolate infected computers from other computers on a network
Whitelist | A list or register of persons or computers permitted access to a network or computer system, to the exclusion of those not on the list
Worm | Self-replicating malware that spreads across a network without a host program
WPISP | OECD Working Party on Information Security and Privacy
Zombie | See ‘Bot’