 frameworks
 This page highlights Australian and international online 
                        security and information crime frameworks. It also identifies 
                        key government, business and academic bodies.
 
 It covers -
  introduction 
 [under development]
 
 
  OECD policy frameworks 
 [under development]
 
 
  the CyberCrime Convention 
 In April 2001 the Council of Europe released a draft CyberCrime Convention (C3), aimed at harmonising laws across the 41 Council states and open to other countries such as Australia and Japan. The Convention was signed in Budapest by several EU states, Canada, South Africa and the US in November 2001. Japan has indicated its intention to sign the Convention; Australia is likely to follow.
 
 The Convention has three major features:
  
                         
 1. It includes a list of crimes that each member country must include in its statutes. It requires criminalization of offenses such as hacking, the production, sale or distribution of hacking tools, and child pornography. It also features what in some jurisdictions is an expansion of criminal liability for intellectual property violations (Articles 2-11).

 2. It requires each participating nation to grant new powers of search and seizure to its law enforcement authorities, including the power to require an ISP to preserve a citizen's internet usage records or other data, and the power to monitor a citizen's online activities in real time (Articles 16-22).

 3. It requires law enforcement in every participating country to assist police from other participating countries by cooperating with 'mutual assistance requests' from police in other participating nations 'to the widest extent possible' (Articles 23-35).

 It has been widely criticised as draconian. The TreatyWatch advocacy group, for example, claims that the treaty should be rejected because it lacks meaningful privacy or civil liberties protection, is far too broad, lacks a 'dual criminality' requirement for cooperation with the police of other nations, offers too weak a protection for political activities, threatens to further unbalance intellectual property law, would give police invasive new surveillance powers, contains an overly broad criminalization of hacking tools and was drafted in a closed and secretive manner.

 However it has gained some support from the G8 (ie the 
                        major financial/industrial powers) following advice from 
                        the Subcommittee on High Tech Crime (SCHTC) 
                        and the 1997 Carnegie Group report 
                        on Misuse of International Data Networks, reflected 
                        in the 2000 Ministerial Conference 
                        on Combating Transnational Organised Crime.
 
 G8 ministers issued the usual resounding statements: "the ability to locate and identify Internet criminals through different systems is critical to deterring, investigating, and prosecuting crime that has an electronic component," recommending that "faster or novel solutions should be developed and that government and industry must work together to achieve them."
 
 Participants agreed to the following elements for any solution: ensuring the protection of individual freedoms and private life; preserving governments' ability to fight high tech crime; facilitating appropriate training for all involved; defining a clear and transparent framework for addressing cybercriminality; ensuring free and fair activities and the sound development of industry; supporting effective industry-initiated voluntary codes of conduct and standards; and assessing effectiveness and consequences.
 
 A side Protocol to the Convention, covering online Hate 
                        sites and vilification, is being developed.
 
 
  the Australian regime 
 [under development]
 
 
  global agencies 
 [under development]
 
 
  Australian and New Zealand government bodies 
 Within Australia numerous bodies grapple with technology, 
                        commercial and government policy issues. Among those worthy 
                        of notice are the AIC, GPKA, ISRC and CLC. The web has 
                        been a marvellous opportunity for federal and state/territory 
                        bureaucrats to issue papers, develop guidelines and otherwise 
                        roll digital logs.
 
 The Government Public Key Authority (GPKA) 
                        deals with government aspects of PKA. The Commonwealth's 
                        Project 
                        Gatekeeper, with the same name as the very bad computer 
                        in a recent Hollywood dot com exploitation flick, 
                        resulted from the 1998 National Authentication Authority 
                        Discussion Paper 
                        and the  Strategy for an Australian National Electronic 
                        Authentication Framework, the detailed report 
                        by the National Public Key Infrastructure Working Party.
 
 The Commonwealth Department of Communications, Information 
                        Technology & the Arts (DCITA) 
                        - which embraces the National Office for the Information 
                        Economy (NOIE) 
                        - concerns itself with 'policy' questions, leaving much 
                        of the legislation and the mundane enforcement (bureaucrats 
                        are nothing if not conscious of status) to the Attorney-General's 
                        (A-G's) 
                        Department and specialist bodies such as the Australian 
                        Broadcasting Authority (ABA) 
                        and Australian Federal Police.
 
 The latter, understandably, have a strong ethos of digital 
                        'stranger danger' - give us more money, more cars, more 
                        computers to catch the villains (tho their success hitherto 
                        is uncertain, to say the least).
 
 The Department of Industry, Science & Resources (DISR), 
                        a wet patch in a dry climate, somewhat ineffectively spruiks 
                        the local encryption hardware/software industry.
 
 The 
                        Australian Taxation Office (ATO), 
                        the Privacy 
                        Commissioner and Australian Customs Service (ACS) 
                        are among other significant government agencies squabbling 
                        over bits of the digital pie.  Comments on their 
                        role and operation appear in the Taxation 
                        and Privacy 
                        guides on this site.
 
 Australia’s National Electronic Authentication Council 
                        (NEAC) 
                        has released two reports - Legal liability and e-transactions 
                        and E-commerce security - that include recommendations 
                        for developing B2B ecommerce.
 
 
  other governments 
 In the US the events of 11 September 2001 spawned a range 
                        of new security bodies, complicating an already complicated 
                        map. A starting point is the National Infrastructure Protection 
                        Center (NIPC) 
                        and its Critical Infrastructure Assurance Office (CIAO), 
                        established 
                        in 1998 but apparently to be superseded by the Homeland 
                        Security Office. In October 2001 NIPC released a view 
                        (PDF) 
                        of threats to the national information infrastructure 
                        from 'hacktivism'.
 
 In early 2000 the cybercrime 
                        unit in the US Department of Justice released a useful 
                        report 
                        on The Electronic Frontier: The Challenge of Unlawful 
                        Conduct Involving the Use of the Internet.
 
 Like its 1997 report 
                        on The Availability of Bombmaking Information, 
                        the  Frontier document provides a perspective on 
                        online v offline behaviour and enforcement. The Justice 
                        Department has also released a report 
                        on Cyberstalking: A New Challenge for Law Enforcement 
                        and Industry.
 
 In the UK the Internet Crime Forum (ICF) 
                        serves as a bridge between ISP industry and law enforcement 
                        agencies.
 
 
  industry 
 [under development]
 
 The Australian IT&T 
                        Security Forum is an industry body that brings together 
                        major suppliers of information technology & telecommunications 
                        security products and applications.
 
 
  academic and professional bodies 
 The Information Security Research Centre (ISRC) 
                        at Queensland University of Technology conducts research 
                        into cryptology, smart cards and other fields. It also 
                        provides training courses for government and business.
 
 The Australian Institute of Criminology (AIC) has 
                        sponsored a number of conferences on internet crime and 
                        security.
 
 The Communications Law Centre (CLC), 
                        as the name suggests, is concerned with the Internet and 
                        other communications law. It's a non-government body affiliated 
                        with the University of NSW.
 
 Infowar 
                        has a discussion forum and media service about infowar 
                        and security concerns, albeit with little critical evaluation.
 
 The Institute for the Advanced Study of Information Warfare 
                        (IASIW) 
                        includes an exhaustive online bibliography. The Electronic 
                        Privacy Information Center offers a smaller collection 
                        of Critical Infrastructure Protection  
                        Resources.
 
 The Federation of American Scientists has an excellent 
                        collection 
                        of links on infowar, security and hacking.
 
 US information warfare analyst Dorothy Denning's 
                        site at Georgetown Uni has a large collection of papers 
                        and links.
 
 The Forum on Risks to the Public in Computers & 
                        Related Systems (RISKS), 
                        under the auspices of the Association for Computing Machinery 
                        (ACM), has a wealth of information about dangers.
 
 
  standards 
 The OECD's 1992 Guidelines For The Security of Information Systems (GSIS) are aimed at raising awareness and underpinning a policy framework.
 
 In Australia the guidelines have been reflected in Australian/New 
                        Zealand Standard AS/NZS 4444.1:1999 on Code of Practice 
                        For Security Management and AS/NZS 4444.2:2000 on 
                        Specifications For Security Management Systems issued 
                        by Standards Australia (SA).
 
 The Australian Communications Electronic Security Instructions 
                        33 (ACSI33) 
                        issued by the spooks at the Defence Signals Directorate 
                        (DSD) 
                        is aimed at the federal bureaucracy but is of general 
                        interest.
 
 
 
 
 