Document retrieved from a search engine cache. Original document address: http://iisi.msu.ru/UserFiles/File/bayern2009/malisevic.doc



Combating terrorist use of the Internet / Comprehensively Enhancing Cyber
security - The OSCE experience

Remarks by Nemanja Malisevic
Asst. Programme Officer / CTN Co-ordinator,
OSCE Action against Terrorism Unit

Introduction

On behalf of the OSCE Action against Terrorism Unit (ATU), it is a pleasure
and an honour to address an audience as distinguished as this and I would
like to thank the organisers for bringing me here to talk about the OSCE
experience in combating terrorist use of the Internet and enhancing cyber
security.

I will begin by highlighting the OSCE's comprehensive approach to security
and how it applies to the organization's counter-terrorism activities. Then
I will speak about terrorist use of the Internet and explain the OSCE
mandate for combating this threat. I will briefly cover our past activities
in this thematic area with a special emphasis on recent activities aimed at
promoting a comprehensive approach to enhancing cyber security. I will
close by offering some concrete options for consideration.

The OSCE's comprehensive approach to security

As many of you know, the OSCE's efforts to counter terrorism reflect the
Organization's comprehensive approach to security which encompasses the (1)
politico-military, (2) the economic and environmental, as well as the (3)
human dimensions of security.

Our counter-terrorism activities address conditions conducive to the spread
of terrorism - as such, they are preventive. At the same time we also focus
on improving security and capacity building.

As will become clear, this of course also applies to our work on combating
terrorist use of the Internet. We are increasingly aiming to focus our
efforts on comprehensively enhancing cyber security and I will argue that
such an approach is our best option in achieving the long-term goal of
making cyberspace as safe and secure as possible.

The threat of terrorist use of the Internet

Before I get to that, however, a few words about terrorist use of the
Internet:
How do terrorists use the opportunities provided to them by this medium?

The Internet has become a strategic instrument for terrorists. Its use by
Al-Qaeda as well as other terrorist groups such as the ETA, FARC, Hamas or
Hezbollah for activities such as identifying, recruiting and training new
members, collecting and transferring funds, organizing terrorist acts, and
inciting terrorist violence is extensively documented.

Time is short, so I will not go into details. Suffice it to say that, on the
whole, the Internet has become a key tool in the terrorist toolkit. In
addition, use of computer systems and the Internet as weapons for cyber-
attacks is a growing concern.

However, there is disagreement among experts about how likely a cyber
attack by terrorists is. In particular, some are arguing that terrorist
groups, at this point in time, have neither the resources nor the skill
necessary to conduct large-scale cyber attacks, i.e. attacks which would
disrupt critical infrastructure or critical information infrastructure in a
significant way.

At a recent conference I attended, one of the speakers noted that predicting
the future is a losing battle. If you get it right, nobody remembers. But
if you get it wrong, nobody forgets.

I will, therefore, not aim to predict the future but I would like to steer
your attention to the following concerns:

Although there has not yet been a major cyber-attack conducted by
terrorists, we must never forget that cybercrime is continuously
increasing. There are people out there who constantly develop new ways to
abuse information technology and cyberspace.

Granted, most are criminals or pranksters rather than terrorists. But, what
these people have done and continue to do is set precedents.

This means that the relevant expertise is available and it is growing, both
in terms of depth and dissemination. It means that terrorists can acquire
this expertise, through money, violence or the threat of violence, or even
their own diligence. Whichever path they choose, the problem remains the
same because, as with every other type of expertise, eventually those who
have it will want to use it.

At a recent conference we organised, my esteemed colleague George Sadowsky,
one of our speakers, put it in the following terms: "Terrorists are getting
a free ride from cybercriminals".

And let us be very clear: Terrorists are already abusing cyberspace for
profit, akin to "ordinary" cyber-criminals. We all know that Younis Tsouli,
better known as Irhabi007, jailed in July 2007 in the UK, was, in addition
to his cyber-activities in support of Al-Qaeda, also engaged in credit card
fraud.

There is another concern here: The current economic situation has already
led to many qualified people losing their jobs in all walks of life. This
includes people with considerable IT skills. An expert from one of the
world's leading anti-virus companies told me the other day that there is a
great deal of anxiety that, if the current economic crisis continues, there
may well be unemployed IT specialists who will seek remuneration for their
skills from other sources, potentially even criminal or terrorist ones. We
need to keep this in mind.

It is true that thus far, terrorists have traditionally relied on physical
attacks such as bombings and assassinations. There is no need to elaborate
on the potential reasons for this, I am sure we have all heard many
different arguments.

Let us however not forget that terrorism is not only about killing. It is
about inflicting harm on any number of people to scare a much larger
audience, including governments, in order to influence them into taking or
abstaining from certain policies or actions. It is about forcing people to
change their way of life.

This is exactly what large-scale cyber-terrorist attacks resulting in
substantial economic damage could achieve, in particular if they were
coupled with some bombs.

I said earlier that I would not be predicting the future. But I would like
to underscore that, and this is in line with a very large number of cyber
security experts with whom I have spoken over the past 18 months, the
biggest threat is a combined real-world/cyber attack.

It is only a question of time.

It is only a question of time until cyber-terrorists end up using
techniques pioneered by cyber-criminals and hackers not only to communicate
or make a profit but to either increase the effect of a more traditional
terrorist tactic or cause large scale damage to the information
infrastructure or critical infrastructures in general.[1] The potential
for, but not limited to, economic damage is immeasurable.

To those who argue that a terrorist attack on critical information
infrastructure or the Internet itself is unlikely because terrorists
themselves depend on it I would like to point out the following: Relying on
terrorists not attacking an infrastructure they themselves depend on is
very, very risky - just look at civil aviation or public transport.

OSCE Mandate for combating terrorist use of the Internet

What is the OSCE mandate for combating terrorist use of the Internet and
enhancing cyber security?

Participating States have agreed on a broad mandate to deal with the above
threats. It rests on three main pillars relating to combating terrorist use
of the Internet (MC.DEC No. 3/04 and MC.DEC No. 7/06), the promotion of
relevant Public-Private Partnerships (MC.DEC No. 5/07) and a comprehensive
approach to enhancing cyber security (FSC.DEC/10/08).[2]


It is not necessary on this occasion to delve into the specifics of the
aforementioned decisions. However, I would like to emphasise one issue: One
of the OSCE decisions, among other things, calls on participating States to
consider becoming party to and to implement their obligations under the
existing international and regional legal instruments, including the
Convention on Cybercrime (2001) and the Council of Europe Convention on
the Prevention of Terrorism (2005). As you know, both instruments are open
for accession by non-members of the Council of Europe.

However, some OSCE participating States have been calling for the
elaboration of another international instrument dealing specifically with
terrorist use of the Internet. This is of particular importance in relation
to a much overlooked issue, namely, Article 27 Paragraph 4a of the
Cybercrime Convention which allows for a requested party to refuse
assistance if "the request concerns an offence which the requested Party
considers a political offence or an offence connected with a political
offence". Such a "political exception clause" is always, always
problematic.

Importantly, the Convention on the Prevention of Terrorism does not allow
for such a political exception (Article 20, paragraph 1). Moreover, it
criminalizes public provocation to commit a terrorist offence (Article 5)
as well as recruitment (Article 6) and training for terrorism (Article 7),
which, as you all know, are some of the key reasons why terrorists use the
Internet.

In theory, therefore, both instruments together - and only together -
provide a good framework for countering terrorist use of the Internet. In
reality, however, many states face certain challenges in becoming parties
to these conventions. This is illustrated by the fact that the last time I
checked, fewer than a dozen countries worldwide were party to both these
instruments.

Clearly, more work needs to be done here, and maybe my good colleague from
the Council of Europe will elaborate on this issue in her speech.

Past and recent activities

What has the ATU done to combat this threat?

Thus far, the Unit has organised and facilitated four OSCE wide events and
one national training workshop on this issue since 2005. Taken together,
these events have brought together in excess of 600 experts from more than
50 countries.

In view of the time constraints I would like to only highlight the two most
recent events, which took place in February and March of this year
respectively:

At the request of Serbia, on 25-26 February 2009, and funded through
Spanish extra-budgetary contributions, we organized a National Expert
Workshop on Combating Terrorist Use of the Internet / Comprehensively
Enhancing Cyber-security, in Belgrade, Serbia. The first event of its kind,
this workshop was intended to raise awareness on concrete steps to
strengthen cyber security, the impact (including the economic impact) of
potential attacks and to showcase pertinent defensive measures, including
lessons-learned and relevant best-practices.

On 17-18 March 2009, we facilitated the OSCE Workshop on a Comprehensive
OSCE Approach to Enhancing Cyber Security, in implementation of FSC
Decisions 10/08 and 17/08. The overall aim was to increase the awareness of
the OSCE participating States regarding concrete steps that can be taken to
comprehensively strengthen cyber security, to explore the potential role
for the OSCE in a comprehensive approach to enhancing cyber security and to
identify concrete measures for possible follow-up action by all the
relevant OSCE bodies.




A comprehensive approach to cyber security

Why is a comprehensive approach to cyber security so important?
- Because there is only one cyberspace.

The cyberspace used by all of us for our work is the same used by us in our
free time; is the same used by kids to play videogames; is the same used by
many to shop online. It is also the very same cyberspace used by
cybercriminals as well as terrorists.

It is, therefore, not surprising that different cyber perpetrators use the
same or similar types of cyber attacks, even if their own backgrounds, aims
and motivations may differ.

Yet when it comes to countering the criminal and terrorist abuse of
cyberspace all too often resources, expertise and legal frameworks are
still very much divided.

It is crucial for the international community to systematically address
this issue sooner rather than later. Not least because growing dependence
on information technology and increasing interconnection of critical
(information) infrastructures has made a secure cyberspace vital to the
functioning of a modern state. Cyber security should be an intrinsic part
of any state's national security considerations and planning.

Plans to safeguard a state's critical infrastructure and in particular
critical information infrastructure should from the outset consider the
relevant cyber threats and put in place the necessary measures so that they
can be dealt with in a timely manner.

With cyberspace under virtually continuous attack, increased use of the
Internet by organized criminal and terrorist groups and the fact that
cyberspace is intrinsic to a state's national security, a comprehensive
approach is the only viable option for national authorities and the
international community to ensure long-term and sustainable cyber security.

Future activities

Looking ahead, what activities has the ATU planned to further deal with
these issues?

First of all, let me emphasise that combating terrorist use of the Internet
and enhancing cyber security will remain an area of focus for the OSCE and
the ATU.

Building on the success of the Belgrade workshop, the ATU will seek to
further raise awareness of issues pertaining to cyber security by
organizing additional networking and training workshops in co-ordination
with the private sector, civil society, academia and other international
organizations.

We also plan to increasingly use the OSCE Counter-Terrorism Network (CTN)
to distribute relevant information, lessons learned and best practices.

At the March workshop I previously mentioned, expert participants suggested
many more potential tasks and directions in which the OSCE might want to
steer its cyber security work. These suggestions are currently being
considered by the OSCE participating States and we expect to receive
further guidance in the months to come.




Some concrete options for consideration

Let me now turn to some concrete options to combat terrorist use of the
Internet and comprehensively enhance cyber security.

What I usually do at this point is share my own views or the views of the
ATU. Today, however, I would like to take advantage of our recent Belgrade
workshop and share with you some of the suggestions and recommendations
made by experts there:

- International co-operation is crucial. Cyber-threats are common
threats and can only be resolved globally. Countries should establish
and maintain reliable and knowledgeable contacts, in particular as
many investigations into cyber crimes and cyber threats are highly
time sensitive. In addition, a reliable framework should be
established regulating the co-operation in cyber investigations, which
would allow for the timely seizing of evidence. On the whole, there
should be better co-ordination with regard to defining all relevant
cyber security terms and concepts.

- Information is a strategic resource and the growing interconnection
and interdependence of critical information infrastructures has made a
secure cyberspace vital to the functioning of modern countries and the
world economy. Cyber security is, therefore, crucial to national
security and all countries should draft national cyber security
strategies. There needs to be systematic co-ordination of all
strategies, players and policies pertaining to enhancing cyber
security.

- All countries should establish specialised Computer Emergency Response
Teams (CERTs) and continuously train their staff in the latest trends
and developments pertaining to cyber security. Specialized Units
within law enforcement agencies should be established and provided
with the necessary means and standardized training for the
investigation of serious criminal offenses committed through the
Internet. Moreover, law-enforcement agencies should establish
mechanisms to systematically share information, best practices and
lessons learned.

- Critical infrastructure protection should take into account physical
threats as well as cyber threats. In addition, states should be very
careful in what they designate to be a "critical infrastructure". Such
a designation should be based on expert research. Focus should be
placed on preparing accurate risk assessments. Otherwise costly
resources would be wasted. Overall, stricter regulation of cyberspace
may be necessary with regard to critical infrastructure protection. In
addition, particular focus should be placed on countering the threat
posed by "insiders" - cyber-measures may not be enough to counter this
particular threat.

- The importance of Public-Private Partnerships (PPP) was underscored.
The expertise as well as technical knowledge available from the
private sector should be sought and utilised in a systematic
manner, including whenever new legislation is drafted in this area.
Otherwise there is a risk of any legislation being obsolete from day
one. Additionally, ISPs should designate one contact point for
interaction with law-enforcement agencies. On the whole, clear and
direct reporting lines for security responsibilities should be
established.

- Discussions about technology should be separated from discussions
about the crimes themselves. For example, propaganda for murder could
constitute a crime, but not necessarily the technology used to
disseminate this propaganda. Overall, there should not be an over-
reliance on technology. Technology cannot replace well trained people.
Online problems may not always have online solutions. While attempting
to stay ahead of the technology-vulnerability curve, countries should
not disregard tools which were used prior to the IT-revolution.

- Raising awareness and educating the individual Internet user is
essential. The human user remains the weakest link in terms of cyber
security. More debate is needed with regard to user liability in cases
of extreme negligence. Contemporary IT systems are so powerful that a
certain degree of responsibility should be expected from their users.
Moreover, it is crucial to educate and raise awareness of juries
tasked with trying cyber perpetrators. Information and training should
be made available in this regard.

- Online terrorist threats should be better prioritised, in particular
in terms of monitoring terrorist online presences. Although there are
many websites related to terrorist groups, the number of significant
ones - i.e. those which warrant monitoring on a daily basis -
remains small. Moreover, the threat from terrorist online training
materials may be exaggerated. Focus should instead be placed on
countering the use of the Internet to radicalise or finance terrorism.
Additionally, the Internet should be used to encourage and promote
disruptive arguments within terrorist organizations.

- Existing laws pertaining to cyber security should be harmonised and
implemented. However, there was no agreement on whether existing
international and regional legal instruments, including the Convention
on Cybercrime (2001) and the Council of Europe Convention on the
Prevention of Terrorism (2005), provide a legal framework adequate for
dealing with modern threats to cyber security or whether new specific
instruments may need to be adopted for this purpose.

- The overall focus should be on prevention and defence, rather than on
repression. Data protection and security issues should be balanced.

All these suggestions made by experts at our Belgrade workshop are
relevant, but I would like to pick out and underscore one point: All of the
above will mean little without the support and understanding of the general
public. It is here that the fight against cyber-terrorism, cybercrime, or
any other kind of cyber-threat for that matter, will be decided.

Let us not forget that many forms of cyber-crime take advantage of - and
often even depend on - the fact that many Internet users do not take all
possible precautions to make their machines and accounts as secure and as
impenetrable as possible. The recent "Conficker" worm, which infected
10 million PCs in 4 days, is a case in point. It was able to spread so
rapidly because users had not installed a security update, which had been
readily available.

Every unprotected computer is a weak link, essentially begging to be
exploited. As a result, educating the public is essential. In particular
because there are many easy steps that each and every user can take to stop
their computers and accounts from being hacked or hijacked, or at least
make it much more difficult for all criminals, whatever their motivation,
to do so.

Similar to looking out for yourself and your neighbours in the real world,
it is something that everybody can do to not only protect themselves but
also their cyber-neighbours, i.e. other Internet users. In whatever small
way, it is a contribution everybody can make to the global struggle against
criminal and terrorist use of the Internet.

We need to do a better job at "selling" this idea to the public and it is
here that regional organizations such as the OSCE and the Council of Europe
can be of particular use.

Summary and concluding remarks

In conclusion, it is clear that the threat posed by terrorist use of the
Internet is growing. In particular, there is an increasing concern
regarding combined real-world and cyber attacks. To address these issues
continued international co-operation is crucial and in this respect,
international and regional organizations can play a key role.

There is only one cyberspace. Looking around the room, even though we might
be based in many different countries, the cyberspace we work in is one and
the same. An attack on this cyberspace, any attack, whatever its background
or motivation is an attack on all of us as it affects us collectively as
Internet users. A comprehensive approach to enhancing cyber security is
therefore the only reasonable way forward.

It is the only way to achieve the long-term goal of making cyberspace as
safe and secure as possible - and to ensure that it remains that way.

Thank you for your attention.
-----------------------
[1] This concerns in particular electrical power systems, telecommunication
systems, gas and oil storage and transportation, banking and finance,
transportation, water supply systems and emergency services. (M. Gercke
(2008), Cyberterrorism: how terrorists use the Internet.)


[2] MC.DEC/3/04 (of 7 December 2004) inter alia voices participating
States' concern as to the extent of use of the Internet by terrorist
organizations and decides that participating States will exchange
information on the use of the Internet for terrorist purposes and identify
possible strategies to combat this threat, while ensuring respect for
international human rights obligations and standards, including those
concerning the rights to privacy and freedom of opinion and expression. It
tasks the Secretary General to organize in 2005, in co-operation with
Interpol and other interested international organizations, an expert
workshop to exchange information on the extent of this threat, as well as
on the existing legal framework and institutional tools, and to consider
concrete measures to enhance international co-operation on this issue.

MC.DEC/7/06 (of 5 December 2006) inter alia voices particular concern with
regard to hacker attacks and decides that participating States intensify
action notably by enhancing international co-operation on countering the
use of the Internet for terrorist purposes, and calls on participating
States to consider taking all appropriate measures to protect vital
critical information infrastructures and networks against the threat of
cyber attacks as well as consider becoming party to and to implement their
obligations under the existing international and regional legal
instruments. It further recommends participating States to explore the
possibility of more active engagement of civil society institutions and the
private sector in preventing and countering the use of the Internet for
terrorist purposes. It tasks the Secretary General to promote, notably
through the OSCE Counter-Terrorism Network, the exchange of information on
the threat posed by the use of the Internet for terrorist purposes,
including incitement, recruitment, fund raising, training, targeting and
planning terrorist acts, and on legislative and other measures taken to
counter this threat.

MC.DEC/5/07 (of 30 November 2007) inter alia recognizes the significance of
PPPs in countering terrorism and invites participating States as well as
the OSCE Partners for Co-operation to exchange pertinent information and
best practices. It tasks the Secretary General and OSCE institutions to
continue to promote the involvement of the private sector (civil society
and the business community) in their counter-terrorist activities, where
relevant and appropriate.

FSC.DEC/10/08 (of 29 October 2008) inter alia recalls MC.DEC No. 3/04 and
MC.DEC No. 7/06 and decides to organize an OSCE Workshop on a Comprehensive
OSCE Approach to Enhancing Cyber Security, to be held on 17 and 18 March
2009, in Vienna, with the participation of relevant international
organizations. It requests the OSCE Secretariat to support the organization
of this workshop conducted with a view to (1) increasing the awareness of
the OSCE participating States regarding concrete steps that can be taken to
strengthen cyber security; (2) exchanging information on national practices
with regard to cyber security between the OSCE participating States and
relevant international actors/organizations; (3) showcasing potential
defensive measures, lessons learned and relevant best practices; and (4)
focusing on a possible role for the OSCE in such a comprehensive approach
to enhancing cyber security, and identifying concrete measures for possible
follow-up action by all the relevant OSCE bodies.