By Stanley Tromp, National Post,
______________
Canadian police are
struggling to combat business crime in the cloud computing world, an elusive and
little-controlled realm that criminals can exploit to steal money and personal
identities, and in which foreign governments can collect trade secrets.
These were the findings of a
July 2011 internal "early warning assessment" by the RCMP criminal intelligence
branch. It was obtained by the Financial Post under the Access to Information
Act, although small sections were withheld.
The report noted the security
risks were rising quickly
as more and more businesses and people adopted the cloud for their information storage and that many
traditional law enforcement practices could be significantly impaired.
Cloud computing refers to the use
of remote-based Internet servers for mass information storage. It is reshaping
the future of computers (the need for large drives and storage space is greatly
reduced) and cutting costs for businesses of all sizes.
But with the tantalizing cost
savings and convenience, comes risk
of criminal exploitation. When a third party provides software and storage
space, businesses should know that security controls will be turned over to the
service provider, the RCMP
said.
"The idea of storing
information in jurisdictions where privacy laws are lax, and where governments
have the authority to monitor and collect data without court order or
permission, is cause for alarm as trade secrets, and personal and sensitive
information, may be at risk,"
the report said.
Five risks of the cloud world were noted:
* Hackers who seek and trade
personal information hit Amazon, CitiGroup, Google,
Honda, Sony and others last year. Besides exploiting the anonymity, criminals
might also develop encryption that will make cloud data unreadable even by the host server.
* Servers will host masses of
personal information that could be stolen by fraudsters, or be used to launch
mass marketing fraud
campaigns.
* Criminals are always
looking for new ways to communicate among themselves and with clients. For
instance, Verizon is rolling out instant messaging video conferencing and fixed
mobile calls through a cloud-based
system.
* Organized crime groups
might set up their own cloud,
to launder proceeds of crime, or as a legitimate investment. The cloud operators would also be
able to tip-off their clients if police request data.
* By uploading images to cloud severs from generic free
hotspots, people who trade in child exploitation images will have new ways to
hide and share it. These pictures can be simply viewed, for they do not need to
be downloaded.
Hasan Cavusoglu, an associate
business professor at the University of British Columbia and an Internet crime
expert, mostly agrees with the RCMP
warnings on criminal risks.
"But we should not forget that the battle between good guys and bad guys
on the Internet is like an arms race. Security researchers and practitioners
will also get better in response."
With new security and privacy
risks, it is very difficult
and time-consuming for ordinary people to protect their computer systems, Prof.
Cavusoglu added. "On the other hand, by and large, the cloud providers provide much
better security to your data because ensuring security and privacy is their
core function, and without it they will not exist."
The RCMP noted three challenges for police. First, data
might not be found on hard drives or media seized at the criminal's home or on
his or her person, for it might be on a site outside the country.
Second, police will confront
many cloud servers that
host multi-client and tenant data. Getting control of this medium, and
collecting and preserving digital evidence, will be harder, and challenging for
the traditional rules of evidence.
Third, police will need
international co-operation to gain access to data abroad. Criminals might use cloud services in countries that
give little or no help to Canada.
In response, the RCMP listed some "proactive
opportunities" to combat the problem, writing that Canadian police forces
could learn more about new technologies, and partner with the tech industry and
with other police around the world. As well, policymakers could be informed of
new crimes and loopholes, keep laws up to date, and give police the needed
legal tools.
One start is the Council of
Europe's Convention on Cyber Crime, which gives states the legal tools to
investigate and combat cyber-crime. Although 40 states have signed it,
including Canada in 2001, this country has not yet ratified it, and is looking
at legislative changes before proceeding.
__________________________