Cloud shrouds fraud risk: RCMP; Secrets at risk

By Stanley Tromp, National Post, 13 Feb 2012



Canadian police are struggling to combat business crime in the cloud computing world, an elusive and little-controlled realm that criminals can exploit to steal money and personal identities, and in which foreign governments can collect trade secrets.

These were the findings of a July 2011 internal "early warning assessment" by the RCMP criminal intelligence branch. It was obtained by the Financial Post under the Access to Information Act, although small sections were withheld.

The report noted the security risks were rising quickly as more and more businesses and people adopted the cloud for their information storage and that many traditional law enforcement practices could be significantly impaired.

Cloud computing refers to the use of remote-based Internet servers for mass information storage. It is reshaping the future of computers (the need for large drives and storage space is greatly reduced) and cutting costs for businesses of all sizes.

But with the tantalizing cost savings and convenience, comes risk of criminal exploitation. When a third party provides software and storage space, businesses should know that security controls will be turned over to the service provider, the RCMP said.

"The idea of storing information in jurisdictions where privacy laws are lax, and where governments have the authority to monitor and collect data without court order or permission, is cause for alarm as trade secrets, and personal and sensitive information, may be at risk," the report said.

Five risks of the cloud world were noted:

* Hackers who seek and trade personal information hit Amazon, CitiGroup, Google, Honda, Sony and others last year. Besides exploiting the anonymity, criminals might also develop encryption that will make cloud data unreadable even by the host server.

* Servers will host masses of personal information that could be stolen by fraudsters, or be used to launch mass marketing fraud campaigns.

* Criminals are always looking for new ways to communicate among themselves and with clients. For instance, Verizon is rolling out instant messaging video conferencing and fixed mobile calls through a cloud-based system.

* Organized crime groups might set up their own cloud, to launder proceeds of crime, or as a legitimate investment. The cloud operators would also be able to tip-off their clients if police request data.

* By uploading images to cloud severs from generic free hotspots, people who trade in child exploitation images will have new ways to hide and share it. These pictures can be simply viewed, for they do not need to be downloaded.

Hasan Cavusoglu, an associate business professor at the University of British Columbia and an Internet crime expert, mostly agrees with the RCMP warnings on criminal risks. "But we should not forget that the battle between good guys and bad guys on the Internet is like an arms race. Security researchers and practitioners will also get better in response."

With new security and privacy risks, it is very difficult and time-consuming for ordinary people to protect their computer systems, Prof. Cavusoglu added. "On the other hand, by and large, the cloud providers provide much better security to your data because ensuring security and privacy is their core function, and without it they will not exist."

The RCMP noted three challenges for police. First, data might not be found on hard drives or media seized at the criminal's home or on his or her person, for it might be on a site outside the country.

Second, police will confront many cloud servers that host multi-client and tenant data. Getting control of this medium, and collecting and preserving digital evidence, will be harder, and challenging for the traditional rules of evidence.

Third, police will need international co-operation to gain access to data abroad. Criminals might use cloud services in countries that give little or no help to Canada.

In response, the RCMP listed some "proactive opportunities" to combat the problem, writing that Canadian police forces could learn more about new technologies, and partner with the tech industry and with other police around the world. As well, policymakers could be informed of new crimes and loopholes, keep laws up to date, and give police the needed legal tools.

One start is the Council of Europe's Convention on Cyber Crime, which gives states the legal tools to investigate and combat cyber-crime. Although 40 states have signed it, including Canada in 2001, this country has not yet ratified it, and is looking at legislative changes before proceeding.