Francesca Bosco about growing cybercrime, ML/AI and governmental regulation of cybersecurity
Francesca Bosco, UNICRI Programme Officer, speaks about growing cybercrime, ML/AI and governmental regulation of cybersecurity.
Francesca Bosco, UNICRI Programme Officer, speaks about growing cybercrime, ML/AI and governmental regulation of cybersecurity.
Francesca Bosco is Program Officer at UNICRI, the United Nations Interregional Crime and Justice Research Institute. She earned a law degree in International Law and joined UNICRI in 2006. She is responsible for cybercrime and cybersecurity related projects, both at the European and at international level. She has been researching and developing technical assistance and capacity building programs to counter the involvement of organized crime within the field of cybercrime, as well as examining the legal implications and future scenarios of terrorist use of the internet and cyberterrorism. Furthermore, she is researching and developing projects on the misuse of technology, encompassing current and future challenging areas such as artificial intelligence, blockchain, supply chain security, big data, ICS/SCADA security and robotics. She is also involved in various other UNICRI programs related to preventing and countering violent extremism, violence against women, human trafficking, environmental crimes, counterfeiting, corruption.
Below are expert questions and topics explored by Francesca in details:
1. How international organizations help fighting international proliferation of cybercrime?
Cybercrime is a broad concern which has transformed over time as the forces of digitalization and globalization have shaped modern society. In some cases, it can involve malicious actors from across the globe, working both independently and in tandem, and at times alongside transnational organized criminal groups or extremist organizations. With that said, cybercrime is a diverse phenomenon. Threats can emerge from individuals, small groups, sophisticated organizations, as well as from nation-states or non-state actors – and the appropriate response depends upon an informed and proactive legal, investigative, and enforcement strategies by the relevant actors. Insofar as cybercrime activities are typically transnational in nature, cooperation between nations and (perhaps more importantly) with international organizations and companies, is a critical component in combating the phenomenon.
This means that international organizations have a unique opportunity to aid in the ongoing efforts of UNICRI and other UN organizations in addressing the issue. As the UN Secretary General Guterres stated at the May 2018 Commission on Crime Prevention and Criminal Justice, “Cybercrime is an area in which there is much work to do and no time to waste…All parts of the UN system… will have to work closely together, and with partners from across civil society, the business sector, academia and of course above all governments” to solve this problem. Building on the legacy of the UN GGE - United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, the issue of internet and communication technology security – by state and non-state actors - and the international cooperation to resolve the issue is taken very seriously at the highest levels.
In this way, collaboration is the future of combating the international proliferation of cybercrime. Through Intergovernmental Organizations, Private-Public Partnerships, and alongside stakeholders in Non-Governmental Organizations and academia, cooperation can give us the tools to address this evolving threat. By raising the prevention and investigative expertise levels worldwide, we can meet these challenges together.
2. What are the biggest challenges you face when confronting digital offences and cybercrime?
There are a number of challenges when it comes to understanding, preventing, and responding to digital offences and cybercrime. First and foremost, we don’t always agree on what we’re talking about. The lack of standard definitions within and across states can impede an understanding of 1) how prevalent these illegal behaviours are and 2) how effective measures to prevent or combat them may actually be. Related to this, digital offences can (and often do) go undetected by the victims until well after an attack has taken place. In the past, cases of well-publicized breaches have taken years before the full scope is known and announced. In other cases, victims may not know until a credit card is opened in their name.
In cybercrime, a successful criminal is typically one who goes undetected. When the goal is obtaining data or financial information, success is born of secrecy. The signs of a digital offence can be hard to detect even by experienced users, so comprehending the damages and costs is tricky.
In light of all this and compounded by developments in technology which give greater access to encryption and anonymity, the attribution of digital offences to specific actors is quite difficult.
Beyond individual users, it is important to also consider the risks and threats unique to corporations and governments which provide important safety and services to their customers and citizens. Due to the volumes of data that they obtain, use, and maintain, these organizations are frequently the targets of sophisticated attacks. The reason? In the digital world, data is power. Advanced threats can capitalize on social engineering and emerging technologies (e.g. machine learning and artificial intelligence), to result in a truly astounding risk to the privacy and safety of millions of users.
Taken together, continuing efforts to improve the investigation, attribution, and cooperation in the wake of attacks are very important and deserve attention at the local, regional, and multinational levels.
3. Do you observe a growth of cyber gangs backed by organized crime?
Briefly, yes. The growth of cyber gangs backed by organized crime fits into a broader pattern of proliferation among organized criminal groups and the crime-terror nexus. We have seen in recent years that these groups – specifically those who participate in various forms of cybercrime - have been integrated into the overall transnational criminal landscape. Perhaps most strikingly, one case involved the hacking of a shipping control terminal at major port to facilitate the illegal trafficking of narcotics, cash, and arms. More generally however, the integration and contracting of cyber gangs for the purposes of organized crime capitalizes on known tools such as ransomware and malware to obtain and monetize victim data. Notably, this has occurred among transnational organized crime groups as well as within terrorist organizations such as D’aesh and al Q’aida.
Organised criminal groups have also been found to integrate cybercrime behaviours into their more traditional repertoires in fairly innovative ways. EUROPOL and other enforcement bodies suggest that organised criminal groups have participated in online credit card fraud and other cybercrime financing tactics to specifically facilitate offline trafficking of individuals and narcotics.
4. Do you think that regulations such as GDPR can improve the overall security and privacy in the Internet?
One of the perennial concerns about security and privacy online has been the user awareness of the risks and threats. In many cases, users just don’t know what data they are providing to websites, and how (and how long) they are permitted to use, distribute, and keep it. Many obligations envisaged by the GDPR were already present, but the level of enforceability radically changes now. For example, many businesses and organizations dealt with personal data, but the legal or regulatory obligation to advise users of the collection of certain types of data was not properly enforced. A key part of the accountability obligations under the GDPR is the DPIA (Data Protection Impact Assessment). When a data processing involves the use of new technologies, considering the nature, the object, the context and the purposes of the processing, it can present a high risk for the rights and freedoms of the people. Therefore, the data controller shall perform an assessment of the impact of the envisaged processing operations on the protection of personal data (GDPR Article 35).
This obligation, together with the Data Breach one (GDPR Article 33), compel companies to carry out a serious risk assessment when the nature of data and of processing endanger the fundamental rights of the data subject.
For the typical user, the GDPR is an excellent measure, ensuring a more advanced privacy, transparency, and accountability scheme for all organizations. Additionally, the revocation of permission, right to be forgotten, and disclosure clauses take strides in giving the power back to individual users. To the initial point, the adoption of the GDPR by organizations operating in member states of the EU and those who interact with such organizations vastly improves the overall knowledge and awareness of privacy and security in the online sphere. Companies collecting personal data must identify not only the purpose of such data collection, but also whether the data will be transferred, if, and how it will be stored, as well as the individual’s right to access, rectify, or erase data – all in plain language. In short, users must engage directly with the privacy and security concerns that could have easily been concealed or bypassed in the past.
Generally, it allows us to better ensure individual privacy, it gives an earnest deterrent to claims by individuals when organizations are not compliant, and frankly, to better understand the scope of data security issues, given the mandatory breach window of 72 hours.
5. Would you agree that a free service, such as social network, can never be totally free and PII is the price one has to pay?
The use of online services, including free social networks, has become part and parcel to engaging with the hyperconnected digital world from business to academia and the social sphere. Naturally, services such as social networks benefit from this, and in many cases promote themselves based upon the number of users and availability of services and targeting that they can provide. This, of course raises the concern of privacy – to what degree is user data serving as component of a product in the marketing of such services?
In a resolution from 23 March, 2017, the United Nations Human Rights Council alongside the office of the Special Rapporteur on the right to privacy addressed this issue and highlighted a number of important provisions related to the topic. In the resolution, it was suggested that “states take effective measures to prevent the unlawful retention, processing, and use of personal data stored by public authorities and business enterprises”, noting that metadata (which is often marketed as ‘de-identified’) “can be no less sensitive than actual content of communication” itself. Further, the issue of free and explicit informed consent was raised – namely in the context of the “collection, process, and sharing of personal data” in the digital age. I bid the mass collection of information on users of free social networks
Recently, with the rollout of the GDPR this May, the EU and other states which have adopted these and similar privacy regulations have enabled consumers to limit the degree to which their information is treated as a product without their knowledge and affirmative consent, and even allows them to withdraw consent.
More directly, when considering whether to start, or continue having an account with one of these social networks, it is important to understand what kind of data are collected, how these data are used, and if (and under what conditions) these data can be sold to third parties. In short, while it can be arduous, it is important to read the terms and conditions in order to be an informed user.
6. Can AI and Machine Learning bring more benefit in good hands or harm being used by cybercriminals?
It is important to remember that these technologies are just tools whose impact is often determined by the person or organization wielding them. Artificial Intelligence (AI) has taken massive strides in even the last few years. Alongside more complex machine learning algorithms, these tools have added to the sophistication and computing power that individuals an organizations can bring to bear – for good or for ill. Broadly, through the capacity to learn, AI augments an actor’s ability to detect patterns, rapidly and automatically process information, and perform sophisticated analyses to reprioritize potential next actions.
As it can be applied to defensive implementations, AI and machine learning are excellent tools for achieving cybersecurity needs. When integrated into a cybersecurity regime, AI can be used to detect patterns in botnet use, rapidly and automatically process data on potential intrusions or attacks, and analyze probing behaviours by potential intruders. In short, successful integration of AI security strategies represents a potential bulwark against a variety of threats.
Recent reports have suggested that malicious actors can take advantage of these tools in three principal ways: expanding existing threats, introducing new threats, and changing the typical character of cyber threats. 21By automating tasks, some previously labor-intensive forms of cybercrime such as spear phishing become substantially easier to execute. Similarly, adaptive and automated hacking becomes a far more serious threat as more individuals are able to run reactive programs and scripts which capitalize on system vulnerabilities. Additionally, with the broad deployment of cyber-physical systems (i.e. autonomous vehicles, micro-drone swarms) in civilian and military spheres, penetration of on-board AI systems and subversion of infrastructure and weapon systems represents a serious risk.
With that said, these same technologies can serve to protect, and aid investigators and white-hat security professionals in ensuring the security of critical systems, information, and states. To this end, UNICRI recently opened a Centre for Artificial Intelligence and Robotics at The Hague in the Netherlands. To achieve this mission, the Centre has hosted a variety of workshops, conferences, and expert meetings, facilitating a variety of training and mentoring programs to stakeholders, policymakers, and academics alike.
In addition to this Centre, the ITU has hosted an annual conference alongside United Nations agencies (including UNESCO, UNICEF, and UNICRI) titled the “AI for Good Global Summit”. Seeking to identify practical applications of AI and supporting strategies to improve the quality and sustainability of life, collaborative efforts such as this demonstrate the potential of AI for good and to solve critical development goals.
On balance, since states and multinational organizations tend to be slower to adopt these cutting edge technologies, we have perhaps a bit more room to innovate in this field.
7. How big is the problem of online stalking, harassment and hate speech among kids and teenagers?
In a few words, broad and serious. In the last few decades, we’ve seen a significant growth in cyber bullying, cyber stalking, and online harassment. Perhaps unsurprisingly given access and dependence on technology in the modern social world, these types of bullying have actually been outpacing more traditional forms of stalking and harassment as well, suggesting that these issues deserve a more critical eye. To provide some context, the United States Department of Education in 2017 found that nearly 580,000 students reported being bullied online or by text. Now, while those numbers are decreasing in the US, victims of cyberbullying reported more serious negative outcomes – skipping school, avoiding school activities or places, and even carrying a weapon to school. Outside of the US context, a recent study from the UK found that over 34% of teens, age 12-15 have seen hate speech online in the last 12 months. Troublingly, for both cyberbullying and exposure to hate speech among kids and teens, other research has found a disproportionate impact on girls and members of vulnerable social groups such as minorities and the LGBTQIA community. In working to achieve UN SDGs #5 and #10 which seek to promote gender equality and reduce inequalities respectively, there is a clear need to find effective means of reducing incidence and severity of these behaviors, as well as empowering victims of cyber bullying and hate speech.
To counter these troubling trends, groups like the No Hate Speech movement, with committees throughout the world, have promoted a positivity and awareness campaign, while the EU and other partners have sought legal countermeasures to remove hate speech and sanction IT companies which promote or allow the widespread dissemination of hate speech to their platforms which include millions of teenagers worldwide.
Beyond this, UNICRI has advanced an initiative to reduce the use of hate speech called PRISM, or “Preventing, Redressing, and Inhibiting hate Speech in new Media” – a project funded by the Fundamental Rights and Citizenship Programme of the European Commission. Through the PRISM program, UNICRI brought together stakeholders, policymakers, and law enforcement to address issues of racism and anti-discrimination, legal frameworks for dealing with hate speech and hate crime, as well as information on investigating these problems – with an emphasis on victim assistance.
8. What is your advice to families to minimize digital risks of their households and children?
Many of today’s digital risks can be minimized by following a few key practices at home and ensuring that your kids do the same:
- Keep Your Firewall Turned On: A firewall helps protect your computer from hackers who might try to gain access to crash it, delete information, or even steal passwords or other sensitive information. Software firewalls are widely recommended for single computers.
- Change Default Passwords: Many products, from Internet Modems and Routers to devices connected via the Internet of Things (IoT) have a common off-the-shelf password when they are first purchased (i.e. “password”, “00000”, “1234567”, or “BrandName”). When setting up your devices, be sure to change the default password to something more secure to minimize the risk of possible interference or hacking.
- Install or Update Your Antivirus Software: Antivirus software is designed to prevent malicious software programs from embedding on your computer. If it detects malicious code, like a virus or a worm, it works to disarm or remove it.
- Install or Update Your Antispyware Technology: Spyware is just what it sounds like—software that is surreptitiously installed on your computer to let others peer into your activities on the computer.
- Keep Your Operating System Up to Date: Computer operating systems are periodically updated to stay in tune with technology requirements and to fix security holes. Be sure to install the updates to ensure your computer has the latest protection.
- Be Careful What You Download: Carelessly downloading e-mail attachments can circumvent even the most vigilant anti-virus software. Never open an e-mail attachment from someone you don’t know, and be wary of forwarded attachments from people you do know. They may have unwittingly advanced malicious code.
- Turn off your computer: With the growth of high-speed Internet connections, many opt to leave their computers on and ready for action. The downside is that being “always on” renders computers more susceptible. Beyond firewall protection, which is designed to fend off unwanted attacks, turning the computer off effectively severs an attacker’s connection—be it spyware or a botnet that employs your computer’s resources to reach out to other unwitting users.
- Talk with your children: Ensure that you are having age-appropriate conversations about what is, and is not OK when using the internet. In today’s environment, children and teens are spending hours of unsupervised time on internet-connected devices and without the means to understand what constitutes safe browsing and how to spot the dangers of malware, suspicious sites, inappropriate and illegal content, or malicious actors, they are at much higher risk to cyber victimization.
9. How can global cybersecurity companies support your prominent efforts at UNICRI?
When ratified by the member states at the New York summit in September 2015, the Sustainable Development Goals were introduced as a way in which all countries, regardless of development, could participate in moving toward a more egalitarian, sustainable, and forward-thinking world. With what we’ve discussed today, there are clear areas in which global cybersecurity companies can contribute to advancing these, from gender equality to reducing inequalities on local and global scales. In building on over a decade of work by UNICRI in this field, structures and partnerships for bringing us closer to these goals is possible. Indeed, by supporting our efforts to reduce the incidence and impact of cybercrime, global cybersecurity firms help move the progress bar along toward achieving these goals.
More specifically, to date, we have been working with a variety of local and global entities to form meaningful public private-public-partnerships (PPPs) designed to assess the needs of, and provide solutions to cybersecurity related challenges. Collaborating through UNICRI and our local partners and missions allows organizations to capitalize on our experience and bring to scale locally developed solutions to cyber-problems.
Beyond PPPs, UNICRI has an ongoing initiative for the development of a Knowledge Centre based in Geneva called “Security Improvements through Research, Technology, and Innovation”, or SIRIO. Using the SIRIO programme, we seek to address emerging security and future risks, map technology innovations to match security needs, and raise awareness and inform policy-makers of the available resources. In this, we address the thematic areas of supply chain security, critical infrastructure, cyber-space, big data, blockchain, and biotechnology. In short, SIRIO represents the tip of the spear in translating research to policy, and turning again to guiding research with the needs of policymakers.
Finally, organizations wishing to support other areas of work should consider partnerships with UNICRI toward the dissemination of relevant work-products and trainings such as PRISM (Preventing, Redressing and Inhibiting hate Speech in new Media) - which aids in making the cyber world a safer and more welcoming place to all individuals.