Challenges for the London Action Plan

2012-01-01

Wout de Natris

De Natris Consult, The Netherlands
Editor: Helen Martin

Abstract

In 2004, the US Federal Trade Commission and the UK’s Office of Fair Trading organized a workshop in London in which 27 international organizations participated. They established an informal cooperation network: the London Action Plan (LAP). Wout de Natris describes some of LAP's early successes and the challenges it now faces.


In October 2011 the London Action Plan (LAP) held its annual workshop in Paris. Collaboration with the Messaging Anti-Abuse Working Group (MAAWG) meant that attendees were able to engage in more in-depth sessions with industry members and law enforcement representatives. However, with spam figures dropping while fraud and other forms of cybercrime continue to rise, the perceived significance of spam is in decline. LAP faces several challenges in 2012 that it must address in order to remain relevant. But before I present the challenges, an introduction is in order.

London Action Plan

The implementation of the 2002 EU ePrivacy and Electronic Communications directive (2002/58), along with similar laws in other parts of the world, effectively dealt with the extreme nuisance of unsolicited electronic advertising, or spam. Anti-spam and malware enforcement agencies were established around the world and the need for cooperation became apparent. In 2004, the US Federal Trade Commission and the UK’s Office of Fair Trading organized a workshop in London in which 27 organizations from around the world participated. They established an informal cooperation network: the London Action Plan. A mission statement was published: ‘The purpose of this Action Plan is to promote international spam enforcement cooperation and address spam-related problems, such as online fraud and deception, phishing, and dissemination of viruses. The participants also open the Action Plan for participation by other interested government and public agencies, and by appropriate private sector representatives, as a way to expand the network of entities engaged in spam enforcement cooperation.’ [1]

The Plan promoted cooperation and the sharing of data between different agencies, but it also promoted public-private cooperation at a time when it wasn’t trending. Several early partners came from industry.

Early successes

One of the group’s early successes was information sharing. In the first set of cases involving cross-border enforcement, New Zealand, Australian and US agencies (The Department of Internal Affairs, Australian Communication and Media Authority, and the Federal Trade Commission) each took action against the prolific spammer Herbal King [2] and its mastermind, Lance Atkinson. Toni Demetriou, a senior investigator with the Anti-Spam Compliance Unit of New Zealand’s Department of Internal Affairs, says: ‘International cooperation was essential in getting a result in Operation Herbal King. The FTC was able to provide technical information, making it possible for us to identify the defendants and obtain evidence.’ The various cases resulted in fines and strong injunctions.

Dollarrevenue [3] was another example of a LAP success. The case was brought by the Dutch OPTA (Onafhankelijke Post en Telecommunicatie Autoriteit [Independent Post and Telecommunications Authority]). By building its case based on data obtained from the FTC through the data-sharing provisions of the SAFE WEB law [4], OPTA was able to stop this source of malware, and levied a 600,000 euro fine.

The mere fact that there was a LAP membership list made contact much easier for enforcement officers. Other LAP initiatives also helped members achieve the shared goal of fighting spam. For example, LAP’s data-sharing template helped standardize information requests and case referrals between agencies. Extensive training also led to the sharing of best practices and techniques for the participating agencies, e.g. on the lessons learned from cross-border cases or on potential cooperation with industry partners. LAP also promoted interaction with industry by co-organizing its annual workshop with the MAAWG meeting in 2007 and with Germany’s annual eco anti-spam event – which included a Microsoft anti-fraud day – in Wiesbaden in 2008.

Hugh Stevenson, the FTC’s Deputy Director for International Consumer Protection, sees a direct relationship between the LAP network and his agency’s ability to prosecute spammers: ‘Spam doesn’t respect national borders, so law enforcers must find ways to work across them. LAP brings together the enforcers on the spam beat, as well as important private partners with a common interest in tackling the problem. Through training, information sharing, and ongoing contacts, we can all do far more together than we ever could on our own.’

However, the scene has changed over the past three years. The relationship between agencies has not intensified and several challenges for LAP have come to light.

Challenges for 2012 and beyond

With the rise of criminal activity on the Internet, the focus has shifted away from spam, making spam enforcement a less essential topic and potentially leading to budget restraints as governments and agencies set different priorities.

Is this the correct way forward? To my mind it is not. LAP members can make a huge difference in fighting cybercrime, but they need to overcome several challenges. This can be done by capitalizing on what makes the LAP model of cooperation and knowledge and data sharing so unique.

Collecting high-quality data

Several spam and malware enforcement agencies have spam reporting centres. Inviting major ISPs and anti-virus companies to share their data with these centres leads to higher quality metadata. Evert Jan Hummelen, OPTA Deputy Head Consumers, Numbers and Chair’s Office, who is responsible for the anti-spam and malware team, states: ‘OPTA is constantly seeking information to improve its data position with respect to spam and malware. The first results from international cooperation and data sharing are now becoming visible.’ Making the analysed data transparent makes anonymity and hiding on the Internet harder for spammers and attackers alike. For example, data on senders, infected computers, abused IP resources and hosting becomes available. Inviting selected industry partners and banks to share their data, and showing them the added value, will make more data available in 2012.

Cooperation with different enforcers and industry

As spam, fraud and malware have become virtually indistinguishable, different forms of enforcement have come into view. Toni Demetriou explains: ‘Part of the challenge is realizing and understanding that each law enforcement agency works within a specific area. Police work within criminal law, and spam regulators/enforcers and consumer protection organizations work within civil or administrative law. Each has their own set of investigative tools and levels of proof that have to be provided to the legal system. Industry works with contracts and abuse clauses in those contracts. So the challenge is to overcome any legislative and jurisdictional barriers to legally and effectively share information and evidence in a timely and effective manner.’ So who is best equipped to take on a specific case? All three entities have proven to be successful, for example, in taking down botnets. Coordination between them and the use of each one’s unique powers will make a major difference where tackling cybercrime is concerned.

Coordination is not commonplace, so where do we start? My suggestion would be to look at sharing and analysing data first. Then distribute the results, and from there work towards coordination. LAP could also demonstrate the full potential of its members to other enforcement agencies through presentations at relevant events, e.g. at an eCrime meeting or at Europol and Interpol high-tech crime meetings.

The need for more countries to become actively involved

In order to be successful in fighting spam, fraud, malware and cybercrime, more countries need to become actively involved. In other words, more resources need to be put into enforcement agencies and the training of officers in this line of work. Within the EU this could be achieved by giving a form of coordinating power to ENISA, as OPTA suggested in 2009 [5], or by opening up the coordinative powers of the EU Cyber Crime Center (to be) to all agencies involved in enforcement on the Internet. On a worldwide scale this could be achieved through active involvement in the Council of Europe’s Octopus programme and conference.

Whatever the challenge, it will be LAP’s members that need to push for results at the aforementioned organizations. It will not be the other way around.

Conclusion

There are options available for LAP to prove its worth and make a difference, but it will take ambition, effort and resources. At the end of 2011 LAP faces a choice between obscurity and new successes. The comprehensiveness of the Plan puts LAP in a unique position to make a difference in the fight against spam, including all the harm that comes from the crime associated with it. The near future will show whether it is able to live up to this potential. If LAP is able to forge the necessary cooperation with old and new partners, I have no doubt that it will.
