Address to Institute of Company Directors

Address to the Australian Institute of Company Directors

Commissioner Mick Keelty APM
Adelaide
Thursday, 7 August 2008

(Check against delivery)

Thank you very much. And thank you for the invitation to be here.

If I could acknowledge the president, Alan Hewitt, and Peter Siebles. Thank you for having me here. And I would also like to acknowledge my fellow Commissioner Mal Hyde. And it would be obvious to some people in the room, but not necessarily obvious to everybody, that Mal and I are very good colleagues and it’s a good occasion, for me to Mal, to thank you for your personal support to me since I became commissioner back in 2001.

I’d also like to acknowledge the Kaurna people, the traditional owners of the land on which we are having this meeting this afternoon, and acknowledge their elders, past and present, and their connection to the land.

Well, in policing you make your own luck. And as luck would have it I’ve turned up here on a day where the Olympics are about to start and people are talking about a ticketing fraud scam over the Internet. And typical of private enterprise, my KPMG colleagues reminded me, or raised with me before the speech, about another scam that’s been on the news this morning that involves the arrest of 11 people in Boston for phishing the details of over 40 million people in that part of the United States. So I can tell you that it’s a 12 months investigation, 11 people have been arrested, and at this point in time it’s isolated to the Boston area of the United States. But it is very relevant to what I want to talk to you about today.

And what I want to talk to you about is the crime of committing offences on the Internet and how it’s actually changing the way we’re doing policing. And I think, if we think back just a couple of years, maybe five years, perhaps 10, but certainly five, we would never have imagined just how much of a role the Internet will play in our daily lives. We might have thought about the computer at the workplace, we might have thought about the early versions of laptops, but we probably didn’t think about cafe chains having wireless Internet access. We might not have thought about the new iPhone where you can actually access – or the BlackBerry – where you can access your emails in a mobile and wireless capability.

So it has actually changed the way our lives operate. And I think at the outset it is important to remember that the Internet is a positive instrument. It is something that has connected a lot of people who would otherwise never have been connected. It allows the efficiency of financial transactions and commercial transactions in a way that we never would have had before, and it’s provided to people who would otherwise be very isolated in their world the opportunity to connect with other people around the world. And in terms of research and the sharing of knowledge of scientific and medical research, it has been one of the greatest inventions that we could ever imagine.

In fact, I was last year at the launch by Telstra of its new 3G technology, and one of the examples they gave in the launch – and I’m not sure if anyone here was at the launch – but one of the examples they gave was here in Adelaide at one of the hospitals where doctors can walk up to patients and download the data that they need from patients and upload that on the system by the bed, the same system which the patient can use to access the Internet, the same system which the patient can use to send and receive emails. So the convergence technologies are obviously the way of the future. And clearly we’re seeing some of that now with the release by Apple of its new phone version two weeks ago.

But as with many things in life, unfortunately there are people who like to take advantage of these systems and are now committing crimes on the Internet that are affecting each and every one of us in various ways. And I’ve got to say I was touched by the level of governance at the beginning or the opening of the session here today where we actually declared that if we hand up our business cards that there could be another use to which they’re put. And I think that’s something that probably only happens in Australia.

In one sense our honesty and our integrity is in fact an opportunity for others to exploit, because it’s not necessarily – those values are not necessarily shared right across the world. And of course in crime and crime types and talking about how crime is committed, you’re always looking for the vulnerable spot or the weakest link. And good governance is great, but you’ll hear me talk, if not today, certainly in days to come, about – it’s great to have regulatory systems in place for our economy, but there is another economy that works with organised crime that we actually can’t regulate or don’t have visibility to regulate. And we need to tap into that. And it was mentioned in the opening that I chair the Asia/Pacific Group on Money Laundering and it’s one of the focuses of the 32 member countries – or, sorry, I should say 37 member countries of the Asia Pacific Group.

But of course the Internet provides an opportunity for criminals to commit crimes undetected with a level of anonymity that previously they would not have had available to them. And just something like what I mentioned at the outset about the arrest in Boston, identity fraud or identity theft has devastating implications for the individuals involved because once their identity has been stolen, it is a tremendously difficult thing and inconvenient thing to then go about everyday life, because we become so reliant upon credit cards and alternative remittances, or alternative means of remittance, that if you lose our credit cards or credit card details, it just is such a huge inconvenience today for everybody involved and it’s also a threat to national security.

Evidence shows that organised crime groups have begun to really embrace identity fraud as a means of committing other types of crime. For example, the September 11 terrorists all had operated with false identities quite successfully over long periods of time living in the United States before they committed their atrocious acts. And of course the Internet has been responsible as a driver for globalisation. So in some senses it’s been responsible for developing countries to be far more successful, but also for undeveloped countries to actually try and compete, or at least grow and start to compete on an equal basis. So the good and the bad come together in a sense, that the rich get richer and the poor need to be brought along, otherwise we’ll leave them behind in the wake.

That’s created online communities and what we call social networking sites, where people in the real world can log on and interact with other members. Social networking sites can be lots of fun. There even are environments for learning: universities, for example, swapping information and research so quickly through discussions in chat rooms on social networking sites.

But criminals have also identified these social networking sites as an opportunity for them to meet to discuss issues and to actually plan crimes. And as of December 2007, 75 per cent of Australia’s population is online. And so you can imagine what that’s generating behind the scenes in terms of social networking sites. Crimes committed on the Internet though are no different to other types of crimes. There is a person who is responsible for committing this crime. What becomes difficult for us is to prove the identity of the person because of the anonymity that the Internet presents.

The Internet has four key attributes that make it ideal to commit crime: it has global connectivity; it provides anonymity, as I mentioned; it provides a lack of traceability in a lot of cases; and it provides a world full of valuable targets. And Microsoft earlier this year issued a white paper entitled Establishing End to End Trust. And it suggested that computer users often have little or no knowledge about their own computer systems, including what programs are running on their computer and who they are dealing with on the Internet. And such a lack of awareness by computer users provides cyber-criminals many opportunities to commit crimes.

Unfortunately a consequence of cyber-crime is that individual users and businesses can lose faith in the ability of the Internet to provide a safe and secure means of communication and commerce. And of course that’s an issue for all of us in the AICD or even in companies, dare I say it, like KPMG, when you’re focussed on order and governance. It really does sort of start to raise questions about what people understand about what they’re doing online. You might have seen in May this year we were part of a global taskforce that was responsible for the execution here in Australia, with our state and territory counterparts, of some 200 or so search warrants on individual computer users, mostly in their homes, not their businesses.

That was a child pornography ring that was operating on a global basis. And how it operated was, a person hacked in to the website of a government – a foreign government – to their weather website. I’d equate it to – if we want to this afternoon find out whether it’s going to rain in Adelaide this afternoon, and I know you’ve had lots of it. But when you go into the weather site for the ABC, for example, this foreign government has a similar system. And on that weather site was posted 95 individual images of child pornography. And that site was accessed in 76 hours by 12.5 million people around the world. And unfortunately for us, a quantity of those people were from Australia. And of course that resulted in that operation.

But for 12.5 million people to access that site that would otherwise be anonymous. And certainly the owners of the website – the weather website – had no idea this material had been planted on there. It’s an example to us that – we all use computers ‑ once you connect to the global Internet, you are connecting to a lot of interoperable computers that have other things attached to them. And it’s becoming more and more of a problem where people don’t understand the need for security around their own systems.

The incidents of online fraud in Australia have risen by nearly 60 per cent in the past year alone. And in May 2008 the Australian Payments Clearing Association released figures which indicate the number of fraudulent Internet payments, known as Card-Not-Present Transactions, grew from 112,000 to 190,000 for the 12 months to 31 December last year. And they’re for cards issued in Australia. And that represents a climb of nearly 60 per cent, from $31.7 million last year – at the beginning of last year – to $53.4 million by the end of the year.

And phishing, which is the process of fraudulently attempting to obtain personal information about someone, such as their username, their passwords or their credit card details, it’s becoming far more prevalent. Last year phishing attacks in the US rose significantly, with losses of $3.2 billion recorded to US agencies. And in the 12 months ending August 2007, 3.6 million adults in the US lost money through phishing attacks, compared with 2.3 million the previous year.

Australia’s figures are not easy to obtain, but we believe that they are, at least at the pro rata level, or if not, exceed the pro rata level of what’s been the experience in the United States, mainly because of our take-up rate of the technology here. You may have heard also that in 2004 in the US, the US Federal Trade Commission filed a lawsuit against a suspected phisher. The defendant was a Californian teenager, and he had created a web page designed to look just like the America Online website, which was used to trick people into supplying their credit card information. Does it sound familiar?

Now, the Beijing Olympics matter is one that commenced in Phoenix, Arizona. The perpetrator is domiciled in the United Kingdom and obviously is located elsewhere at the moment. But it just demonstrates to you the power of creating a false web page and how people will quickly provide their details to that web page.

And one of the things that we’ve done in the AFP through the Australian High Tech Crime Centre, that all of the states and territory police provide assistance to and resources to, is to partner very early in the piece with business. All of the major banks are represented there. Credit Union Australia is represented there. The Defence Signals Intelligence is represented there. So when we actually embarked upon that we were not quite sure how the private sector would react to being all in the one room in the one place, particularly when Internet banking had only just commenced. And the competitive difference between one bank and another is, in I guess my unprofessional policing terms rather than economic terms, is very small. And of course there was a lot of pressure on the banks to be in, but there was a lot more pressure on not being in. And we’ve been able to shut down some false websites and some denial of service attacks very quickly really through the cooperation of the banks and the private sector by having them there.

I just want to point out to mums and dads in the audience that whilst I’m talking about cyber crime and the Internet, that you ought not discount the mobile phone. Most of us don’t conceive the mobile phone to be a computer, but in fact it is, particularly with the 3G technology. It can receive and send emails, more importantly, it can send and receive photos and it can send and receive data. And you know where I’m heading with this. It is a vulnerability that mums and dads need to be aware of, just as they’re aware of what kids are doing online in the day‑to‑day use of the computer they have at home.

One of the things we’ve done in the AFP is, we’ve actually brought on children to help us. We’ve got a young person attached to our high tech crime area, and earlier this year, at the beginning of the year, we put together a number of schools. We did it as a sample in Canberra. We put 20 schools together and we listened to kids telling us how they do the things they do online and what are the most attractive things that they do. In fact we asked the kids, “How would it be, in your mind, that we should police the Internet with you?” And they gave us quite a few ideas.

That translated to, about four weeks ago we sent 10 children to London, from years 9 to years 12, to be part of a group of 150 young people from around the world. And we’re moving towards October this year, where we want to put a submission to the United Nations on how to protect children online. And the best way to do that of course, in our eyes, was to actually engage the children in telling us what’s attractive and what’s not, online. And I’ve got to tell you, it’s turned the minds of our investigators around completely 180 degrees because they were going down a traditional investigation and a traditional path of how they police in the streets or in the community, to a new way of doing business online.

And we do consider being in partnership with business as a vital tool to what we’re doing here. We launched earlier this week, on Monday, the National Missing Persons Week. And two of our major partners on National Missing Persons Week are MySpace and YouTube. Because, of the 35,000 people who go missing each year, 20,000 of those are young people. And whilst 95 per cent of them are found within the first 24 hours to 7 days, there’s still a large proportion, about 1600, who go missing for the longer period.

And kids being kids and technology being technology, one of the ways we want to try and get these kids to contact home is through the Internet, which a lot of them will use and will have access to through Internet cafes. So doing that sort of partnership is important. Equally as important is policing online. Earlier this year I met with Google in the United States, Silicon Valley, and rather than talk about regulation, we’ve been talking about partnerships and how do you police online.

Google’s mission statement is, to supply all of the world’s information to all of the world, it’s as simple as that. To supply all of the world’s information to all of the world. And I was saying to someone – to Eric, I think it was – last time I was in Adelaide I gave a speech across the road at a Flinders University presentation and the speech was about future crime. And I talked about botnets and I talked about robotics and I got castigated in the press. I also talked about climate change. But the atmosphere, if I can say it that way, was very different.

It’s the robots that are being used by Google to prevent being hacked. And it’s the robots of other users around the world that are trying to attack Google. So it’s quite an interesting set of circumstances that they’re trying to deal with. But when you think about that, all of the world’s information to all of the world, it’s quite an inspiring mission statement. If you went to the place, and I don’t know if you have, I apologise if people here have been there, but it’s a campus in Silicon Valley and it’s about 4000 people on the campus. And I’ve never seen so many smiling, happy, creative faces in all my life. If I could have bottled it, I would have brought it back with me. It’s just a – that’s their environment.

We’ve partnered with MySpace. In fact we’ve got one of our former executives with MySpace. We’ve got one of our executives doing a 12 month stint with Microsoft in the US, because we believe Microsoft will be visionary in terms of where they’re going to take the next level of cyber development. And I think these sort of relationships are the way of the future for policing, where once upon a time policing was a bit reticent to partner with the private sector.

We’ve seen nation states actually attacked through cyber attacks. The small country of Estonia, which is one of the most sophisticated countries in terms of use of the Internet, the whole government was on the Internet, the whole commercial sector was on the Internet, the community take-up rate on the Internet was something in the 90 per cents, and yet they were attacked and hacked and brought to their knees through denial-of-service. Now, clearly it related to what we would call Russian organised crime. And it was in retaliation for something that the Estonian government decided to do that upset people in Russia. And so nation states become quite vulnerable when their increased reliability of the Internet is how they do their business.

Australia is by no means immune in this regard. We really have to think about what we have online and how we’re protecting it. We’ve got everything from small gadgets to power stations to air traffic control. So many things are operated through computers now that the need and the desire and the efficiency of maintaining their operability becomes paramount. And so denial-of-service makes us vulnerable. And we need to make sure that we have the latest means by which to create firewalls, but also the latest means by which to audit and understand what has gone missing.

You know, when stocktakes used to happen and you could physically count things, when you talk about stocktaking and markets. Second Life – I gave a speech about 18 months ago in The Hague and I talked about Second Life, and someone asked me a question about whether it was related to Christianity. But Second Life – and I’ve been to Linden Labs and I was remiss because I didn’t have my own business card with an avatar on the back. But the latest statistics out of Linden Labs are that 13 million accounts are registered with Second Life. And Second Life has thousands of virtual shops where members are purchasing and spending up to US$1.7 million per day.

And one of the examples we talked about when I was at Linden Labs was somebody who had established a sunglass company on Second Life – rather meaningless in one sense – and was charging the equivalent of 25 cents to purchase a pair of fashion sunglasses. And of course as everyone went in Second Life and thought it was important to get a pair of sunglasses, when you start to talk about volume, you know, suddenly you’ve got a very viable business operating in Second Life.

There’s a game – I don’t know if people in the room are familiar with it; I’m sure some will be – called World of Warcraft. Now, World of Warcraft has 30 million registered users around the world. That’s bigger than Australia’s population. And they’re interacting right around the globe each and every day.

We’re working with the FBI, in a positive way, to open up a police station in Second Life, so that where kids get into trouble or people get defrauded, that they can come to the virtual police station and we can start dealing with the issue. And there are people who actually know – there are young people in parts of the world now, who know no other social interaction other than this virtual interaction, which is why someone came up with the idea of the Wii, the active way to interact to get kids off the seat and start playing games in a real life way but in the virtual world. And it is changing our life and changing the way that we conduct ourselves.

Last year a 23-year-old Moroccan-born resident of the UK was found guilty of incitement to commit acts of terrorism and he was sentenced to 16 years imprisonment. His crimes were committed entirely over the Internet. He used several pseudonyms, all of which were variations of a word called Irhabi 007. Irhabi is the Arabic word for terrorist, and 007 of course is obvious. His online activities included setting up websites and various web forums that supported al‑Qaeda. And he and his two co-conspirators financed their activities with stolen credit cards. They were found to be in possession of 37,000 credit card numbers and were ultimately linked to more than 2.5 billion euros.

So the leverage capacity that is there is quite phenomenal. And it’s becoming clear to us the criminals who use cyber communities as places to meet and plan crimes are becoming quite skilled in hacking and executing their attacks.

We don’t want to frighten everybody away from the Internet. And one of the things that we’ve been very active in doing is lobbying the government to actually understand the nature of this, that as we increase business and as we increase the personal use of computers, we have to have a measure of understanding about the impact on our community. So in May last year the government announced funding of $73.6 million over four years for new measures to address the three priorities they saw in the e-security national agenda: the first being reducing e-security risk to Australian government information and communication systems, going back to that Estonian example I mentioned earlier; reducing e-security risk to Australia’s national critical infrastructure, which I mentioned earlier; and enhancing the protection of home users and small to medium enterprises from electronic attacks and fraud.

In fact you may be aware that the Attorney-General and the Minister for Broadband, Communications and the Digital Economy recently announced a whole of government review of e-security. And we will be working with the Attorney-General’s Department to contribute to that review.

In closing I will just say that government and businesses in the online world will continue to use data in massive forms, forms that we really didn’t understand five to 10 years ago, and unlawful access to information systems will result in the destruction and/or manipulation of data and it will seriously affect online trust, which is why we’ve got to build, in my view, the partnership to give people the confidence to use the Internet for the positive purposes for which it can be used. And there’s no doubt that technology has the ability to increase economic growth, as I mentioned, but there’s nobody in the room who doesn’t understand or appreciate the fact that technology also has the potential to stunt development or create crime risks. And I think that prevention is far better than cure. And I think the opportunity to be here and be with business and raise the issues is an important one and one that we should continue into the future.

Thank you very much.