I participated in an interesting discussion last week at ENISA’s Expert Group on Barriers to Cooperation between CERTs and Law Enforcement. Such cooperation seems most likely to occur with national/governmental CERTs but I’ve been keen to avoid recommendations that they be given special treatment, not least because of the risk that such treatment might actually create barriers between them and other CERTs. The need for cooperation is recognised by both sides but seems surprisingly hard to achieve.
It seems that a fundamental problem may be the ways in which the communities naturally transfer information. CERTs tend to concentrate on problems within their own constituencies and to send information about other constituencies to the CERTs for those constituencies. Information generally flows proactively into the constituency where the problem is. At least when seeking prosecutions, law enforcement authorities tend to work in the opposite direction – after an event has occurred in a particular part of the Internet, asking the relevant CERT to provide information about its own constituency. It’s not surprising that processes set up to transfer information in opposite directions have problems lining up. A further difficulty arises if the information is needed as evidence, because there are still different legal formalities about how evidence needs to be collected, preserved and documented. In some countries evidence that does not meet the local standard is unusable.
An easier area to start with may be Law Enforcement’s increasing role in disrupting criminality (for example through the UK’s Serious Organised Crime Agency). For this, agencies are interested in information/intelligence, rather than evidence. The distinction may not always be clear – one of the most often cited reasons for not sharing information with law enforcement is a fear of loss of control, particularly that information shared in confidence may end up becoming public as evidence in a trial. A number of projects have addressed this, from the UK’s National High-Tech Crime Unit Confidentiality Charter (unofficial copy) to the NISCC Traffic Light Protocol, which is useful as a simple bridge between the different classifications used in public and private sectors. Organisations that have developed Memoranda of Understanding with regular partners reported that the process itself was very useful in building both trust and understanding.
Another key concern is that law enforcement may be unable to reciprocate in any information sharing. Information about current investigations clearly needs to be kept confidential until it is used in a trial, perhaps years later. However, letting CERTs know that the information they provide is useful will help them both to justify the effort spent on sharing and to guide what information it might be valuable to share in future.
It was felt that both of these issues would be helped by promoting the idea of “information exchange”, rather than “disclosure” or “sharing” that might be seen as either uncontrolled or one-way.
Finally there still seems to be a problem in expressing what sort of information would actually be of interest to law enforcement rather than overwhelming them. Law enforcement are concerned with crimes, incident responders are concerned with network policy violations, but both can only deal with the subset that are “interesting”. Every attempt by a virus to infect a computer is both a crime and a policy violation, but neither a CERT nor a Law Enforcement Agency could possibly deal with every one individually. The need to explain to each other our subconscious “that’s interesting” filters may be one of the harder barriers to overcome.
Any exchange of information clearly needs to be done in accordance with the law. In the UK the position for network information is relatively clear: for information about the use of a network, law enforcement can order disclosure using a notice under section 22 of the Regulation of Investigatory Powers Act 2000; for other personal data, a network operator may disclose it under section 28 or 29 of the Data Protection Act 1998 if persuaded that it is necessary and proportionate for national security or crime prevention purposes respectively. However, as in ENISA’s study on information exchange between CERTs, it seems that variations in national data protection laws and their interpretation – particularly in their treatment of Internet identifiers such as IP addresses – can cause significant uncertainty and problems. Since 2009 there has at least been a statement in EU law (though not always reflected in national transpositions) that responding to network and computer incidents is a legitimate reason for processing personal data where this is necessary and proportionate; this is strengthened in the proposed Data Protection Regulation. Unfortunately the inconsistencies may be even greater when dealing with law enforcement agencies, because current European law does not require their national data protection provisions to be harmonised. Even the revision of the Data Protection framework seems unlikely to resolve this issue, as law enforcement will still be treated separately, so common data exchange agreements satisfying the data protection requirements of all parties may be the best approach for the foreseeable future.