IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

Google Ads



Stefan Kronqvist
Chief, Computer Crime Unit
National Crime Investigation Department

before a hearing 
of the

Subcommittee on Government Management, 
Information, and Technology

July 26, 2000

Computer Security: 
Cyber Attacks - War without Borders


The Information Technology Crime Unit at the Swedish National CID is processing some 500 cases yearly. Of these cases about 50 per cent are Internet-related. Practically all Internet cases have an international component. Some of the forensic cases referred to our Unit also contain international ingredients. Consequently, the answer is approximately 50 per cent of the total case load. For obvious reasons the local and regional IT crime agencies have a lower rate of cases with international links.

For a good many years the National CID has enjoyed a state of close and comprehensive cooperation with the FBI. Cooperation with the Legal Attache Offices, formerly in London, now in Copenhagen, is functioning very smoothly and rationally. We are very grateful for the professional commitment with which our cases are treated by Legal Attache Robert Patton in Copenhagen. In the specific field of IT crime we also maintain good contacts with several members of the FBI in various functions. To mention one of several examples there is an exchange of practical work experience for the staff members of the FBI Laboratories and the NCID IT Crime Unit. Investigators have been visiting each others organisations to exchange experience and study work at the respective units.

We have had several investigations where we worked with the FBI. Perhaps the best known would be the E911 case in which our IT Crime Unit cooperated with the FBI in an effort to trace and identify a Swedish suspect who by means of illegal telecommunication periodically blocked the E911 lines in a major area in Florida. One element of this cooperation was to set up a tracking team of Swedish and US telecommunications operators. This was a rather complex operation which could not have succeeded without the professional skill and dedication of the units and investigators involved. The E911 case was very instructive, not least because the perpetrator posed a threat to infrastructure functions. FBI Director Louis Freeh described the incident as "a dress rehersal for a national disaster".

The most important thing would be to have IP addresses logged and make sure that they are stored and kept in a readable and searchable condition. As to Internet Service Providers it is important that the information is technically quality-proof, for instance that system clocks, etc., are correct. Sometimes the question arises whether or not to keep a system open in order to be able to trace an ongoing intrusion. My advice in these cases is always to weigh up the pros and cons in terms of potential damage and investigative interests.

At the present time a series of three-week methodology-orientated courses are being arranged over a period of two years for a totalof 120 IT crime investigators, a number of prosecutors included. The course is an extention of a three-month basic technical training course given last year. Available at international level since 1993 re training courses for European IT crime investigators organized by the ICPO-Interpol. There has been a proposal to provide international training in cyber intrusion detection. Besides methodology and technical subjects, such a training course could also contain instructive information about international regulations and contact channels.

In our opinion there is a differences of attitude towards a working relationship on the part of the private sector, often depending on the gravity of the crime. In cases where great values have been lost or are in danger of being lost the private sector is often prepared to cooperate. The willingness of companies to report crimes or assist investigations involving a third party is also dependent on whether they fear they may invite criticism of their own internal IT security. The Swedish National Crime Prevention Board recently publicized a poll on IT crime in medium-sized businesses and organizations which confirms this situation.

The specific act of cyber intrusion is long since a criminal offence under Swedish law. What is now being discussed are the legal coercive means of detecting, monitoring and tapping telecommunicaitons to and from suspect criminals. These matters are currently being reviewed by the Swedish Ministry of Justice. The purpose is to adapt regulations to modern computer and telecommunication technology.

The major problem we are facing in coping with Internet crime is that of obtaining access to useful information from foreign Internet Service Providers and responsible Web managers. Normally, the provider asks for a court order, subpoena or other formal domestic disposition before information is supplied. Such a decision must be preceded by an international letter rogatory, a time-consuming procedure as we all know. It is my understanding that certain criminal operators are well aware of this. One way of addressing these problem that suggests itself would be international agreements to release subscriber information and logged IP addresses to the law enforcement authorities in another country without the requisite of a formal letter rogatory request. The transmission of information would be handled via special contact points in order to secure authority and make sure that the information does not fall into the wrong hands.

Regulations requiring anyone conducting business or organizational or related activities on Internet to possess the ability and knowledge to provide adequate information to law enforcement agencies to assist criminal investigations. Some kind of authorization or licencing of Internet operators might be a possible alternative. You may probably not get to the actual criminals that way but what do they care about regulations anyway?

The Swedish Government is presently in the process of setting up a national Computer Emergency and Critical Incident Response Function. At the present moment opinions vary as to how such a function should be organized and operated. The Swedish police hold the view that such an agency should be managed by the police or at least contain a manifest law enforcement element. An organization without police participation would be without the powerful information and contact channels accessible to the police. Also, there is the risk of not being able to protect important third party interests. It has further been argued that such a function should not be permitted to access information from the private sector if businesses face the risk of ending up in an undesired criminal investigation because a crime was reported to the police. It will therefore be extremely interesting to take note of the experiences of the NIPC.

Short description of the National CID and the IT Crime Unit

Under the organization of the Swedish police force the National Criminal

Investigation Department is the central responsible authority for operational police activities with the exception of those subordinate to the Swedish Security Service and the Economic Crimes Bureau. The responsibilities of the National CID include criminal intelligence service, certain qualified criminal investigations and support to the local police authorities. The National CID is functioning as central level coordinator of the combat against organized crime.Further, the National CID is responsible for operational international police cooperation and serving as National Central Bureau of the ICPO-Interpol and National Europol Unit.

The IT Crime Unit of the National CID has instructions to maintain and develop national support activities in order to assist the local police authorities in surveilling and investigating IT crime. The unit provides training, methodology and technology development and also carries out operational activities by conducting house searches and interviews and analysing seizures and, also, by tracing and identifying persons who use Internet and its services and functions as targets or means in the commission of crime. The unit serves as contact point for international police cooperation in this specific subject field. A year ago the IT Crime Unit introduced a 24-hour service, one reason being that Sweden had joined the G8 Network of 24-Hour Contacts for High-Tech cases.

Brief summary of Swedish legislation on Computer Crime

Most IT-related crimes are provided for under traditional penal law. However, there are special provisions for computer intrusion (breach of daa secrecy) Penal Code, Chapter 4, Section 9c, computer fraud (PC, Chapter 9, Section 1) and the Copyright Act on computer programmes and the legislation on liabilities referring to electronic bulletin boards. The recently updated legislation on personal integrity (Personal Data Act) is highly apdated to the modern IT society.

The legislation on Criminal Porcedures is being revised for adaption to modern technology. The same is the case with the special legal provisions on the confiscation of property and assets. For instance data cannot be independently seized and forfeited, this procedure can presently be applied only to material objects.

IWS Mailing Lists

Mailing Lists Overview