OECD calls for global anti-malware partnership

Canada is among a number of nations that have signed but not ratified a treaty on harmonizing cybercrime laws around the world, an influential economic organization has pointed out in a new report calling for more government and private sector co-operation against malware.

The Organization for Economic Co-operation and Development (OECD) report, issued Friday, calls malware a critical security threat to organizations and consumers who rely on the Internet.

“A strategy for a global partnership against malware is needed to avoid it becoming a serious threat to the Internet economy and to national security in the coming years,” say the authors.

In fact it calls malware “a multi-million dollar criminal industry.”

“Today, communities involved in fighting malware offer essentially a fragmented local response to a global threat.” Unfortunately, it notes, “no single entity has a global understanding of the scope, trends, development and consequences of malware and thus the overall malware problem is difficult to quantify. Data on malware are not consistent and terminology for cataloguing and measuring the occurrence of malware is not harmonized.”

It would help if governments, the IT community and businesses formed what it calls an “anti-malware partnership” to raise awareness, improve legal frameworks, strengthen law enforcement, improve the measuring of malware, find ways to address vulnerabilities in software, as well as offer economic incentives for research and development on weapons to combat malware and to create standards, guidelines and good practices.

Among the recommendations, it urges Internet service providers and domain name registrars to develop common codes of national and international practice to help stop the spread of computer viruses, spam and spyware. It also urges more action by governments to attack the problem, including a demand they ratify and sign the Council of Europe’s Convention on cybercrime. While 22 OECD countries have signed the document since 2001 promising to work to harmonize cybercrime laws, only eight have ratified it. Canada signed the document on Nov. 23, 2001.

A spokesman for the federal justice department was asked for comment but did not reply by deadline.

Among those that have ratified the convention is the United States, where it has been in force since January, 2007, as well as Bulgaria, Croatia, Cyprus, Finland, France, Hungary, the Netherlands, Norway and Ukraine. Other countries that have signed but not ratified include Britain, Japan, Germany and Ireland. Russia has not signed the convention. The report also calls on governments to foster the development of more secure software products, and to work with the private sector to increase research and prevention activity.

The report was a co-operative venture created by an OECD committee on information security and privacy and the Asia Pacific Economic Co-operation group for a June 17 meeting of officials from OECD countries in Korea on the future of the Internet economy.

Tom Copeland, chairman of the Canadian Association of Internet Providers and head of a Cobourg, Ont., service provider, was away and could not be reached for comment.

But a spokesman for Telus said the service provider “agrees that the fight against malware will take a global effort.” Shawn Hall, the company’s senior communications manager, said Telus is involved in initiatives with ISPs and other industry players around the world, including Industry Canada’s Cyberprotection Working Group, the Microsoft Security Response Alliance and Virus Information Alliance.

Telus also works to educate its customers, whom the report blames for running unprotected PCs online. That’s partly because some people aren’t adequately informed about how to securely manage their computers, say the report’s authors. Hall said Telus tries to spread the word about security in customer newsletters, but some people do what they want. For example, he said, while the telco makes sure wireless access points it sells have WEP protection turned on, some purchasers turn it off.

A spokesman for Bell Canada said in an e-mail interview that the telco takes online security very seriously and remains committed to combating abuse on the Internet. In recent years it has worked on several international best common practices through the Messaging Anti-Abuse Working Group of providers and makers of security products as well as with Industry Canada.

“Bell believes the recommendations by the OECD continue in this spirit and we support a collective approach to the development of international codes of practice to help stop malware,” the statement said.

Much of the 106-page report, which is aimed at politicians and senior government policy-makers, is old hat to people in the information technology industry. It explains how malware works and that it can be used for everything from denial of Internet service to blackmail. “Malware has evolved into ‘mass market’ money-making schemes because it offers such a profitable business model,” it says simply.

“The cost to malicious actors continues to decrease as freely available email storage space increases. Further, the use of botnets makes it easier and even cheaper to send malware through e-mail. Today’s criminals often have access to cheap techniques for harvesting email addresses as well as easy access to malware and outsourced spamming services. Anti detection techniques are constantly evolving to make it cheaper to operate, and malicious actors can easily switch ISPs if their activity is detected and their service terminated.”

From a law enforcement standpoint, the money made through illicit malware activity is increasingly hard to trace, the report notes.

The problem is international. It quotes from a 2007 report by anti-virus maker Sophos that 53.9 per cent of all malicious Websites observed are hosted in China, followed by 27.2 per cent in the U.S. Overall, malware on Web pages accounted for 52.8 per cent of incident reports by mid-2007 received by the United States Computer Emergency Readiness Team (US-CERT).

It also mentions that one problem is an increase in software with security holes. “Secure software development could be encouraged,” it says, noting “governments could maximize their influence as buyers of software by requiring more secure software products as part of their procurement process.”

Victims are not only individuals and organizations, the report says, but also ISPs and domain registrars who lose revenue and reputation if they become associated with suspicious online activity. Given the widespread nature of malware and its increasing level, it is beyond individuals or even businesses to deal with the threat, says the report, which is why it urges governments, law enforcement agencies, ISPs and IT security companies to come together in an alliance. To some degree they are already, the report admits, but they are always catching up to the perpetrators.

“The communities involved in fighting malware, whether governments, businesses, users, or the technical community, need to improve their understanding of the challenges each of them faces and co-operate – within their communities and across communities – to address the problem,” says the report. “Furthermore, their co-operation must occur at the global level. It is not enough for one country or one community to effectively self organize if others do not do so as well.”
