RIPE NCC Law Enforcement Meeting, London 12 March 2015
Executive Summary
The RIPE NCC recently held its seventh meeting for Law Enforcement Agencies (LEAs) in partnership with the British National Crime Agency (NCA) and the other RIRs. The purpose of this meeting was to discuss trends and developments that might impact the operations of LEAs and to gather the global law enforcement community's perspective.
A number of key points arose throughout the day:
- The RIPE NCC highlighted that much of the information that LEAs required was publicly available and did not require a Dutch court order
- The room agreed that the current multi-stakeholder model of Internet governance was preferable, but felt that LEAs and governments needed to engage more effectively within the existing structures
- The relatively slow adoption of IPv6 and the spread of IP address sharing technologies such as Carrier Grade NAT will increasingly create issues around identifying specific end users
- LEAs felt that cooperation with the private sector is extremely important and could improve greatly, but it was also understood that this came with additional costs.
With around 90 attendees, the RIPE NCC would like to thank NCA for its help in putting together the day. The RIPE NCC looks forward to continuing its engagement with the global law enforcement community.
Meeting Report
The RIPE NCC, together with the other RIRs and the National Crime Agency (NCA), recently organised our seventh dedicated meeting for Law Enforcement Agencies. These meetings are organised alongside the e-Crime congress, which draws participants from across the global LEA community.
The day was opened by Dr Jamie Saunders (NCA), head of the National Cyber Crime Unit, who stressed the need for public-private cooperation in effectively combatting cyber crime, using expertise from both sides and learning from each other to better understand the threat and develop longer-term solutions to design out crime.
This was followed by a presentation from Jochem de Ruig (RIPE NCC), who explained the function of the RIR system and the relationships that exist between the RIRs and other Internet institutions such as ICANN and the IETF – highlighting their respective roles and the need for the LEA community to engage with these organisations according to their specific areas of authority and individual roles within the Internet governance ecosystem. In response to a question on whether law enforcement could obtain Internet resources, it was highlighted that any organisation, including law enforcement agencies, can become a member of the RIPE NCC and request resources. It was also pointed out that any changes in policy would need to be carried out using the PDP and assistance was offered to help draft any proposals in order to get the policy development process started.
In reference to the IANA Stewardship Transition, Axel Pawlik (RIPE NCC) explained the current relationship between ICANN and the RIRs and the MoU that is signed between them.
Paul Hastings and Greg Francis (NCA) gave a presentation on the importance of Internet Governance and the need for law enforcement to understand the Internet Governance structure. Paul led the room in a short exercise to debate the merits of a multi-stakeholder model against a statist approach led by nation states. The conclusion of the room was that the multi-stakeholder model was preferable, but states and law enforcement agencies need to engage more effectively within the existing multi-stakeholder structures.
After setting the scene, Jonathan Flaherty (NCA) presented on an international project to map out criminal Internet infrastructure, pointing out that while the activities may be controlled from one jurisdiction, the computers and network infrastructure being used are often located in a number of different countries and therefore subject to a range of different jurisdictions and legislation. He stressed the importance of using publicly available datasets such as the RIR databases and tools such as RIPEstat in these investigations to obtain information more efficiently than through the use of legal cross-border requests for assistance (MLATs). He said it was clear that international policing collaboration was key to stopping cyber crime, and noted that the UK has excellent working relationships worldwide.
Marco Hogewoning (RIPE NCC) then presented some more details about the tools and public datasets that were used in this investigation, pointing out that only in very rare occasions would a subpoena to the RIPE NCC reveal more relevant information than the data that is available from public sources. He said the RIPE NCC was available to teach the law enforcement community how to use these tools and to help them with specific questions they might have. He also explained some recently added RIPE Database features such as the availability of historic information and gave an overview on how LEAs can report information about incorrect or falsified data to the RIPE NCC. In response to a question, Marco and Jochem explained why the RIPE NCC only accepted Dutch court orders as a legally valid means of requesting non-public data.
In the afternoon, Professor Ian Walden of Queen Mary University led the room in an exercise where participants were asked to suggest improvements in legislation, policy or procedures that could help in preventing or disrupting criminal activities.
A range of solutions were discussed and most touched on effective cooperation between law enforcement and private sector. Some participants mentioned the need for improved due diligence at the level of the registries and their members. In reply to a comment that private companies did not always have access to appropriate resources to do this verification, several agencies offered assistance with evaluating suspect cases within their jurisdiction.
It was also mentioned that industry partners could improve on sharing data about comprised systems, as some companies treat this information as proprietary or confidential rather than notifying the responsible operators and allowing them to clean up any infected hosts.
Looking at future developments, it was mentioned that the widespread use of Carrier Grade NAT (CGN) and other forms of IPv4 address sharing in response to the slow adoption of IPv6 were still a challenge. While there is still confidence that sufficient logging will allow the identification of individual users, the lack of clear standards and differences in data retention legislation will have a considerable impact on the efficiency of law enforcement operations.
Some of the participants were surprised to learn that IPv6 coverage in some countries is now well over 10%. Nigel Titley (RIPE NCC Executive Board) mentioned that as the amount of spam sent across IPv6 is increasing, it is likely that cyber criminals are not for behind. It was noted that all five RIRs have expertise and capacity building resources to help LEAs prepare for IPv6.
Leslie Nobile (ARIN) and Kevin Meynell (APNIC) provided the audience with some information on inter-RIR resource transfers, following a question regarding cross-registry data quality and consistency.
In response to the recent increase in DDOS attacks, several participants stressed the need for more outreach about preventive measures such as BCP 38. Another issue was raised regarding the safety of devices inside end users' networks such as wifi access points and Internet-enabled equipment like television sets that often have weak security or known vulnerabilities. A suggestion was raised to organise an awareness campaign aimed at these end users.
It was suggested to also investigate the possible legal liability of users and operators that fail to take appropriate security measures to protect their network from being used to conduct these attacks or facilitate criminal activities.
Concluding the day, Dr Saunders said that one significant point from the session was that LEAs supported the multi-stakeholder mode and were finding ways to work more effectively within this model. He also highlighted the need for LEAs to work with industry partners to implement proposals to the Internet governance structure that will make the Internet safer. These proposals would need to be politically, commercially and technically viable.
Attendance
Attending on behalf of the RIRs and community
Axel Pawlik – RIPE NCC
Jochem de Ruig – RIPE NCC
Andrea Cima – RIPE NCC
Athina Fragkouli – RIPE NCC
Sandra Gijzen – RIPE NCC
Antony Gollan – RIPE NCC
Marco Hogewoning – RIPE NCC
Nigel Titley – RIPE NCC Executive Board/Co-Chair RIPE Database Working Group
Brain Nisbet – Co-Chair RIPE Anti-Abuse Working Group
Leslie Nobile – ARIN
Kevin Meynell – APNIC
Countries and organisations which participated in this meeting:
United Kingdom
Australia
Belarus
Bosnia and Herzegovina
Bulgaria
Chile
France
Germany
Ghana
Hong Kong
India
Indonesia
Japan
Moldova
Netherlands
Romania
Serbia
South Africa
South Korea
Sweden
Switzerland
Thailand
Ukraine
USA
Vietnam
Europol
Interpol