Chapter 5

Operational challenges and vulnerabilities

5.1        Law enforcement agencies across Australian and international jurisdictions are confronting a range of similar operational challenges that derive, in part, from the global reach of cybercrime and associated technology.[1]

5.2        The Department of Home Affairs (DHA), Attorney-General's Department (AGD) and Australian Border Force (ABF) summarised the challenges and opportunities of new and emerging ICTs for Australian law enforcement.

The evolving digital environment provides criminals with new avenues to commit a range of serious and complex crimes, including terrorism, firearms and drug trafficking, human trafficking and child sexual abuse. Extremist individuals and terrorist organisations are increasingly using social media and other online tools to facilitate and promote their activities. Similarly, online platforms provide unprecedented connection and storage for the easy sharing, promotion and discussion of child sexual abuse material. New technologies are also making these crimes more complex for law enforcement agencies to investigate. The use of cyber elements for criminal purpose is growing, creating unprecedented risks for both individuals and businesses...New technologies also provide the potential for improved investigative and operational outcomes. The goal is to ensure law enforcement agencies are well-positioned to harness these opportunities, by being nimble and 'ahead of the curve', as well as being capable of tackling new challenges as they arise.[2]

5.3        Dr John Coyne similarly discussed the challenge for Australian law enforcement agencies:

Divining future developments in technology—and their law enforcement implications—is no easy task: the art of the possible is changing almost daily. The last 15 years of technological advancement is a mere sample of the potentially staggering change that will confront policy makers as we approach 2030. How well governments respond to this change will be dependent on agility in policy development, technology adoption and programme implementation. The big challenge for Australian law enforcement agencies relates to how they create the culture and capability development structures to support rapid innovation to protect citizens in a constantly changing landscape.[3]

5.4        The Cyber Security Research Centre (CSRC) observed that, whilst Australia's intelligence and law enforcement agencies are carrying out outstanding work:

...Australia's emerging national capacity to cope with the pace of change and to counter threats and criminal activity conducted in Cyberspace remains under-developed, uncoordinated and dispersed. There is a pressing need to maximise and build on current expertise dispersed around the country so that Australia is better prepared to face the challenge of countering the malicious misuse of cyber technology.[4]

5.5        This chapter will consider these operational challenges in the context of:

Geographical and jurisdictional constraints

5.6        A key challenge is that, while cybercrime is conducted on a global scale, Australian law enforcement is constrained by geography and jurisdictional reach. This is exacerbated by the fact that commercial entities and criminal offenders operate 'in the digital landscape rather than the geographic or jurisdictional landscapes'.[5]

5.7        In other words, unlike other forms of crime, cybercrime has 'no local flavour'. Data collected by the Western Australia Police Force (WA Police), for example, shows that 30−40 per cent of cybercrime offences are committed by international offenders, and that victims and offenders reside in the same jurisdiction in only seven per cent of cases.[6]

5.8        This has significant implications for law enforcement, as DHA, AGD and ABF explained:

Crimes can be committed across state and national borders, with the perpetrator located in one jurisdiction and the victim in another. This makes investigations more protracted, expensive and reliant on cooperation between multiple jurisdictions. Investigations into less serious cross-border crimes, where the impact on the victim may be relatively small, become less viable. Regardless of the jurisdiction in which a crime is committed, evidence is frequently located offshore due to the range of international companies now supplying communications services to Australians—for example, over the top voice and messaging applications, email and cloud storage.[7]

5.9        Similarly, the Australian Criminal Intelligence Commission (ACIC) and Australian Institute of Criminology (AIC) noted that technology has 'dissolved borders that previously protected victims from offshore offenders'.[8] The availability of technology to reduce law enforcement visibility of serious and organised crime groups' activities has impacted on how law enforcement agencies undertake their work.[9]

5.10      Detective Inspector Tim Thomas, Assistant Divisional Officer for Technology Crime Services, WA Police, explained the approach when the victim of a cybercrime resides in a different jurisdiction to the perpetrator:

The simple reality for us is very straightforward. We've already given you the statistic that seven per cent of offences have the offender and the victim in the same jurisdiction. The question is: what do we do when they're not in the same jurisdiction?...when we're faced with a very common scenario—say we have a victim in Western Australia who has lost $2,000 in some kind of online fraud, which is very common, and the offender is in another country—we've got two choices: to focus on the offender and try and achieve something or to basically do nothing. So we choose to focus on the offender.[10]

5.11      Detective Inspector Thomas noted that Australian law enforcement uses a national cybercrime management protocol model, although the model is not necessarily well understood or supported across the jurisdictions:

We have been using this model in Western Australia for three years and we give direct communications to our victims. We tell them exactly what the situation is and what the policing objective is, and we've found that the public are very receptive to this. They understand that the online environment is different to the traditional environment and they understand that the objective of preventing the offender from continuing to offend is, in some cases, the only valid approach that can be taken.[11]

5.12      Mr Matthew Loeb, Chief Executive Officer, ISACA, pointed out that law enforcement agencies are hampered by the lack of international agreements that enable cybercrime to be investigated across multiple jurisdictions:

I believe the No. 1 biggest challenge here is that even if we can track perpetrators in other places there it is a limitation to enforcement of the criminals because of lack of treaties and legal understandings between nations. Believe it or not, that is also true inside the US—the laws of one state differ from the laws of the other and the interpretations can vary.[12]

5.13      Detective Inspector Thomas John Shillito (John) Manley, Officer in Charge of the Victorian Joint Anti-Child Exploitation team, Victoria Police, stated that the challenge for the Five Eyes Alliance is in finding a more efficient way of coordinating cybercrime-related law enforcement activities across the member countries. He noted that the mutual assistance legislation is cumbersome, having been developed to deal with the world before computers, and law enforcement agencies may pursue alternative paths to facilitate an investigation:[13]

From my perspective, when it comes to mutual assistance, if we could somehow work out a better way of doing things within the Five Eyes group, that would be hugely helpful—some arrangement where perhaps we had a national Australian warrant, or warrants, depending on what was required, that each law enforcement agency would submit so the international jurisdiction wouldn't have to deal with a whole range of warrants from different states; some national warrant for us to get what we want. The production of that warrant would then cause the internet service provider or whoever in that Five Eyes country to automatically provide the data. That would be really useful. There has got to be some simpler way of doing business.[14]

5.14      Digital Industry Group Incorporated (DIGI) stated that existing international standards for requesting data from jurisdictions other than the United States are outdated and in need of modernisation:

Efforts are underway to develop new international agreements between like-minded governments which both respect the rights of the individual and provide for the legitimate interests of public safety agencies.[15]

5.15      Dr Adam Molnar, Vice Chair, Surveillance Committee, Australian Privacy Foundation, argued that Mutual Legal Assistance Treaties (MLATs) should be preserved but 'reconfigured [so that they] actually address the new reality of not just cross-border lawful access requests but also the idea of computer network operations':

I think some of our colleagues have taken a more narrow view of the role of MLATs in relation to cross-border data access requests to private companies in overseas jurisdictions and some of the rules around disclosing that information, but that's only a more narrow vision of how law enforcement is currently operating across international jurisdiction.[16]

Workforce skills and capabilities

5.16      The issue of law enforcement agencies attracting and retaining suitably skilled staff was an issue that arose throughout the course of the inquiry.

5.17      Mr Loeb stated that, whilst law enforcement agencies may realise the positive benefits of ICTs in their work, their workforces need to be 'grounded in technology and possess a level of expertise that enables them to leverage these technologies to spot criminal activities'.[17]

5.18      Mr Alexandru Caciuloiu, Cybercrime Project Coordinator, Southeast Asia and the Pacific, United Nations Office on Drugs and Crime (UNODC) Regional Office for Southeast Asia and the Pacific, made a similar point:

As crime gets more specialised and more technological, law enforcement needs to become tech savvy. Law enforcement needs to understand the internet, how technologies work and how to leverage these technologies for the criminal justice process. That involves a lot of knowledge, staff that have very good understanding and training in this area, and also a lot of specialist tools that are very expensive.[18]

Specialist staff

5.19      Several submitters highlighted the challenges associated with recruiting suitable staff and maintaining ICT skills and capabilities in Australian law enforcement agencies, within a rapidly changing ICT environment, although the DHA, AGD and ABF noted that '[t]his is not a challenge faced by law enforcement in isolation'.[19]

5.20      When asked about recruitment by the AFP and ACIC, and their ability to attract technology experts, Dr Coyne remarked:

The short answer to that is in some cases we are, but overall the system doesn't encourage that. Also, the very nature of employment and law enforcement has changed. If you look towards the latest future strategy for the Australian Federal Police, they highlight this. Operationalising that strategy is incredibly difficult. For instance, take the case of obtaining a data scientist. If the AFP wanted to obtain a data scientist and wanted them to be a sworn police officer, they would have to put that person through 12 months at the academy, bring them out of the police academy, give them two years of investigative experience and then return them to being a sworn data scientist. That's clearly not workable. The models that we have for bringing people into the Public Service are flawed in the same way. It's incredibly difficult, at a time when data scientists or forensic accountants are in great demand, to get them to move from our major cities, like Sydney or Melbourne, and take up a job for less money in the Australian Public Service. That is incredibly difficult. This is where we have to revisit these models and look at alternative approaches.[20]

5.21      The CSRC pointed out that, whilst there are currently concentrations of cyber-related expertise within both government and non-government agencies across Australian jurisdictions, law enforcement responses are dispersed and this fragmentation is undermining the ability of agencies to cope with the pace of technological developments. It argued that there should be a better way of coordinating across national, state and territory government agencies, police forces and areas of cyber expertise: 

The national picture...remains one of fragmentation and disaggregation. Resources are scarce—in terms of funding and skilled personnel. There is a severe shortage of cyber experts and cyber-trained investigators within both government and industry. This situation is exacerbated by the relentlessness speed with which the cyber environment evolves; cyber criminals have generally been able to adapt to this evolution and change tactics more quickly than investigative agencies. If not effectively countered, cybercrime will continue to become even more pervasive and public confidence in the efficacy of Australian law enforcement investigations and regulatory compliance measures will diminish. Failure to address cybercrime effectively will also lead to a loss of confidence for businesses operating online in Cyberspace.[21]

5.22      The CSRC also highlighted the importance of concentrating expertise, noting that there are a number of potential non-government partners with cyber security capabilities, including academic centres of excellence and research centres specialising in cyber security and cybercrime studies, as well as specialist advice available from the private sector producers of technologies exploited by cybercriminals:[22]

One of the principal benefits is, if you concentrate your expertise, you have a much, much better chance of keeping up with the pace of technological change which is occurring in this sector. If we owe it to our law enforcement to have the best tools available, then this is one potential way of getting there—that is, approaching it on a national basis.[23]

5.23      The CSRC recommended the establishment of a single Commonwealth-led cooperative entity, providing expert cybercrime investigative support services to government, national security and law enforcement agencies. The CSRC argued that such '[n]ational cooperative arrangements would constitute a critical mass of expertise able to operate on a scale that is too difficult and too expensive to achieve in a myriad of small under-resourced cybercrime capabilities spread around the country.'[24]

5.24      The CSRC explained that the proposed entity would not duplicate the roles of existing agencies, but rather that participating agencies would second expert cyber-investigative staff to contribute to investigations conducted by their parent agencies, leveraging common technical skillsets, methods and technologies concentrated in the new entity.[25] Such an entity should also be able to draw on the expertise of the Australian Signals Directorate which, under the Intelligence Services Act 2001, is currently limited in its capacity to contribute to Australian law enforcement investigations.[26]

5.25      WA Police noted that specialist ICT-related services such as decryption, chip-off forensics, and some covert services 'will always exceed the resources of a single jurisdiction' and, like the CSRC, recommended the creation of 'centres of capability which are resourced and structured to supply some level of national service'.[27]

5.26      DIGI outlined the 'single point of contact' (SPOC) model, adopted in the United Kingdom (UK), intended to ensure that all law enforcement officers are equipped with the necessary tools and information for tackling crimes involving an online element:

These designated SPOCs sit within each constabulary and are trained experts in how to obtain, interrogate and analyse digital information which can be instrumental in modern day investigations. The digital industry can focus their training efforts in a much more effective and targeted fashion, and officers within each constabulary have internal experts to draw on to ask questions, sanity check investigatory options and channel data access requests through. This model came about through a recognition that it could be challenging to ensure that all law enforcement officers are equipped with the necessary knowledge and experience in requesting, interpreting and applying electronic data to an investigation. Recent advances in technologies such as encryption, cloud computing, connected devices, Big Data analytics, artificial intelligence, and virtual reality have presented law enforcement agencies with new methods and tactics for tackling crimes that involve an online element. Given the speed with which emerging technologies and platforms evolve, the SPOC model also makes it easier to keep officers up to date with the latest investigative tools and information.[28]

5.27      The UK National Crime Agency (NCA) has also sought to enhance its workforce through the use of 'volunteer crime-fighters' called 'NCA Specials'. NCA Specials are recruited 'because of their specialist, niche expertise and skills that are rarely available within law enforcement, but that are of huge value in the fight against serious and organised crime'.[29] Cyber security is an area of expertise sought by the NCA in prospective NCA Specials.

5.28      NCA Specials:

are part time, unpaid NCA officers and are Crown servants by virtue of being employed by the NCA to exercise the functions of a Crown body; they are not civil servants. They are unpaid employees, working under a contract of employment, and under the direction and control of the NCA Director General, exercising authorised NCA functions personally.[30]

5.29      NCA Specials are appointed by a panel comprising business representatives and the NCA Specials and Volunteers Manager, which assesses applications 'against any skills gaps identified where a niche specialism (which is impracticable to fill through conventional employment) can enhance the agency's capability'.[31] NCA Specials are security vetted and subject to the same conduct and confidentiality regime as NCA officers.[32]

5.30      ISACA discussed leveraging existing talent and incentivising people with technological aptitude to become involved in law enforcement work. Mr Loeb stated:

...we have to be realistic about the investments we make. When I say 'investments' this time, it's not just financial investments; it's thinking about how we leverage the knowledge and resources of people who are either directly or indirectly engaged in cyber related activities, particularly in the prevention side. By that I mean when we look at the talent, it will help us in the long term that we're moving into an era where we have digital natives coming into the workforce who demonstrate greater technological aptitude than older geezers like me. They'll come with an aptitude to learn faster and be more adept at embracing these things, but how do we leverage the talent we have in the interim?

Part of this relates to law enforcement and security personnel in general. We need to find ways of incentivising people with the proper technological aptitude to get involved. We're seeing that if you demonstrate technological aptitude, you can do some of this security work simply by being trained.[33]

5.31      Mr Loeb also gave the example from 2017, where ISACA firms:

took 55 people of non-traditional, non-technological backgrounds and put them through security training. At the end of 10 weeks of this security training, people whose professions included beauticians, bartenders, morticians and psychiatrists quickly became employed in cyber related positions. The lesson from that is not, 'Let's put all the beauticians through security training,' but that we need to be open to leveraging the capabilities of people who are already good at this to train people who have an aptitude for it. You can parallel those working on the technological side with those working on the law enforcement side. We have to be open to that.[34]

5.32      Following recommendations contained in Australia's Cyber Security Strategy, the Australian government allocated an additional $20.4 million to the Australian Federal Police (AFP) for the period 2016−20 to place liaison officers overseas and to recruit personnel with the technical skills required for cybercrime investigations.[35]

5.33      Mr Neil Gaughan, Deputy Commissioner, Operations, AFP, noted that investigators have been embedded, not only with the Australian Cyber Security Centre, but also with Australia's cyber security counterparts in other countries, contributing to the development of relevant skills:

That has been invaluable. Not only do we get notification of real-time threats and intelligence exchange in a real-time process but, more importantly from my perspective, it's upskilling our people. The people we currently have in those two locations are world's best in relation to investigations of cybercrime, and they'll come back when their term is up and be able to pass those skills on to our people here.[36]

5.34      He noted, however, that the AFP faces challenges in retaining skilled personnel because of competition for those specialised skills from other Commonwealth agencies as well as from private industry.[37]

Specialist training

5.35      Some tertiary institutions offer advanced training courses or accredited high level degrees, but there are difficulties in matching these specialist training options with the precise training and education needs of government agencies. The CSRC recommended that a national approach to cyber training is needed, including collaboration with academic centres of excellence and private sector producers of technologies that are being used by cybercriminals.[38]

5.36      The ACIC and AIC acknowledged the Australian government's recent announcement to establish two new tertiary qualifications aimed at building a national industry of cyber security professionals, and to help protect business from cybercrime. However, they argued that there is a need to also recruit and retain personnel trained in cyber-forensics as well as cyber criminologists with expertise in the 'threat environment' and knowledge of the latest international approaches to prevention and control of cybercrime.[39]

5.37      DHA, AGD and ABF stated that:

There is also evidence that Year 11 and 12 students in Australia show a lack of interest in STEM (Science, Technology, Engineering and Mathematics) careers and ICT. This may lead to a smaller pool of graduates when recruiting for technologically capable professionals in the medium to long term.[40]

5.38      WA Police advised the committee that 'law enforcement agencies of Australia defined their common, technology crime skill requirements in a set of documents which have been endorsed by the nation's Commissioners of Police'.[41] Those documents:

address future need by describing the technology crime skills required from constable level to specialist level, thereby enabling police agencies to develop an interoperable technology crime capability which scales to technology use in the community in a practical and cost effective manner.

The documents were created to address the absence of relevant training in the marketplace, by providing academia and training vendors with a blueprint of need.

Experience has demonstrated that a cohesive national approach is required to gain and retain the attention of the marketplace.[42]

5.39      Dr Coyne stated that new models are required for recruiting technology specialists into law enforcement agencies. He discussed the Australian Taxation Office's strategy over approximately 20 years of:

bringing in cadets in the ICT industry. They're roughly in their last year of university, they work part-time within the organisation, they have a return-of-service obligation—for want of a better term—and they deliver cutting-edge young people in the workforce. That's one example of an approach. But the bottom line...is that what we really need is to take a much more flexible and imaginative approach to staffing issues. That comes from a loosening of arrangements around the Public Service and the employment arrangements for organisations like the AFP and the ICAC. Without that, we simply will not train those people.[43]

ICT capabilities

Rapidly changing technologies

5.40      A key challenge for law enforcement is the ability of agencies to keep up with the rapidity and constancy of changes in cybercrime technology and methods of criminal activity. As the rate of technology development accelerates, policing and other law enforcement agencies must engage with it effectively before its use becomes widespread amongst criminal entities.[44]

5.41      The CSRC noted, for example, that:

...the use of Ransomware as an extortion tool is estimated by one source to have increased 2000% in the last two years as the new generation of cyber criminals increasingly resemble traditional organised crime syndicates.[45]

5.42      Mr Nathan White, Senior Legislative Manager, Access Now stressed that the inevitable speed of technological change puts the emphasis on improving law enforcement's ICT capabilities:

...with quantum computing and artificial intelligence, we can't stop technology, we can't stop research and we can't stop human development. We can pass laws that might slow it down or make it harder for people to use—we can do that, sure. But eventually these technologies are going to be out there. People who want them are going to be able to get them. What I would rather do is spend my time not slowing down technology but speeding up law enforcement.[46]

5.43      DIGI noted that law enforcement agencies are increasingly adopting new and emerging ICTs during investigations, citing examples such as the operational use of 3D technology to create a virtual model of a crime scene that can be used for later examination and analysis.[47]

5.44      Mr Guy Carlisle, Chief Information Officer, Northern Territory Police, Fire and Emergency Services, pointed out that new and emerging ICTs should be viewed as an opportunity to improve policing capabilities:

I think ICT across government needs to be seen more as an enabler or a multiplier and not just treated as a cost centre, where projects and things are about 'How do we save money?' or 'How do we reduce police?' as opposed to 'How do we enable police enforcement or provide more capability to police?' I think we also need to take more of a risk based approach to technology. For example, triple 0 and dispatch services need to be rock solid and should never use bleeding-edge or leading-edge technology, whereas other operations such as intelligence services or disruptive operations can adopt leading-edge technology.[48]

5.45      WA Police pointed out, however, that current legislation limits law enforcement from using some technology despite these technologies being available to safely disable the threat. They noted that the Customs (Prohibited Imports) Regulations 1956, for example, prohibits the importation of signal jammers and drone jammers into Australia unless exempt, and the Radio Communications (Prohibited Device) (RNSS Jamming Devices) Declaration 2014 may prohibit drone jammers in Australia because of their capacity to jam GPS signals. WA Police argued that legislative reform may be required to enable law enforcement to use such technologies for law enforcement purposes.[49]

Financial constraints

5.46      The rapid pace of change in cybercrime technology means that the life cycle of ICT systems for law enforcement purposes is 'drastically reduced'. Dr Coyne argued that there is an urgent need for increased investment in ICT capabilities:

Current acquisition requirements, as outlined within relevant Department of Finance guidelines, no longer meet law enforcement needs. And under certain circumstances may impede law enforcement agencies from acquiring much needed capability. Traditionally law enforcement has employed a 'grow your own' approach to subject matter expertise and capability development. In the current operating context law enforcement will need to engage more frequently with the idea of acquiring capabilities and subject matter expertise on an ad hoc contracted basis. The research and development budgets for law enforcement, especially with respect the development of ICT capabilities needs to drastically increase. While government is unlikely to regain its 'technological edge' it can work with partners and develop niche capability.[50]

5.47      Mr Loeb similarly discussed the importance of governments investing in new and emerging ICTs for law enforcement:

The primary objective of law enforcement requires staying one step ahead of the criminal. To ensure a safe, prosperous and forward focused Australia it remains imperative that the country continues to invest in ensuring the law enforcement community has the very best ICT technologies.[51]

5.48      Ms Amie Stepanovich, United States Policy Manager and Global Policy Counsel, Access Now pointed to the importance of investing in research and education about the tools and technologies available to law enforcement:

There are many tools and technologies available to law enforcement...investing in research of those tools and education of law enforcement, and making sure that there are proper frameworks in place is a significant, important step that we should be talking about and moving forward on.[52]

5.49      Dr Coyne warned that the longer-term impact of efficiency dividends on national security agencies has led to a 'delicate equilibrium of cuts and "just in time" policy initiatives'.[53] For law enforcement agencies such as the AFP, budget policies have required them to offset new policy proposals from within existing budgets, resulting in a 'continuous erosion of funding' for existing programs. He argued that the wider impact of such policies has been to reduce the capacity of Australian law enforcement agencies to engage in international engagement and cooperation.[54]

Ageing and inconsistent systems

5.50      The ACIC, which is responsible for maintaining a national database of criminal information and intelligence, relies on the ageing Australian Criminal Intelligence Database (ACID) and Australian Law Enforcement Intelligence Network (ALEIN).

5.51      The ACIC and AIC argued that these are 'bespoke systems' that are no longer fit for purpose, and do not meet the modern business needs of law enforcement and intelligence agencies:

Maintenance and implementation of new ICT and capabilities is expensive and difficult in an environment of declining budget allocations. New ICT builds can often cost in excess of double the amount of agency annual appropriations. This highlights the need for dedicated funding in order for law enforcement agencies to remain effective against the emerging technologies being utilised by serious and organised crime groups, who often have access to large sums of money which allows them to take on new technologies as they appear...Funding cycles and governance frameworks are essential to maintain accountability but could be structured to be more flexible and agile to allow agencies to be in the best position to respond to changes.[55]

5.52      The ACIC and AIC pointed to the 'interoperability issues' between Australian law enforcement ICT systems, noting that further investment in ICT architecture will enable agencies to implement connectivity solutions so that they can share data with Australia's jurisdictional partners.[56] The ACIC and AIC also noted these 'interoperability issues' exists with systems and services developed by the Commonwealth for use by state and territories or the private sector in response to a particular event or incident:

Cultural shifts are necessary to ensure support from all parties when attempting to deliver national ICT systems and services. Systems and services need to be built on a national level to maintain pace with emerging technologies and to fully utilise the technologies readily available across all levels of government and also the private sector.[57]

5.53      In this context, the ACIC outlined its plans for a National Criminal Intelligence System (NCIS) that will address some of these challenges, giving Australia's law enforcement and intelligence agencies the 'first truly national and unified picture of criminal activity'.[58]

Securing electronic evidence

5.54      Digital evidence is like any other evidence in that it must be 'admissible, authentic and accurate'.[59] According to the International Association of Prosecutors—Global Prosecutors E-Crime Network (GPEN), the biggest challenge of cybercrime for law enforcement is to understand the criminal activity and then to prove it:

The anonymity of the technology involved makes it harder to trace people. The borderless nature of the internet makes it harder to track the defendant or obtain evidence quickly from other jurisdictions. The complexity of ICT crimes such as hacking, malware, ransomware, phishing, viruses, worms, Trojans, spyware, identity theft, distributed denial of service attacks (DDoS), social engineering, online stalking, harassment and child abuse images amongst others. Add to this the veracity of evidence and how it is obtained, and you can see how it can lead to lengthy arguments at court between expert witnesses. The volume of the evidence collected, and stored further creates implications for search and seizure procedures and the consequent duties of disclosure. In addition to this the legislation used to prosecute such offences often lags behind the technological developments.[60]

5.55      GPEN noted that electronic evidence may be the only way that a law enforcement agency can link a criminal act to a 'real person', but gathering this evidence poses particular difficulties for law enforcement:

...particular forms of electronic evidence might no longer be found in possession of the ICT criminals themselves. Rather, that evidence can be found with the Internet Service Providers (ISPs), electronic communication providers and Cloud storage providers. These companies may not be incorporated or represented in the country where the crime is being investigated. And if they are, they may have stored the relevant data abroad or even distributed over multiple data storage facilities in a number of countries.[61]

5.56      DHA, AGD and ABF outlined the challenges for Australian law enforcement agencies in securing electronic or digital evidence:

While electronic evidence is often vital to the successful investigation and prosecution of a range of offences, the process of accessing this evidence can be complex and protracted. Difficulties include identifying where the records are held and taking appropriate steps to have them preserved. Obtaining records from overseas-based ISPs can also cause delay and be affected by jurisdictional challenges.[62]

5.57      Dr Coyne similarly highlighted the challenges facing law enforcement agencies in collecting and analysing evidence as a result of the increasingly complex nature of cybercrime:

Law enforcement investigations will become increasingly complex and lengthy due to the increased sophistication and technological capabilities of criminal conspiracies. Global supply chains and complex business structures are making evidence collection equally more difficult. While data analytic capabilities are increasing, law enforcement is faced with growing information flows which are difficult to store and analyse.[63]

5.58      Dr Coyne called for a greater emphasis on developing the capacity of intelligence professionals to collecting intelligence and on investing in alternative 'collection disciplines' in 'our future [telecommunications interceptions]-dark world':[64]

For 30 years, law enforcement agencies have truncated the management of their intelligence and evidentiary collection through a default preference to TI. With the degradation of this capability, those responsible for tasking the collection of criminal intelligence and evidence must now consider alternative collection capabilities. They must also seek to employ traditional intelligence capabilities in increasingly innovative and imaginative ways. Government needs to encourage its various law enforcement agencies to place greater emphasis on alternative evidence collection methods and collection planning.[65]

Data management

5.59      The collection and management of data relating to cybercrime is often overlooked, yet it remains central to successful law enforcement and provides a 'roadmap' for future strategies.[66] The committee received a range of evidence relating to data, including:

Increasing volume and complexity of data

5.60      The rapidly increasing volume and complexity of digital data presents significant data collection and management challenges for law enforcement. According to one analysis, the digital universe is doubling in size every two years and the amount of digital data created and copied will reach 44 trillion gigabytes by 2020.[67]

5.61      Indeed, in 2007, the Information Commissioner's Officer in the UK described the challenge of increasing data volumes facing it as akin to looking for a need in a haystack while the haystack is being made larger and larger, stating '[t]he simple acquisition of more and more information does not actually mean that people make better judgements'.[68]

5.62      The Data to Decisions Cooperative Research Centre (D2D CRC), established in 2014 to address the 'Big Data challenges' facing Australia's national security agencies, pointed to the impact on legislative and regulatory frameworks of this increasing volume and complexity:

...our research has found that changing technology has rendered some of the existing law and policy regarding use of such technology law enforcement agencies outdated or confusing, creating challenges for information sharing and use of open source data by law enforcement agencies. The complexities of enhanced data analytics similarly create governance challenges, requiring appropriate attention to governance capacity and capabilities.[69]

5.63      Ms Tania Churchill, Director, Enterprise Analytics, Australian Transaction Reports and Analysis Centre (AUSTRAC) pointed to the importance of matching data that may be held by different agencies:

We recently did a big data-matching project with the Department of Human Services that showed the effectiveness of using specialist expertise from both agencies and the power of matching in this instance our financial data with welfare data and using that to find welfare fraud. That was a hugely effective exercise. At the moment we're looking at expanding the matching algorithm that we developed so that we can start to match data with other agencies—for instance, Home Affairs. We've also talked to AFP—those kinds of areas—because, while each of the agencies here have highly specialised datasets that are very valuable in their own right, it's when you start to bring them together that you see a perspective of criminal behaviour that you generally can't see when you're looking at one slice of data by itself.[70]

5.64      The CSRC drew attention to the increased use of cyber transactions between government and citizens, making most government departments and agencies potential targets of cybercrime. The CSRC argued that agencies responsible for cybercrime investigation will increasingly be required to assist other government agencies to protect their data and clients.[71]

5.65      The D2D CRC recommended a series of legislative measures that may address the big data issues facing law enforcement agencies, including:

5.66      Alternative measures to assist law enforcement agencies to manage the increasing volume of data put to the committee included:

Accountability and privacy issues

5.67      Drs Monique Mann, Adam Molnar, Ian Warren and Angela Daly, Australian Privacy Foundation, Digital Rights Watch Australia, Electronic Frontiers Australia, and Future Wise expressed concern that the expansion of data collection and information sharing by law enforcement and security agencies has not been matched with an expansion in independent oversight of policing activity.[74]

5.68      They argued that the new data-driven approaches to policing, involving the widespread collection of information, implementation of data-led decision making, and the use of algorithmic profiling, have had unintended consequences for human and due process rights. They contended that, in policing contexts, law enforcement agencies require greater accountability and regulation involving digital data collection and information sharing, such as has occurred in the European Union through the new General Data Protection Regulation:

These processes are not neutral, and there is the potential for bias and discrimination to become inscrutable and incontestable with increased barriers to transparency via a potentially false veil of objectivity provided by computerisation...In striving for increased efficiency through automation, procedural and due process safeguards may be undercut. New forms of 'automatic justice' are challenging the traditional model of criminal justice where divisions between surveillance, adjudication and punishment are eroding with new forms of surveillance and automated decision-making that remove humans entirely. Here, 'black-box' decision-making creates a lack of transparency in how policing decisions are being made by machines.[75]

5.69      Dr Molnar stated that the obligation to store metadata that may indicate sensitive personal information should be subject to the same judicial authorisation requirements as content.[76] Dr Mann added that the European Union had ceased data retention schemes because they were found to present 'a disproportionate interference with individual human rights'.[77]

5.70      Drs Mann, Molnar, Warren and Daly recommended that new rules should be developed for digital evidence collection and exchange to assist prosecutions whilst preserving due process and human rights. For example, a judicial warrant should be required to enable law enforcement to access telecommunications information, on the basis that the current data retention scheme is 'at odds with international precedent'.[78]

5.71      In this context, Ms Churchill noted the challenge of combining data lawfully:

...if you're going to use a specific piece of data in an administrative decision, an investigation or a prosecution, you've got to have complete visibility of the provenance of the data—in a legal sense—how was the data collected? And was there a lawful reason to use the data?...[T]hat's a real challenge for our legislative frameworks.[79]

5.72      Dr Lyria Bennett Moses, Project Leader, Law and Policy Program, D2D CRC, highlighted the importance of having a common data governance framework across jurisdictions, and the need for greater public awareness of how data is collected and used by law enforcement:

...the difficulty with the current legislative regime is that it's too complex for the public to understand. Even if you told the public everything about how the current law operates, I think you'd just confuse them. It's important...that the public understand. Because the legislation is complex and hard, it is not easy for the public to understand what's going on. In an earlier project...we spoke to agencies and asked them to identify the laws that were relevant to the use of big data for national security and law enforcement and we also asked civil society organisations and others the same question. What was really interesting was that they didn't give the same answers. These were often people who were in the area, but they still had a very different sense of what the laws were.[80]

5.73      Dr Bennett Moses pointed to the process in the UK in developing the Investigatory Powers Act 2016 (UK) which involved 'extensive public engagement around what agencies should and shouldn't be allowed to do' (see Chapter 4 for discussion about the UK consultation process). She suggested that Australia needed to undertake a similar public engagement process.[81]

Biometric data and facial recognition systems

5.74      In late 2015, the Council of Australian Governments announced that members had agreed to establish a National Facial Biometric Matching Capability as part of a package of legislative and practical measures to further strengthen Australia's nationally-consistent approach to 'countering the evolving terrorist threat and help make Australians safer'.[82]

5.75      Drs Mann, Molnar, Warren and Daly argued that this system represented an example of 'function creep', where information collected for one purpose (such as licences and passports) may be used for secondary purposes beyond the scope or conditions of its original collection, without individuals being aware of or consenting to these secondary uses.[83]

5.76      They noted that a study of this new approach to policing in the Los Angeles Police Department had indicated that widening the 'criminal justice dragnet' reinforced discrimination and disadvantage by targeting 'risky' individuals or groups already marginalised, and had resulted in individuals seeking to avoid surveillance by avoiding all contact with institutions, such as social services, that use such methods.[84]

5.77      In November 2018 Mr Michael Phelan, Chief Executive Officer, ACIC, advised the committee that the contract to develop the Biometric Identification Services (BIS) had been terminated in June 2018 based on a cost-benefit analysis of the project. Mr Phelan stated that:

...for identification purposes in this country, there are three pieces of work that are acceptable in a court of law to identify someone: DNA, fingerprints and eyewitness testimony. Facial recognition is not at that stage, so it's important that we actually have a doctrine about how you're going to use facial recognition—whether it's going to be used for forensic purposes, whether it's going to be used by police officers at the coalface, whether it's going to be used by detectives, whether it's going to be used in the intelligence area. I would submit that all of that needs to be worked out before we spend any money on a system. That's the process we're going through collectively with law enforcement at the moment.[85] 

5.78      The Law Council outlined the privacy and data security issues relating to the use of biometric data and facial recognition systems for law enforcement purposes, and recommended that the Australian government should consider the following when developing its future strategies in this area:

Obtaining information from banks

5.79      Law enforcement agencies commonly seek account holder information from an Internet Service Provider (ISP) or from a bank. Whilst the legal process for obtaining information from ISPs (authorised by telecommunications legislation) is effective, the process of obtaining information from banks (requiring the swearing of an Order to Produce or equivalent authorised by an external judicial authority) is not.

5.80      According to the WA Police, this is due to the increasing volume of investigations compounded by recent civil litigation that has resulted in the banking industry requiring an Order To Produce on every occasion:[87]

Since the information obtained by both processes is essentially the same the WA Police recommends legislative reform be conducted to harmonise the information supply laws of the financial industry with those of telecommunications industry. In the absence of this change police will require additional resources to meet the required volume of order to produce processes.[88]

Personal safety and the Internet of Things

5.81      As explained in Chapter 1, the Internet of Things (IoT) describes the networking of physical devices, vehicles, buildings and other items that use electronics, software, sensors, actuators and network connectivity to collect and exchange data.[89]

5.82      Cybercriminals are increasingly using the 'seemingly innocuous' IoT to deploy a range of devices and applications that hide the identity of the user by separating online identity from online activity. The CSRC noted that such devices often have weak security and permit access to an individual's or company's wider network.[90]

5.83      The South Eastern Centre Against Sexual Assault and Family Violence (South Eastern CASA) highlighted the implications that insecure IoT devices have for women and children who may be subject to violence:

For those who do not have either direct physical access to a device or knowledge of passwords, IOT devices are notoriously insecure and easy to hack. The prevalence and severity of the use of technology like phones and computers for violence against women is well documented.[91]

5.84      The ACIC and AIC noted that IoT devices are created for automation and efficiency rather than security. They submitted that the lack of agreed security guidelines in creating IoT devices introduces significant risk to individuals and businesses targeted by organised and serious crime groups, particularly where connected devices can alter the real-world environment such as in medical devices, door locks, cars, central heating systems, air conditioners and refrigerators.[92]

Protecting privacy and preventing domestic abuse

5.85      A significant emerging challenge for law enforcement is that, whilst internet-enabled devices such as mobile phones are already being used to stalk and monitor current or ex-partners, the IoT offers the opportunity for a range of new devices designed for legitimate purposes to be used to perpetuate violence against others. South Eastern CASA, for example, submitted that such internet-enabled devices are 'notoriously insecure and easy to hack':

While people are becoming more aware that spyware can be installed on things like computers or phones, who would think that someone could be monitored via their fridge?...Using these devices an abuser could gather knowledge of a victim's day to day activities and personal habits remotely. This could be a powerful tool for coercive control and emotional abuse.[93]

5.86      South Eastern CASA also pointed out that detecting and gathering evidence of such abuse requires a victim to have a sophisticated knowledge of technology in order for law enforcement agencies to act. In addition, most current options for law enforcement agencies, such as an Apprehended Violence Order (AVO), were created to protect the victim from physical contact but do not offer protection against monitoring or stalking using internet-enabled devices.[94]

5.87      DIGI similarly discussed the inadequacy of law enforcement options that were created and implemented before the invention and ubiquitous adoption of the internet. DIGI advised that its members conduct regular training and outreach with law enforcement agencies, but highlighted the need for more education and training that ensures law enforcement personnel understand that 'crimes committed online should be treated and investigated in the same way as physical crimes':[95]

Recently, Instagram (a DIGI member) was alerted to advice given by a police officer to a distressed mother whose daughter was being told to kill herself via Instagram. A police officer at her local station informed her that there was nothing that could be done despite the facts that (a) there are criminal laws prohibiting the use of carriage service to threaten, intimate or harass a person, (b) this type of conduct clearly violates Instagram's policies and will be promptly removed when Instagram becomes aware of it, and (c) Instagram has a well established process for responding to authorised law enforcement requests for data.[96]

5.88      South Eastern CASA suggested a number of practical reforms that are required in order to make internet-enabled devices secure against technologically-facilitated violence, including:

Public awareness

5.89      Ms Lizzie O'Shea and Ms Elise Thomas stated that 'consumers have a reasonable expectation that messaging platforms and storage systems for personal data will be kept secure, including through the use of strong encryption'.[98] However, there remain relatively low levels of public awareness about cybercrime.

5.90      Detective Inspector John Manley, Officer in Charge of the Victorian Joint Anti-Child Exploitation Team, Victoria Police, noted that raising public awareness of the risks associated with cybercrime is important but takes time:

I know there has been a lot done by the federal and state government agencies to educate people, but, at the end of the day, you just wonder how much of it sinks in. I think this is a generational thing. I think people will learn over time. A lot of the people that have been scammed are people who haven't grown up with a computer in their home—they're older people, in a lot of cases—and they trust people.[99]

5.91      ISACA reflected that the pace at which new technologies are introduced is part of the challenge and that public education plays an important role in resilience against cybercrimes:

it's not necessarily the new technologies that are the ultimate challenge but the pace at which these technologies are being introduced. So what happens is that we, as societies, also have trouble keeping up with the necessary laws, policies and regulations to keep them in check. So while we try to figure that out, the cybercriminals are still advancing. I think that's why we have to do more on the education side to make sure that the stakeholders beyond the public sector take their accountabilities to supporting the safety of our society very seriously and do what they need to do to educate people and make sure that all enterprises are implementing the proper practices in order to ensure the maximum resilience against these cyber related crimes.[100]

Committee view

5.92      The committee acknowledges that there are significant and ongoing operational challenges and vulnerabilities for law enforcement agencies in relation to combating the criminal use of new and emerging ICTs. These include:

Geographic and jurisdictional constraints

5.93      A key feature of cybercrime is its international and borderless nature. For that reason, law enforcement agencies investigating cybercrime are routinely required to liaise and work with their international counterparts. 

5.94      Throughout the course of the inquiry, the committee heard from a range of stakeholders, including law enforcement agencies and academics, that MLATs in their current form can be cumbersome, time consuming and not fit for purpose (see also discussion in Chapter 3).

5.95      The committee is aware that the MLAT process is not something Australia alone can resolve, and the committee acknowledges there have been some relevant changes in the US with the enactment of the CLOUD Act and subsequent moves to reach bilateral agreements in relation to accessing data.

5.96      However, the committee is of the view that the Australian government should evaluate the current MLAT process and identify how that process might be modified to better suit cybercrimes so that law enforcement investigations are not hindered by time delays or the inability to access data located outside Australia.

Recommendation 3

5.97      The committee recommends that the Australian government evaluates the current Mutual Legal Assistance Treaty process and identifies:

Workforce skills and capabilities

5.98      The committee is concerned by the evidence it received in relation to the challenges facing Australian law enforcement in recruiting and retaining sufficiently skilled staff with relevant ICT expertise. The ability of law enforcement agencies to offer pay and conditions comparable to those available in the private sector is one of those challenges.

5.99      The committee is attracted to the approach adopted in the UK by the NCA in employing NCA Specials (see paragraphs 5.27-5.29). The ability to engage contracted volunteers from the private sector with discrete expertise, subject to the same security vetting, confidentiality and code of conduct requirements as sworn personnel, and on a specific 'as needs' basis offers a dynamic and flexible means of addressing some of the workforce capability challenges facing Australian law enforcement. The committee also suggests that having such volunteer experts working side-by-side sworn officers would have the beneficial effect of simultaneously upskilling law enforcement personnel.

5.100         The committee agrees with the proposition put by the CSRC and others that there are significant benefits to be achieved from aggregating and concentrating cyber expertise. The committee believes that there is a need for a multi-agency approach to ICT workforce planning that builds a workforce with the necessary skills to respond and adapt to new and emerging technologies. The committee also welcomes the suggestion from Dr Coyne, reflecting on the ATO's approach, of recruiting ICT 'cadets' straight from university.

Recommendation 4

5.101         The committee recommends that the Australian government explores a range of approaches for improving the information and communications technology (ICT) skills and capabilities of the law enforcement workforce, including:

ICT capabilities and resources

5.102         The committee heard evidence about the limited accessibility, search functionality and incompatibility of current Australian law enforcement ICT systems. It acknowledges that the ACIC's proposed National Criminal Intelligence System (NCIS), to be implemented over four years from 2018−19, aims to support collation and sharing of criminal intelligence and information across state, territory and Commonwealth law enforcement.

5.103         Whilst the NCIS seeks to address some of the challenges of establishing and maintaining ICT capabilities, the committee considers that dedicated agency funding may also be needed, in addition to existing annual agency appropriations, with sufficient flexibility to enable law enforcement agencies to respond to the escalating challenges of cybercrime.

5.104         In any event, it is evident to the committee that there will need to be ongoing government investment in ICT infrastructure if law enforcement agencies are to maintain connectivity and share data with their jurisdictional, intelligence and Five Eyes Alliance partners.

Recommendation 5

5.105         The committee recommends that the Australian government explores suggestions from law enforcement agencies and cybersecurity experts for improving information and communications technology (ICT) capabilities and resources, including:

Data management

5.106         The committee heard that law enforcement agencies are facing challenges as a result of the rapidly increasing volume and complexity of digital data that they are required to collect, store, access, analyse and/or share.

5.107         The committee heard a range of suggestions from law enforcement agencies and cybersecurity and data experts about practical measures that could be implemented to improve data collection and management. Measures such as hybrid storage strategies and the use of AI and other advanced analytical techniques to sort and filter large volumes of data were proposed as possible solutions.

5.108         The committee considers that the use of these technologies will provide law enforcement agencies with necessary tools to address the challenges of big data. For this reason, the committee recommends that the Australian government considers the use of hybrid storage strategies, AI, and other advanced techniques for sorting, filtering and analysing large volumes of data.

Recommendation 6

5.109         The committee recommends the Australian government considers the use of hybrid storage strategies, artificial intelligence and other advanced techniques for sorting, filtering and analysing large volumes of data.

5.110         The committee is also interested in the Law Council of Australia's recommendations in relation to the use by law enforcement of biometric data and facial recognition systems, and considers that the Australian government should take these into account when developing its future strategies (noting the BIS project has been terminated):

Recommendation 7

5.111         The committee recommends that the Australian government takes the following into account when developing any future strategies for biometric data and facial recognition systems:

Internet of Things, protecting privacy and preventing domestic abuse

5.112         The committee is concerned about the lack of agreed security guidelines in relation to the manufacture of IoT devices. Whilst such devices are designed for legitimate purposes, they are vulnerable to hacking by criminals and those who seek to perpetuate violence against others. The committee notes the evidence from the ACIC and AIC that the proliferation of such internet-enabled devices is putting all Australians at serious risk of being targeted by organised and serious crime groups.

5.113         The committee believes that legal protections in relation to internet-enabled devices and other consumer products should be subject to regular monitoring and review in order to ensure that they keep pace with technological development and are enforced.

Recommendation 8

5.114         The committee recommends that the Australian government reviews current consumer protection laws and regulations in relation to internet-enabled devices and identifies changes that may be required to provide adequate and timely consumer protection in relation to the risks they pose.

5.115         The committee is concerned that many mechanisms currently available intended to protect victims from a perpetrator, such as AVOs, do not offer victims protection against crimes perpetrated using internet-enabled devices.

5.116         While AVOs are legislated by the states and territories, the committee supports Australian governments reviewing legislation to ensure that current legal mechanisms afford adequate protection to victims of crime perpetrated via internet-enabled devices.

5.117         The committee also heard evidence indicating that there is a need for more education and training of law enforcement personnel about technologically-facilitated violence and how to best respond given the prevalence of IoT devices.

Recommendation 9

5.118         The committee recommends that Australian governments review legal mechanisms intended to protect victims, such as Apprehended Violence Orders, to ensure that they offer adequate protection to victims of crime facilitated by internet-enabled devices.

Recommendation 10

5.119         The committee recommends that the Australian government develops education materials to inform law enforcement agencies and personnel about new and emerging information and communications technologies that offenders may use to facilitate family and domestic abuse, and to provide guidance on appropriate strategies for responding to such situations.

5.120         The committee welcomes suggestions for practical reforms to improve regulation and accountability by manufacturers of internet-enabled devices and other consumer products, particularly in relation to IoT devices that may expose consumers to hacking, stalking, violence and other criminal activities. Such reforms could include, for example:

5.121         The committee also welcomes suggestions for a public awareness and education program that informs consumers about the potential risks of internet-enabled devices, and other products and measures that they can take to protect their privacy. It also considers that the proposal for a consumer helpdesk has merit, offering device owners the means of having their devices checked if they suspect that it has been compromised.

Recommendation 11

5.122         The committee recommends that the Australian government develops and implements an Internet of Things (IoT) public awareness campaign that:

Navigation: Previous Page | Contents | Next Page