Good afternoon to everyone.
I was asked to speak on this panel about the constraints that exist in cooperation, and I will shortly present the principles of cooperation we had in a joint investigation with investigation authorities from the US. I am sure that this example will clarify some of the problems to which we must supply a solution.
In the beginning of 1998, the US was preparing to bomb Iraq because it did not comply with UN decisions, and refused entry to UN inspectors to examine stockpiles of mass-destruction weapons. At the very same time, a number of attacks on Pentagon and Government computers occurred. A wide US investigation team that included investigation units from the Air Force, Navy, NASA, CIA, FBI and others reached the conclusion that the source of the attacks was in Israel. I must state that the main basis of the attacks was from a computer situated in the Gulf Emirates, and from there to Pentagon computers in the US. This led us to assume that we were faced with cyber-war initiated by Iraq. That, at least, was the assumption of the President’s advisor. In fact, the source of the attacks according to the American investigation eventually led to Israel, due to the arrest of three suspects in the US. On March 16th a delegation of investigators from the US arrived in Israel. The delegation included FBI, NASA and Air Force investigators. They arrived with an 80-page document, but without a request for mutual assistance as required by the law. We were led to believe that the request was to arrive at our unit with them. In any case, I decided to first of all identify the leader of the hackers through our means, and I arranged with them that they return the next day (the 17th) for testimonies, hoping that the official request for investigation would reach us by then. According to Israeli law, if the police are aware that a crime was committed, they are obligated to open an inquiry. On the evening of the 17th I had made all preparations to perform the search and arrest early the next morning. That evening I received a telephone call from a senior official of the delegation, who demanded adamantly that the US investigators participate in the search. I told him that it would not be possible, since not all requirements of the mutual assistance request had been fulfilled.
I meant that according to our Legal Assistance Law, it is required that a specially authorized judge signs the order that enables the participation of foreigners. Therefore, at 6 in the morning of March 18th we entered the home of the suspected leader of the computer attacks (one of his nicknames was "Analyzer") and we performed the search ourselves. Despite this, at 7 a.m. I informed the senior official who had telephoned me that the Analyzer had begun to confess at home. During the day we performed additional searches and arrests of two other partners, who were so far unknown to the American investigators. All three – Tannenbaum, Fleischer and Rosenfeld – were interrogated by us. They confessed to the basic suspicions and I released them that evening to home-arrest. Throughout our operation that day I told the official that they could not be present at our headquarters, and that they had to wait for the judge to sign an order. Only the next day – March 19th before noon – a judge signed an order that enabled them to participate in the investigation and to receive the material. At 1 p.m. I held the first joint meeting with the delegation after the arrests. From that afternoon on, American investigators sat with our people and interrogated the Analyzer. But at this stage he was advised by his attorney to choose the right to remain silent. The investigation continued over the next days. The American investigators copied hundreds of Gigabytes that were found on his premises, including diskettes that had been stolen from the Israeli Air Force and the Military Industry, although we ourselves had not yet examined this material. The delegation left Israel at the end of March. We continued with our investigation, arrested two more suspects (Abitbul and Ochana), also because the Israeli group was involved in a cyber-attack on the Israeli Parliament computer and had tried to break into an army computer system.
On April 8th we first received logs from the computers of two American minors, that tied the Israelis to the above crimes. I would like to emphasize that the Americans performed a search of the two minors in California on February 25th. At that time they were already aware that the Analyzer was connected with them. A third American suspect – Calldan Levi Cofman – was interrogated by them on March 10th but he had already managed to destroy all evidence on his computer. He also tied the Analyzer into this case. By the time we had reached the Analyzer’s home he himself had destroyed most of the evidence on his computer. In fact, he had already done this as soon as the two minors had been arrested in California. Their arrest had been published in the US and he was also in personal contact with them.
The direct conclusion from all I have just told you is that the regular "modus operandi" of law enforcement agencies is irrelevant to the situation. It takes only seconds to destroy computerized evidence thousands of miles away.
I would also like to say that there are legal problems concerned with the process that must be answered before we act, for instance – Is computer hacking an extraditable crime? Is it a crime at all? Is the ISP obligated to keep logs and for which crimes? Can the ISP voluntarily supply the police with logs? Can it be coerced to supply logs? For which crimes? Is the ISP allowed to monitor for the police? And for which crimes?
Questions such as these must be answered online. For example, in Israel no ISP is required to keep log files, which is true in the US. Moreover, the issue of submitting digital evidence from intrusion detection systems has not yet been examined in Israel. Parameters, such as collection and preservation of digital evidence in courts, require inspection of the precision of the process, so that a judge can decide without sole reliance on law enforcement agencies. On this issue I must tell you that the Israeli Evidence Act, modified following the Israeli Computer Law, requires more severe examinations of digital evidence concerning law enforcement activities.
The last thing I want to say is that the issues of definition sections in telecommunications laws that influence the actions concerning cyber-crimes also require attention. For example, a wiretapping violation in the US is not necessarily a violation in Israel, because of a difference in the definition section. A situation such as this occurred concerning the Analyzer. Whereas the two American minors were also found guilty of wiretapping, the Analyzer was not charged with this crime although the facts were identical. The difference in methods on this issue stems from the constitutional system in the US, in which the definition sections in the criminal law are more detailed, whereas in the Israeli system the basic terms are general and less detailed.
I hope that I have clarified some points from which lessons are to be learned. I have with me here the Analyzer’s indictment translated into English, our new computer law translated into English and an article I wrote that explains how we apply the computer law. I have handed them to the organizers here and I wish to thank you for your patience.
© 2002 Organization of American States