In my last column, I expressed disbelief that victims of computer security breaches would fail to report break-ins to an appropriate law enforcement authority.

I've heard all the reasons, but just don't buy them. In a nutshell, if victims don't report computer crime, law enforcement can't catch the perpetrators. Everybody loses.

How businesses should deal with law enforcement was a topic of discussion at INT Media Group's recent E-Security Conference and Expo in Vienna, Va. In separate sessions, attendees heard from David Green, principal deputy chief of the Department of Justice Computer Crime and Intellectual Property Section (CCIPS), and Bryan Palma, a special agent with the U.S. Secret Service Electronic Crimes Task Force. Both speakers explained how industry and law enforcement can work together to stem computer crime.

Green succeeded in bringing humor to this serious subject, such as when he lamented the challenges the DOJ faces in prosecuting and sentencing perpetrators of computer crimes, many of whom turn out to be 14 or 15 years old.

"We're looking at grounding as an alternative sentence," he said. And in talking about insider attacks, he said, "A very low percentage of these insider attacks come from gruntled ex-employees; they're always disgruntled."

But he also offered solid advice, such as the need to have a response policy prepared ahead of time, in part to reduce the panic level should an attack happen. He said companies need to be careful that their response doesn't destroy evidence such as log files and that administrators should keep copious notes of all steps they take during the response, so they can reconstruct those steps later.

He also noted in no uncertain terms that "hacking back" against the attacker may well violate federal hacking laws, as hackers often launch their attacks from an innocent third party's computer.

Green encourages companies to contact law enforcement agencies before they become victims of a crime, so that if the worst happens, they'll be calling someone they're already familiar with. A number of options exist in terms of whom to call, including:

  • FBI's Infragard program, which has chapters in all FBI field offices: www.infragard.net;
  • Secret Service Electronic Crimes Task Force: www.ectaskforce.org;
  • U.S. Attorney's Computer and Telecommunications Coordinator (CTC) and Computer Hacking and Intellectual Property (CHIP) programs: www.usdoj.gov/criminal/cybercrime/enforcement.html#VIa;
  • National Infrastructure Protection Center hotline: 202-323-3205.
  • The DOJ's CCIPS Web site, www.cybercrime.gov, has more information on how to report computer crime.

Green also sought to dispel some myths about what happens when companies bring in law enforcement to investigate a computer crime.

Won't Victimize Victims

"We're not going to seize your computers," he said. "We don't want to put a victim out of business. That's not good for us and it's not good for you, so we're not going to do it."

Instead, investigators merely make copies of relevant logs and data. Victims never lose control of their systems, Green said.

Companies may be putting themselves at greater risk by not reporting crime, because they will develop a reputation among hackers as a "free play," Green said. He argues that it's healthier to make it publicly known that you will seek to prosecute hackers.

The Secret Service's Electronic Crimes Task Force, meanwhile, is trying to be proactive in reaching out and talking to companies about computer crime before disaster strikes, Palma said. He noted that the Secret Service is part of the Department of Treasury and was formed in 1865 to suppress counterfeit currency, which accounted for about a third of all currency at that time.

Today, the goal is much the same, although now it's to ensure that the populace has confidence in online forms of currency, he says. Toward that end, the Electronic Crimes Task Force was formed about five years ago, with an office in New York. A Washington, D.C. chapter has since been added and seven more are coming on board: Boston, Charlotte, N.C., Chicago, Las Vegas, Los Angeles, Miami and San Francisco. (See www.ectaskforce.org for contact info.)

The idea is to incorporate people from academia, the technology industry and business users to develop a coordinated response to computer crime, Palma said. "We don't think we're the hammer anymore," Palma said. "That's not our approach."

Each chapter holds quarterly meetings hosted by partner organizations. Companies that get in touch with the task force can learn about preventative measures they can take and what to do if the company becomes a computer crime victim.

It's clear that law enforcement agencies of various stripes are taking significant strides in trying to educate companies on how to deal with computer crime, and in prosecuting perpetrators. There is no longer an excuse not to get them involved.

Paul Desmond is a writer and editor based in Framingham, Mass. He serves as editor of eSecurityPlanet.com, a source of practical security information for IT managers, CIOs and business executives. Email him at paul_desmond@king-content.com.