If industry is going to solve the problem of computer crime and put a stop to web site defacements and other security breaches, it will require a cooperative effort with law enforcement. And it's time that organizations of all types lose the notion that there is a stigma attached to reporting computing crime.
Those are two of the points made by David Green, principal deputy chief of the U.S. Department of Justice's Computer Crime and Intellectual Property Section (CCIPS), in a talk at the recent E-Security Conference and Expo in Boston.
The CCIPS was founded in 1991 as the Computer Crime Unit and is charged with coordinating law enforcement's computer crime efforts nationally. The group of about two dozen attorneys also negotiates international agreements, proposes and comments on legislation, and develops policies to protect the interests of law enforcement and users.
"There's a sense of shame in the cyber world that doesn't exist in the physical world," he said, noting people tend to blame the victim of online crime rather than the perpetrator. On the other hand, if a physical bank gets robbed, depositors generally don't rush to take their money out. This stigma extends to system administrators, who often don't tell management about computer break-ins for fear of repercussions.
Green also sought to dispel some misconceptions about what happens when law enforcement gets involved in a computer crime.
"Sometimes we go seize computers, but it's not from the victims, it's from the perpetrators," he said.
It's a good idea for organizations to develop an incident response strategy in advance. As part of that, companies should find out what law enforcement resources are available to them. Options include the U.S. Attorney's Computer-Telecommunications Coordinator (CTC), the FBI and the National Infrastructure Protection Center (see links below). The CCIPS Website also has information on how to report cybercrime.
All these organizations are willing to meet with companies in advance to talk about computer crime strategies, including incident response. "If you meet these guys in advance, it's a lot easier," Green said. Should you someday need to call in law enforcement, "You'll be calling Jim, not the FBI help line."
Green also noted the InfraGard program, led by the FBI and NIPC. InfraGard is a vehicle for exchanging information on computer security vulnerabilities and attacks. Participants are encouraged to share details of how they were attacked and sanitized versions of their stories, protecting identities, are published for others to learn from.
Given their limited resources, law enforcement will only respond to requests for help with computer crime if damage exceeds $5,000. That includes the cost of finding out how bad the damage is and repairing it, so Green encouraged companies to keep close track of hours spent responding to a breach.
Longer term, part of the solution to reducing computer security problems is to teach ethical computing. Green encouraged IT people to go into schools and help with that effort, helping kids understand that computer sabotage and hacking into sites solely for the challenge of it is really no different than committing a crime in the physical world. While there is plenty of pressure on youths not to steal from stores, for example, there is no corresponding pressure for socially responsible computing.
Striking a lighter note, Green also talked about cases of "insider" computer crime. "Less than 1% of insider hacks are done by gruntled employees, they're all done by disgruntled employees," he said. "So you really want to focus on the gruntled ones."
Law enforcement resources:
U.S. Attorney's CTC: www.usdoj.gov/criminal/cybercrime/enforcement.html#VIa
Listing of FBI field offices: www.fbi.gov/contact/fo/fo.htm