Establishing Digital Trust: Don't Sacrifice Security for Convenience
Speaking at the RSA Security Conference here on Tuesday, Director Robert S. Mueller III told an audience of security professionals that the Internet has become a "force multiplier" for criminals, and better collaboration is the only way to stop them.
''Our goal is to maintain a two-way dialogue with you so we can identify the threat,'' he said during a town hall-style meeting on battling cyber crime. ''We cannot investigate the problem if we do not know the threat is out there... There are too many weapons and too many avenues of attack. We must work together to protect America. Together, we will not be defeated. Together, we will keep America safe.''
Steven M. Martinez, deputy assistant director for the FBI's Cyber Division, went a step further and said the FBI simply can't do the job alone.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i''We're seeing an evolving threat,'' said Martinez, who addressed the audience of security professionals during the question-and-answer session that followed Mueller's speech. ''We'll never have the resources in-house that we need, so we need you. You are out there. You have the information that we need. You are the tip of the spear.''
Mueller also asked corporate executives to break their unwritten code of silence and report attacks on their networks, enabling both local and federal law enforcement agencies to investigate the crimes.
''You may have legitimate privacy concerns,'' he said. ''We do not want you to feel victimized by our investigation. Maintaining your silence will not protect you or your company in the long run... We are sharing information and combining forces. We work with the private sector every day to prevent cyber attacks and prosecute cyber criminals when we can.
''I'm asking you in the private sector to do everything you can to protect your own networks and your own information.''
That wall of silence, though, may be a hard one to break down.
Law enforcement agencies have been pleading with corporate executives for years now to open up and report attacks on their networks. It's still not happening, though, because executives fear the publicity that an investigation and prosecution could bring. Will stock prices be affected or will customers leave when information gets out about a security breach, data loss or virus attack?
So far, most companies err on the side of silence, according to Arif Alikhan, senior counsel to the deputy attorney general at the U.S. Department of Justice. Alikhan, in an interview with Datamation after the town hall meeting, says only 20 percent of companies that have suffered a security breach report it to law enforcement. Alikhan, along with Danny De Temmerman, a member of the G8's Subgroup on High-Tech Crime, also took part in the meeting, which was entitled Top Cops vs. Cyber Criminals.
While only 20 percent may be actually reporting attacks on their networks, a little more than 50 percent of IT professionals surveyed by Forrester Research for the Business Software Alliance, say they maintain a list of law enforcement contacts who they could call if they've been the victim of a cyber crime. This shows progress, says Robert Holleyman, president and CEO of the alliance, but far too many companies still are not using those numbers.
And that, says Alikhan, is impeding efforts to battle cyber crime.
''When companies don't report the breaches, there's very little we can do,'' says Alikhan, who oversees the government's Computer Hacking and Intellectual Property Program. ''If corporate America doesn't come to us, the problems will become worse and worse.''
Both Alikhan and Mueller said the FBI and federal prosecutors will do their best to protect companies during an investigation and legal proceedings. However, once a case goes to court, there's little to be done about keeping it quiet and out of the media. ''We can't assure them it won't become public,'' he told Datamation. But we can assure them we will use our discretion in releasing information. There are ways to minimize the amount of information that becomes public.''
Creating International Partners
A key theme throughout the town hall meeting was that no one can battle cyber crime alone.
Alikhan pointed out that teenagers hiding in their bedrooms after school are no longer the cyber culprits. Sophisticated and well-organized professional criminals are waging relentless attacks against corporate networks. The people and agencies that are fighting them need to be just as organized, he says.
And that kind of collaboration has to be an international effort.
Mueller noted that cyber threats, particularly virus attacks and online scams, are originating from outside the U.S. ''Our world has become smaller and our world has become smarter,'' he said. ''The outlaws of this new world operate without boundaries and without barriers... In this world of globalization, we build on the one central theme of partnerships.''
Because of this globalization of the threat, no one country can battle it alone, Mueller said.
Temmerman, who also works with the European Commission, says he is focused on building international "arrangements" so different countries can easily share information, send out alerts and track criminals together. ''There have been initiatives through the G8, especially with child pornography, but we need to work better together to fight cyber crime. Working together and initiating partnerships need to be boosted.''
Martinez says it's important that countries band together and forge these agreements, but there's no time to wait for them to come together.
''We can't sit back and wait for these arrangements to be set,'' he said. ''We need to put people on the ground in places where we maybe have never been -- like Estonia -- but where we can have an impact.''