Establishing Digital Trust: Don't Sacrifice Security for Convenience
As I was reading a story in the Boston Globe recently about a New Hampshire guy who is being sent to jail for hacking into his ex-employer's network, it struck me that I've been seeing more and more of these types of stories recently, with all manner of computer criminals being arrested, prosecuted and/or convicted, both in the United States and abroad.
To make sure I wasn't just imagining this phenomenon, I checked with the National Infrastructure Protection Center (NIPC). The NIPC works with U.S. government agencies, state and local governments as well as the private sector to protect critical infrastructures, including telecommunications and banking. Sure enough, the number of computer crime cases handled by the NIPC has doubled every year since its inception in 1998. Currently the agency is investigating - in cooperation with the FBI - more than 1,230 cases.
More and more, these cases and others are going to court and perpetrators are getting meaningful sentences.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iConsider these cases from the last several months:
- Patrick McKenna of Hampton, N.H., got six months in jail and has to pay $13,600 in restitution for breaking into the network of his former employer, Bricsnet, a software services firm for the construction industry. According to the Boston Globe, on the day he was let go from Bricsnet, he twice broke into its network, deleted about 675 files, modified user access rights and sent bogus emails to company clients saying the company's "project center" would be temporarily closed or shut down. When he gets out of the slammer, he'll be subject to two years of supervision.
- On June 20 a federal grand jury indicted two Russian hackers on a slew of federal charges, from breaking into computer systems to stealing credit card information and attempted extortion. The indictment alleges the pair broke into computer systems at a number of U.S.-based banks and e-commerce companies and threatened to keep doing it until they were hired as security consultants. The FBI set up a bogus company that agreed to take them up on the offer. The pair was arrested in Seattle after coming into town for a "job interview." I just love that story. Can't wait for the movie.
- Raphael Gray, the Welsh hacker who used Bill Gate's credit card to send him a bunch of Viagra, was sentenced in his home country to three years of community rehabilitation with psychiatric care. (I probably should be more sensitive, but all I can picture is Jack Nicholson as Randall P. McMurphy in One Flew Over the Cuckoo's Nest.)
- The 20-year-old Dutch man who admitted he created the Anna Kournikova virus will be prosecuted and is likely to get a six-month prison sentence.
These kinds of prosecutions raise two issues. One, it should be clear by now that companies have far more to gain than to lose by working with law enforcement should they become a victim of cyber crime. Law enforcement is getting better at finding and prosecuting perpetrators, but the process works far better if victims cooperate.
There have been a lot of misconceptions about what happens when law enforcement is called in to investigate a computer crime. Companies are afraid their names will be plastered all over the papers, their computers confiscated as forensic evidence and business interrupted.
Not so, says David Green, principal deputy chief of the U.S. Department of Justice's Computer Crime and Intellectual Property Section (CCIPS), the group charged with coordinating law enforcement's computer crime efforts nationally.
"Sometimes we go seize computers, but it's not from the victims, it's from the perpetrators," Green told an audience at the E-Security Conference and Expo in Boston earlier this year (See http://www.ecomsecurity.com/News_2001-04-16_Green.cfm) And typically investigations only hit the press when they bear fruit, at which point the company in question comes out looking pretty smart.
Newsweek ran a good piece about how the online payment company PayPal is helping provide forensic evidence in the Russian hacker case noted above. (See http://www.msnbc.com/news/597642.asp?0si=-.)
And Michael Bloomberg certainly looked smart last summer when he helped the NIPC and the FBI nab two hackers from Kazakhstan who were trying to extort $200,000 from him in exchange for information on how they had broken into Bloomberg LP's network. The pair was arrested in London and the United States has requested their extradition.
While in that example it's clear a crime is being committed, in many others it is less obvious - or at least that's what hackers claim. That leads to the second issue: education on ethical computing.
The pinhead who unleashed the Anna Kournikova worm, for instance, claims he didn't mean to cause such damage, didn't realize what he had done - blah, blah, blah. (He also posted a note on his Web site saying anyone who got hit with the virus deserved it, the implication being that they didn't take basic precautions. He's got a point there, but still deserves a dope slap for saying it, just on general principles.)
Whether you believe him or not, there does seem to be a disconnect between the physical and cyber worlds in terms of telling right from wrong. A kid who would never think of robbing his local convenience store thinks nothing of hacking into a corporate computer for the sheer challenge of it. Perhaps he has no idea of the damage he can cost in time and money - even if he doesn't disturb anything.
And therein lies the problem. The kid should understand what he's done is a crime (and it is usually a "he"), that it means somebody on the other end is going to have to spend valuable time trying to figure out how he got in and what he did.
During his talk in Boston, the DOJ's Green encouraged IT people to get into schools and help educate kids about socially responsible computing. He also encouraged companies to create an incident response strategy that included contacting law enforcement, and meeting with these folks in advance so you're not calling them for the first time in a crisis. Good ideas, both.
If you want to get started, here are some links to law enforcement resources.
Listing of FBI field offices: www.fbi.gov/contact/fo/fo.htm
InfraGard, a shared knowledge base run by the FBI and NIPC: www.infragard.net
DOJ's CCIPS: www.cybercrime.gov
FBI's Internet Fraud Complaint Center: www.IFCCFBI.gov