We're going to convince you that you should call the FBI if your company is ever the victim of a computer crime. That's right, the Federal Bureau of Investigation. The feds. Government agents. Now, before you say "I don't think so" in your most sarcastic voice, read on.
There's a prevailing misconception that as soon as you pick up the phone to call the FBI, teams of agents will swoop down on you with guns drawn to confiscate your computers and seize control - effectively closing down your business. That's how it happens in the movies. This is life. Here's how it really happens.
Usermagnet had survived distributed denial-of-service attacks before, but nothing like what it experienced on a Sunday night in February of last year. Packet kiddiesinternational hacking groups comprising teenagers looking for a thrill - had taken over an online Java chat channel the company was hosting.
"It was vicious. These guys were completely suppressing our circuits," recalls Rick Ross, president of the Cary, N.C., Web services company. "We're talking 50 megabits per second massively overloading our servers. It went on for something like 14 hours."
When he and Vice President of Development Mike Sick went looking for other channel users under attack, they found the same assault happening simultaneously in at least a dozen places. The pair also found a friend who had managed to start a conversation with one of the hackers and gained access to his system. "There was a large amount of information on a whole hacker network," says Ross. There was also a list of about 500 machines the group had compromised and the passwords used to hack each unit. "We said, 'Whoa, we're over our heads here.'" After calling the FBI and getting its approval, Ross and Sick set out to turn several of the group members into informants. One of the hackers even asked to have a pizza sent to his house as a show of fidelity. Meanwhile, federal agents tracked entry points, contacted ISP's, pored over logs, monitored hacking channels and contacted owners of each machine that had been hit. The result? As this issue went to press, the one non-juvenile member of the group had pleaded guilty and was awaiting sentencing.
To Call or Not to Call
Calling the Feds is still filed under unthinkable acts in most organisations. The few brave companies that have made the call and lived to tell the tale say they got the help they needed and in some cases saw the perpetrators arrested. Federal agents have investigative skills, forensic knowledge, access to attachés in foreign countries, and established relationships with Internet players as big as Cisco Systems and as small as the local ISP's often used by hackers to launch attacks. (Do you? Does anyone at your company?) The feds can also build a case by aggregating your information with data from other cyber-crime victims you'd probably never find on your own. When you really need it, they can also find someone who speaks Dutch.
That's just what Susan Iverson needed in May 2000. Iverson, the information technology manager at J.H. Baxter, a San Mateo, Calif., wood-treatment company, came to work one morning and heard a voice mail that would raise the hairs on the back of any IS exec's neck. An official from the DOD (yes, that DOD, the U.S. Department of Defense) had called to say one of his servers was being attacked from an IP address registered to J.H. Baxter, and would Iverson be so kind and find the break and shut down the intruder?
Iverson and her team found the break and traced it to an IP address in the Netherlands registered to IBM but recently sold to AT&T. When Iverson tried to get someone to shut it down, she had trouble negotiating between the two companies, juggling two time zones and two languages. With the IP address still open and the assault still in process the next morning, she decided to bring in the big guns - the FBI's Northern California field office. IBM and AT&T took notice, the hacker was shut out, and Iverson was free to start repairing and securing her own systems.
In one sense, Usermagnet and J.H. Baxter are typical, modern corporations. They've been victims of a cyber-attack. If you believe a similar attack, or worse, can't happen to you, you're either naive or deep in denial.
In another sense, the two companies are rarities in the IT universe - organisations willing to call in federal law enforcement when they've been hacked. "That's extremely rare. Extremely!" exclaims a spokeswoman for a financial services trade organisation when asked if any of her members had ever contacted the feds.
A recent Sound Off column on CIO.com solicited opinions on the National Infrastructure Protection Center's InfraGard program, which lets companies anonymously share data on cyber-breaks. This drew a similar level of alarm among IT execs, if not outright vitriol. "There is no such thing as a partnership with the government. My interests don't even appear on their radar," said one IT director. Another respondent wrote, "Keep corporate security where it belongs - out of the hands of the government!"
Balance that level of distrust against the increasing frequency and severity of cyber-crime threats. The latest Computer Crime and Security Survey, conducted by the San Francisco-based Computer Security Institute, indicated that 85 percent of the respondents (primarily large corporations and government agencies) had detected computer security breaches during the past year. Sixty-four percent acknowledged financial losses due to computer breaches. (Details on the annual poll, conducted in conjunction with the San Francisco FBI's Computer Intrusion Squad, are available at www.gocsi.com/prelea_000321.htm.) The authorities are improving their expertise by establishing dedicated electronic-crimes units to boost their cyber-crime savviness and win the trust of corporate America. The FBI, for example, has almost finished outfitting its field offices with Regional Computer Crime Intrusion squads. The Department of Justice has established special Computer Crime & Intellectual Property divisions. The multiagency New York Electronic Crimes Task Force, which is coordinated by the U.S. Secret Service, attracted so many requests for help that the Secret Service plans to expand the concept to other field offices.
Also, the feds insist that despite overwhelming fears to the contrary, they won't screw up your company by seizing your computers or over publicising your case. "They left control with us. All they did was assist," says Iverson. "There were no guns, and I never felt like they were going to take off with our servers."
Finally, cyber-crime won't evolve from being shameful to being aggressively prosecuted until the trickle of reported cases grows to a torrent. "The best deterrents for these kinds of crimes is the strong message that there are very serious consequences," says Ross Nadel, chief of the Computer Hacking and Intellectual Property (CHIP) Unit in the U.S. Attorney's Office for the northern district of California, based in San Jose. "And a few good, serious cases can get that message across, if companies are willing to come forward."
Making the call isn't just a moral imperative, it's a practical one, says Usermagnet's Ross. "If we expect the information economy to create new sources of prosperity, it's got to be a reasonable, orderly place to do business," he says. "Packet kiddies are nothing more than juvenile delinquents running around with the Internet version of high-powered semiautomatic weapons. If the norm on the Internet becomes terrorist thugs pushing you around, nobody will bring their business there."
Time to Call the Cops
Three situations motivate companies to call the authorities: if they're legally required to do so, if it's "the right thing to do" and if it will help their bottom line, says Mark Rasch, vice president of cyber-law for network consultancy Predictive Systems in Reston, Va. Rasch is the former head of the computer crimes division for the U.S. Department of Justice who investigated renowned hacker Kevin Mitnick and prosecuted Robert Morris, the Cornell student who created a worm that brought the Internet to a standstill.
Banking and finance, nuclear power, air traffic control, health care and other critical industries are required by law to report certain types of security breaches or data loss. If you don't know what laws apply to your company, you should find out before you're attacked, Rasch suggests. You may also be required under contract to report attacks or breaches.
The "right thing to do" isn't as easy to define. Rasch and other security consultants say there are certain instances when you absolutely, positively should call in law enforcement. Things like bomb threats and child pornography should never be swept under the rug, not only because of the potential damage to human life but because a company can be held liable for such behaviors from its employees. Further down the severity scale are cyber-stalking, extortion threats, denial-of-service attacks and the proliferation of viruses.
The toughest call to make is determining your bottom-line impact, says Rasch. If your company loses trade-secret data to a random 15-year-old hacker, it may be better to handle the matter privately instead of risking a public relations fiasco. "But if it's a competitor who now has the blueprints for your new widget," he says, "it becomes very important for you to find out who did it."
The problem with that reasoning is that during an attack or at the moment you detect an intrusion, you're working blind, say law enforcement officials. You can't know if you're dealing with a random hacker or an underhand competitor until afterward. That should be reason enough to quickly call in reinforcements.
"If there is destruction or loss or theft of data, if there is a loss of US$5,000 or more for a non-government non-financial institution, if there's been a root-level compromise or a denial of service, you should call," says Doris Gardner, supervisory special agent in charge of the FBI's Charlotte, N.C., Regional Computer Crime Squad. As clear as those guidelines sound, Gardner and her counterparts in other task forces acknowledge that there won't be an increase in the number of crimes reported until they address corporate America's three biggest fears - the loss of control once they call the cops, being played for fools in the national media, and that in the end the feds will fail to catch the perpetrators or return a conviction.
Fear One: Loss of Control
Gardner is emphatic when trying to reassure nervous companies that an investigation will not spin out of control. When agents start examining evidence, she explains, they will most likely begin with the servers and inspect the logs to try to determine who touched what parts of the system and where they were coming from. A company's IS staff members are vital players during this type of investigation. "You're going to be involved," she says. "It's a partnership."
That's a mantra repeated by cyber-crime experts in the Department of Justice, the U.S. Attorney's Office and the Department of the Treasury. "We're not the cavalry. We're not going to come storming in and take off with your equipment," says Jessica Herrera, a federal prosecutor in the Computer Crime & Intellectual Property Section of the Department of Justice's Criminal Division in Washington, D.C. "We're there to work with the company, and we've found the best experts for examining computers are the people who operate them on a day-to-day basis."
Utenzi Corp., a data center outsourcer and corporate ISP, has worked with the FBI as a victim and other times assisting its customers who have been hit. The FBI leaves data-intensive tasks to the IS staff while its agents handle the forensic and legal aspects of a case, says Mark Nilsson, chief technology officer for the Research Triangle Park, N.C., company. "IS isn't their core competency, and they know that. Their core is investigative."
In one instance, he explains, "we gave them the signature of the hack and some log information, and they subpoenaed logs from another ISP, traced the user, served a warrant and made an arrest."
Fear Two: Front-Page Coverage
Of all the reasons companies suffer in silence after a cyber-crime, the most potent is the fear of bad publicity. Predictive System's Rasch sketches out a nightmarish scenario, only partly in jest - "Let's see, investigation on CNN, trial on Court TV, and conviction and sentencing on the front page of The New York Times." In all seriousness, though, he says one goal of prosecutors is to deter other would-be criminals. "If some guy goes to jail and nobody hears about it, they're not reaching that goal."
Law enforcement officials insist they take care to keep victims' names out of the public eye. "We've had plenty of cases when we wanted to blow our own horn and didn't," says Nadel of the U.S. Attorney's CHIP unit.
"We can't make any absolute guarantees, but in many cases, when a criminal charge is filed, we don't even name the victim in the indictment," says Nadel. "Unless there's a particular reason, we usually won't confirm that a particular company has been a victim." In fact, when CIO tried to follow up on the break at J.H. Baxter, the FBI agent who handled the case referred us to a spokesperson who wouldn't even say whether the case was closed or ongoing.
Iverson and executives at Utenzi and Usermagnet reported no unwanted publicity in their dealings with the feds. "An organisation like ours is very sensitive to having our name attached to security stories," says Utenzi's Nilsson. "The FBI has been very discreet. We've not seen a hit in the press or anything."
IT managers and security consultants say the best way to increase trust of law enforcement agencies is to establish a relationship with an agent that specialises in cyber-crime before a breach occurs. "You don't ever want to just call the police. You want to call your friend Bob down at the FBI," says Rasch.
Nilsson seconds that advice. Having once worked with a particular agent, he was much more comfortable calling that person when another incident arose.
Fear Three: Lack of Results
When it comes to involving the feds, skeptics seem divided into two camps: those who believe federal law enforcement should never be trusted, and those who believe the FBI and other groups mean well but are ultimately ineffective.
"The sense that I get in cases where the FBI has been involved is that they didn't provide a lot of value add," says Peggy Weigle, CEO of Sanctum, a Santa Clara, Calif., manufacturer of security and control software for Web applications. "The top priority for any company is to seal and secure the site. It's difficult to catch hackers. Our feeling is you should focus instead on getting back into shape."
Chip Smith is cautiously optimistic about the legal clout of law enforcement. Now director of corporate security for the Bank of New York, he's the former special agent in charge of the New York Field Office for the U.S. Secret Service. On one hand, he says, "law enforcement has come a long way in five years. They're making leaps and bounds in understanding all these things." On the other hand, he concedes, they still have a long way to go. "A lot of prosecutors still aren't familiar [with cyber-crime]. A lot of law enforcement still isn't familiar with it. The laws have to become commensurate with the crimes being committed."
Many crime fighters say the current laws already allow sufficient latitude for them to pursue criminals and win convictions. "In the United States, we have strong laws," says the Department of Justice's Herrera. "If we're able to figure out who the intruder is and if there's a climate where [the victim] wants to pursue an investigation, then the laws are enough."
If the FBI and other authorities hope to send a message in such cases, it's a message aimed just as much at corporate America as it is at the cyber-criminals. "You can have all the firewalls and intrusion detection systems you want, but nothing is 100 percent secure if it's connected to the Internet," Gardner says. "If companies have had things stolen and they don't want it to happen again, we're hoping they'll want to come forward and set an example."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.