Wednesday, July 25, 2007

GAO: CYBERCRIME Challenges

On July 20, 2007 I began my first day of work at The University of Alabama at Birmingham as the Director of Research in Computer Forensics. The position came about as a result of one fundamental issue that we have been working on together between the chair of Computer & Information Sciences and the chair of Justice Sciences: How can we better equip CyberCrime Investigators to do their job? The first part of our answer was to encourage more Academic partnership, where students would seek a "Certificate in Computer Forensics" by studying courses from both departments. We called this initiative "Training Digital Detectives for the 21st Century". The second portion was to begin hosting more training on CyberCrime Issues, such as The Birmingham Conference on Phishing on March 13-15, 2007, and the Identity Theft Summit held June 10-11, 2007. The third part was to create my position, and to begin focusing our joint research efforts on topics that would provide better techniques, tools, and training for CyberCrime Investigators.



With that background, you can imagine how reinforcing it was to see Federal Computer Week's article on July 23, 2007 -- FBI, Secret Service must improve CyberCrime Training. The article begins:

The FBI, the Homeland Security Department and other federal agencies are underequipped and lack enough properly trained employees to combat cybercrime, according to a recent report by the Government Accountability Office.

GAO found that staffing was one of four major challenges to addressing cybercrime.


The publication being referred to was GAO-07-705: CYBERCRIME: Public and Private Entities Face Challenges in Addressing Cyber Threats. This document, from David Powner's group at the Government Accountability Office, says "The annual loss due to computer crime was estimated to be $67.2 Billion for US organizations" with the majority of that, $49.3 billion, being related to Identity Theft, and $1 billion associated specifically with phishing. That same opening letter pointed out that in addition, we know "Chinese military strategists write openly about exploiting the vulnerabilities" used by our military computing infrastructure, and that "terrorist organizations have used cybercrime to raise money to fund their activities". In 2006, it is estimated that there were 9.9 Million US consumers who suffered from Identity Theft.

It's our economy that is at risk. In the report's background it lists that "150 million US citizens" use the Internet, and that in 2006, "total nontravel-related spending on the Internet was estimated to be $102 Billion". And spam, according to a Ferris Research report cited by GAO, has a "global cost of $100 billion worldwide, including $35 billion in the United States".

As president of the Birmingham InfraGard, and a recipient of the 2006 "Partnership Award" from the IC3 and NCFTA, I was pleased to see the report listing "Key Partnerships Established to Address CyberCrime":


  • Internet Crime Complaint Center (ic3.gov)
  • InfraGard
  • The National Cyber Security Alliance
  • National Cyber Forensics and Training Alliance (ncfta.net)
  • Electronic Crimes Task Forces


The key challenges listed in the report are:


  • Reporting CyberCrime
  • Ensuring adequate law enforcement analytical and technical capabilities
  • Working in a borderless environment with laws of multiple jurisdictions
  • Implementing information security practices and raising awareness


Reporting CyberCrime


When surveys say 9.9 Million Americans lost $49 Billion to Identity Theft last year, it's astounding that the Internet Crime Complaint Center only had $180 Million in loss reports filed from 260,000 consumers. Some of the reasons GAO gave for this under-reporting were:


  • Financial Market Impacts - (will my stock tank if I tell you I was hacked?)
  • Reputation or confidence effects - (will my customers flee if I tell the truth about my brand's phishing losses?)
  • Litigation concerns - (will my customers sue me?)
  • Signal to attackers - (will other hackers pounce on me?)
  • Inability to share information - (is my data sequestered by the legal process?)
  • Job security - (will my IT staff be fired?)
  • Lack of law enforcement action - (will the cops do anything? do they know what to do?)


LE Analytical and Technical Capabilities



From the report:


Federal and state law enforcement organizations face challenges in having the appropriate number of skilled investigators, forensic examiners, and prosecutors.

...

officials, once an investigator or examiner specializes in cybercrime, it can take up to 12 months for those individuals to become proficient enough to fully manage their own investigations.


Some of the key challenges mentioned include the great possibility that a trained cybercrime investigator will be lured to the private sector by the much higher salaries their skills may demand in that arena. Within the FBI, the policy of rotating new agents to one of the 15 largest offices within 3 years often means that an agent recruited for their cyber abilities is assigned to a non-cyber position in their new office! (This happened to one of our favorite cyber agents in Birmingham, who is now in a non-cyber post in Miami!) These same rotations also mean that agents brought in to fill these new cyber-vacancies may have little or no cyber training. Even senior agents (supervisory agents) are limited to serving a 5-year term in their role if they wish to seek career advancement.

Keeping Up to Date with Technology and Techniques



The report also expresses the concern that cybercrime is evolving at a rate which requires new equipment and tools "and agencies' need for them does not always fall into the typical federal replacement cycle". Some of the training gaps are being met creatively within agencies by having centralized talent pools, such as the DOD Cyber Crime Center (DC3.mil), FBI Cyber Action Teams, and the Secret Service training programs for federal, state, and local officials (such as the new Center just opened in Hoover, Alabama!) These are all great, but often the resources are still too limited for the scope. These are supplemented by "public/private partnerships, like the FBI’s Infragard and National Cyber Forensics Training Alliance and the Secret Service’s Electronic Crimes Task Forces, [which] provide ways to share expertise between law enforcement, the private sector, and academia."

Borderless Crime



Key challenges in this area are:


  • techniques that "make it difficult to trace the cybercriminals to their physical location".
  • "the multiplicity of laws and procedures that govern in the various nations and states" - such as the fact that not all states or nations have antispam or antispyware laws.
  • "Developing countries, for example, may lack cybercrime laws and enforcement procedures."
  • The "need to rely upon officials of other jurisdictions to further investigate the crime."
  • "Conflicting priorities also complicate cybercrime investigations and prosecutions."
  • "Cybercrime can occur without physical proximity to the victim, and thus a cybercriminal can operate without victimizing a citizen in the jurisdiction or federal judicial district in which the crime originated." - It is difficult to commit local resources to investigate crimes that have no local victims!


Raising Awareness


"Criminals prey on people's ignorance". Ignorance of vulnerabilities. Of how to detect phishing. Of how to report CyberCrime.



In response to this report, the FBI mentioned that Director Mueller has established five "career paths" for agents, one of which will be a Cyber track. This will allow cyber agents to remain where their skills can be made most effective.

The Secret Service also responded, stating that their Electronic Crimes Special Agent Program (ECSAP) will have 770 trained and active agents by the end of FY 2007. Their response also mentioned their 24 Electronic Crimes Task Forces, which "combine the resources of state and local police, as well as academia and private industry", and their importance in maintaining a continuity of investigative ability even as new ECSAP agents face their 4th year rotations.

The Birmingham Electronic Crimes Task Force meets quarterly, according to their website. More information about the next meeting is available from 731-1144 or "bhmecwg@einformation.usss.gov".

1 comment:

  1. Gary,

    This was a great read and very worthwhile.

    I'm writing to say good luck in your new position and that you make all of us at InfraGard look great.

    I will be interviewed tomorrow by eWeek in a discussion on Botnets and how they relate to National Security. I read with some key interest an article from the Washington Post a few weeks ago. See: http://www.washingtonpost.com/wp-dyn/content/article/2007/07/05/AR2007070501153.html?referrer=emailarticle for the post.

    Corporate executives and agency heads are being blinded by the sheer nightmare of bombs, shooting and attacks all over the globe and anything that points to the dangers of information security is almost viewed as "white noise" just a blur in the day's events.

    We in NYC want to try to rock the house a bit and show the small to med sized business executives that they are in danger and that the consequences are in fact very, very real.

    Everyone knows Information Security Awareness Month is coming up in October. We are pushing to get everyone spun up and ready to introduce programs and set up awareness campaigns locally.

    The Nation needs a seatbelt campaign for Information Security Awareness and the estimated cost is 10 million. However, if we can begin word of mouth, blog by blog we can help tighten up this nation's information infrastructure and in turn do a great deal to protect our family, friends, neighbors, peers and country.

    All the best and good luck in your new post. Our expectations are in fact very high!

    Once again, all the best,

    Joseph R. Concannon
    CEO
    NY Metro InfraGard Members Alliance
