Companies with compromised data have a duty to report that information to investigators as a way to keep others from being victimized, the director of the U.S. Secret Service said Tuesday.
The Secret Service, which has jurisdiction to investigate financial crimes as well as protect the U.S. president, is working hard to prevent Internet-related crimes such as identity theft, but it needs assistance from private companies, said Ralph Basham, Secret Service director, speaking at an event on organized cybercrime in Washington, D.C.
“Information is the world’s new currency; information has value,” Basham said at the event, sponsored by trade group Business Software Alliance (BSA) and think tank Center for Strategic & International Studies (CSIS). “Information discloses our vulnerabilities and systemic weaknesses, and therefore … compromises of information must be aggressively investigated.”
Compromises that affect one company are increasingly rare in a world connected by the Internet, Basham added. “The days when a single institution guards the system intrusion as a secret are no longer acceptable,” he said. “An intrusion for one represents a collective threat for us all.”
Still, the sharing of information between law enforcement agencies and private industry remains an area that needs significant improvement, said a group of IT security experts, speaking on a panel discussion following Basham’s remarks. Technology that could help reduce cybercrime does exist, but law enforcement agencies conducting investigations often don’t immediately share information about new threats, said Albert Sisto, president and chief executive officer of Phoenix Technologies Ltd., a security software vendor.
Federal law enforcement agencies are trying to share more information, but it’s often difficult to disclose too much information without compromising an active investigation, responded Kimberly Peretti, a lawyer in the Computer Crime and Intellectual Property Division at the U.S. Department of Justice. The Secret Service is working on ways to distribute information faster, said Brian Nagel, assistant director for investigations at the Secret Service.
Most panelists agreed that technology can help fight organized cybercrime, but also called for other changes, including better international cooperation among law enforcement agencies and more tools and training for law enforcement agents. Cybercrime cases cost more to investigate than traditional crime, Nagel noted.
A combination of technology, law enforcement resources and laws is needed to combat cybercrime, said Bill Conner, chief executive officer and chairman of Entrust Inc., a security vendor.
But a number of federal laws passed in recent years haven’t done as much to raise awareness about data security as one California bill requiring companies with data breaches to notify victims, which became law in 2003, he said. Other states are now working on similar laws, and U.S. lawmakers have introduced similar federal legislation.
Technology alone can’t solve the problem, either, he said. “Technology is used by the good guys, and it’s used even more by the bad guys,” Conner added. “They’ve got lots of money.”
Panelists defined organized cybercrime as loose groups of criminals that meet through Internet Web sites or chat rooms, not mafia-style organizations. The groups often work together for short times, then disband, Peretti said. That transitional nature of cybercrime rings makes prosecution an effective tool against such groups, she added.
“The deterrence aspect works, because it says to the online criminals that are maybe the new emerging criminals that you can’t be online anonymously, that you can and will be caught,” Peretti said. “The second thing it does is it disrupts their trust. They operate on the Internet … and they don’t necessarily know who they’re dealing with. What investigations can do is say: ‘We have law enforcement agents out there, and we’re going to disrupt that trust.’”
Peretti and Basham highlighted Operation Firewall, an investigation spearheaded by the Secret Service that led to 33 arrests in the U.S. and six other countries. The operation, announced in October, led to charges related to identity theft, computer fraud, credit card fraud and other crimes, and may have prevented hundreds of millions of dollars in damages to victims, Basham said.
Although the cybercriminal rings are not formally structured like traditional organized crime, they no longer are teenagers hacking from their basement for their own amusement, the panelists said. Today’s cybercriminal steals data for profit, said James Lewis, director of the Technology and Public Policy Program at CSIS. “This is a professional sport now,” he said.
Asked if cybercriminals are winning the war, the Secret Service’s Nagel said no, but he encouraged companies that deal with data security to establish relationships with law enforcement investigators before a crisis. Jody Westby, managing director of the security and privacy practice at PricewaterhouseCoopers, seemed to disagree with Nagel, saying that only about 5 percent of cybercriminals are caught.
Westby called for a national law that would create a do-not-issue database, where those who sign up could require credit-card and banking companies to make personal contact with them before opening new accounts in their names. Such a national list would help reduce ID theft, she said.
Awareness about cybercrime is rising among corporate leaders, with recent headlines focusing on victims of ID theft and so-called phishing, she said. “Senior-level management is starting to wake up and realize this is a real management issue,” she said. “They’re really starting to realize cybercrime is a boardroom issue.”