We’ve been, you’ve noticed, real quiet for about a month. That’s because both Dave and I have been not just slammed, but over-slammed on investigations of various sorts. Not making any excuses, but you get what you pay for.
Right now Dave is preparing to do some more work at CSG Analysis on some law enforcement technology, and we’re pleased as punch to have partnered with one of law enforcement’s most forward-thinking agency administrators on some upcoming research. More on that reasonably soon.
I spoke this past week at the SecTor Canada security conference, one of the best. I was truly honored to be on the same bill as luminaries like Brian Krebs, Mikko Hypponen, Sean Bodmer, Mike Smith, Kai Axford, Dave Mortman, Mike Rothman and a whole list of others. It was a great time.
Talks
On Monday I was speaking to a law-enforcement-only room about some of the attacks against police networks we’ve covered here: lessons learned and the like.
Then on Wednesday I was talking about how companies can work with law enforcement when they’re hacked, and why they don’t, and what can be done about it. I’ll put up links to the presentations (there’s audio available so you can watch the presentation and hear the commentary, I’m told) when they’re made available.
Why People Don’t Call The Po-Po
One of the guys there was questioning legislation, which brings me to an interesting idea I’d like to get some feedback on.
If we look through the proposals for updates to cybercrime law (have a look here for examples), from the over-broad and relatively meaningless National Security Council Strategy to Combat Transnational Organized Crime to Shouting Senators Baying For Cybercrime Legislation, we see that for the most part, the proposals fall into the category of, “Oh,-CRUD,-some-of-my-constituents-got-cyber-robbed-and-I-better-get-something-DONE-dammit”. This means that we get some real whirly-gig doozies of cyber-stinkers like the dunderheaded idea that lengthening sentences for computer intrusions is worth the paper it’s printed on.
The problem is not that the sentences are insufficiently severe, the problem is that no cops other than a small number of feds are empowered, prepared and trained to investigate, and also that the number is so small that triage means that less than 0.01% of cyber crimes are ever investigated, let alone prosecuted.
It is because of this lack of judicial experience in cyber crime cases that lawmakers are getting really, really crappy advice about what legislation should be doing to help in the fight against cyber crime.
The problem with cyber-legislation, therefore, is that it is not being driven by demands by judges and juries and prosecutors and cops and city officials and stakeholders for better clarity into the issues and better tools with which to do the job, but rather by chest-pounding lawmakers seeking to “do something”.
The knee-jerk reaction is in most arenas, of course, a highly effective proactive tool, but in cyber law, it’s particularly ridiculous.
Training
Let’s talk crime for a moment: someone comes into property which is not theirs, takes property which does not belong to them and monetizes it by selling it. In fact, there’s nothing particularly new about cybercrime other than the vector – the windows they break and the silverware they take. Yet cops, DAs and judges are so vexed by the vector that they can’t see the simple fact that there are laws on the books against crime – even against cyber crime.
They just don’t have the training in articulating the facts, nor the understanding of the systems or even the property values. We need that.
Support
Right now, the FBI rushes in and takes forever to get very, very few convictions. Don’t get me wrong – they’re wicked smart, but they’re hopelessly outgunned, and the high-profile arrests represent the teensiest, eensiest percentage of the actual levels of cybercrime out there.
Non-federal cops need support from the criminal justice mechanisms out there to investigate cyber crime on local and state levels.
Oh ho! naysay naysayers, you don’t have jurisdiction.
In fact, we do. For example, crimes against Texans, or those which transit Texas in their commission, can be investigated by Texas cops – end of story. It’s just that the cyber crime investigation and prosecution is so painful and horrible, no one wants to investigate it. That is stupid, and deprives our citizens who are victims of cybercrime that the FBI won’t get excited about – stuff under, say $100,000 – of justice.
The hell with that.
Legislation
The wheels of justice do turn slowly, but here they’re even slower because of all the maladroit congresspeople trying to “help” with cyberlegislation written by technological Troglodytes who can’t update their iTunes without the help of an aide who’s under 30 and has an IQ of greater than 110. With training and support, cops and prosecutors can start making cases and then – and only then – will they see the true limits of the current legislation.
Then – and only then – can they be in a position to make informed suggestions to lawmakers about the legal tools they need to combat cybercrime. This legislation can’t be imposed from the top down, by leaders just as clueless as the rest of us as to what is effective. This legislation must be driven by the unmet needs of the legal system.
But it’s okay – we only have to go through this if we want cybercrime legislation with any hope of addressing cybercrime.
Mike K.
21 October 2011
Great writing as usual Nick. But some thoughts on this…
First…Training.
I know you and I have talked about this but some of your context (and oddly enough Bad Boys II) got me thinking. So, if we look at investigating cyber crimes at a local level, are local agencies approaching it like a burglary or a homicide? I mean, and to quote Joey Pants…”Do we have detectives here…detecting shit….” ? Do the detectives know what to look for? From a forensic perspective if we look back 20 years, we have made great strides. DNA, computer modeling and a whole host of other tools enable the crime lab to gather more substantial evidence. But, how do they approach cyber crimes? Do they know how to look for how the “window” was broken or specifically what kind of tool could have been used to pry open the “door”? Do they know how to find the footprints leaving the scene like they do with a homicide? My sense is that probably not in most cases.
Second…Support.
So, cops can go across jurisdictions to pursue drug dealers, suspected terrorists and etc. I am not really knowledgeable on this but I know cops who are USMS task force members and they cross into MN from WI all the time. So, why can’t there be some sort of authorized joint task force for Cyber? I mean that is where the FBI and the USSS advertise their value, but to your point although possessing smart people they are outgunned. So why not have a cross-border task force organization where LE agencies can collaborate and pursue criminals. I mean, cyber criminals are a lot like Dillinger and he helped create the FBI as we know it because he would flee a state after robbing a bank. Anyway, I bet you have some insights here and I would love to hear them.
Third…Legislation
Shouldn’t the law reflect current statutes for robbery, extortion, burglary, and racketeering? If you hack into someone’s account and steal money, isn’t that really burglary only in the digital realm? If you are part of an organized group committing felonious crimes, should you not be subject to RICO laws? Like most things, the public elects the best looking dumbass with deep pockets who promises to give them what they want. Since we cannot count on their intelligence, perhaps the secret sauce is to keep the laws close to what we already have, but address the language to account for borderless operations and crimes.
Nick Selby
21 October 2011
Thanks, Mike,
You’re speaking directly to the heart of the problem. Right now, when someone gets hacked or cyber-ripped-off, if they CALL the cops, the cops are mostly unable to say anything other than, “call the FBI”. They can’t recognize or articulate the elements of the offense, and they really don’t like talking in any way about stuff which makes them sound like they don’t know what they’re talking about. Also, any cop worth his salt would move to get a call like that off his To-Do List, because after he works it, it WILL get taken by … another agency.
I would love to see the kind of task force to which you refer, and think it’s a great first step. Right now, the thing gets swooped and the locals get left in the cold. If everyone worked task forces like the Marshals and the USSS, the world would be a better, and substantially safer, place.
Whether we need RICO extended to cyber-crime is up to others to say, but I would ask anyone who takes a position in that argument how many cyber cases they have actually taken through to verdict. The issue is that most people don’t have any clue how to do it – myself included – and those who do are so busy losing sleep on investigations they don’t have time to go back and be reflective about it.
Awesome comments Mike, thanks.
Brian M
21 October 2011
I like Mike’s thoughts on legislation, not sure it will ever be made that simple…let’s face it lawyers need to justify their existence somehow.
As for support and training. I’m not certain that you need joint task forces as much as joint efforts. I’ve yet to meet a cop who acted like anyone on television. After 10 years in law enforcement, I was always happy to receive help from anyone who could offer it, and happy to provide help when it was needed and I had something to offer.
Training is another subject. You can’t simply train every cop to look for the “footprints” leaving the scene when it comes to computers. This is an ever evolving world when it comes to computers, the internet, and cyber-crime. For this you need the officers to become educated far beyond what they’ll learn in a 40 hour course. It’s a skill that they will forget quickly if they don’t use it with such minimal training, and an insufficient skill to boot.
Being able to set up iTunes, install Malwarebytes in safe mode, and format a hard drive are a far cry from tracking down cyber criminals. Government and Law Enforcement need to start seeking out and actively recruiting University grads who specialize in MIS and such. People who have the training and propensity for the investigations needed to start knocking down these criminals.
The standard of a degree in Criminal Justice is fine, but you need to start accepting more degrees, and encourage more degree fields. There is a big difference between a peace keeper and an investigator. We need the combination of the two and that is what makes an Officer.
Nick Selby
21 October 2011
I simply can’t disagree with what you’ve said, especially: “I’m not certain that you need joint task forces as much as joint efforts.”
The joint effort is exactly what is needed, and exactly what’s missing.
And of course, I’m right with you when you say, “There is a big difference between a peace keeper and an investigator. We need the combination of the two and that is what makes an Officer.”
Thanks so much for taking the time to write.
Gene Spafford (@TheRealSpaf)
21 October 2011
A couple of comments.
First, you are right on with a major point here — law enforcement is insufficiently capitalized and trained to deal with the problems. I’ve been banging this drum for well over 15 years in various fora (including in front of Congress), but not getting much traction. Right now, HUGE buckets of money are being spent on cyber offensive warfare tools for the military that we are highly unlikely to use, while the barest trickle is spent on training, tools and research for law enforcement. Very sad.
Your point about legislation and the legislative process is only partly correct. We do have some smart legislators who get some or all of the problem. As well, many legislators employ some really smart staffers who are immersed in some of these issues and know the details. Thus, there is some good expertise in Congress, and many of them know who to call to get more.
The issue with Congress is really one of politics. Initiatives requiring substantially more money than currently allocated either require a huge public groundswell of support, or it has to be for something that is recognized by the public (their voters) as a “real” issue, such as national defense. Of course, if it is an election year, it also has to generate good sound bites and relate to party platforms. This arena is also saddled with an unfortunate albatross — the authority in Congress to deal with cyber is spread across scores of committees — Judiciary, Commerce, Homeland Security…. If you study the political process, getting something sweeping through requires getting all those committees to agree on points, and those points better not mean giving up some of their jurisdiction and funding authority! Power in Congress is partly from seniority and partly from committee assignments, and that crosses party boundaries — no committee wants to give up any authority. So, to get something passed that would add to both the FBI and Secret Service would require joint action by at least two committees in each house, and that isn’t easy. And don’t think that adding something substantial to one without adding to the other is likely to fly.
Meanwhile, out here in the real world, I find lots of local police agencies willing to get involved if they had the resources. (I think it is still the case that over 1/2 of the sworn law enforcement officers in the U.S. work for departments with 12 or fewer officers, so they are often starved for good, technical resources.) They need tools, training, and support. But they also are not willing to push investigations if the DAs won’t prosecute, and the DAs won’t prosecute unless they have air-tight cases. That is made more difficult by uninformed juries and judges, and…. well, it is a bad feedback process. We can’t get more informed judges and juries without more trials, but we don’t get them because there aren’t enough arrests, and ….
I’m not even going to touch the international issues other than to say that it requires a Federal agency (or three) to be involved once a non-US interest is identified.
So yeah, the situation is messed up. The best way to address it is precisely as you noted — getting more of the population concerned and vocal about it. But don’t expect it to make a big difference any time soon — too many other things are using all the political attention right now.
Nick Selby
21 October 2011
Thanks for that perspective, Spaf. The issue I face is this: Dave and I are willing to be the canaries in the coal mine and will continue to be shot down and pushed away by feds, while doing everything in our power to provide service to our community and business leaders by responding to cyber crime complaints. And we will continue to look naive and optimistic and idealistic in doing it.
We don’t expect it to change any time soon. But we do understand that until people, officers, like us stand up and TRY to do something, we will get nowhere. So dammit, we will continue to stand up and TRY.
Thanks so much for lending your voice to this discussion.
Nick
By the way, the new statistic is 80% of the nation’s more than 26,000 agencies have fewer than 25 officers.
Mikko Hypponen
24 October 2011
And here’s one more problem: the better you train the police, the more likely it is the bright investigators get hired by the private sector. We’ve seen this happen so many times.
Nick Selby
30 October 2011
That’s an excellent point I hadn’t considered, Mikko. It’s funny – I went from public to private sector but every week when I speak with cyber cops they want to know about and learn how I made it in the private sector. The amounts of money that can be made from this as a private sector consultant are highly attractive.
VFAC (@CybercrimeForum)
25 October 2011
Excellent discussion on this topic. Kudos to all involved.
I agree with Mr. Spaf,
The political arena is unfortunately not a great place to solve interesting problems that require boring solutions. Building capacity and connections just isn’t an exciting platform to launch into the public spotlight with.
Furthermore, the ulterior motives are getting in the way of the goal of reducing crime and penalizing criminals. The bad guys have no confusion about what their priority is, that is what is giving them the advantage. They don’t get strung up in balancing the other concerns that international, national, regional and industry politics throw into the mix.
It is interesting to note that the countries that are still developing programs to combat cybercrime are facing the same issue of needing education, capacity and effective collaboration systems.
Rob
5 November 2011
About 8 years ago I was investigating a simple, and very common, auction fraud case which was maybe a $1500 loss to the local victim. I was able, through court orders and persistence, to track down the suspect to his door, and even had a telephone number. But the local DA would not pay to prosecute the case, including cost of extradition from what would have been 5 states away for a $1500 case. This pattern has followed over the years but I have seen no aid in this type of situation. Maybe a fund that is set aside to assist in the prosecution/extradition/transport of suspects for prosecution… or a mandate to prosecute in the suspect’s jurisdiction with the victim testifying via video or something would be in order?
The answer that most legislatures have is to increase penalties, as a deterrent or a feel good measure. But in reality it doesn’t help.