Metric of the Week: Smoke, Cyber Crime Fighting, and the 2012 FBI Budget

Posted on 4 December 2011 by


Slide from my SecTor 2011 presentation on cyber crime fighting

The best part of the new FBI budget request, if you’re a Libertarian, is that the total budget request this year is $200m lower than for last year. That’s great for saving money.

The bad news for anyone who tracks or participates in cyber investigations is that the request by the FBI for increases in its resources to combat cyber crime and criminals was for a mere $18.6m.

Looks like they’ll get it, too.

That would bring the money given to the FBI to fight the cyber crime fight to $166.5m from $147.9m. The FBI says that they are going to add 14 new special agent positions and 28 support staff, including five additional special agents and professional support staff who will take the National Cyber Investigative Joint Task Force to 24×7 coverage from its current 8am to 5pm stance.

Well, bwee-yaw. That is obviously needed stuff. It still boggles my mind that Congress had to have it explained that,

Because threat actors operate globally, a significant volume of cyber threat activity occurs outside of normal business hours.

That’s awesome. So now we’ve got a 12% increase, which some friends tell me I should be happy about, because, as they say, it’s a step in the right direction.

Hang on a tick. Twelve per cent.  On a budget which was ludicrously low already (I know it was ludicrously low because the amount of cyber crime out there has not been reduced – and FBI goes to lengths to tell everyone that they, alone, are empowered to battle many types of cyber crime – for example, any cyber criminal act launched from outside the US which attacks US companies or government).

Anyone want to guess the rate of increase in cyber criminal activity year on year? Seriously?

I mean, we could go with hysterical vendor reports talking about trillion-dollar cyber crime figures and insane growth, like this, or just plain old 50%+ growth like this; or even more rational reports like this; or we could look at academic roundups (an entertaining one is by Dr Joe St Sauver at the University of Oregon – worth checking out).

But at the end of the day the reports themselves confuse and conflate cyber crime types and categories, and there are no standard metrics at all. Even the definitions vary – are we talking about credit card theft? ACH fraud?

What is a cyber crime anyway? As we wrote last April, the one thing we know about cyber crimes against banks like ACH fraud (committed when computers are infected by malware and then account credentials stolen and fraudulent wire transfers are ordered)  is that they are not, according to the FBI, bank crime.

The FBI also believes that skimmer fraud – you know, when credit card and debit card numbers are stolen by placing small computers in ATMs and gas pumps and point of payment card readers, and then turned into fake cards (by computers) and used to fraudulently purchase goods or extract money from banks – is not a bank crime either.

What is, according to the FBI, a bank crime?

A stickup.

The FBI has all kinds of metrics about stickups. They even count the number of dye packs which robbers took (last year? They took zero dye packs. That’s a metric.)

Metrics are Everything
Without any metrics at all about cyber crime, how the hell did the FBI come to the $18.6m increase request in the first place? And by what criteria was that request judged to be perfectly accurate by a congressional committee?

In fact, the FBI does not seem to be even creating the metrics to describe cyber crime. This year, in America’s Cyber Future, Security and Prosperity in the Information Age, Volume I, Kristin M. Lord and Travis Sharp argue that

“The U.S. government should maintain command and control procedures for cyber operations by the U.S. military and intelligence community to ensure that senior civilian leaders retain the ability to review and approve significant activities; appoint two separate leaders for U.S. Cyber Command and the National Security Agency (NSA); create a President’s Cyber Security Advisory Board to provide independent advice directly to the president; form a high-level joint contact group for DHS, the Department of Defense (DOD) and the intelligence community; establish a bipartisan, bicameral Cyber Security Task Force in Congress; and create objective cyber security performance metrics.” [emphasis added]

The call for these metrics dates to 2005. Go Google “FBI cyber crime performance metrics” and tell me if you can find any further discussion in serious circles, or from Congress, demanding these metrics, in the past 12 months.

They’re hard to come by because the FBI apparently does not want to discuss it. I’d bet an ice cold Dublin Dr Pepper this is because any rational discussion would demonstrate just how much they suck at prosecuting cyber crime. It’s not their fault – everyone sucks at fighting cyber crime.

But the way to not suck at cyber crime is to truly fight cyber crime and get better at it.

What Do They Count?
The metric of success for the FBI when hat-in-hand groveling to Congress is the UCR – the Uniform Crime Report – a metric invented in the 1930s and covering murder, rape, robbery, aggravated assault, burglary, larceny-theft, and auto theft. Cyber crime, not being that big in the 30s, was not included in the UCR family of metrics.

Strangely, cyber crime – arguably one of the fastest growing criminal segments in the world – is still not counted.

So they blow smoke.

The FBI Says, “Cyber Crime == Al Qaeda”
Since ACH fraud and skimming are not bank crime, are they cyber crime? Or are they something else? And if they are cyber crimes, does the FBI intend to use that $18.6m to fight those things? Doesn’t seem like it, does it, after reading the documents I link to above and below?

If you look at the most recent budget request by the FBI, they don’t discuss what they’ve done with cyber crime fighting and how they will improve on what they’ve begun to do. Instead, they work very hard to paint a picture not of international cyber crime and government organizations targeting American companies, banks and critical infrastructure for attacks to steal valuable intellectual property and straight out money, but rather of some evil plot by Al Qaeda to blow up power plants.

They also make some statements which stretch the truth, and a couple which are outright howlers. To wit:

A cyber attack’s impact could be similar to that of a well-placed bomb. To date, terrorists have not used the Internet to launch a full-scale cyber attack, but they have executed numerous denial-of-service attacks and defaced numerous websites.

That statement is rife with back-pedaling, qualification and other hocus-pocus, but we think it’s just a gas, a howl, a scream, that the best examples the FBI can come up with to get our blood boiling are DDOS attacks and site defacements. Al Qaeda is the best group of bad-guys-from-Central-Casting since the Nazis, and the most dramatic evidence that can be offered is that someone brings down a website? This is either the single most naive statement about cyber criminals’ tactics, techniques and procedures, or they’re just blowing, well, smoke.

And I see no mention of skimmers or ACH in anything mentioned about staying up late to catch Al Qaeda hackers looking to DDOS or deface America.

Here’s another good one:

“The FBI pursues cyber threats from start to finish.”

That’s patently disingenuous. The FBI pursues cyber crimes, once they’re committed, provided they pass a threshold of money (something like $100K) or pissing-off-the-FBI (like, say, Anonymous). They can’t pursue a threat if no crime has been committed, because any FBI person who says they’re in the preventing crime business also has a bridge to sell you. And even if they had 20,000 special agents doing nothing but cyber, they’d still need to be incredibly selective about which crimes they’d physically have the resources to pursue, let alone prosecute. If you want someone who pursues cyber threats, that’d be, say, the Air Force Cyber Command, or, you know, other agencies than the FBI.

“We have cyber squads in each of our 56 field offices around the country, with more than 1,000 specially trained agents, analysts, and digital forensic examiners. Together, they run complex undercover operations and examine digital evidence.”

True, and most of those 1000 people are monumentally talented and dedicated. Yet firms like IBM and Ernst and Young have more people than that working security incidents and literally fighting cyber criminals each day for control of networks which are under attack, and even their marketing departments wouldn’t think to say that they have the resources to effectively combat cybercrime in the US on behalf of their customers.

But the FBI demonstrated within its budget request that, even within a serious document intended for Congressional eyes, they can still let loose the twinkle of their humor here and there. Referring to their special agents working cyber security, they quip:

“They share information with our law enforcement and intelligence partners.”

Ha, ha ha ha ha, ha ha ha ha ha ha ha ha, OH!, ha ha ha ha snort, chortle, belly laugh. Pah! Ha ha ha ha ha, oh, that’s a rich one, OH, ha ha ha ha ha ha ha ha ha ha ha ha ha, stop, yer killin’ me! Ha {wipe tears of laughter}. You guys!

Let’s move on.

“And they teach their counterparts—both at home and abroad—how best to investigate cyber threats.”

Maybe so, but the real fact of the matter is that most of these hard-working agents are hideously overworked, especially when they need to testify, and the overall level of forensic and investigatory skills within the bureau is statistically non-existent.

Oh, and have you heard the one about how they share with their law enforcement partners? Ha! Sock it to me, baby!

Moving Forward
We’ve been clear about what needs to be done. Once again, we need to start calling crimes crimes, and stop relying on the UCR alone to determine success or failure of the FBI’s activities.

We need to start prosecuting cyber crime; not just the FBI, as if it’s some God-given jurisdictional right that they have to prosecute cyber crime, but ALL law enforcement has to get in on the action and start taking these clowns into custody. We’ll lose a lot of cases, but as we lose, real, local and county and state DAs will start to get good at understanding the issues, and start demanding real prosecutorial tools to help them prosecute.

We don’t need posturing, we need prosecution.

Not smoke.