Limitations of law enforcement in fighting cyber crime
S.H. Foss, Jr., COO, NorseCorp
The FBI recently broke up the largest cybercrime ring in history when more than two dozen people were arrested in the United States and around the world in a sting operation dubbed “Operation Card Shop.”
Federal authorities cracked down on online financial fraud, in which suspects allegedly stole credit card and banking data, and exchanged it with each other over the internet, a practice known as “carding.”
The bust came on the heels of another takedown earlier this year when the Microsoft's Digital Crimes Unit, along with U.S. marshals and a consortium of financial services security firms, orchestrated a high-profile and successful strike against a significant cybercrime operation that may have taken more than $100 million from tens of thousands of people. Known as “Operation B71,” the bust made headlines by taking out servers and computers infected with the Zeus malware.
On the surface, these recent activities appear to support the idea that the good guys are making progress in the fight against cybercrime. But a closer inspection of the complaints highlight the limitations of law enforcement and the existing legal code as an effective weapon.
The effort needs to shift from what happens once fraud has been perpetrated to prevention of the crime in the first place. And that requires an entirely new skill-set.
Take the Zeus/Microsoft case. According to the legal complaint, the unidentified defendants in the Microsoft case, John Does 1 – 39, are faced with prosecution under the Racketeer Influence and Corrupt Organizations (RICO) Act, the Computer Fraud and Abuse Act, and more routine violations under the Lanham Act and the CAN-SPAM Act.
The complaint resulted in temporary restraining and seizure orders that led to the removal of thousands of URLs alleged to be potential infection sites, removal of alleged command-and-control servers from ISPs, and the issuance of a summons for the defendants to appear in court.
So far, so good. URLs taken down, servers seized, notices-to-appear issued. But there is a problem. Who are John Does 1 – 39 and where do we find them? (Editor's note: Earlier this month, Microsoft named two of them).
The best that server logs will show us is the last jump point. Yet how far down the rabbit hole are investigators willing to dive? They could pore over reams of logs and very likely wind up in a dead end.
Cybercrime laws in the 21st century
The well-known RICO statutes were designed to combat organized crime and drug gangs in the physical world.
While RICO offers some leverage in the fight against cyber crime by investing law enforcement with an order of seizure power, there are limits when it comes to proving an offense in the internet world.
The web is a faceless void. If the virtual John Does did their jobs right, we will never know who they are. And if the other John Does flip, they probably don't know the identities of the architects of the Zeus operation and have never met them face to face.
If identification of the real culprits is nearly impossible, then so is proving their guilt. An elite cyber criminal could easily have hijacked an unwitting victim's computer to write malware, conduct crimes and launch attacks.
So the masterminds behind threats such as Zeus who provide the tools and the means of committing crimes, but often it's the actors further down the food chain who get caught and take the heat.
The solution: A three-legged stool
Effectively combating cyber crime requires a mix of strategies. Think of it as a three-legged stool, comprised of legal remedies, technology and practical experience which work together to prevent attacks like password breaches and online fraud.
The goal needs to be getting to the very bad guys at the top of the chain and stopping them before they strike.
The first leg represents law enforcement. Existing laws and the roles of federal and local officials need to evolve to meet the growing cyber threats.
Technology that provides deep layers of protection is another leg. Real-time intelligence is key to attack prevention.
The final leg represents real-world experience -- people engaged in the fight who know and understand the behavior of the criminals because the bad guys are smart and getting smarter. And they are very good at covering their tracks.
After all, “To know your enemy, you must become your enemy.” That's as true today in the war against cyber crime as it was when Sun Tzu wrote those words.