The recent Techno-Security Conference in Myrtle Beach, South Carolina brought out a bevy of IT security officers, IT administrators, law enforcement types and others to learn about what they can do to better their organization's infosecurity posture.
Attendees, who were estimated to reach approximately 600, could pick from a number of educational tracks to target specific areas of interest - anything from IDS and computer forensics investigation, to U.S. homeland defense or fighting electronic crimes through company/government partnerships.
This latter track proved too short, but interesting. Special Agent John Frazzini with the U.S. Secret Service's Electronic Crimes Branch in Washington, D.C. explained to attendees how various government entities, including his own, were making strides to better communicate and work with the private sector in investigating computer crimes.
The ultimate goal is improved information sharing among corporations and government agencies so that the occurrence of Internet crimes will be reduced and, maybe, criminal prosecution will even become more frequent. U.S. government agencies are making these strides, he explained, because they realize that, with the advent of the Internet, they no longer drive information alone. They fully understand that entities of all sizes from every corner of the globe bounce informational bits through cyberspace like a volleyball.
Information sharing among the private and government sectors is not something new, but, especially in light of recent concerns about impending acts of terrorism, it is a concept that government spokespeople seem to be emphasizing a lot more lately. Indeed, Frazzini noted that one problem faced by investigative bodies such as his, and one fast becoming symptomatic of this day and age, is that the lines between plain criminal acts and acts of war are increasingly blurring. He said that eventually his and other agencies will have to develop a way to differentiate between plain old cybercriminals and those warring against a country's (in this case, the U.S.) critical infrastructure.
Now, all this sounds grand, but in reality how well is it actually working? Even though Frazzini and other government bodies are trying to ensure that companies are not 'victimized' in any way as they come forward with reports of possible Internet crimes, recent reports indicate that private enterprises still are not making too many reports. USA Today, for instance, recently reported that the FBI has found that even though cyberattacks are on the rise, with more companies than not having been a victim of some sort of cyberattack, most choose not to contact a law enforcement agency. Reportedly, according to the FBI survey, most opt to say nothing because of the possibility of bad publicity.
Funny enough, Eugene Schultz, a member of the SANS Newsbites editorial team, states in a recent installment of the weekly security news overview which made note of the FBI survey, that while he is certain no reports are made because of chances for bad publicity, this can't be cited as the only reason. "Despite good efforts on its part, the FBI has not really established the level of trust and rapport with industry to make turning to the FBI a viable alternative," he notes.
However, there are still more reasons why an IT security officer, along with the CEO and corporate counsel, may neglect to file a report. According to one audience member at Frazzini's talk, there is simply no easy way to file a computer crime report - that is, he and other IT administrators like him are at a loss as to which agency to go to for help in the first place. But strides are being made in this area, too. Besides individual investigative bodies trying to develop a more touchy-feely, come-up-and-see-me-sometime appeal to corporations, Infragard chapters are being set up throughout the U.S. to create a more united front against computer criminals. Such chapters have reporting mechanisms in place that get appropriate agencies involved when a crime is committed. In this way, some of the confusion about which agency to speak to is avoided.
Still, most companies are hard-pressed to even get a criminal investigation going outside their own corporate walls. If it is a situation they can quickly handle on their own, perhaps by remediating damage and then putting in additional infosecurity mechanisms, they will. In cases where an employee is responsible for thieving information, they simply resort to firing and then re-fortify security controls.
Too many stories are circulated among corporations that make top-level managers stop short of calling law enforcement in to help. Frequently, for example, investigative agencies may come into an organization during a cybercriminal investigation and physically take out various computers as evidence to sift through. This can effectively shut down business until the investigators decide the equipment is clean and ready for return, noted one vendor expert during a forensics educational track. In other cases, information about the case, though promises of discretion may be made, will be leaked to the media. And sometimes, even if a company has opted to go to an investigative body in hopes of retribution, nothing may come of it, which only adds to the private sector's skepticism about just how effective reporting an Internet crime to law enforcement actually is.
Most certainly, computer crime specialists like Special Agent Frazzini have their work cut out for them. Though most corporate and government officials concede it may be helpful to share information about the occurrence of possible computer crimes or incidents, there is still a strong hesitancy on the part of the business world to come forward. Too much is at stake. For those having already been attacked, the idea of scrambling to squelch a public relations nightmare, dealing with investigators for any length of time on such a case, muffling concerns from board members and stockholders, ensuring that the flow of venture funding is not slowed and worrying about a host of other related items just doesn't seem worth it. To most, it may seem a little easier to just deal with any related downtime, clean up the mess and plug the hole. The trouble, though, is that there is always another attack. It appears investigative groups like the Secret Service aren't the only ones that have their work cut out for them.
Illena Armstrong is U.S. editor of SC Magazine (www.scmagazine.com).