If you work for a large corporation, you hear lots of talk about corporate responsibility, and that's great. But I can't help but point out that, whether or not it is intentional, there is a massive and growing hypocrisy in the corporate world when it comes to prosecuting crime.
When I worked at a large company about 20 years ago, a mid-level manager told me the company showed it was serious about crime when he called the police about some minor vandalism to the doorways of our corporate headquarters. I'm certainly not saying that companies shouldn't act aggressively to ensure that employees and the public observe the letter and the spirit of the law. Quite the contrary.
But it's anecdotally clear that most companies simply don't call the authorities when they experience criminal losses through online attacks. We in the industry know this, but I wonder if the assumptions we make as to why this is so are correct. It's especially important to consider this now, as we're in the middle of what can only be called a "conversion convergence" which continues to see increases in use of the Internet to monetize stolen information and to launder ill-gotten gains.
I've often said that there is no 9-1-1 for cybercrime. But I wonder: If there were, would anyone call?
I'm not so sure.
In handling computer incidents and advising companies which have been the victims of intellectual property theft in the millions of dollars, one thing we hardly ever hear is, "Let's prosecute." Actually, the concept of prosecuting a cyber breach seems so quaint as to paint the utterer with the brush of someone hopelessly out of touch. We in the business know the chances of a successful capture and prosecution of those responsible for a given act of cyber crime are nearly nil (unless you've gotten exceptionally greedy, irritated the FBI or US Secret Service, gotten your hack in Time or stolen the email of someone famous).
In fact, at this point, calling the authorities after you're hacked won't actually get you much. With my vandalism example above, at least the cops could provide directed patrol of your headquarters. No one's gonna patrol your network. Criminals and victims know this: When non-tough-guy Ashton Kutcher goes all Charles Bronson and says he's "coming for" those who hacked his Twitter account, law enforcement's failure to provide a deterrent is highlighted. Outside those very high-profile cases, you're pretty much out of luck when it comes to getting law enforcement help on a computer crime.
Sometimes, that's good. Victims consider reporting a cyber attack very risky. They fear the agency will leak, customers will get wind and, God forbid, take their money elsewhere. The last thing anyone experiencing a serious breach needs is to take that risk and report a cyber attack, only to have the agency send over a couple of inexperienced EnCase jockeys -- who all too often botch the forensic capture -- while the victim spends six, 12 or even 18 months waiting before hearing, "Crap. They got away." The wheels of justice grind slowly, but seriously?
Before we go too Emile Zola on law enforcement, though, let's recognize that since the victims are not choosing to report, we get the help we seem to be asking for. As I hear cries for new cyber legislation, I can't help but observe that we still have never taken the current laws -- under which cyber crimes are clearly serious crimes -- out for a spin. Without test cases, prosecutors at the state and local level can never learn which tools they really need, nor request the legislative changes that would actually be useful in prosecuting cybercrime.
The FBI aggressively asserts dominance in big cyber investigations, and its agents simply can't conduct a full-on investigation unless a federal prosecutor feels the case is strong enough to win hands-down and the victim is cooperative. Yeah, it happens as often as you'd expect.
Should the FBI be the only recourse to someone who's been hacked? I argue it should not -- local, county, state and tribal law enforcement agencies should not -- as they have -- abdicate responsibility to the FBI merely because prosecuting cyber crime is hard. Prosecuting aggravated assault, aggravated robbery and burglary is hard, too, but that doesn't mean the local constabulary gets to throw its hands (and by the way, our local tax dollars) up in the air and say, "Boy howdy! That there's a toughie. You better get you a G-Man."
Cybercrime is growing rapidly, and the money is highly compelling. In our forthcoming book, Will Gragido, Dan Molina, John Pirc and I go into some of these economics, but suffice it to say that the money is, like, really good. When he was at Microsoft in London, Ed Gibson gave me the best analysis I've heard to date about the criminal's perspective on their risk versus these great rewards. He said that if you commit a cybercrime there's almost no chance you'll get caught; if caught there's almost no chance you'll get prosecuted; get prosecuted and there's slim chance you'll get time; get time and there's no chance you'll serve anything like the whole ride. Under those conditions, what possible reason would there be not to commit cybercrime?
It is clear that the rapid growth of cyber crime is not the fault of the FBI -- they prosecute what they can and have taken on thousands of cases. The problem is that there are millions of cases to be investigated. Even if the FBI assigned all its nearly 14,000 agents and 22,000 professional staff to cyber, it'd still not be enough. Those other agents have been fighting crime, and that's still around, too. But when the odds are so stacked against any particular agency fighting this alone, would it make sense that anyone would claim to be "the" place to go for cyber? Einstein had some choice words on this subject, I think: insanity is doing the same thing repeatedly and expecting different results.
To get others interested, though, we need to have a better understanding of cyber crimes that go unreported. What particularly interests me is that these appear to comprise the majority of cyber crimes against small American businesses. In my experience, these small and even very large businesses would rather eat the loss than get involved with law enforcement. But I have no hard proof that this is the case -- and if it is the case, specifically why. I can guess, but we've all been doing that for some time now, and it's not working out too well.
There are, to my knowledge and the knowledge of lots of people I've spoken with, no good metrics about how many corporations call the po-po when they get their kit messed with. It seems -- through totally unscientific observation of my own -- that we're not asking for help. The answer is always, "No" until you ask.
No one is asking. No one -- certainly not the FBI -- can tell us how much money was lost to cyber crime last year. We're not even asking how, without any metrics at all about cyber crime, the FBI came to its request to increase its 2012 cyber crime fighting budget by the oddly specific sum of $18.6m. And by what criteria was that request judged to be perfectly accurate by a congressional committee?
Let's get some metrics. Let's start with who's getting hit and not calling the police. To get there, I'm running a (still unscientific but better than mere observation) survey to discover whether people call the authorities when they're hacked. If we get enough responses (I think we probably need a few hundred to be able to take the results seriously) then we can look at ways to collaborate with those in the information security and law enforcement communities to see what each side needs to interact more with the other.
The survey is up at surveymonkey.com. I hope you take it.
Nick Selby is partner, enterprise security, in N4Struct Inc. for whom he consults large organizations on computer network intrusions and industrial espionage. He is a sworn Texas police officer who serves at an agency in the Dallas-Fort Worth area, and co-author of the forthcoming Blackhatonomics (Syngress).