Global cybercrime prosecution a patchwork of alliances

We don’t hear much about John Dillinger-style bank robberies these days, with exciting police chases to the state lines. In 2015, there were 4,091 traditional bank robberies in the US, according to the FBI, with an average loss of less than $4,000 per incident. No customers or bank employees were killed in any of these robberies, though eight would-be robbers were killed.

The clearance rate for traditional bank robberies is around 60 percent, while the proportion of criminals that escape could be even lower, if they commit more than one robbery — the FBI currently has fewer than 500 people on its list of wanted and unidentified bank robbers. In most cases, the FBI has a picture of them, and a description, posted on its website.

The combination of bank insurance, surveillance cameras and other security features, and national-level enforcement has made bank robberies not exactly a non-issue, but not something most people are worrying about.

But when it comes to protecting money from cyber criminals, we’re nowhere near there yet.

Cyber insurance is still in its infancy and there’s no digital equivalent of surveillance cameras.

But one of the biggest issues is that unlike traditional bank robbers, who used to try to escape by driving their getaway cars across the state lines, modern cyber-crooks hide overseas. International cooperation is required to catch them and there is no global equivalent of the FBI when it comes to cybercrime.

Instead, according to experts, what we have is a patchwork of alliances, cooperation agreements, political maneuvers and back-channel negotiations – which may or may not be effective.

The rise of international task forces

This past November, a coordinated effort by international prosecutors and investigators brought down the Avalanche botnet, which was estimated to have cost its victims hundreds of millions of dollars. More than 200 servers and 800,000 domains were taken down, and the ringleaders arrested. The action was coordinated by Europol, and involved Eurojust, the FBI, the US Justice Department, the German law enforcement authorities, and many other agencies, from more than 40 countries.

A couple of months earlier, two hackers had been arrested in Israel for running the vDOS DDoS-as-a-service business, after being tipped off by the FBI.

Also in November, Europol announced 178 arrests related to cybercrime money mule operations. The crackdown involved Europol, Eurojust, the Joint Cybercrime Action Taskforce, the U.S. Secret Service, the FBI, the European Banking Federation, and law enforcement organizations from 16 European countries.

In December, “Operation Tarpit” resulted in the arrests of 34 people for paying for DDoS attacks. Investigations and arrests were conducted in Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States. Again, the operation was coordinated by Europol.

Last summer, a joint effort between Interpol and the Nigerian authorities resulted in the arrest of a hacker believed to be responsible for $60 million worth of business email compromise and other scams. Also last summer, a Russian citizen was convicted of 38 hacking-related charges after being extradited from Guam.

Last year, the FBI also worked together with authorities in Belarus to arrest the operators of the Bugat botnet, which stole banking credentials. In April, Algerian citizen and SpyEye hacker Hamza Bendelladj was sentenced to 15 years in prison after being extradited from Thailand. In October, a Kosovo cyber terrorist who helped ISIS was sentenced to 20 years in prison after being extradited from Malaysia.

Then there was the sentencing of “Guccifer,” also known as Marcel Lazar, to 52 months after hacking and leaking Colin Powell and Sidney Bumenthal’s emails. He had been extradited from Romania for the trial, and then returned to that country to serve out a seven-year prison term for another crime before he comes back to serve his time in the U.S.

Progress has also been made in international efforts to combat ransomware, according to Raj Samani, vice president and CTO at Intel Security at Intel.

The No More Ransom project originally launched last summer with Intel, Kaspersky, the Dutch National High Tech Crime Unit, and Europol. Since then, more than two dozen other police agencies have joined up, including and many other private firms.

“It’s a global, international, coordinated effort,” said Samani. “It’s not just about advice, but about collaboration on the identification of infrastructure and seizure of decryption keys. If we have ransomware infrastructure that is hosted in a jurisdiction where one of our partners is involved, it makes it very easy.”

And even when a country isn’t part of the project, he said that cooperation has been improving when it comes to taking down ransomware infrastructure.

“Certainly there are bullet-proof hosting providers out there,” he said. “This is the game of cat and mouse that we play. They will do everything they can to obfuscate, to hide and we will do everything we can to uncover them and seize the infrastructure and bring an end to it. But, personally, I’ve never come across a country where we said, ‘Oh, they’re not helping at all.’ I think it’s progressively getting better.”

Not all security experts are quite that optimistic, however.

“From what I’ve seen, personally, there are a lot of good efforts,” said David Venable, vice president of cybersecurity at Masergy Communications.

Venable has previously worked for the NSA for several years. Now, at Masergy, he helps companies with international cybercrime investigations.

He said that it can be difficult to go after the smaller fish because the global cybercrime law enforcement processes aren’t well developed yet.

“And as long as there are any countries that aren’t cooperating, hackers around the world will use that country’s infrastructure to launch attacks,” he added.

For cybercrime, the area of the world where the cyber criminals can easily operate have been shrinking, said Lance James, chief scientist at security research firm Flashpoint.

“And it’s also not been shrinking,” he added. “What happens is that when it shrinks, it creates market demand, so they’ll invest in more pipes into Russia or other places we can’t get at. So it’s shrinking, but they’ve adapted. It’s literally whack-a-mole.”

What doesn’t help is that many countries have different definitions of what actually counts as a crime.

For example, when Mark Weatherford, senior vice president and chief cybersecurity strategist at vArmour, was working for the Department of Homeland Security, where he was the deputy under secretary for cybersecurity, one of his challenges was working with other countries to establish lines of communication about how to deal with cyber issues.

“I was at one institute three or four years ago, and there were 174 countries at the meeting, and we were challenged on just coming up and agreeing on terms,” he said. “What does cybersecurity mean? What does cybercrime mean?”

Organizations are seeing an inadequacy in public policy in the U.S., where they have to sit on their hands, and criminals can do anything they want.

Mark Weatherford, senior vice president and chief cybersecurity strategist at vArmour

The U.S. might say that a cybercrime occurred because there was a data breach, or cyber espionage.

“But another country may say, depending on the circumstances, ‘We don’t think a crime was committed, so we’re not going to comply with extradition,'” he said.

Then there’s the thorny question of state-sponsored actions, he added. “We go to other countries and say, ‘We want you to extradite.’ But what if Russia came to us, and said, ‘We know there were people in your government responsible for some activity, and we want you to extradite a government official or a general to Russia to face trial for this crime’?”

“I don’t know how we would feel about that,” he said.

This is an area that requires the international community to come together and create some norms, he said, that everyone could agree to.

The new European Union General Data Protection Regulation, which goes into effect next year, will help set some standards, he said.

And the Tallinn 2.0 cybersecurity manual was released earlier this month, he added, which should lead to more organizations talking about the issue.

“It was led by NATO and there were 19 different countries that participating in its drafting,” he said.

The European Union has seen great success in its cybercrime prosecution efforts with the establishment of Europol and its cyber-capabilities, said Eddie Schwartz, member of the ISACA Board of Directors and executive vice president of cyber-services at Dark Matter. Previously, he was global vice president of cybersecurity services for Verizon, and vice president and CISO for RSA.

Asia is also stepping up, he said, and Interpol recently opened a cyber center in Singapore.

“Where you find problems is countries where you have a significant cybercriminal presence that haven’t signed up for the same amount of cross-border collaboration,” he said. “For example, Russia comes to mind as a country where it’s been very difficult for western law enforcement to reach across the border, to provide evidence of criminal behavior, and to obtain cooperation and actual prosecution.”

Some countries turn a blind eye to cybercrime, or even use criminal groups as proxies, he said.

It’s particularly frustrating that companies that have been hit by cybercrime can’t call in the authorities, like they can if there was a traditional robbery — and they also aren’t allowed to take the law into their own hands.

“In the case of cyber attacks, what we’ve seen until recently is that corporations are simply told that they’ve been hacked — maybe — and left to their own devices,” he said. “It’s not like there’s some sort of cyber police. Everyone is just told do a better job with security.”

If the situation doesn’t improve, organizations might considering become a little bit more proactive, more offensive, in their approaches, he said.

“In the U.S, it’s illegal for commercial organizations to hack back if they detect hacking or gather information on attackers and provide it to law enforcement if that information would be obtained illegally,” he said. “But it is theoretically possible to employ such forces who operated from other countries where those types of activities aren’t considered illegal, which is considered a gray area. Well, I suppose law enforcement in the U.S. wouldn’t consider it a gray area, but organizations are seeing an inadequacy in public policy in the U.S., where they have to sit on their hands, and criminals can do anything they want.”

Meanwhile, there are steps that enterprises can take to help in this fight, and progress has been made on this front, said Bill Conner, CEO at security firm SonicWall, which was recently spun out of Dell.

The first thing, he said, is that enterprises need to share more information with one another.

“And that is happening,” he said. “Over the last five years, the cooperation between banks about cyber has dramatically increased, and that’s a good thing. And all enterprises, not just banks, are reporting more and more not just to the FBI, but to local law enforcement.”

It can seem daunting, he added.

“You feel like you’ve handed over the data and they have all the cards and you can’t see them,” he said. “So there’s still an issue. Most of the time, law enforcement could be more helpful about giving color about things to do and talking about what’s happening.”

Tough political climate for cooperation

In 2015, former President Barack Obama and Chinese President Xi Jinping signed the U.S. China Cyber Agreement.

“They should be given a lot of credit for setting the stage on what international cyber governance and law could look like,” said James Carder, CISO at security firm LogRhythm.

And early last year, President Obama announced the Cybersecurity National Action Plan, which provides for cybersecurity information sharing not only between the public and private sectors in the U.S., but also with other governments and agencies.

Another big step towards taking cyber attacks more seriously was NATO’s decision last summer to make cyber operations part of its domain, in addition to air, sea, and land.

“Now the question is, if we confirm an attack from another nation, what will the United Nations, NATO, and other allies do about it?” Carder asked. “These are components that are still undetermined and need to be figured out before we see international governance and global response to cyber attacks be taken seriously. Until then, you'll have countries that will continue to launch attacks without any real consequence.”

Protecting against cyber attacks would seem, on the surface, to be a bipartisan issue. Last year, most security experts would probably have predicted slow but steady progress.

Now, however, all the old assumptions about how things work have been upended.

For example, there have been concerns raised about whether the U.S. should continue to support the U.N., said Jon Condra, director of East Asian research and analysis at Flashpoint.

“If these kinds of organizations start breaking down or lose credibility, we’re going to be in a place where it’s going to be a lot harder to come to some sort of agreement,” he said. “Pulling away from international institutions that are designed to come to a consensus on major issues of international importance would have an impact.”

It’s the wrong time to try to make progress, said Anup Ghosh, founder and CEO at security firm Invincea.

Ghosh is a former offensive researcher with the Department of Defense, and points to the recent attempts to restrict international travel as one example of potential problems.

“The more we constrict and insulate ourselves from the world, the less likely our allies are going to cooperate from us, including on things like law enforcement actions,” he said. “Most of the cyber criminals that we try to chase down have been protected by Russia. Today, we typically get them when they travel abroad on vacation.”

On the other hand, he added, if cooperation with Russia does improve, then extradition could become easier.

Or not.

According to Flashpoint’s James, Russia has a different approach to cybercrime than the West does.

“They don’t look at it as crime, they look at it as business,” he said. “It’s not about them getting their act together. From their point of view, they have their act together.”

“In the current geopolitical environment, it seems really unlikely that the Russian and Chinese governments will be willing to cooperate on cybercrime investigations where the primary suspect is in China or Russia,” said Levi Gundert, vice president of threat intel at security firm Recorded Future.

Gundert previously worked for the U.S. Secret Service, and has also observed the important role that personal relationships play in international law enforcement efforts.

“You’d go to a conference, sit down with officials from other countries, drink some vodka, eat some cold cuts, and form these relationships of trust,” he said. “And that’s how some of the bigger cybercriminal cases happened. It may not be through official channels, but there’s a lot of cooperation that happens to get cases done.”

Even when, say, Russia is unwilling to extradite a cybercriminal, good relationships with other countries can help.

“There have been lots of high-profile cases of extradition from the Maldives and France and other countries where Russians tend to vacation,” he said. “That’s been very successful. When you can hamper these peoples’ ability to travel, it affects them.”