Ghosts in the machine

Hoover’s List

The FBI’s ‘Ten Most Wanted List’ was born in 1950, after a conversation between legendary Director J. Edgar Hoover and William Kinsey Hutchinson, the editor in chief of what became United Press International.  A published article the year before detailing Hoover’s most wanted ‘bad guys’ garnered so much positive publicity the Bureau created the list in response.

Contrary to popular legend, the list is not ranked.  As fugitives are caught, die, or their charges are dropped, they move up and down the list.  (Disappointingly, there isn’t really a ‘Number One on the FBI’s Most Wanted List’.)  And for nearly five decades that’s how the program worked. 

That all changed the day Leslie Isben Rogge turned himself in after a twenty year career where he robbed over thirty banks.  On May 19, 1996 Rogge become the first person on the Ten Most Wanted List to be apprehended due to the Internet.  The FBI hasn’t been the same since.

Ninety days after the 9/11 attacks the FBI informed the financial community that they would turn the job of investigating bank robberies over to local authorities whenever possible.  Bank robbers were largely a homegrown crime, so wherever local law enforcement was capable of handling it, the Bureau would concentrate its federal muscle on terrorism. 

Intelligence, cybercrime, technology, and security divisions were quickly spooled up to prepare for the new mission. It was the most profound change to FBI doctrine in decades. But what Director Robert Mueller didn’t fully appreciate at the time was the procedures that made the FBI so effective in physical robberies, would not work quite so well when it came to cybercrime.

Investigating bank heists involves a lot of traditional detective work.  There are employees and customers to be interviewed.  There is surveillance video that must be reviewed.  There is likely a getaway vehicle of some kind – so there may be ATM or street cameras with video.  The FBI would release a picture of the offender to the media and a lot of the time, someone recognized him and turned him in to collect the reward.

But things have changed. In 2010, the average bank robbery netted only $7500, so physical bank robberies are not as attractive.  Given the risk of capture, (or running afoul of a customer with a concealed carry permit), busting through the front door of a bank doesn’t make sense.  The FBI simply has more resources than the average unskilled criminal.

But criminals with skills – they are a whole other matter.

Skilled criminals don’t worry about cameras, or eye witnesses, or getaway vehicles.  Dye-pack rigged bags of money aren’t a deterrent when funds are digital.  And the FBI is way behind the curve on this skill set.

Many of the tools for breaking into financial networks are now automated, meaning they scour over bank databases 24/7 looking for weaknesses – an unsecured port, or a default 123456 password.  Only when an obscure vulnerability is discovered does an automated bot report back to a human interlocutor to take over the operation. 

No more faces to plaster on billboards or Facebook.  No eyewitnesses to interview.  No getaway vehicle.  Just a bunch of missing data – bank balances, social security numbers, or just about anything else.  And the bad guys simply slip away like ghosts.

Ghosts in the machine

The Bureau’s antiquated computer infrastructure has been the butt of jokes for years.  Until very recently, field agents often had to deal with blue screens of death when an office computer inexplicably locked up. 

Government recruiters have had a difficult time finding and keeping qualified cyber investigators.  Private sector opportunities offer better money, working hours, working conditions, and opportunities for advancement.  It means the FBI is now the underdog – under funded and dogged by a reputation as a technology backwater.

Tech companies can plead for nations to not hoard cyberweapons, but that’s like telling them to not build fighter planes or battle ships.  Do the Silicon Valley elite really believe the United States is not going to build up a digital arsenal when we know every other nation is racing to build their own?

That’s the blunt reality of what weaponizing cybercrime really means. Criminals that can be ‘trusted’ to give you back your data when a ransom is paid are one thing.  Others who permanently encrypt your data aren’t criminals, they’re anarchists.  They give criminals a bad rap. 

How do you know which group has seized your data?  You don’t.  And as a result, you don’t know who to trust.  Why pay if you don’t believe your corporate (or customer) data is going to be released?  This will change the decision making in ways no one, government or industry, has fully thought about yet.

The future

For banks, it means the days of government protecting the house truly are over.  Fingerprint and DNA evidence are becoming the footnotes of criminal yesteryear.  The pace of change, already fast, is now racing at a speed no getaway car ever dreamed of.  Unfortunately, the government is all too often driving the previous decade’s digital squad cars.

Financial institutions large and small are going to have to invest big money in protecting digital vaults full of figures – not just our bank balances but also our user ID’s, passwords and pin numbers, and so much more.  This is no longer an IT back office function – cyber is now the front lobby, the sign on the street, and the brand awareness. 

Perhaps most importantly, it is the dominant goodwill asset of the future.

(The author’s father was an FBI fingerprint specialist, recruited by J. Edgar Hoover in the 1960’s.)