U.S. government agencies are getting better at sharing information about cyberattacks with private companies, but cybercrime shows no signs of slowing down, cybersecurity experts told lawmakers Wednesday.
The U.S. Secret Service, the FBI and the Department of Homeland Security work closely together to combat cybercrime, witnesses from the three organizations told a subcommittee of the House Financial Services Committee. But criminals are taking advantage of the growing amount of personal information online and the ability to share attack tools and strategies over the Internet, said A.T. Smith, assistant director of the Secret Service.
"The Secret Service has observed a marked increase in the quality, quantity and complexity of cybercrimes targeting private industry and critical infrastructure," he said.
The FBI is investigating more than 400 cases involving unauthorized wire transfers from bank accounts of U.S. businesses, said Gordon Snow, the assistant director there. Those 400 cases involved the attempted theft of $255 million, with actual losses of $85 million, and the cases involving the takeover of accounts represent just one type of attack against financial systems, he said.
Snow also listed recent examples of payment processor breaches, stock trading fraud, ATM skimming, mobile banking attacks and other schemes targeting the U.S. financial system. Cybercriminals' capabilities are at "an all-time high," although combating cybercrime is a top priority for the FBI and other agencies, he said.
The annual cost of cybercrime is about $388 billion, including money and time lost, said Brian Tillett, chief security strategist at Symantec. That's about $100 billion more than the global black market trade in heroin, cocaine and marijuana combined, he said.
The financial services industry, the focus of Wednesday's hearing, is a top target for cybercriminals, Tillett said, but he also praised cybersecurity efforts there.
"The financial services industry generally, has been ahead of the curve on cybersecurity, recognizing the importance of these issues long before they were common in daily headlines," he said. "Thus, the need for action is not so much an issue of additional legislation or regulation, but rather an issue of responding to evolving threats by implementing mitigation and protection measures."
Subcommittee Chairwoman Shelley Moore Capito asked if the DHS and other agencies were sharing information about cyberattacks with each other and with private companies.
Employees of private companies with security clearances now have access to the DHS National Cybersecurity and Communications Integration Center (NCCIC), which coordinates cyberincident response efforts within the U.S. government, said Greg Schaffer, acting deputy under secretary at the DHS. U.S. agencies have also provided assistance to the financial services industry during cyberattacks, he said.
"We are in a better place today, in terms of information sharing, than we've been in the 15 to 17 years I've been in this space," Schaffer said. "We have certainly made a lot of progress."
Snow agreed, but said the sharing still needs to happen faster. If government officials wait to exchange information face-to-face, it's often too late to stop a threat, he added.
"We go from manual speed to network speed," Snow said. "This threat comes at us in nanoseconds."
Rep. Steve Pearce (R-N.M.) asked what percentage of cybercrime reports are prosecuted and what percentage result in a conviction. Snow and Smith said they didn't have that information immediately available.
The Secret Service made about 1,200 cybercrime-related arrests last year, resulting in the prevention of about $7 billion in losses, Smith said.
Pearce asked how often the three agencies representatives have met about cybersecurity issues. Snow said he's met with Smith and Schaffer more than 150 times. "Sometimes we have meetings even when we don't want to have meetings," he said.
Pearce also asked the agency officials about the percentage of cybercrime that goes undetected by government investigators. The problem may be much worse than statistics show, he said. "How many attacks are coming in that we don't even know about?" Pearce said.
That's difficult to judge, because there's no law requiring private companies to report most types of cybercrime, Schaffer said. "We know what we know about," he said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is email@example.com.