Secret Service head calls for cybersecurity cooperation

Companies should report data thefts, says Ralph Basham

Companies with compromised data have a duty to report that information to investigators to keep others from being victimized, the director of the U.S. Secret Service said yesterday.

The Secret Service, which has jurisdiction to investigate financial crimes as well as protect the U.S. president, is working hard to prevent Internet-related crimes such as identity theft, but it needs assistance from private companies, said Secret Service Director Ralph Basham, who spoke at an event on organized cybercrime in Washington. The event was sponsored by the Business Software Alliance and the Center for Strategic & International Studies (CSIS).

"Information is the world's new currency; information has value," Basham said. "Information discloses our vulnerabilities and systemic weaknesses, and therefore ... compromises of information must be aggressively investigated."

Compromises that affect just one company are increasingly rare in a world connected by the Internet, he said. "The days when a single institution guards the system intrusion as a secret are no longer acceptable," Basham said. "An intrusion for one represents a collective threat for us all."

Still, the sharing of information between law enforcement agencies and private industry needs significant improvement, said a group of IT security experts at a panel discussion after Basham's remarks. Technology that could help reduce cybercrime does exist, but law enforcement agencies conducting investigations often don't immediately share information about new threats, said Albert Sisto, president and CEO of Phoenix Technologies Ltd., a security software vendor in Milpitas, Calif.

Federal law enforcement agencies are trying to share more information, but it's often difficult to disclose information without compromising an active investigation, said Kimberly Peretti, a lawyer in the Computer Crime and Intellectual Property Division at the U.S. Department of Justice.

The Secret Service is working on ways to distribute information faster, said Brian Nagel, assistant director for investigations at the Secret Service.

Most panelists agreed that technology can help fight organized cybercrime, but they also called for other changes, including better international cooperation among law enforcement agencies and more tools and training for law enforcement agents. Cybercrime cases cost more to investigate than traditional crime, Nagel said.

A combination of technology, law enforcement resources and laws is needed to combat cybercrime, said Bill Conner, CEO and chairman of Entrust Inc., a security vendor in Addison, Texas.

But a number of federal laws passed in recent years haven't done as much to raise awareness about data security as one California bill, which became law in 2003, requiring companies with data breaches to notify victims, he said. Other states are now working on similar laws, and U.S. lawmakers have introduced similar federal legislation.

Technology alone can't solve the problem, Conner said. "Technology is used by the good guys, and it's used even more by the bad guys. They've got lots of money."

Panelists defined organized cybercrime as loose groups of criminals that meet through Web sites or chat rooms, not Mafia-style organizations. The groups often work together for short times, then disband, Peretti said. That transitional nature of cybercrime rings makes prosecution an effective tool against such groups.

"The deterrence aspect works, because it says to the online criminals that are maybe the new emerging criminals that you can't be online anonymously, that you can and will be caught," Peretti said. "The second thing it does is it disrupts their trust. They operate on the Internet ... and they don't necessarily know who they're dealing with. What investigations can do is say: 'We have law enforcement agents out there, and we're going to disrupt that trust.'"

Peretti and Basham highlighted Operation Firewall, an investigation spearheaded by the Secret Service that led to 33 arrests in the U.S. and six other countries. The operation, announced in October, led to charges related to identity theft, computer fraud, credit card fraud and other crimes and may have prevented hundreds of millions of dollars in damages to victims, Basham said.

Although the cybercriminal rings aren't formally structured like traditional organized crime, they are no longer teenagers hacking from their basements for their own amusement, the panelists said. Today's cybercriminal steals data for profit, said James Lewis, director of the Technology and Public Policy Program at CSIS. "This is a professional sport now."

Asked if cybercriminals are winning the war, the Secret Service's Nagel said no, but he encouraged companies that deal with data security to establish relationships with law enforcement investigators before a crisis.

But Jody Westby, managing director of the security and privacy practice at PricewaterhouseCoopers, seemed to disagree with Nagel, saying that only about 5% of cybercriminals are caught. Westby called for a national law that would create a do-not-issue database, where those who sign up could require credit card and banking companies to make personal contact with them before opening new accounts in their names. Such a national list would help reduce ID theft, she said.

Awareness about cybercrime is rising among corporate leaders, with recent headlines focusing on victims of ID theft and so-called phishing, Westby said. "Senior-level management is starting to wake up and realize this is a real management issue," she said. "They're really starting to realize cybercrime is a boardroom issue."

Copyright © 2005 IDG Communications, Inc.

  