If you were to play Dr. Phil with your management, what do you think its greatest anxiety would be?
In this era of hurricanes, war, and terrorist attacks, you might believe that the greatest fears would be the physical security of the IT infrastructure. Or you might believe that companies in the global economy are most afraid of losing their competitive edge as they struggle to keep legacy software up-to-date with demands. If you are currently seeking work in the field of IT, you might even hope that they were worried about replacing the IT talent that is scheduled to begin retiring over the next decade.
Yet, according to a survey conducted by IBM last March, cyber-crime is probably your company's Number 1 fear: Management feels less than confident that it has a cohesive and coordinated plan to address the threat. Moreover, it has begun to recognize that whatever plan it implements will soon be outdated as organized crime becomes increasingly savvy with advanced IT technology.
IBM Quantifies the Fear
With input from 600 CIOs or other qualified individuals, the IBM survey revealed that 84 percent of IT executives of U.S. businesses believe that organized criminal groups possessing technical sophistication are replacing lone hackers in the world of cyber-crime. Moreover, almost 75 percent of the respondents believe the threat from unprotected systems in developing countries is an uncontrollable problem. Finally, 74 percent say that threats to corporate security are now coming from inside their own organizations.
Jurisdiction
Perhaps the most difficult problem in addressing the issue of cyber-crime is identifying who is responsible for protecting IT assets and enforcing the laws that are already on the books.
According to the Department of Justice (DOJ), "The primary federal law enforcement agencies that investigate domestic crime on the Internet include: the Federal Bureau of Investigation (FBI), the United States Secret Service, the United States Immigration and Customs Enforcement (ICE), the United States Postal Inspection Service, and the Bureau of Alcohol, Tobacco and Firearms (ATF)." However, if a crime is committed, in addition to these federal agencies, you are also required to file a complaint with both local and state law enforcement as well as international agencies, depending on the scope of the crime.
For instance, the DOJ says that crimes associated with hacking should be reported to the local office of the FBI, the U.S. Secret Service, and the Internet Fraud Complaint Center. Internet fraud and spam should be additionally reported to the Federal Trade Commission and the Securities and Exchange Commission. If there is suspected trafficking in child pornography, the U.S. Postal Inspection Service should also be notified. If there is a bomb threat sent via the Internet, the ATF office should be notified.
Each of these agencies has its own forms and procedures that must be followed to initiate an investigation.
Coordination for Cyber-Crime Lacking
The DOJ has not identified a specific agency to handle corporate identity theft on the Internet, one of the most frightening crimes for CFOs. (For recent articles on identity theft in MC eServer Insight, see "Evil Ones Lurking" by Carol Woodbury and "Corporate Identity Theft" by Thomas M. Stockwell). No specific agency has been identified to handle the theft of data itself, such as vital corporate employee or payroll records.
Yet, according to the survey conducted by IBM, nearly 60 percent of U.S. businesses believe that cyber-crime is more costly to them than physical crime. In these executives' minds, it's as though they are conducting business with a warehouse of goods that is sitting unprotected by local and federal law enforcement. No wonder they are concerned.
Handling the Threat
According to the IBM survey, 83 percent of U.S. organizations are responding to the increased/changing threat of cyber-crime in a number of ways:
- Seventy-three percent are upgrading their virus software.
- Sixty-nine percent are upgrading their firewall.
- Sixty-six percent are implementing intrusion detection/prevention technologies.
- Fifty-three percent are implementing vulnerability/patch management systems on their networks.
This is old news to IT professionals, but is it really enough to stem the flow? It's hard to say because, with so many federal and local agencies involved, there is no centralized database of cyber-crime statistics.
What We Know About the Problem
The last DOJ effort was a pilot survey conducted in the second half of 2002. In that pilot, consisting of 500 sampled companies, fewer than half responded to the survey. Of that number, 75 percent reported that they had detected at least one incident of cyber-crime. Fewer than 12 percent reported the incidents to law enforcement. Yet 68 percent of those that indicated they had experienced an incident said they had incurred losses. The total losses reported were more than $68 million.
That survey was conducted almost five years ago, and the odds are that—considering the level of sophistication that organized crime is believed to have achieved—the losses today have not decreased, but have increased substantially.
Federal Priorities
Given the potential threat against the U.S. economy, one would suppose that cyber-crime would be a hot topic at the Department of Homeland Security (DHS), but unfortunately the job of assistant secretary for cyber-security and telecommunications remains open, as it has been since Secretary Michael Chertoff created it last October.
According to reports from Capitol Hill, members of Congress are very upset about the lack of movement by the DHS, and their concerns became known when the House Homeland Security Committee began finalizing the Homeland Security Science and Technology Enhancement Act of 2006 (HR 4941). An effort by the committee's Democratic members to specify $50 million for cyber-security upgrades failed on a party-line vote of 15 to 13, and unfortunately this will leave it to the appropriations committee, which is less familiar with the issue, to determine the priority of the department's spending.
"The lack of progress on cyber-security is of grave concern," said Rep. Zoe Lofgren (D-CA). Lofgren believes it's vital to elevate the post of secretary for cyber-security within the DHS.
Other members of Congress agree. Representative Loretta Sanchez (D-CA) has said, "There is very little leadership coming out of the department on cyber-security." Sanchez was the sponsor of the amendment to HR 4941 that would specify an amount for additional cyber-security spending.
A Defense Issue
Instead, Congress has moved money to the Department of Defense (DoD) to spend on cyber-security. "In the Defense budget, we have put hundreds of millions of dollars in for information dominance," Rep. Curt Weldon (R-PA) said. He also said that the Pentagon now has programs to fund universities to launch cyber-security study centers and to expand the military's own cyber-security programs. In addition, the committee sent to the House a bill that directed DHS to launch several cyber-security efforts, including mitigation and recovery technologies; modeling, test-bed, and data set development for cyber-security research; secure Internet protocols; and voluntary standards for critical infrastructure systems.
In other words, the extent of the DHS involvement has been lowered to that of a funding mechanism for basic cyber-security research, with no law enforcement capabilities.
What the DOJ Is Doing
Meanwhile, the DOJ does what it can on the cyber-crime front. On its Web site the department lists its latest successful convictions:
- Florida Man Sentenced for Causing Damage and Transmitting Threat to Former Employer's Computer System (July 13, 2006)
- Former Technology Manager Sentenced To A Year In Prison For Computer Hacking Offense (June 23, 2006)
- North Carolina Man Charged with Illegally Accessing American College of Physicians Database (June 15, 2006)
- Former Federal Computer Security Specialist Sentenced for Hacking Department of Education Computer (May 12, 2006)
- "Botherder" Dealt Record Prison Sentence for Selling and Spreading Malicious Computer Code (May 8, 2006)
- California Man Pleads Guilty in "Botnet" Attack That Impacted Seattle Hospital and Defense Department (May 4, 2006)
Considering the scope of the problem and the potential threat to the U.S. economy, it's important to note that all of these convictions were the result of local and regional efforts on the domestic front.
The last globally reported arrest of individuals involved in international cyber-crime was the capture in 2005 of the authors of a Windows 2000 worm called Zotob. In that case, the authors were physically located in Turkey and Morocco, and the FBI chose not to extradite the offenders. Even so, it is doubtful that the FBI would have located them had Microsoft not provided them—through its analysis of the worm code—with the precise location of the criminals. Since then, few law enforcement successes on an international level have been reported.
U.S. vs. International Business Concerns
In this regard, it appears that U.S. firms concerned with cyber-security are forced to go it alone until the government begins to treat the threat with more sensitivity.
Yet, in a global economy, the issue of cyber-crime knows no boundaries. According to the IBM survey, the U.S. and international business communities share the same concerns when it comes to the key costs associated with cyber-crime. Both groups indicated that loss of revenue (63 percent U.S. versus 74 percent international) and loss of current customers (56 percent U.S. versus 70 percent international) would have the highest cost impact should their organizations fall victim to a cyber-crime.
Damage to their brand/reputation is of much higher concern to international businesses than those in the U.S. Over two-thirds (69 percent) of international businesses cited this to be a key cost associated with cyber-crime, compared to only 40 percent of U.S. businesses.
U.S. businesses are equally concerned about the loss of their current and prospective customers (56 percent for each) compared to the international community, which is more concerned with losing current customers (70 percent) and less concerned about losing prospective customers (33 percent).
FIRST.org
Yet, despite the lack of interest in Washington, the requirements for international cooperation for cyber-security are well known. In its white paper "International Coordination for Cyber Crime and Terrorism in the 21st Century," the Computer Emergency Readiness Team (CERT.org) identified the challenges of creating a framework by which international technical and law enforcement communities could approach the issue on a global basis. "There is an urgent and ongoing need to provide a global infrastructure to provide a fast, effective, and comprehensive response to computer security incidents on a local, national, and international scale. At this time, there is no infrastructure to support a coordinated global incident response effort," CERT says.
In the 1990s, such concerns led to the establishment of the Forum of Incident Response and Security Teams (FIRST.org), which now has over 170 members. FIRST.org was designed to act as an international clearing house for technical threats from cyber-crime, such as viruses, worms, and Trojans. FIRST.org has representatives from 19 countries and provides a closed forum for teams to share experiences, exchange information related to incidents, and promote preventive activities.
However, though DoD and the U.S. Postal Service are active members, no representation from the DOJ is currently present, and the reporting mechanisms that emanate from FIRST.org focus on computer threats such as rapidly spreading viruses.
Recent FIRST Initiatives
On June 21, 2006, FIRST.org sponsored a conference in Baltimore, Maryland, in which Brian Nagel, assistant director of the U.S. Secret Service Office of Investigations, presented the keynote address "Building Effective Relationships between CSIRTs and Law Enforcement." Yet during the keynote, the conflict of focus between roles of the law enforcement community and the technical community became widely talked about, and it became clear that better coordination between the two was required.
Directions
Certainly, we are living and operating our businesses in a truly global cyber-space in which our advancing technologies have opened doors and windows to opportunists who will take advantage of their sophisticated knowledge to rob our enterprises. How extensive this trend has become is still not known, though the extent of what has been reported publicly is sobering. Business reputations and profitability are at stake, yet the federal government in the U.S. does not yet have a comprehensive law enforcement strategy. The results of its efforts are now focused upon finding the low-hanging fruit: the least-sophisticated offenders, who are easily identified when incidents are reported.
Federal policy currently seems to consider the threat of cyber-crime only insofar as it impacts the national security of the country. It does not seem to be aimed at coordinating international efforts to reduce levels of cyber-crime that will impact our business enterprises.
Technical communities have made strong efforts to alert businesses to potential threats and to reduce the technical vulnerabilities within our organizations. These same technical communities are working overtime to identify threats and fix software, both in the open-source environment and on the commercial software front. However, attempts to coordinate their knowledge with law enforcement officials have been hampered by a lack of agency funds at every level of government.
Meanwhile, business leaders who still fear this unseen threat must spend sleepless nights wondering who is accessing the company's data, who is stealing its secrets, and who is selling access to vital information that is stored in their systems.
In IT, we tend to see this first as a technical problem that requires our stringent attention, but it is more than that. It is an international epidemic of crime that is awaiting the right moment to inflict its impact upon our economy.
Are we truly secure? Of course not! Is our management aware of the threat? Certainly! Are we taking whatever actions we can to protect our organizations and our livelihoods? Yes! But it will take more than our individual efforts.
Industry experts analyzing the traffic on the Internet report that over 80 percent of what is being transmitted is spam. When a new virus attack commences, our organizations have literally seconds to identify and quarantine the offensive rogue agent. We are operating our businesses on the edge of catastrophic security meltdown, and we need coordinated federal and international assistance.
Where will we find it?
Thomas M. Stockwell is Editor in Chief of MC Press Online, LP.