Posted at 01:46 a.m. PDT; Tuesday, October 6, 1998
FBI team needs victims' cooperation to nab computer crooks
by Peter Lewis
Seattle Times staff reporter
Seattle's FBI office is in line for a high-tech upgrade - a team of agents
specially trained to counter a troubling trend, the rise of computer
crime.
But will it have much business?
Prosecutors and computer-security experts are concerned about one big
obstacle: a pattern of silence on the part of many computer-crime victims.
One prosecutor even likened the situation to rape, with victims worried
about being re-victimized if they go public.
Experts cite several reasons for the reluctance, including fear of drawing
attention to weaknesses that might attract other attacks, liability
questions, a perception that law enforcement isn't up to the task and
relatively light sentences when offenders are caught.
For each of the past three years, the number of organizations reporting
computer break-ins to law enforcement has held steady at 17 percent of
those surveyed, according to the Computer Security Institute, a San
Francisco-based international group serving information-security
professionals.
Even so, Seattle's new unit is part of a larger national effort to boost
confidence in law enforcement's ability to fight computer crime. The unit
would add 11 agents to the regional office, plus about a half-dozen
non�agent technical analysts with a computer-science background.
"As we become more and more dependent on computer communications, it's
going to replace a lot of things, and it's important to protect those
things," says federal Prosecutor Steve Schroeder, the "computer guy" in
the U.S. Attorney's Office in Seattle. To add prosecutorial oomph, a
second assistant, Floyd Short, is joining Schroeder to handle
computer-crime cases.
Officials at FBI headquarters in Washington, D.C., say their proposed 1999
budget includes $11.6 million to cover the cost of the new Seattle squad
as well as five similar Computer Analysis and Response Teams around the
country. Funding comes in part from money freed up from Cold War-era
counterintelligence activities. A handful of big cities, including New
York, San Francisco and Washington, D.C., already have such squads.
The unit will assist in cases where computers facilitate crime - such as
in child pornography, drug-dealing or financial crimes.
At a more sophisticated level, the unit will help investigate intrusions
into computer networks, sometimes pulled off by "recreational" hackers,
but more commonly by disgruntled employees with access to corporate
computers.
The Seattle unit could also be called upon as part of a larger response to
cyberterrorists intent on pulling off the electronic equivalent of the
World Trade Center bombing. Instead of targeting buildings, dams or
planes, such terrorists could attack power grids, military defense,
financial institutions or telecommunications systems. What's more, they
could do it from overseas with inexpensive equipment at no risk to their
personal safety.
Some examples illustrate the problem:
-- In 1994, criminals operating in several countries hacked into the
Citibank Cash Management System that is used for functions such as wire
transfers. They attempted 40 transfers totaling $10 million.
-- Late last year, authorities in this country and Israel arrested three
teenagers who are suspects in a series of intrusions into Department of
Defense and other government agencies' computers.
-- Earlier this year, a Massachusetts teenager pleaded guilty to having
crippled an airport's control tower by using a computer to disable voice
and data communications.
Statistics are scarce
"Roughly two years ago, the FBI had 100 pending (computer intrusion)
investigations. . . . Today, we have over 500," says Ken Geide, section
chief for the Computer Investigations and Operations section of the
National Infrastructure Protection Center, based in Washington, D.C.
The mission of the center - a relatively new agency composed of
law-enforcement, intelligence and other government officials - is in part
to coordinate response to cyberattacks and to collect reliable data on
them.
Computer-crime statistics are scarce. For example, the most current
figures, from fiscal 1997, show that the number of FBI arrests increased
950 percent from the previous year. That's not terribly meaningful,
though, because the number of arrests jumped from four to 42.
In a similar vein, findings from a 1998 survey conducted jointly by the
FBI and Computer Security Institute indicate that computer crime is on the
rise.
In a survey of 520 U.S. corporations, government agencies, financial
institutions and universities, 64 percent reported information-security
breaches. Total financial losses from the 241 organizations that could put
a dollar figure on the incidents added up to nearly $137 million, a 36
percent increase from the previous year.
Given this trend, Prosecutor Schroeder thinks it's good news that the
local FBI office has been designated to receive a computer-crime squad.
Still, it will be of limited value if victims don't report intrusions. And
all indications are that computer crime is seriously underreported, both
locally and nationally.
"It's been relatively quiet," Schroeder says of his computer-crime
caseload. "I'm continually amazed at how few (criminal) referrals we get
from the big boys," including Microsoft. "There's a mindset that if (a
break-in) gets publicized . . . that hurts their image and business."
"They just don't come in," echoes King County Deputy Prosecutor Ivan
Orton, who has been handling computer cases for the county under state law
since 1984. He says he averages about two or three cases a year.
"I cannot imagine that King County is not a hotbed of criminal computer
activity," says Orton. "There's too many computer companies and people who
know how to do this stuff."
He recounts a case from the mid-1980s when an 18-year-old on the Eastside
got into at least 50 companies' computers - and only four complained to
police.
`Fear and embarrassment'
Of victim reluctance, Orton says: "It's a combination of fear and
embarrassment." There's also a cost-benefit factor.
When businesses weigh the time and costs of prosecution, the need to give
investigators access to confidential records and publicity likely to paint
them as "the big dumb company vs. the smart, clever hacker," they usually
opt to handle intrusions internally, Orton says. The atmosphere reminds
him of old "blame the victim" attitudes toward sexual assaults.
At Microsoft, Howard Schmidt, director of information security,
acknowledges that his team regularly detects people trying to get into the
software giant's networks.
But many would-be intruders are not worth reporting to law enforcement, he
says, because they don't do enough damage.
"You shut them (the intruders) off," says Schmidt. "There's not a whole
heck of a lot that someone's going to be able to do with it, or should do
with it." He described repelled computer break-ins as "attempted crimes."
"By the same token, if it (the intrusion) is destructive, we'd report it,"
Schmidt adds.
In the year he's been at Microsoft, Schmidt says the company has made four
referrals to law enforcement. Each is still pending, and he declined to
disclose details.
The federal fraud-and-abuse computer statute was shaped in part by a
6-year-old Seattle case, Schroeder recalls. In that case, two young Puget
Sound area men hacked their way into the computer system maintained by
U.S. District Court, and downloaded an encrypted password file.
Then, the duo got into a Boeing supercomputer, which had the ability to
decrypt the courthouse password file, Schroeder says. That move gave them
"superuser" status in the courthouse system, meaning they could read,
alter or delete any file in the system.
At the time, Schroeder recalls, the federal computer-fraud statute covered
interference with authorized use of a government computer but not simple
"trespass." Somewhat sheepishly, Schroeder now acknowledges it was "a
stretch" to charge the pair as he was forced to.
(Both young hackers pleaded guilty to misdemeanors; their probationary
sentences were subsequently revoked, however, and they pleaded guilty to
felony charges stemming from their hacking into the computerized guest
registry at the Red Lion Inn in Bellevue to steal credit-card numbers.)
Congress amended law in 1994
Privacy and monitoring shortcomings highlighted by the Seattle case caused
Congress to amend the law in 1994 to make simple trespass a crime and to
give system-monitoring privileges to data network providers, Schroeder
says.
Separate from the Seattle case, and perhaps more significant, the law was
also broadened two years ago to cover computers used in interstate or
foreign commerce or communications. Essentially, that includes anyone
connected to the Internet.
Formerly, "protected" computers were more narrowly defined as those used
by or for the federal government. Federal law now also allows private
parties to recover damages when there's unauthorized access.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Wed Oct 7 08:31:08 1998