Breaches Abound

By Dennis Fisher  |  Posted 2004-05-24

Actually, cyber-crime has been happening for years. It is only now entering the public consciousness, thanks to high-profile incidents like the BJ's theft and others, such as those perpetrated on Guess Inc. and MTS Inc.'s Tower Records unit.

In fact, of the 500 companies that responded to a recent FBI survey, 90 percent said they'd had a computer security breach, and 80 percent of those said they'd suffered financial loss as a result.

Today, online criminals use stolen credit card numbers as illicit currency. The information is traded for other commodities, such as Social Security numbers or access to networks of compromised PCs that can be used in distributed-denial-of-service (DDoS) attacks.

But as the cyber-crime rate climbs, security experts, consumers and even former government officials are questioning why federal lawmakers and administration officials have devoted so few resources to combating the menace. Many attribute the resource issue to the war on terrorism.

"There were decisions made that things like credit card investigations weren't worth it at that point," said one former federal law enforcement agent who was involved in cyber-crime investigations for more than a decade. "Cyber-crime was put on the back burner. Pure investigations into cyber-crime have diminished at the FBI and the Secret Service."

Indeed, in the months following the terrorist attacks of Sept. 11, 2001, counterterrorism became the highest priority for the FBI as well as the Secret Service, the two federal agencies responsible for the bulk of the government's cyber-crime investigations. That shift took its toll on the computer crime units at both agencies, and nearly 20 Secret Service agents who were working on cyber-crime at the time of the attacks were transferred to terrorism investigations.

"There's a broken spirit in the government as far as cyber-crime," the former agent said. "It's one of the most daunting tasks that law enforcement has ever had to deal with."

For those investigators at the FBI and Secret Service still responsible for handling cyber-crime—about 300 and 100, respectively—many are often pulled away from their regular duties to work on special details, which can lead to long delays in completing investigations.

"There just aren't enough agents to do what's required," the former agent said. "The response from the government hasn't been commensurate with the problem. The big investigations that you see on TV with the press conferences were the exception, not the rule. They're just showpieces. Having a massive investigation every six months is inconsequential when you have a crisis going on."

According to government and law enforcement officials, the lack of interest in fighting cyber-crime comes from the top down and is traced to the current and past presidential administrations.

Richard Clarke, chairman of Good Harbor Consulting LLC, in Herndon, Va., and a former counterterrorism official in the Clinton and current administrations, often warned of the potential for a terrorist-based computer attack that would take out portions of the U.S. power grid or financial networks.

At the recent eWEEK Security Summit, Clarke said enterprises should hold developers accountable for their software's security.

When the power grid that serves huge swaths of the Northeast, Midwest and portions of Canada failed on a sweltering day last August, just days after the outbreak of the infamous Blaster worm, many people thought Clarke's oft-repeated prediction of a "digital Pearl Harbor" had come true.

Within hours of the blackout, CNN reported from the paralyzed streets of Manhattan that U.S. officials were investigating the possibility that Blaster had caused the outage.

It seemed to fit. Blaster was running rampant on the Internet, infecting hundreds of thousands of machines. More to the point, other recent worms had wreaked havoc with machines and networks not normally thought to be vulnerable. The SQL Slammer worm in January 2003 brought down the 911 dispatch system in Bellevue, Wash., and disrupted the operation of Bank of America's network of ATMs, angering customers and inciting fears that so-called crackers had stumbled on a new attack vector. Then Blaster arrived.

But in the 10 months after the blackout, no evidence linking Blaster to the outage was found. In fact, an exhaustive report written by a joint U.S.-Canadian committee formed to study the blackout's effects determined there was no connection to any deliberate malicious attack on the power companies' computers.

"The [Security Working Group] found no evidence that malicious actors caused or contributed to the power outage, nor is there evidence that worms or viruses circulating on the Internet ... had an effect on power generation," the report concluded.

The report should have relegated Blaster to a footnote in the matter. But many security experts point to the incident as a perfect illustration of how the specter of cyber-terrorism can obscure the real problem of cyber-crime.
