BOSTON—His title may be the first assistant United States Attorney for the Northern District of Ohio, but Craig Morfords work fighting cyber-crime touches nearly every corner of the globe.
Morfords responsibilities include the prosecution of federal terrorism, organized crime, public corruption and corporate fraud, and one of the issues he spends much of his effort on today is battling the growing use of computing networks to help carry out those felonies.
At a security conference organized by imaging giants Xerox here on May 12, Morford blew away attendees with some of the anecdotes and examples of the types of struggles the government and private industry have encountered in trying to stop the flow of proprietary information into the hands of criminals.
eWEEK Senior Writer Matt Hines sat down with Morford at the event held in the vault of the Boston Stock Exchange to see what sort of progress is being made to that end.
One of the big questions we hear from business leaders is who they should to turn to first when trying to report and investigate IT-related crimes. Who should these people call for help?
From what were seeing, the FBI and Secret Service are actually the best places to start, as both have major growing cyber-crime sections tailored to specifically addressing these types of offenses. In some cases were seeing one or the other, and sometimes were seeing both organizations working together. Companies shouldnt be afraid to call these guys up if they have a serious problem to report, its something that the Department of Justice is attuned to, and committed to in terms of addressing a growing need.
Youve obviously got experience in fighting organized crime in the offline world, but as we know theres a huge element of criminal networks backing a lot of the IT-oriented attacks were seeing today. How are organized crime groups adapting to utilize IT systems to carry out their schemes?
Well, you have to understand that this is an almost entirely new type of organized criminal, and that you can define organized crime in a lot of different ways.
It used to be that when people used the term, they were referring to what we typically thought of as organized crime, a family network with some sort of ethnic ties that has bosses, caporegimes and soldiers that work primarily within some specific community.
But what were dealing with in cyber-crime is something different, a community of criminals that is changing and adapting over time. Its a guy in his twenties in a rundown apartment in Ukraine or somewhere else in Eastern Europe who has a network of computers on which theyre communicating with thousands of other people who he has never met in person, and who could be in any country around the globe. And these people are involved in a web of criminal activity. This is something we havent had to deal with before.
One of the critical issues in fighting any sort of crime is what sort of budget you have to support those efforts. Should private businesses and government law enforcement officials be pooling their resources to have a broader impact?
Theres absolutely an opportunity for that type of collaboration, and its one of the many things that were trying to do to help solve this problem. The Secret Service and FBI are both actively reaching out to business, and to law enforcement worldwide for support, education and to help more people understand the threats that are out there.
People need to invest with each other and learn to trust each other, and because of the international nature of the crimes being committed, everyone needs to reach out to foreign governments. If people can establish evidence-sharing treaties and form cooperative arrangements with law enforcement, along with forming partner relationships between corporations and federal investigators, a lot can be achieved.
What the Government Can
Do to Help”>
Ultimately, what is law enforcements role in facilitating all of this?
The best the government and law enforcement can do for private companies is to serve as a backstop. We can prosecute a certain amount of cases and that will help as a deterrent and to prove the punishments for committing cyber-crimes, but ultimately a lot of the burden falls on corporate America to use civil laws and remedies to go after perpetrators and recover some of their assets through restitution.
We hear a lot these days about the internal threat, and how frequently people are exposing their employer to cyber-crime without even knowing it. How do businesses decide who is trying to hurt them intentionally, and who is just making a bad decision that leads to a problem?
In the case of cyber-crime, the technology is new but weve been fighting the same types of activity for over 200 years. The truth is that when youre prosecuting something like this there are a lot of similarities to ordinary mail fraud cases.
As always, the challenge is in proving intent and the answer is looking at it in the same way we always have, by looking at the evidence and the persons behavior to try to prove their intent. In that sense, theres no difference from traditional fraud.
So in that sense, technology may actually make it easier to establish some of these patterns.
Technology can help in this process, its absolutely amazing what you see some people writing in e-mails they dont think will be read by anyone other than their anticipated recipients. Technology is both a blessing and curse; it helps leave a trail of evidence that we can follow, but it also opens up a lot of opportunity to commit crimes.
Over the years weve heard a lot about cyber-terrorism, and even the ties that terrorists may have to common forms of computer-related crimes. What do businesses need to know about the place of terrorism in dealing with IT-based attacks?
Theres a multifaceted threat with terrorism, and its not just the type of foreign terrorism that everyone thinks of first. You have the external threat of groups that want to steal, sell or use the data, and you have this threat of internal terrorism where employees want to steal something and sell it for a profit, or just to hurt the company for some reason.
There are also domestic terrorists such as local rights groups who may launch computer-related attacks just to support some belief they support, and your Ted Kaczynski types who may have a beef with corporate America and carry out their own terrorist acts alone.
Really there are a host of things that can be done to inflict damage on computing networks that can be defined as terrorism. Corporations need to be aware of that and to watch out not just for the theft of data but also the potential destruction of data, and the timing that some of this sort of activity that goes along with considerations of all that.
Some people feel that the outsourcing of jobs overseas could aid terrorists in harming U.S. companies. Do you think theres any truth to that idea?
The best comparison that I can make is to a movie like “Bubble Boy.” When you leave your bubble, all kinds of bad things could happen to you, you could get in your car and have an accident or catch a virus, but that doesnt mean we should stay locked up in the house as a result.
You really have to put your seatbelt on, drive the speed limit and try to behave carefully when operating overseas. But, its not realistic to tell companies that they shouldnt go overseas to do business.
They just need to realize the security risks and take reasonable steps to both prevent crime and take action when they are victimized, no matter where in the world it is that they might be doing business.