informa
/
Vulnerabilities/Threats
News

One Bite Is Not Enough

On a global scale, today's crime dogs are more bark than beef

5:05 PM -- WASHINGTON -- McGruff, the crime dog, was on display here yesterday at the Visa Security Summit. It seems that law enforcement agencies are taking the venerable mutt out of mothballs to "take a bite out of computer crime."

The image seems appropriate, because it appears that "a bite" is the most today's law enforcement agencies can even hope to get.

In one panel, the Visa summit featured an impressive panel of law enforcement experts: top computer crime officials at the Secret Service, the Federal Trade Commission, the Department of Justice, and the City of London's Metropolitan Police. The results were both depressing and scary.

The four organizations, formidable as they may be individually, responded to questions with separate viewpoints and perspectives. While they took great pains to discuss the ways in which they work together, it was clear at the summit -- as it has been clear in my own research -- that U.S. law enforcement agencies seldom attack computer crime in any sort of coordinated, nationwide fashion. Almost everything is still being done regionally. The speakers all said they are "working with local law enforcement," and many of their successful efforts seem limited to specific regions of the country.

Internationally, the problem appears to be even worse. During the presentation, a discussion of the prosecution of international computer criminals quickly devolved into an explanation of jurisdictions and extradition treaties. One of the speakers essentially said that Interpol, the organization that's supposed to be coordinating cross-border crime investigations, is all talk and no action.

Even if law enforcement agencies could somehow circumvent all of the regional, state, and national jurisdictional issues -- and that problem seems almost insurmountable -- it is clear that their combined forces would still be too small to effectively combat the large volume of computer crime on and off the Web.

All four of the speakers conceded that they investigate only a fraction of the cases that are reported, because only that fraction has a chance to result in arrest and conviction. If it's unlikely that the cops can find the criminal -- or if they anticipate having trouble prosecuting the case -- they simply don't even look into it. "We just don't have the resources," two of the speakers said.

So the average Russian spammer today is sitting pretty. Even if U.S. or U.K. officials could find him, which is no easy task, they probably wouldn't have the resources to pursue an arrest. And even if they did find him and arrest him, they might not be able to extradite him -- or they might not be able to build a case that resulted in a prosecution in another country's courtroom.

And heck, even if the cops could find him, arrest him, extradite him, and convict him, he's probably going to get a light sentence in the end, anyway. Gary Min, caught red-handed stealing $400 million worth of intellectual property from DuPont last month, only faces 10 years and a $500,000 fine. He'll probably get a low-security prison cell, time off for good behavior, and a big book deal when he gets out.

When we polled black hats about their attitudes last month, fewer than 3 percent of respondents said they worry about getting caught and ending up in jail. Four percent said they worry they might get caught, but they doubt they could be convicted. Five percent said they know getting caught is a possibility, but they don't worry about it. (See Five Myths About Black Hats.)

Given the obstacles currently faced by law enforcement agencies, I'm surprised that black hats are worried at all. Even with McGruff now on their side, it appears that today's computer cops are more bark than bite.

— Tim Wilson, Site Editor, Dark Reading

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5