October 1, 2012
Federal undercover agents are resorting to show and tell to combat a growing menace—criminal hackers. The Justice Department has been making headlines by publicizing prosecutions, disclosing investigative techniques and revealing findings before clinching guilty verdicts. Sure, calling attention to charges and arrests could discourage digital invaders. But that’s not the only factor driving the candor.
“What about all the intelligence that could have been shared with these victims before they were victims?” says Shawn Henry, the bureau’s former cyber chief. The hope is that frankness will convince the public that more treacherous criminals are out there—orchestrating the kinds of hacks that, for national security purposes, officials cannot discuss in detail. These are the cripplin network activities that FBI Director Robert Mueller has said will supersede terrorism as the greatest threat to the country.
“The bureau had always been a little quiet when it came to singing its praises,” says Scott Aken, a former special agent in the FBI’s computer and cybercrime unit, adding that it seemed like there never was any press release put out during the more than five years he spent there. The goal of the FBI was always a conviction, says Aken, who now works in the defense sector. “You wanted to keep your sources close to the chest,” he adds.
But today, given the enormity of the cyber threat and public interest, sharing some investigative details before closing a case could help citizens understand the danger. “Now the word ‘botnet’ and the word ‘malware’ are a lot more in the open,” Aken says, referring to a network of computers that crooks remotely commandeer without the owners’ knowledge.
In June, for example, Justice unsealed charges against a 23-year-old Pennsylvania man, alleging that he and others hacked into computer networks at Massachusetts company RNK Telecommunications Inc., the Energy Department and other organizations nationwide—and then sold access to those systems.
Between 2008 and 2011, he pilfered the network credentials of authorized users to carry out the scheme, an FBI press release stated.
The proclamations, however, don’t equate to a mission accomplished. Henry, who retired as FBI executive assistant director in March, says it would be nice if there weren’t so many indictment announcements. Not that he’s ashamed; he just doesn’t like that the crimes happened at all.
As cybercrime is escalating, “the FBI has arrested hundreds of groups in this space,” says Henry, now president of security startup CrowdStrike Services. But “the reality is the breadth and scope of the threat is much larger than the current capabilities of law enforcement in the United States. It’s through absolutely no malfeasance. It’s not through any poor capability.”
Cybersecurity “is a long-term problem without a short-term solution,” he says. “There needs to be a comprehensive plan and it needs to be implemented. But what is happening is taking a long time, and that’s not good for anyone.”
Aken agrees, adding that complicating matters is “you have to be careful that you are not revealing your sources and methods” when addressing the public about the problem.
Federal law enforcement officials say it is typical to unseal an indictment against a suspect when an arrest is made. They maintain that indictments are written for the sole purpose of substantiating the charges against an alleged offender. “As a general matter, the Justice Department and FBI have always sought to balance important interests when releasing information related to public criminal and civil cases, including cases involving cyber-related matters,” Justice spokesman Dean Boyd says. “These include the right of the public to know, an individual’s right to a fair trial and the government’s ability to effectively enforce the administration of justice.”
There is no concerted effort to unseal more indictments or to publish more press releases about computer cases, officials say. They describe recent outreach as business as usual and certainly not a political strategy. More charges are being handed down, which might be why more court papers are getting out, they add. And top FBI officials certainly are speaking out more about the cyber threat at conferences and other public venues, bureau officials acknowledge.
“In its communications with the media, the Justice Department and FBI are careful to protect the integrity of ongoing investigations and prosecutions, to safeguard sensitive information and investigative techniques, and to preserve the rights of individuals,” Boyd says.
Out in the Open
Seán McGurk, the former director of the National Cybersecurity and Communications Integration Center at the Homeland Security Department, notes that openness actually benefits national security. “Providing direct feedback to the public really allows us to do our job better,” he says. “Sharing often is a good thing because it speeds all our activities along.”
McGurk, now managing principal for industrial control systems cybersecurity at Verizon, highlights one recent case in which DHS helped citizens targeted by a botnet.
For almost a year, the FBI and DHS have maintained public Web pages offering instructions for users to check their computers for a virus named DNSChanger, which the bureau partially neutralized after a probe called Operation Ghost Click. During that incident, the FBI and international authorities stopped a botnet that was redirecting people to bogus websites. They seized the instigators’ servers and, in November 2011, replaced them with clean servers that would safely navigate victims to their desired online destinations. But there was a hitch. Until victims removed the infection, they always would be reliant on the special servers for surfing the Web. So, several agencies, including DHS, published recommendations on how to expunge the worm.
“It’s important to educate the public about cyber threats, such as the DNSChanger malware, and what individuals can do to protect themselves,” Boyd says. “Public reporting on cyber-related law enforcement actions is one of many factors that may contribute to tips to law enforcement on illegal cyber activities.”
McGurk notes that hacker activists, not necessarily the FBI, are inviting attention to the bureau in some instances. “We can always rely on criminals to become notorious by using cyber means,” he says. Federal officials say the media might be to blame for trumpeting hacktivists’ boasts about run-ins with the law, noting the FBI just documents the facts.
Still, in March, it was federal investigators who released lengthy indictments and media statements regarding six hackers, including one government informant, who allegedly are tied to the hacker vigilante group Anonymous.
The court papers revealed some digital surveillance techniques that agents used to prove a suspect’s electronics were the same devices penetrating networks. The feds, for example, detected public signals broadcasting from a wireless router inside a Chicago building known to be the suspect’s residence, according to the documents. Through other signals, they determined the media access control, or MAC, address of the computer tied to that router. A MAC address is a unique serial number for hardware that often identifies the device’s manufacturer, which in this case was Apple. The cooperating witness knew the suspect used a MacBook. He then reported to the feds that the suspect was online at the time they identified the computer’s signals—helping confirm the device and the culprit’s computer were one and the same.
One reformed hacker says the FBI likely made the disclosures to convince skeptics that agents had the right crooks. In the past, the bureau has arrested the wrong activists.
Some former agents say all of this transparency could backfire, by discouraging companies from reporting breaches if they think they will be identified. Often businesses are afraid of tarnishing brands by admitting computer weaknesses. “The FBI has always had a tough time getting companies to admit when they have been hacked,” Aken says. “Press releases in my eyes would not be a good thing for the general public [at a business], even if the criminals were caught.”
Justice officials say they are sensitive to the risk of companies being revictimized through negative publicity. “Throughout its history, the FBI has seen the value of partnerships time and time again,” Boyd says. “The FBI understands that the private sector has practical concerns about reporting breaches to law enforcement. Where necessary, the FBI, working with the Justice Department, seeks protective orders to preserve trade secrets and business confidentiality.”
Another unintended consequence of high-profile cases is backlash from privacy advocates. Americans say they don’t want the feds poking around in their online activities—or requesting customer information from Internet companies—to gather evidence against hackers. Former agents say, as citizens themselves, they understand. But, the agents note, if the opponents knew the extent of the menace that could be stopped by obtaining more information, then critics would see where the feds are coming from.
“I’m a U.S. citizen first before I was ever an FBI agent,” Henry says. “I believe in civil rights and civil liberties and privacy. It’s probably the base upon which this country was built.” He views privacy groups as an important check on the federal government’s conduct. “All that being said, I believe that if people understood what the risk from a cyberattack was, they would be much more willing to help the government do what it needs to do” in sharing information to protect networks.
Now Henry gets into the territory of cyber investigations the bureau can only hint at. Every top federal official from Mueller to President Obama is warning of cyberattacks that could physically wipe out critical infrastructure—disconnect power lines, contaminate the water supply and unleash other havoc on the scale of the Sept. 11, 2001, terrorist attacks.
Henry says convincing the public to share information would be like asking Americans to go through enhanced airport security screening before Sept. 11. No one would agree to it. “If in August of 2001, people were told they needed to take off their shoes at the airport, they would have been through the roof,” he says. “Then fast-forward a month, now you’ve got to take off your shoes . . . you’ve got to put your toiletries in a plastic bag.”
Henry adds, “I’m not happy about having to take off my shoes, but I get it. People would be receptive to more intelligence sharing if they really knew what the threat was.”
He, like many cybersecurity experts, predicts it will take a violent cyber-attack for consumers, industry and governments to disclose information. “I’m interested in privacy, I have things I don’t want everyone to know about, but because of the totality of the circumstance that we live in, I’ve got to identify myself when I go places.”
October 1, 2012