From: Government Executive
By Aliya Sternstein
Federal undercover agents are resorting to show and tell to combat a growing menace—criminal hackers. The Justice Department has been making headlines by publicizing prosecutions, disclosing investigative techniques and revealing findings before clinching guilty verdicts. Sure, calling attention to charges and arrests could discourage digital invaders. But that’s not the only factor driving the candor.
“What about all the intelligence that could have been shared with these victims before they were victims?” says Shawn Henry, the bureau’s former cyber chief. The hope is that frankness will convince the public that more treacherous criminals are out there—orchestrating the kinds of hacks that, for national security purposes, officials cannot discuss in detail. These are the crippling network activities that FBI Director Robert Mueller has said will supersede terrorism as the greatest threat to the country.
“The bureau had always been a little quiet when it came to singing its praises,” says Scott Aken, a former special agent in the FBI’s computer and cybercrime unit, adding that it seemed like there never was any press release put out during the more than five years he spent there. The goal of the FBI was always a conviction, says Aken, who now works in the defense sector. “You wanted to keep your sources close to the chest,” he adds.
But today, given the enormity of the cyber threat and public interest, sharing some investigative details before closing a case could help citizens understand the danger. “Now the word ‘botnet’ and the word ‘malware’ are a lot more in the open,” Aken says, referring to a network of computers that crooks remotely commandeer without the owners’ knowledge.
In June, for example, Justice unsealed charges against a 23-year-old Pennsylvania man, alleging that he and others hacked into computer networks at Massachusetts company RNK Telecommunications Inc., the Energy Department and other organizations nationwide—and then sold access to those systems.
Between 2008 and 2011, he pilfered the network credentials of authorized users to carry out the scheme, an FBI press release stated.
The proclamations, however, don’t equate to a mission accomplished. Henry, who retired as FBI executive assistant director in March, says it would be nice if there weren’t so many indictment announcements. Not that he’s ashamed; he just doesn’t like that the crimes happened at all.
More Attacks
As cybercrime is escalating, “the FBI has arrested hundreds of groups in this space,” says Henry, now president of security startup CrowdStrike Services. But “the reality is the breadth and scope of the threat is much larger than the current capabilities of law enforcement in the United States. It’s through absolutely no malfeasance. It’s not through any poor capability.”
Cybersecurity “is a long-term problem without a short-term solution,” he says. “There needs to be a comprehensive plan and it needs to be implemented. But what is happening is taking a long time, and that’s not good for anyone.”
Aken agrees, adding that complicating matters is “you have to be careful that you are not revealing your sources and methods” when addressing the public about the problem.
Federal law enforcement officials say it is typical to unseal an indictment against a suspect when an arrest is made. They maintain that indictments are written for the sole purpose of substantiating the charges against an alleged offender. “As a general matter, the Justice Department and FBI have always sought to balance important interests when releasing information related to public criminal and civil cases, including cases involving cyber-related matters,” Justice spokesman Dean Boyd says. “These include the right of the public to know, an individual’s right to a fair trial and the government’s ability to effectively enforce the administration of justice.”
There is no concerted effort to unseal more indictments or to publish more press releases about computer cases, officials say. They describe recent outreach as business as usual and certainly not a political strategy. More charges are being handed down, which might be why more court papers are getting out, they add. And top FBI officials certainly are speaking out more about the cyber threat at conferences and other public venues, bureau officials acknowledge.
“In its communications with the media, the Justice Department and FBI are careful to protect the integrity of ongoing investigations and prosecutions, to safeguard sensitive information and investigative techniques, and to preserve the rights of individuals,” Boyd says.
Out in the Open
Seán McGurk, the former director of the National Cybersecurity and Communications Integration Center at the Homeland Security Department, notes that openness actually benefits national security. “Providing direct feedback to the public really allows us to do our job better,” he says. “Sharing often is a good thing because it speeds all our activities along.”
Some former agents say all of this transparency could backfire, by discouraging companies from reporting breaches if they think they will be identified. Often businesses are afraid of tarnishing brands by admitting computer weaknesses. “The FBI has always had a tough time getting companies to admit when they have been hacked,” Aken says. “Press releases in my eyes would not be a good thing for the general public [at a business], even if the criminals were caught.”
Justice officials say they are sensitive to the risk of companies being revictimized through negative publicity. “Throughout its history, the FBI has seen the value of partnerships time and time again,” Boyd says. “The FBI understands that the private sector has practical concerns about reporting breaches to law enforcement. Where necessary, the FBI, working with the Justice Department, seeks protective orders to preserve trade secrets and business confidentiality.”
Another unintended consequence of high-profile cases is backlash from privacy advocates. Americans say they don’t want the feds poking around in their online activities—or requesting customer information from Internet companies—to gather evidence against hackers. Former agents say, as citizens themselves, they understand. But, the agents note, if the opponents knew the extent of the menace that could be stopped by obtaining more information, then critics would see where the feds are coming from.
“I’m a U.S. citizen first before I was ever an FBI agent,” Henry says. “I believe in civil rights and civil liberties and privacy. It’s probably the base upon which this country was built.” He views privacy groups as an important check on the federal government’s conduct. “All that being said, I believe that if people understood what the risk from a cyberattack was, they would be much more willing to help the government do what it needs to do” in sharing information to protect networks.
Now Henry gets into the territory of cyber investigations the bureau can only hint at. Every top federal official from Mueller to President Obama is warning of cyberattacks that could physically wipe out critical infrastructure—disconnect power lines, contaminate the water supply and unleash other havoc on the scale of the Sept. 11, 2001, terrorist attacks.
Henry says convincing the public to share information would be like asking Americans to go through enhanced airport security screening before Sept. 11. No one would agree to it. “If in August of 2001, people were told they needed to take off their shoes at the airport, they would have been through the roof,” he says. “Then fast-forward a month, now you’ve got to take off your shoes . . . you’ve got to put your toiletries in a plastic bag.”
Henry adds, “I’m not happy about having to take off my shoes, but I get it. People would be receptive to more intelligence sharing if they really knew what the threat was.”
He, like many cybersecurity experts, predicts it will take a violent cyber-attack for consumers, industry and governments to disclose information. “I’m interested in privacy, I have things I don’t want everyone to know about, but because of the totality of the circumstance that we live in, I’ve got to identify myself when I go places.”
I have a lot of fear of hackers, especially because I am 72 years old and don’t know computers well. I often open spam and click on the unwanted links; my son always grumbles about all that.
72 is not yet 130 years old. So you still have a chance to learn how to use your computer. Do you have a Mac or a PC? My mother is 83 and she is reading https://setapp.com/ to help her solve all her computer-related problems. So if such an old woman can do it, why don’t you try these instructions? I am sure you are not hopeless.