Battling Hackers

85

Hackers can be tough opponents because the best of them share ideas online about new ways to attack networks and how to hide from law enforcement. Gangs in nations like Russia or China can be particularly resourceful and dangerous – especially since governments there are secretly sponsoring hackers’ efforts and protecting them from international law enforcement, a former top FBI official tells U.S. News.

“Both Russia and China are sponsoring hackers that collect information on behalf of the nation state,” says Shawn Henry, the former executive assistant director in charge of the FBI’s Criminal, Cyber, Response and Services Branch. “Intellectual property is being funneled to benefit companies in their home countries.”

Submarines, airplanes and medical devices are among the products made by China using intellectual property stolen from networks of U.S. companies, says Henry, who retired from the FBI in 2012 and is now president of the cybersecurity firm CrowdStrike. Along with threatening U.S. national security, theft of intellectual property is among the top reasons hackers cost consumers and companies between $375 and $575 billion each year, according a report from the Center for Strategic and International Studies funded by cybersecurity firm McAfee.

Cooperation with Russia and China on prosecuting hackers would make a huge difference, but that’s unlikely in the near future because the countries benefit from co-opting hacker theft and because of political divisions between the U.S. and those nations, Henry says.

To counter well-connected hackers, the FBI and other agencies have been treating them like “a new kind of organized crime” by chasing, researching and recruiting them with methods similar to those used against the Mafia, Henry says. The FBI spent years building successful cases against the Mafia in the U.S. by studying the culture of that community, sharing information on crime rings with other law enforcement agencies and by gaining information directly from the crime groups through undercover agents or protected informants.

Similar efforts can help agencies understand and prosecute international hacker groups, Henry says.

“Merely blocking them on networks may slow them down, but it won’t deter them,” he says. “We need law enforcement action. Intelligence is critical – you have to understand how they work. We have to remember at all times these are people, it’s not merely technology.”

Perhaps the most valuable pieces of information hackers sell on the black market are zero days: network vulnerabilities that have not yet been exposed, making them incredibly valuable to criminals looking to stage an attack or companies paying a ransom for their own security.

Outbidding others for the zero days and disclosing them could potentially boost cybersecurity, said Dan Geer, chief information security officer for the CIA’s venture capital firm, In-Q-Tel, which funds startups for intelligence uses.

“There is no doubt that the U.S. government could openly corner the world vulnerability market; that is, we buy them all and we make them all public,” Geer said while speaking last week as a private citizen during the Black Hat USA conference. “By showing everyone what it is that we bought, we zero out whatever stockpile of cyberweapons our adversaries have.”

The U.S. and other intelligence agencies buy zero days off the black market, and it would benefit the Internet community to disclose those vulnerabilities to help fix the security gaps, says James Lewis, a cybersecurity researcher at the Center for Strategic and International Studies. But buying zero days and trying to subsidize the hacker community to prevent trouble has its limits, he adds.

“We should not buy them all with the hopes that it will end the market for them somehow,” Lewis says. “It’s like the arms market. We could buy them all, but people would just make more.”

The government has confidential ways of communicating with companies to give them a chance to protect themselves against zero-day security gaps, but would have to be careful about disclosing them publicly, says Michael Vatis, founding director of what was the FBI’s first cybercrime division, the National Infrastructure Protection Center.

“Word spreads among the hacker community more quickly than it does among potential victims,” Vatis says. “Even if potential victims hear about it they might not take the necessary precautions in time.”

Along with buying zero days, the U.S. government also recruits hackers for consultation, but that can be difficult if the hacker is in a foreign country, Lewis says.

“In some cases the producers have obligations to the government they live in,” Lewis says, noting that the Chinese government often force hackers to share zero days with its intelligence agencies for free. “Recruiting U.S. hacker talent is a good idea, but don’t think that is going to turn Russian and Chinese hackers into law-abiding citizens.”

The governments of China and Russia may refuse to identify or extradite hackers, but the U.S. has been tracking and, in some cases, detaining online criminals when they travel. Last month, the U.S. Secret Service arrested Russian national Roman Valerevich Seleznev in the Maldives. Seleznev had been indicted in 2011 for “hacking into point of sale systems at retailers throughout the United States between October 2009 and February 2011,” according to the law enforcement agency.

Seleznev was likely beyond the reach of U.S. online crime law enforcement in Russia – in part because his father is a member of the Russian parliament. The Russian government called his arrest in the Maldives ” kidnapping” because the U.S. had not warned in advance of plans to detain him, The Moscow Times reports.

Even as U.S. agencies have imitated the research and case-building efforts used against the Mafia in fighting hackers, they should follow those efforts by increasing pressure on companies that buy from hackers, says Stewart Baker, former general counsel for the National Security Agency.

“There is a tendency on the part of hackers to think they are invisible, and they are not,” Baker says.

Recruiting reformed hackers to write code or do counterintelligence against online crime is also a useful tactic as “people grow up” from a youth of infiltrating computers – especially when they find they aren’t invisible to law enforcement, Baker says.

Turning online criminals into informants in exchange for leniency can be another useful tactic.

“There are going to have be people who live and breathe these groups and look for ways in, look to put assets inside the organizations,” Baker says.

Baker says a recent example of an inside asset is Hector Xavier Monsegur, an informant who helped build cases against members of the hacker communities Anonymous and LulzSec. After being arrested in 2011, Monsegur – also known as Sabu – agreed to become an FBI informant to help build cases against members of the hacker groups, Baker says. Monsegur faced decades in prison for various computer crimes, but was granted a limited sentence for his cooperation and released on parole.

Unlike prosecution of the Mafia, online crime is an evolving concept with gray areas about whether potentially lengthy jail sentences are appropriate. The Secret Service’s arrest of Aaron Swartz in 2011 stoked intense controversy about the Computer Fraud and Abuse Act used to prosecute online criminal acts and led to the introduction of bipartisan bills in Congress to reform the law.

Swartz was famous for developing Infogami, which merged with the online news site Reddit, and for his activism of Internet freedom. The Secret Service arrested him for downloading more than 4 million copyrighted academic articles, and Swartz faced decades in prison if found guilty of violating the Computer Fraud and Abuse Act. The stress of the impending prosecution is believed to have led him to commit suicide in 2013.

“What I can see in the reaction to [the] Aaron Swartz prosecution is that just because you can charge someone with six felonies does not mean you should,” Baker says.

Hi Tech Crime Solutions