To protect the classified information stored on her desktop computer,
Special Agent Nenette Day uses one of the most powerful tools on the
planet -- an air gap.
Day points to an IBM ThinkPad resting on the table behind her desk. "That computer is hooked up to the Internet," she says. "But if you break into it, have a good time: there's no secret work on it."
Two meters away on her desk sits Day's other computer -- a gray-and-chrome minitower emblazoned with a red sticker proclaiming that its hard drive is classified SECRET. "This," she says protectively, "holds my e-mail." Day readily talks about the ThinkPad, describing how she got it as part of a big purchase by the Federal Bureau of Investigation (FBI) a few years ago and explaining that it's now somewhat out-of-date. And she happily shows off a collectible action figure -- still in its display box -- a colleague brought back from Belgium. It's a "cyberagent" with a gun in one hand and a laptop computer in the other. But if you let your eyes drift back to that red sticker and try to copy the bold, black words printed on it, Day will throw you out of her office.
Day belongs to the FBI's Boston Computer Crime Squad, one of 16 such units located throughout the United States. Each is composed of about 15 agents who investigate all manner of assaults on computers and networks -- everything from lone-hacker to cyberterrorist attacks -- with a dose of international espionage thrown in for good measure. Crimes range from Web site defacements and break-ins to so-called denial-of-service attacks, which prevent legitimate users from accessing targeted networks.
The Computer Crime Squads form the heart of the FBI's new Cyber Division. Created as part of the FBI's reorganization that followed September 11, the Cyber Division is the U.S. government's first line of defense against cybercrime and cyberterrorism. Its mission, said FBI Director Robert S. Mueller, when he appeared before the Senate Committee on the Judiciary last May, is "preventing and responding to high tech and computer crimes, which terrorists around the world are increasingly exploiting to attack America and its allies."
The emphasis on cybercrime is a big departure for the FBI. The bureau's agents traditionally got the most attention -- and the biggest promotions -- by pursuing bank robbers, kidnappers, and extortionists. J. Michael Gibbons worked on one of the FBI's very first computer-crime cases back in 1986; when he left the FBI in 1999, he was chief of computer investigations. "Frankly," says Gibbons, now a senior manager at KPMG Consulting in McLean, VA, "there was no great glory in the FBI on working computer investigation cases."
But that attitude is changing as Washington increasingly realizes that big damage can be inflicted on U.S. businesses through their computers and networks. Remember back in February 2000 when a massive denial-of-service attack shut down Web sites belonging to companies such as Yahoo!, eBay, and Amazon.com? It cost those companies literally millions of dollars in lost revenue. That attack, it turns out, was executed by a single high school student. Experts worry that a similar assault on the nation's electric utilities, financial sector, and news delivery infrastructure could dramatically exacerbate the resulting confusion and possibly even the death toll of a conventional terrorist attack, if the two attacks were coordinated.
Even without the specter of terrorism, cybercrime is bleeding millions of dollars from businesses. Earlier this year, the Computer Security Institute surveyed 503 organizations: together, they reported $456 million dollars in damages due to attacks on their computers and networks over the past year, and more than $1 billion in damage over the previous six years. Those numbers -- which are the closest thing that the computer establishment has to reliable figures for the incidence of computer crime -- have climbed more than 20 percent since 2001.
Day's activities show that although the FBI, the nation's premier law-enforcement agency, is starting to come to terms with cybercrime, it still has a long way to go. Agents such as Day receive special training and have access to specialized tools (many of which the FBI refuses to discuss). Their equipment, if not always at the James Bond cutting edge, is no longer embarrassingly outdated. On the other hand, the FBI's cybercrime squads are locked in a battle to keep current in the face of unrelenting technological change, and they are so short-staffed that they can investigate only a tiny fraction of the computer crimes that occur. Agents such as Day have served as only a small deterrent to hackers and high tech criminals bent on attacking a society that has become hopelessly dependent on its machines. But the deterrent is growing.
How to Catch a Cybercrook
The phone rings at the FBI Crime Squad and a "complaint agent" answers. Most calls are short, not too sweet, and not terribly satisfying for the person seeking help. "We get a lot of phone calls from people who say that somebody has hacked their home computer," says Day. Others report death threats delivered in online chat rooms.
Unsettling as such events are for the victims, most callers are told that there's nothing the FBI can do for them. For one thing, federal computer-crime statutes don't even kick in unless there is at least $5,000 damage or an attack on a so-called "federal interest computer" -- a broad category that includes computers owned by the federal government, as well as those involved in interstate banking, communications, or commerce. In places especially rife with computer crime, like New York City, the intervention bar is even higher. Even cases whose damages reach the threshold often die for lack of evidence. Many victims don't call the FBI right away. Instead, they try to fix their computers themselves, erasing their hard drives and reinstalling the operating system. That's like wiping fingerprints off the handle of a murder weapon: "If you have no evidence, we can't work it," says Day. And, of course, an attack over the Internet can originate from practically anywhere -- the other side of the street or the other side of the world. "We can't do a neighborhood sweep and ask, 'Did you see anybody suspicious walking around here?'" she explains.
For many computer offenses, the FBI lacks not only solid evidence but even the knowledge that an incident has occurred at all. According to this year's Computer Security Institute survey, only about one-third of computer intrusions are ever reported to law enforcement. "There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders, and business partners, or report to law enforcement," says Computer Security Institute director Patrice Rapalus.
Every now and then, however, all the ingredients for a successful case come together: a caller who has suffered a significant loss, undisturbed evidence, and a perpetrator who is either known or easily findable.
Day remembers a case from October 2000. The call came from the vice president of Bricsnet US, a software company in Portsmouth, NH. Bricsnet had just suffered a massive attack over the Internet. Somebody had broken into its systems, erased customer files, modified financial records, and sent e-mail to Bricsnet's customers, announcing that the company was going out of business.
When Day arrived on the scene she went quickly for what she hoped would be the key source of evidence: the log files. These are the routine records -- the digital diary -- computers retain about their actions. Computers can keep highly detailed logs: an e-mail server, for example, might track the "To" and "From" addresses, as well as the date, of every message it processes. Some computers keep no log files at all. Getting lucky, Day found that Bricsnet's log file contained the time of the attack and the Internet Protocol, or IP, address of the attacker's computer.
Every address on the Internet is assigned to either an organization or an Internet service provider. In the Bricsnet case, the address belonged to a local service provider. Day issued a subpoena to that company, asking for the name of the customer "who had connected on this IP address" when the attack took place. This information came from the service provider's own log files. It turned out that the offending address corresponded to a dial-up connection. Each time a subscriber dials in, the service provider's log files record the date, time, username, and the originating phone number. Within a week of launching the investigation, Day had fingered a likely suspect: Patrick McKenna, a help desk worker whom Bricsnet had fired on the morning of the first attack. McKenna was arrested, charged, and convicted under the Computer Fraud and Abuse Act. He was sentenced in June 2001 to six months in federal prison, followed by a two-year parole. He was also ordered to pay restitution for the damage he had caused, which the court determined to be $13,614.11.
Masked Men and Dead Ends
Day's bust in the Bricsnet case was unusual for its speed and for the resulting conviction. That's because many crimes are perpetrated with stolen usernames and passwords. In the Bricsnet case, for instance, McKenna had broken into the company's computers using his former supervisor's username and password.
The key to cracking the Bricsnet case was caller ID and automatic number identification (ANI), two technologies more and more Internet service providers are using to automatically record the phone numbers of people dialing up their servers. When a crime is committed over a telephone line, this information is invaluable.
"I love ANI," says Day. "The last thing you want to do is show up at Joe Smith's house because some hacker has logged in using Smith's username and password." This tool, she says, "lets you know if you are on the right track. It has made a huge difference." Not all new telecommunications technologies are so helpful, though. Many recent computer attacks, for example, flow from the growing availability of always-on high-speed Internet connections. Attackers employ computer viruses and other programs to compromise users' home computers, and then they use the compromised computers as platforms for launching other attacks without the owners' knowledge. Even worse, an attacker can jump from system to system, forging a long chain that cannot be traced. Microsoft Windows typically does not keep logs of its activity. "A lot of our investigations have been stopped cold in their tracks because someone is trotting through one of those computers," Day says, referring to cable-modem-connected PCs that run vulnerable copies of Microsoft Windows 95.
Even caller ID and automatic number-identification information can be faked by a person who has control of a corporate telephone system with a certain kind of connection to the public telephone network. So far, faked caller ID hasn't been a problem -- but that could change, too.
The Internet's cloak of anonymity has made fighting crime especially tough. It's almost as if there were booths outside banks distributing free ski masks and sunglasses to everybody walking inside. "Anonymity is one of the biggest problems for the FBI crime squads," former agent Gibbons says. He maintains that cybercriminals' ability to disguise their identities does more than just complicate investigations; it also makes attackers more aggressive and more willing to take chances and do damage.
"People act differently when they don't think that they are being held accountable for their actions," says Gibbons. For years, computer security experts have maintained that corrupt employees and former insiders -- such as McKenna at Bricsnet -- perpetrate the lion's share of computer crime. But Day's experience contradicts this prevailing wisdom. Today things are changing: according to Day, most cases she investigates involve outsiders who commit their crimes anonymously over the Internet, frequently from overseas. Day says she has traced some 70 percent of the attacks to foreign Internet addresses. Nevertheless, insiders still represent the bulk of her investigations as they represent the most damaging attacks. In one case, Day says, she determined that a major break-in had originated at a cybercafe in a small town in Romania. Because computer hacking is not a crime in Romania, the local police offered no assistance. Seeking help elsewhere, she phoned the cafe itself and talked with its owner, who spoke fluent English. "The owner said he has a bunch of cyberhackers who come there, but this is Romania, and they pay cash," Day says.
The investigation was terminated.
Attack of the Grownups
The media frequently portray the typical computer criminal as a disaffected male youth, a computer wizard who lacks social skills. In the archetypal scene, FBI agents conduct a predawn raid: with their guns drawn, they arrest a teenager while his horrified parents look on. And in fact, Day says that as recently as five years ago, juveniles made up the majority of the perpetrators she encountered. They were teenagers who broke into Web sites that had little security, and their digital crowbars were tools that they downloaded freely from the Internet. These kids made no attempt to hide their success. Instead, they set up their own servers on the penetrated computers, bragged to their friends, and left behind lots of evidence of their misdeeds.
But such attacks are no longer the most important cases that Day's office investigates. Recent years have brought "an interesting shift," she says. Now she sees attackers breaking into computers that are supposedly protected by firewalls and security systems. These perpetrators -- virtually all of them adults -- mount extremely sophisticated attacks. They don't brag, and they don't leave obvious tracks. "It's economic espionage," Day concludes.
It's not surprising that these cases are the hardest to crack, she says. One incident involved a suspect who had used a stolen credit card to purchase dial-up accounts at Internet service providers, specifically smaller providers that did not use caller ID or automatic number identification. He then proceeded to quietly break into thousands of computers. Day monitored the attacker for four months, trying to figure out who he was. "He was very good," she recounts. Then, in the middle of her investigation, the stolen credit card was canceled and the dial-up accounts were closed. "I was horrified," she says. The investigation fell apart, and the perpetrator is still at large.
Computer crime culprits defy stereotyping. One case that was successfully prosecuted -- after a three-year investigation by the FBI -- involved an assistant principal at a Long Island high school. The school administrator flooded the e-mail systems at Suffolk, James Madison, and Drexel universities with tens of thousands of messages, causing significant damage. In July 2001 the culprit, whose crimes carried punishments as high as a year in jail and $200,000 in fines, was sentenced to six months in a halfway house.
In the coming years the widespread adoption of wireless networking technology will probably pose the biggest problem for the FBI cybercrime squad. These networks, based on the 802.11(b), or Wi-Fi, standard, let people use laptops and handheld computers as they move freely about their homes and offices. But unless additional protective measures are taken, wireless signals invariably leak beyond buildings' walls: simply lurking within the 100- to 300-meter range of a typical base station, an attacker can break into a network without even picking up a telephone or stepping onto the victim's property. "Many people who are moving to wireless as a costsaving measure don't have any appreciation of the security measures they should employ," explains Special Agent Jim Hegarty, Day's supervisor.
And as the Boston cybercrime unit has discovered, wireless attacks are not just theoretical. The wireless network of one high tech company recently suffered a break-in. According to Hegarty, the attacker -- an activist who was opposed to the company's product and management -- literally stationed himself on a park bench outside the company's offices and over the course of several weeks, used the wireless network to "sniff" usernames and passwords of the company's president and other senior-level executives. The activist then used the information to break into the company's computers -- again, making his entry through its wireless network. Armed with this illicit access, the attacker downloaded months of e-mail and posted it on the Web.
The e-mail contained confidential information about customers and their contracts. Once that became public, all hell broke loose. Some customers who discovered that they were paying higher rates than others demanded better deals; others canceled orders upon discovering that the vendor had been selling the same product to their competitors. Ultimately, the attacked company suffered more than $10 million in direct losses from the break-in. As wireless networks proliferate, attacks of this kind are likely to become more common, according to Hegarty. The advent of 802.11, he says, "is going to be a watershed event for us."
All in a Day's Work
When Technology Review first approached the FBI about interviewing an agent of the computer crime squad, the idea was to write about an agent's "average day." The public affairs manager at the FBI's Boston office nixed the idea: there are no average days for an FBI agent, she said. Indeed, Day says that one of the best things about her job is its endless variety.
"I might spend one day in trial preparation. I could spend an entire day milling through computer files doing evidence assessment. The next day I could be scheduled to testify in a trial. And last month I spent a couple weeks in Bangkok, Thailand, teaching police from 10 different Asian countries." She spends some days on the phone, perhaps overseeing a new case coming in from a financial institution or phoning FBI headquarters with information that needs to be relayed to other field offices. A few days later she might be off to the range for weapons training. Agent Day carries a .40-caliber Glock 23 and assists on the occasional drug raid. "It is very long work, and it's very hard," she says about her job, "but it gives you something that you would never see in the private sector."
The Glock doesn't get much use out there on the Internet, of course, but Day's FBI training in understanding criminal behavior does. She is, for example, involved in a project at the FBI's research center in Quantico, VA, developing a psychological profile of serial hackers -- people who might become criminals or could be hired by a foreign government. A serial hacker could be a powerful tool for Al Qaeda or some other terrorist organization.
Moving forward, the biggest challenge, says Day, will be for society as a whole "to try to define and distinguish between what is basically online vandalism -- when somebody is damaging a business or a computer-and cyberterrorism. All of those things are conflated in the discussion of the criminal prosecution of hackers. In my mind those are different kinds of contact with different social harm."
Today cybercrime is one of the FBI's top priorities -- even above fraud, drugs, and gun running, says Day. But while scary talk of cyberterrorism captures the headlines, the most damaging cybercrime may actually be old-fashioned crimes being committed with new and virtually untraceable tools. Catching the new bad guys will require people like Nenette Day to stay on technology's leading edge, but it will also require an FBI able to build an organization that gives Day and her fellow agents adequate support. Furthermore, it will require the capability to bring superior computing firepower against the cyberattackers and beat them at their own high tech game.