Computer Crime Research Center


Why Cybercrime Is So Hard to Investigate

Date: December 29, 2015
By: Kristina Davis, San Diego Union-Tribune

About a dozen military bases. More than 500 defense contractors. One of the largest concentrations of biotech in the world. All in one county.

And all in the crosshairs of cyber criminals.

San Diego County is considered among the most target-rich areas in the nation when it comes to cyber attacks.

“If you take down all the power grids in San Diego, you take away a portion of the Navy’s ability in the United States,” said Eric Basu, president and CEO of San Diego-based Sentek Global, a technology service provider for the government.

“It’s a continual arms race: people trying to get in and people defending against it.”

While fears of a major infrastructure takeover are very real, smaller scale attacks are part of daily life for local industries.

For instance, the Navy’s San Diego-based space and naval systems command, or SPAWAR, is hit multiple times daily with breach attempts, Basu said. And hackers tried to get into San Diego Police Department’s computers recently, via the home router of one of the department’s vendors, he said, but were stymied by advanced cyber protection software.

“I’ve had four to five clients recently get calls from the FBI saying ‘Your stuff has been flowing over to China for the last six months,’” Basu said.

Who are these hackers? They are state-sponsored actors from countries such as China, North Korea, Russia and Syria trying to spy on the U.S., steal intellectual property — from drugs to drones — to better their economies or defenses, or perhaps cause harm to our infrastructure.

They are criminal organizations — often based in Eastern Europe and Africa — focused on stealing your personal information and financial scams.

They are “hacktivists,” or hackers that breach systems to make a moral or political statement. Sometimes, they are a combination of these archetypes (i.e., criminal groups hired by foreign governments to steal intellectual secrets).

And many times, they are untouchable.

That can be the most frustrating thing about cyber warfare for both victims and investigators alike. Maybe the leak of information can be stopped and prevented. Maybe a counter attack can even be launched. But rarely does justice come in the form of seeing the perpetrator in handcuffs in a courtroom.

“It’s a challenge,” said Supervising Special Agent Terry Reed, who oversees one of two cyber squads in San Diego’s FBI office. “It’s demotivating when the point of origin leads you to guys that we just can’t get our hands on.”

Stepping Up Recruiting

Cyber crime is so prevalent that cyber investigations are now handled by nearly every law enforcement agency, from Homeland Security Investigations to local police departments.

Hiring officers with the technical expertise needed for these complex investigations is becoming a major obstacle. Last year, Congress authorized the FBI to hire some 2,000 people, many of whom would be assigned to cyber issues.

“You don’t make a cyber agent by sending them to training,” said Reed. “It begins when they are very little, it’s a hobby to them, they grew up living and breathing technology.”

Finding the young minds with the right skill sets who can pass the rigorous FBI background and testing requirements is where it gets tricky. “It filters out a large population of people,” Reed said.

FBI Director James B. Comey made headlines last year when he said it has become harder to hire hackers to tackle cyber crime due to their apparent fondness for marijuana. The agency’s current regulations won’t allow applicants who’ve smoked pot in the past three years.

The government is also competing with the lucrative private sector for the same talent, though Supervisory Special Agent John Caruthers, who also runs a local cyber squad, says the FBI does have one advantage over corporate jobs: “The cool factor keeps them.”

Tackling cyber crime from the 10,000-foot level is the National Cyber Investigative Joint Task Force, which integrates federal investigators, U.S. military, international partners and private security experts and serves as a clearinghouse for cyber crime intelligence.

“We are looking at the broad strategic shifts in the enemy’s tactics and movements. What are these bad actors doing, and what threats do they pose?” FBI Special Agent Paul Holderman explained in a bulletin on the group.

And unlike in most other areas of criminal investigation, in cyber crime the private security sector is seen as a huge partner to law enforcement, with its expertise and eagerness to close any vulnerabilities. In San Diego, a large network of cyber security companies and experts regularly exchange intelligence, help mentor new talent in the field and encourage new cyber businesses to make their homes here.

Anatomy of an Investigation

The FBI employs two cyber teams in San Diego with special agents, computer scientists and analysts who are solving cases, connecting the dots on various intrusions and educating local businesses on how to better protect their systems. One team deals primarily with criminal cyber fraud, which is mostly financial in nature, while the other focuses on threats from other governments.

Cases get opened either when the FBI notices through its investigative techniques that an intrusion has happened, or when a victim notices the breach and reports it.

“We figure out what happened, how did they get into the network, was anything taken, and tell the company what we learned,” Caruthers said. “We gain a lot of institutional knowledge on different groups and take that knowledge back to the companies.”

Some companies don’t want to disclose a breach, for fear of shaking consumer and investor confidence and to protect their brand.

“There’s a calculation: What must I report?” Reed said of such companies. The law requires certain types of companies to report any intrusions to law enforcement, including defense contractors and businesses that deal with customer data.

This past summer, the Department of Justice launched a pilot program in San Diego in hopes of encouraging companies to report data breaches quicker to law enforcement, so any compromised data can be seized before it goes overseas. The program kicked off with a roundtable meeting that included private law firms who typically get notified by their clients when an attack occurs.

Assistant U.S. Attorney Sabrina Feve, who prosecutes cyber cases and is involved in the program, said it’s important to create incentives to make companies want to report when they’ve been hacked, including offering them resources that they wouldn’t be able to access on their own.

Next, the investigators must establish venue: Who has jurisdiction when the victim is in San Diego but the victim’s servers are located in Ohio and the bad guy is in yet a third location, possibly even overseas? What about if the hacker is targeting victims all over the world?

Oftentimes it comes down to what makes the most sense for evidence collection and prosecutorial support, Reed said. The FBI has agents in about 75 countries to act as liaisons to bring criminals there to justice.

Even then, it’s not often that these hackers go to court. Stopping the attack, minimizing losses and fortifying computer systems for the next attack is a more common outcome, authorities said.

In the past five years, the U.S. Attorney’s Office in San Diego prosecuted eight computer hacking cases and at least 14 involving the theft of credit card or banking data, according to the office. The number of cyber prosecutions is likely low because cyber crimes often get charged under other various laws, including wire fraud, Feve said.

Cyber cases also bring unique challenges to the courtroom. Digital evidence might be overseas. Hackers may delete or encrypt evidence. And lawyers need technical expertise to make a jury understand complex evidence and processes, Feve said. National security investigations can take years and years, and often remain top secret.

“Attribution in cyber (crime) is extremely difficult, and criminals realize that. It’s low risk and potential high reward for cyber criminals,” said Stephen Cobb, a security researcher at ESET, one of the world’s largest security software firms. “It’s hard to fight back if you don’t know for sure who carried out the attack and why.”

This past year saw a number of massive breaches that remain under investigation and highlight the growing threat.

The U.S. Department of Health and Human Services found that 55 health care providers suffered data breaches resulting in theft of data for more than 110 million Americans, including the massive breach of Anthem patients, Motherboard reported. In July, hacktivists were responsible for the Ashley Madison website breach, unveiling the identities of men and women looking for extramarital affairs.

Even the government was not immune, with the hack of personal information — children’s names, financial activity, sexual partners, marital troubles, debts and substance abuse problems — of some 20 million federal...
