Why law enforcement can't stop hackers
We look at the challenges law enforcement authorities face in keeping a lid on hacking
By Meridith Levinson | CIO US | Published: 14:31, 16 November 2011
On July 19, 2011, FBI agents in nine states rounded up 14 men and two women ranging in age from 21 to 36 for their alleged involvement with the international hacking group Anonymous. Fourteen of these individuals were arrested for allegedly plotting and executing a distributed denial of service (DDoS) attack in December 2010 that took down the PayPal website.
The two other individuals arrested in the sting, both 21, were indicted for separate hacking incidents: one against the Tampa Bay, Florida InfraGard chapter's website (InfraGard is an FBI-sponsored public-private partnership devoted to critical infrastructure protection); the other for allegedly hacking into AT&T's systems, stealing thousands of confidential documents and files containing the company's plans for its 4G data and mobile broadband networks, and for posting that information on public file sharing site Fileape.com.
Two months later, on September 22, FBI agents in Los Angeles took a member of LulzSec, an offshoot of Anonymous, into custody for his alleged involvement in a high-profile hack against Sony Pictures in late May and early June. Meanwhile, in San Jose, a federal grand jury brought two men associated with the Peoples Liberation Front hacking group up on charges related to their alleged participation in a DDoS attack that took down Santa Cruz County's website on December 16, 2010.
These arrests and indictments are part of a broader effort by law enforcement officials to crack down on cybercrime, which costs organisations anywhere from $1 million to $52 million dollars, according to the FBI. The average cost of a data breach to organisations reached $7.2 million in 2010, according to the Ponemon Institute. The security and privacy research organisation noted that in 2010, data breaches cost companies an average of $214 per compromised record, and that the costs of data breaches have grown every year since the Institute first began tracking them in 2006.
Whether or not law enforcement has been effective in deterring cybercrime is up for debate. Verizon suggests that law enforcement has curtailed some activity. The report shows that the total number of records compromised through data breaches across the combined caseload of Verizon and the United States Secret Service declined from an all-time high of 361 million records in 2008 to 144 million records in 2009 to four million records in 2010. The report attributes the decline to investigations, arrests and prison sentences that law enforcement agencies have made around the world. In 2010, the FBI arrested 202 individuals for criminal intrusions, up from 159 in 2009. Meanwhile, the Secret Service apprehended more than 1,200 suspected cybercriminals last year.
While the Data Breach Investigations Report notes the decline in compromised records, it doesn't declare a victory. In fact, the report indicates there were more data breaches in 2010 than in previous years; it's just that the amount of data that was compromised in the breaches declined. It also states that after a major investigation or arrest, cybercriminal organisations are quick to change their tactics to evade detection.
Clearly, cybercrime shows no signs of abating, and that's why law enforcement experts interviewed for this story say there's simply no stopping hackers. They say law enforcement officials lack the manpower, training, technical resources and political support necessary to crack down on these crimes. Even when they do successfully prosecute cybercrime cases, the convicted hackers rarely serve maximum sentences, which hardly helps to discourage other people from committing similar crimes.
"We are never going to solve the cybercrime problem. We are just trying to keep a lid on it," says Marc Rogers, a former cybercrime investigator in the US and Canada. "We don't even know how many of these activities are going on. We're only aware of a fraction of what's happening. That makes it a very hard problem to deal with."
We look at the challenges law enforcement faces in keeping a lid on hackers.
Investigating hacking incidents
Marc Rogers has investigated more than 200 cybercrime cases during his 13-year career in law enforcement. In describing how law enforcement officials investigate data breaches, he makes it sound systematic, if not downright easy.
"The first thing to do is to figure out which systems were breached, then it's a matter of putting a time line together, working back from when and where the attack happened to figure out how they the hackers came in," he says. "You move from database system to whatever type of security was around it - usually a firewall or intrusion detection system. From there, you work your way to the outside of the organisation and ultimately to the telecom carriers these people used to get in."
Eventually, he says, the trail leads to the hacker's computer.
If data breach cases are so straightforward to solve, why can't law enforcement stop them?
For one, law enforcement can't keep up with the volume of computer intrusions, says Eugene Spafford, a professor of computer science at Purdue University. So far this year, the Internet Crime Complaint Center has processed on average 26,588 cybercrime complaints per month, up from an average of 25,000 per month.
Shawn Henry, the FBI's executive assistant director, told attendees at the Information Systems Security Association's international conference in Baltimore last month that "intrusions into corporate networks, personal computers, and government systems are occurring every single day by the thousands."
Cybercrime is so prevalent largely because it's so lucrative. Hacking into retailers' systems to steal customer credit and debit card information made Albert Gonzales, the mastermind behind the TJX and Heartland Payment Systems data breaches, a millionaire. Edwin Pena also enjoyed a lavish lifestyle before the FBI caught up with him for profiting off several VoIP companies' infrastructures. Joshua Holly, who gained notoriety after he hacked into Miley Cyrus's Gmail account and posted racy photos of her online, reportedly earned at least $110,000 for spamming. Not bad for a 21-year-old.
Of course, not every hacker exploits lax corporate IT security for the money. Hacktivists break into corporate and government systems and deface websites to expose security vulnerabilities, flex their tech muscles, protest perceived fascist political policies or spread anti-establishment agit prop. Sometimes the hacktivists work on the same side as the law, and with great effectiveness, as Anonymous did last month when it took down a child pornography website and posted the account details of nearly 1600 of its sicko users, according to ArsTechnica.com.
"If you look at the sheer volume - the number of compromises, record disclosures, bank fraud, identity theft - that are occurring weekly in the US alone, these numbers are at least in the tens of thousands of incidents, if not hundreds of thousands," says Spafford. "When you say you've been seeing an increase in prosecutions, how many is that? Maybe 200 or 300 have been visibly reported in the news. The response has been nowhere near proportional to the need."
The resource problem
Besides the explosive number of hacking incidents taking place every month, the fact that law enforcement officials are stretched thin across different types of cyber threats makes it even more difficult for them to stem cybercrime.
Keith Chval, the former and first-ever chief of the Illinois Attorney General's Office's High Tech and Computer Crime Unit, says that for the most part, law enforcement officials' first priority is online child exploitation cases. Because investigating child pornography and related crimes draws on the same staff as computer intrusions, says Chval, fewer people are left to investigate data breaches.
In addition to more investigators, law enforcement agencies need ongoing training to keep up with new technologies and with the evolving schemes hackers use to commit their crimes, adds Chval, who now runs Protek International, a computer forensics and investigative services firm.
"When you get to the point of seizing computers with a search warrant or otherwise gain access to evidence, it needs to be examined properly," he says. "The investment in people and their training is significant, and that's challenging in our current economic situation. The physical facilities, the labs, to do the forensic work are critical, too. That's been a real backlog in the system: There are cases where forensics need to be completed before they can move forward."
Purdue University's Spafford criticises federal legislators for not taking cybercrime seriously and for not giving law enforcement officials the political and financial support they need to fight it.
"It's interesting to note the way legislators do react to cybercrime," says Spafford, who started and directs Purdue University's Center for Education and Research in Information Assurance and Security. "They require companies to disclose breaches. There's legislation that would set new regulations on software suppliers and the people who configure the systems, but there's been no budgeting to add law enforcement to investigate those breaches. For law enforcement to succeed, they need money for training, equipment, and they need political support to do these investigations."
When cybercrimes span state and international boundaries, investigating them gets even more complicated, adds Spafford. "If you're trying to get logs or assistance remotely, it is very difficult with some countries to get the cooperation of their law enforcement, especially if the crime is being committed by someone in their country," he says. "That's another area where the government could help, by putting pressure on countries that have been unwilling to assist in the investigation of crimes."
Prosecution and prison sentences
Former cybercrime investigator Rogers says prosecuting cybercrime cases is "usually pretty cut and dried." The evidence linking a hacker to a crime is hard to dispute because every activity on the internet leaves a trail, he says.
"Usually there's nothing more than a token effort to defend it," says Rogers. "The evidence really stands up if you've done the investigation correctly."
That leaves sentencing. Judges impose prison sentences for three main reasons: 1) as punishment; 2) to prevent the convict from carrying out the same crime again (at least while they're incarcerated) and 3) to discourage others from participating in the same crimes.
Prison sentences for hackers vary by jurisdiction. If the crime is federal, prison sentences are set according to federal sentencing guidelines. The maximum prison sentence for one common hacking charge - accessing a protected computer without authorisation - is five years in prison and a fine of up to $250,000. The maximum prison sentence for another common hacking charge - intentional damage to a protected computer - is 10 years plus a fine of up to $250,000.
Hackers are also often arrested on conspiracy charges, which carry a maximum penalty of five years in prison and a $250,000 fine.
The cybercrime and law enforcement officials interviewed for this story don't see any problems with the sentencing guidelines. The problem is that hackers rarely serve maximum sentences. Albert Gonzales is one of the few who is doing serious time - 20 years. Consider the following examples:
Robert Moore was sentenced to two years of prison for hacking into the networks of internet phone companies. He was up against a maximum five years.
David Kernell, who hacked into then vice presidential candidate Sarah Palin's Yahoo email account at age 20, was sentenced to 366 days at a rehabilitation center, where he was allowed to continue his college studies. Kernell also faced a maximum five years.
Miley Cyrus hacker Joshua Holly got just three years' probation for spamming and computer fraud. He could have been sentenced to 10 years in jail.
Because the evidence against them is usually so incriminating, hackers often enter plea agreements with prosecutors, where they plead guilty to all charges in return for a more lenient sentence. In a plea bargain, the criminal might also agree to cooperate with prosecutors on other cases by serving, for example, as an informant or witness.
While plea bargaining has its benefits (prosecutors get freed up to work on other cases, often with the help of the convict), it weakens the deterrent effect that prison sentences are intended to have.
"The sentences that people are getting don't really seem to have any deterrent effect," says Rogers. "Hackers realise if they get caught, they might get five to 10 years, but when they get out, they'll have a book deal, make a TV movie or become a consultant. In some cases, that's what happens," adds Rogers, referring to Kevin Mitnick and Kevin Poulsen, two of the most famous hackers of all time. Mitnick is now a security consultant and sought-after speaker. Poulsen now works for Wired as a senior editor.
Another reason hackers tend to get lenient sentences is because they're often young, says Chval. He points to Joshua Holly, who despite having about 200 stolen credit card numbers stored on his computer, didn't serve a day of prison time.
Chval realises that judges have to strike a balance when sentencing young hackers: They don't want to be overly harsh on defendants who are essentially kids, not hardened criminals, with no prior offences. Nor do they want to overreach with draconian sentences designed to send a message to other young hackers simply because law enforcement doesn't have the resources to investigate and prosecute all of these cybercrime cases, says Chval. But, he adds, striking this balance comes at the expense of deterring other young people from computer crimes.
"Obviously, kids aren't getting the message about the seriousness of cybercrime, of hacking," he says.
Hacking as a social problem
Chval and Rogers believe that the individuals the FBI arrested this summer for their alleged involvement with Anonymous will get harsher sentences if convicted because they taunted, embarrassed and attacked government websites and financial institutions. Prosecutors may finally have their opportunity to exemplify these young hackers as a cautionary tale.
But for law enforcement to have any real impact staunching cybercrime, experts agree they need to raise the public's awareness that hacking is a real crime with real victims.
Part of the reason hackers, particularly the younger ones, get lenient sentences is because judges have to weigh a potential backlash if the public sees them as being too harsh for sending "a college kid who made a mistake" to federal prison for five years, says Chval. The potential public relations backlash suggests that the public doesn't understand the severity of these crimes, he adds.
"Parents need to talk to their kids about illegal music downloading," says Chval. "It's all part of the same realm. A kid who doesn't see anything wrong with downloading music he hasn't paid for probably wouldn't see much wrong with taking credit card numbers. It's a slippery slope when you start down that path."
Indeed, adds Rogers, the problem with hackers is that they don't see their activity as criminal. "They never see the victims. They never see the impact. All they see is the technology," he says. "For the most part, these people understand right and wrong. They wouldn't rob a bank or engage in other deviant criminal activities, but as soon as technology is involved, that line dividing what's right from what's wrong gets really distorted."
For that reason, Rogers would like to see classes on ethical computer behavior taught in elementary, middle and high school.
"If we only rely on law enforcement and the legal system to solve the problem, it's never going to happen," says Rogers. "This is a cultural problem. It's an education and awareness problem. It's an ethical problem."