On Wednesday, May 16, I had the pleasure of attending the Atlantic Council’s “Lessons from Our Cyber Past: The First Cyber Cops” discussion, moderated by Jason Healey, the director of the Cyber Statecraft Initiative, and featuring Steven R. Chabinsky, Assistant Deputy Director of National Intelligence for Cyber and the former Senior Counsel of the FBI’s Cyber Division; Shawn Henry, former Executive Assistant Director of Criminal, Cyber, Response, and Services Branch at the Federal Bureau of Investigation; and Christopher M. Painter, the Coordinator for Cyber Issues at State and former U.S. Attorney, Computer Crime and Intellectual Property Section of the Department of Justice.
The panelists have been fighting cyber crime since its early days in the 1980s and, aside from swapping old war stories about celebrity hackers, missed cyber wake-up calls, and successful operations, all brought up a common, often neglected theme: investigating cyber crime isn’t that different from investigating any other type of transgression. Even though the crime is committed in cyberspace, the perpetrator still lives in the real world, and getting a conviction stems more from gathering physical evidence and using human informants than from interrogating code.
Shawn Henry was the first to mention the overwhelming parallels between investigating online and offline crime when he referenced a major case from 2000, the details of which remain classified, in which the FBI used informants to infiltrate a criminal gang. The procedure was similar to any other undercover operation, with the informant joining the organization and hacking targets set up by the FBI to gain its trust until they had enough evidence for convictions. Christopher Painter later expanded on this theme by noting that simply following the cyber trail is rarely enough to combat organized crime and that investigating the flow of money as well as using undercover agents is critical for major busts. This can be problematic due to the global nature of cyber crime, as criminals who operate abroad or in gangs that span several nations may be protected by laws against undercover operations in their home countries. Steven Chabinsky went further to add that cyber crime is decreasingly isolated to the Internet, with more devices now networked, including critical infrastructure, medical devices, and cars, all of which can be hacked for real-world damage.
The similarities and overlaps between cyber and physical crime also mean that many solutions are the same as for any crime wave. Much of cybersecurity focuses on reducing vulnerabilities, but as in the case of burglary, simply locking your door isn’t enough to deter burglars; you also have to catch and punish the criminals. To do so, law enforcement faces the age-old problem of getting victims to talk to the police. Just as many crimes in bad neighborhoods go unreported for fear of retaliation, a reputation as a snitch, and getting into deeper trouble with the law, many companies fear working with law enforcement due to the stigma surrounding getting hacked and fears that the investigation will only make things worse by confiscating servers or hampering recovery. As with most successful policing, the FBI has also seen benefits from taking a more preventative approach. While in the early days they would only look into cyber attacks that did costly damage, the FBI has since learned that a minor breach can lead to a major one and that the damage done can’t simply be measured in dollars.
While the obstacles to countering cyber crime are great, it was reassuring to hear veteran “cyber cops” talk about it like any other crime. Too often, cyber is treated as a unique, unsolvable problem. Attribution is said to be impossible, the technology poorly understood, and the legal framework underdeveloped. While these are all challenges, conventional crimes such as burglary or drug trafficking carry many of the same difficulties, which law enforcement has largely been able to overcome. With more experience and lessons learned, there is no reason to think law enforcement will not improve at countering cyber as well.