
Information Security News mailing list archives
Cybercriminals On The Loose
From: William Knowles <wk () C4I ORG>
Date: Sun, 5 Nov 2000 03:37:33 -0600
http://www.zdnet.com/intweek/stories/columns/0,4164,2649836,00.html By Lewis Z. Koch Special To Interactive Week November 2, 2000 The National Infrastructure Protection Center, the unit of the Federal Bureau of Investigation that's supposed to catch hackers, has cooked up a cacophony of hype to persuade the American public that a bunch of teenage hackers are equal in menace to the threat posed by professional cybercriminals. And despite the FBI's promotion of the e-mail tapping/sniffing program, Carnivore, on the grounds that agents need more information, the NIPC's performance so far suggests that the problem isn't too little information - it's the FBI's inability to distinguish signal from noise. It's time to assess just how well or how poorly the center has been doing. Cooperation One of the key missions of the NIPC, according to its Web site, is to organize and coordinate intergovernmental, interagency cooperation in the war on cybercrime. "The NIPC will combine the aggregate power of numerous aspects of the U.S. federal government: investigators from the FBI and the [Secret Service], representatives from the Department of Defense and the intelligence community, and delegates from federal lead agencies." Maybe, but Michael Vatis, the Harvard Law School alum who was named NIPC director, seems bent on ensuring the failure of that part of the mission. First, Vatis assembled the center, bringing in representatives from overt and covert federal law enforcement agencies, along with "delegates from federal lead agencies." Then he demanded that each sign a nondisclosure agreement, stipulating that the agent would not notify or bring back to his agency anything he learned at the NIPC. Yet, the agents were told to share information from their own agencies with the NIPC. Among the agencies initially represented in the NIPC were the Central Intelligence Agency, the National Security Agency, the Secret Service, the State Department and the Pentagon. But it didn't take long for everyone to discover that the NIPC's definition of cooperation was a no-exit back alley. The agencies decided that if Vatis and the NIPC wouldn't share nicely with them, they'd just take their intelligence marbles and go home. In the end, only the military remained - and only because it didn't have any other conduit into what the civilian agencies were doing. Spin Control Vatis quickly established the ground rules for dealing with the NIPC: All accomplishments were to be credited to him and his agency. As detailed in my previous columns, real, certifiable computer security experts who literally handed the identities of cybercriminals to the NIPC never received public credit. Vatis and the FBI encouraged the public to believe they had captured these criminals through savvy high-tech sleuthing. Even worse, the NIPC has been strangely silent about its efforts to catch hackers. The reason: Federal agents have virtually no hope of catching hackers unless an outside expert spoon-feeds them the information -not something the public wants to hear. Sharing the Toys The center's Web site also states: "As part of its mission, the NIPC conducts outreach and information sharing with the public and private-sector owners and operators of critical infrastructures. The InfraGard program is now an essential part of the NIPC's nationwide outreach efforts. The program establishes a mechanism for two-way information sharing about intrusion incidents and system vulnerabilities, and provides a channel for the NIPC to disseminate analytical threat products to the private sector." But there's one condition that belies the notion of "outreach." Recipients have to sign away their right to tell anyone else what they're getting from the NIPC and InfraGard. The NIPC's supreme fantasy is the Cybercriminal Behavior Assessment Project. As the name suggests, this effort was concocted by some of the same FBI folks who created the Behavioral Science Unit to develop profiles of serial killers. Never mind that, according to Pulitzer Prize-winning author Richard Rhodes, the BSU has yet to identify a single serial killer. Among the key findings in the FBI's 1993 Son of Slammer hacker study was this profound insight into the criminal mind: "Every hacker interviewed identified the purchase of their first modem as the most significant step leading to future computer crimes." Ah, the smell of our tax dollars hard at work. Vatis initially agreed to be interviewed for this column, but later canceled. Epilogue In the course of my reporting for this column, three people, including a high-ranking Department of Justice official who had worked with the NIPC, predicted the imminent demise of Vatis' tenure - and perhaps of the NIPC itself. Not surprisingly, none of the three would agree to be quoted or identified. It will be interesting to see just how strong Vatis' fingernails are as he clings to the leadership of a once-promising group that he has rendered ineffective. On the other hand, he might not want to stay on. Surely, he could find lucrative refuge with some international corporation hungry for what he has worked so hard to portray as his expertise and insider knowledge. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- Cybercriminals On The Loose William Knowles (Nov 06)