Information Security News mailing list archives

Cybercriminals On The Loose


From: William Knowles <wk () C4I ORG>
Date: Sun, 5 Nov 2000 03:37:33 -0600

http://www.zdnet.com/intweek/stories/columns/0,4164,2649836,00.html

By Lewis Z. Koch Special To Interactive Week
November 2, 2000

The National Infrastructure Protection Center, the unit of the Federal
Bureau of Investigation that's supposed to catch hackers, has cooked
up a cacophony of hype to persuade the American public that a bunch of
teenage hackers are equal in menace to the threat posed by
professional cybercriminals.

And despite the FBI's promotion of the e-mail tapping/sniffing
program, Carnivore, on the grounds that agents need more information,
the NIPC's performance so far suggests that the problem isn't too
little information - it's the FBI's inability to distinguish signal
from noise.

It's time to assess just how well or how poorly the center has been
doing.

Cooperation

One of the key missions of the NIPC, according to its Web site, is to
organize and coordinate intergovernmental, interagency cooperation in
the war on cybercrime. "The NIPC will combine the aggregate power of
numerous aspects of the U.S. federal government: investigators from
the FBI and the [Secret Service], representatives from the Department
of Defense and the intelligence community, and delegates from federal
lead agencies."

Maybe, but Michael Vatis, the Harvard Law School alum who was named
NIPC director, seems bent on ensuring the failure of that part of the
mission.

First, Vatis assembled the center, bringing in representatives from
overt and covert federal law enforcement agencies, along with
"delegates from federal lead agencies." Then he demanded that each
sign a nondisclosure agreement, stipulating that the agent would not
notify or bring back to his agency anything he learned at the NIPC.
Yet, the agents were told to share information from their own agencies
with the NIPC.

Among the agencies initially represented in the NIPC were the Central
Intelligence Agency, the National Security Agency, the Secret Service,
the State Department and the Pentagon. But it didn't take long for
everyone to discover that the NIPC's definition of cooperation was a
no-exit back alley. The agencies decided that if Vatis and the NIPC
wouldn't share nicely with them, they'd just take their intelligence
marbles and go home.

In the end, only the military remained - and only because it didn't
have any other conduit into what the civilian agencies were doing.

Spin Control

Vatis quickly established the ground rules for dealing with the NIPC:
All accomplishments were to be credited to him and his agency. As
detailed in my previous columns, real, certifiable computer security
experts who literally handed the identities of cybercriminals to the
NIPC never received public credit. Vatis and the FBI encouraged the
public to believe they had captured these criminals through savvy
high-tech sleuthing.

Even worse, the NIPC has been strangely silent about its efforts to
catch hackers. The reason: Federal agents have virtually no hope of
catching hackers unless an outside expert spoon-feeds them the
information - not something the public wants to hear.

Sharing the Toys

The center's Web site also states: "As part of its mission, the NIPC
conducts outreach and information sharing with the public and
private-sector owners and operators of critical infrastructures. The
InfraGard program is now an essential part of the NIPC's nationwide
outreach efforts. The program establishes a mechanism for two-way
information sharing about intrusion incidents and system
vulnerabilities, and provides a channel for the NIPC to disseminate
analytical threat products to the private sector."

But there's one condition that belies the notion of "outreach."
Recipients have to sign away their right to tell anyone else what
they're getting from the NIPC and InfraGard.

The NIPC's supreme fantasy is the Cybercriminal Behavior Assessment
Project. As the name suggests, this effort was concocted by some of
the same FBI folks who created the Behavioral Science Unit to develop
profiles of serial killers. Never mind that, according to Pulitzer
Prize-winning author Richard Rhodes, the BSU has yet to identify a
single serial killer.

Among the key findings in the FBI's 1993 Son of Slammer hacker study
was this profound insight into the criminal mind: "Every hacker
interviewed identified the purchase of their first modem as the most
significant step leading to future computer crimes." Ah, the smell of
our tax dollars hard at work.

Vatis initially agreed to be interviewed for this column, but later
canceled.

Epilogue

In the course of my reporting for this column, three people, including
a high-ranking Department of Justice official who had worked with the
NIPC, predicted the imminent demise of Vatis' tenure - and perhaps of
the NIPC itself.

Not surprisingly, none of the three would agree to be quoted or
identified.

It will be interesting to see just how strong Vatis' fingernails are
as he clings to the leadership of a once-promising group that he has
rendered ineffective. On the other hand, he might not want to stay on.

Surely, he could find lucrative refuge with some international
corporation hungry for what he has worked so hard to portray as his
expertise and insider knowledge.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com