Saturday, May 19, 2012

Lessons from the First Cyber Cops

I was so excited to see Bob Gourley's blog post "A Lesson From the First Cyber Cops" which is how I learned about an event on May 16th hosted by the Atlantic Council. As part of a program called the Cyber Statecraft Initiative, Jason Healey moderated a discussion called: ”Lessons from Our Cyber Past: The First Cyber Cops”.

The panelists were all people that I have met and been very impressed with over the years: Steven Chabinsky was the lawyer who served as Senior Counsel to FBI's Cyber Division and advised our InfraGard national board when I served in 2002-2003. He was the first lawyer I met who actually understood what cyber was all about. He's currently the Assistant Deputy Director of National Intelligence for Cyber.

Shawn Henry, former FBI Executive Assistant Director of Criminal, Cyber, Response, and Services Branch, and now a principal at CrowdStrike. I saw him last sharing his passion for the InfraGard program up in DC last November.

Christopher Painter, the Coordinator for Cyber Issues at State and former U.S. Attorney, Computer Crime and Intellectual Property Section of the Department of Justice, who I first met as I was learning about the "24/7 network" of international information sharing that he helped to build.

What I've done here is listened to the audio recording of this panel session, and done my best to accurately transcribe what I heard. I think you'll find it as fascinating as I did, but encourage you to Listen to the MP3 if you have time. There were about forty minutes of Q&A from the audience at the end that I have not transcribed. Any errors in transcription are mine, please take this as "gary's notes" and use the MP3 as your authoritative source.

Getting Started in CyberCrime Investigations

Q: What got you started in Cybercrime?

A: (Chris Painter) Always interested in technology, while I was in college and law school. In 1991 went to the US Attorney's office in California. This was before the web, but many companies, and the government, and the military and others were certainly relying on computers.

I was working with Scott Charney who had started the first Computer Crime unit. There were several companies experiencing theft of source code, including cellular phone companies, and the University of Southern California, where they had data losses, but also someone storing stolen data there. That turned out to be Kevin Mitnick. We had great FBI agents here, Trent Teyema, Ken McGuire and others. In the course of investigating Kevin, I had to learn Linux, and how to review log files. Worked with the first Stock manipulation cases, the first eBay case, which was the Mafia Boy DDOS case, which was the first case I worked with Shawn on. Back in that day a plane was circling the court house with a banner reading "FREE KEVIN!"

A: (Steven Chabinsky) The way I got into computers was with games. In 1979 or 1980 I had a cousin that had a TRS-80. He was signing in to a service called "The Source" and he allowed me to play "Adventure". One of those games where you typed "Turn Right" and it says "You see a nasty elf, what do you do?" and you type "Fight Elf" and it says "The nasty elf killed you!" I was fascinated. I was the kid that worked every day after school, not to save money to buy a car, but to buy an Apple computer. The one I wanted was 1200 bucks and it didn't come with a floppy drive. A floppy drive was another 400 bucks. It came with 48k. I had to buy another 16k just to be able to program, in Fortran at the time. I end up joining the FBI. Fast forward. In 1998 President Clinton had PDD-63, and the FBI was put in the lead of the National Infrastructure Protection Center. The concept was that multi-agency and private sector had to work together. They needed another lawyer, and I raised my hand immediately. It had to do with Cyber. In 1996, Cleveland, Columbus, and Toledo had started InfraGard. I really need your help. How would we nationalize this program? We took this group of a couple hundred people and today it has 50,000 members. The FBI only has 30,000 members. After September 11th, it grew to be beyond Cyber and to include Critical Infrastructure. And in that time I began to give legal advice, and began to give legal advice on all sorts of intrusion cases, which is how I met Shawn Henry.

A: (Shawn Henry) I'm honored to be with two of my closest friends. Our relationships developed because we were on the front line in this space in 1999 and 2000. There were not a lot of things known at this time. I latched on to these two attorneys who were working in this space and who were most importantly innovative. My start was very similar to Steve's only instead of playing with an elf, mine was Star Trek. You see a Klingon ship. Turn right. That was my interest as a freshman in high school. When I joined the Bureau there were some linux courses and cyber courses available and I took them. There was a vacancy as Chief of the Cyber Investigations Unit and this was a natural route for me to take.. I had spent a couple years at headquarters as a supervisor. I wanted to take the things we did in the physical world, the things we learned fighting organized crime and terrorist groups, white collar crime, and apply them in the Cyber realm. I had a lot of experience using authorized intercepts, wiretaps, informants, that sort of thing. This was 1998. I remember sitting there with Steve in the command post at 11:59 PM on New Year's Eve watching the countdown, 9, 8, 7, ... when it hit zero, the lights went off. Because someone had flipped the switch off as a prank. But Steve and I started working the very first undercover case in the Computer Intrusion environment. We had hundreds of cases at the time but we had never used this technique. It was the first time Steve and I had met to chat about the legal consequences. We had an undercover agent who joined a hacking group, who actually did some hacking - all segmented and legally authorized - it gave us great insight into the group and is now common practice for us. That would have been February or March of 2000. We did get a prosecution, but I can't say what group.

What were the Wake Up Call events?

Q: The DOD has been through several "wake up call" events, the latest being Buckshot Yankee. Has DOJ been through that as well?

A: (Steve) Yes, with Solar Sunrise we see military computers, .mil computers, being intruded upon coming from abroad. It was happening during the conflict with Iraq. The traffic is coming in from a middle eastern country, and it really looks like this is an attack coming from a nation state. There was the obvious real possibility that we were under attack. If we are, how do we handle attribution, how do we respond. Of course the FBI does their investigations constitutionally, by the rules, regulations, statutes, and constitutional requirements of the US, not traveling easily in ways that would impact the sovereignty of other nations. Dealing with probable cause and beyond a reasonable doubt. Is there enough to justify a military response. We were at the table saying that we don't think there is enough attribution at this time. Of course we know the end of the story. A couple kids in Cloverdale, California, working with a young adult in Israel, purposely routing their traffic to make it appear to be coming from another country. (Gar-note: we blogged about The Analyzer, the Israeli in Solar Sunrise.) What was the moral of the story? Our .mil had been intruded upon. It could have been used to launch attacks on other countries. Will our adversaries show the same restraint if they were to see our computers attacking them? Another incident involved the White House, getting all the named players on a teleconference, this was before DHS. A large botnet, a very large botnet was being assembled - is it possible that it is being grown to attack the United States? Well, no, in the end it was being used for click fraud. (Laughter) Yes, your reaction, it becomes comical. But at the time, you can't anticipate the end of the story while you are in the middle of it. Early on we were thinking an attacks was coming from your country, but now its gone to the other extreme, there is such poor attribution that the problem has resolved itself. We're better at understanding the motives of events. We don't have White House calls about these incidents any more.

A: (Chris) You asked about wake up calls, we've had several, but they are like wake up calls with a snooze button. It gets attention briefly and then we go back to sleep. Back in 2000 when we saw these big botnets being built, we thought this was going to be how the criminals took down everything. But then we started seeing the large DDOS events against media companies like CNN. They got a lot of media attention, it took a few months, but we found him and it turned out to be a 13 year old boy, MafiaBoy, living in Canada. At the time we were saying "This must be a nation state! It's too sophisticated, it couldn't be an individual." RCMP monitored his communications back to his house. The father was ordering a hit on one of his colleagues, so it was Mafia Dad and Mafia Boy, great family.

That was one wake up call. Later on you had the commercialization of this with botnets, botherders, and then the lone wolf, lone gunman hackers, who kept a low profile who didn't want to be seen who wanted to steal money or trade secrets from companies and others or having an impact on infrastructure. The early Infrastructure impacts were inadvertent. Some kids playing in a telephone switch who impacted a local airport ... (24:40) ... these all built on each other to create the atmosphere now compared to even five years ago is dramatically different, because of these cases, successful cases that we've talked about and other things that have happened.

A: (Shawn) We haven't had the wake up moment yet globally, and we won't until there are physical implications ramifications of an actual attack. When the lights go off for a period of time, or when people die. Its the equivalent of planes crashing into buildings. People take terrorism seriously when they see blood in the streets. For me the wake up uwas the I Love You virus. Around Valentine's Day, I love you, everyone wants to know who, so they all click on it and have a virus. It had a cascading effect around the world in 24 hours. This is not a United States problem, this is a global problem. In the past it was relatively clear where venue was. We had victims in all 50 states and 56 field offices who all claimed they had venue. I had to decide where, as chief of the unit, where venue was going to be and which field office was going to work that case, and I did it without conferring with the US Attorney's Offices. I gave it to Newark, and their US Attorney's Office jumped on board. When ultimately at the end of the day we identified that this was a young man in the Philippines, he was identified and someone put their arms on him, but in the end the Philippines had no law against what he did. Even though he was identified, even though he caused great economic damage, nothing happened. They arrested him, but then they let him go. The global element here. How do we look at this as an International level. Its an international problems. We need to have consistent laws, consistent strategy. We have to have a consistent understanding. The FBI has now centralized rather than 56 field offices operating independently there is a central command. Headquarters will decide how things get done. We, and not just the FBI, but the community as a whole have become much more strategic in our operations and much more strategic in the execution of our mission.

A: (Steve) Cybercrime has lead in terms of our understanding and Cybersecurity followed on. People were working on cyber crime policy before they were thinking at a policy level about cyber security, partly because of the I love you virus. There was a lot of efforts through the G8 to focus on cybercrime. There was a ministerial meeting back in 1999 where this was pushed as a major initiative. Three legs of a stool, you had to have good capacity to fight these crimes, good laws in place, and the capability to cooperate internationally. The G8 and then the Budapest Convention on Cybercrime, the Council of Europe convention that is still the single item that really deals with these issues. The 24/7 program which started with 8 countries and now has 60 countries. There was a lot of work enhancing the Legat program around the world. It was really good expert work among the cognicenti that has now reached the leadership of these governments.

A: (Shawn) I think you are being modest Chris, because the world looked to you and your colleagues at DOJ. The Philippines ended up updating their laws in just a couple months and the world followed. The Department of Justice put us in a leadership role here. The United States, through the Department of Justice, really put us in place. I haven't seen any cases in the last eight years where we haven't been able to prosecute because the laws were not in place.

A: (Steve) I'll go back to what Shawn said -- Its not about all following the cyber trail. There is the money trail. You have to combine all these things. There are a lot of countries where it is still illegal to do undercover operations. You can react all day long, but if you can't get inside these organizations and bust them down from the inside.

Are We Winning?

Q: It sounds like overall on the cybercrime and law enforcement side in the US, we've made great progress. Are we winning?

A: (Shawn) We are not winning

A: (Steve) But I don't think we are losing. This is why I always hate this question! (Shawn: The State Department!) What are the metrics for winning? How do you measure winning or not winning? Clearly there is much more awareness, there is much more law enforcement resource, there are things like Infragard on the private sector, there is more international awareness of this, but the threat has gotten bigger. Criminal groups, nation states, potentially terrorist actors though we aren't seeing this yet. We clearly are more reactive than we should be and we need to have more capability to fight it. Yes or no.

A: (Shawn) When I say we aren't winning, we are not getting ahead, we are falling behind. We are having impact. We are having success. Through the efforts of the FBI, the Department of Justice, the Intelligence community, and the private sector, we have had impact. We have made arrests, we have identified groups, we have attribution, but we are not getting ahead, we are falling behind. there is more and more data getting pushed, more and more people coming online more subjects getting into this who are realizing opportunities to exploit and to line their pockets, and there are countries getting involved in cyber espionage. We are having successes but we are falling behind.

A: (Chris) We are having successes. I came to this in August of 1998. The private sector is working together, the government and the private sector are working better together. I'm seeing more arrests. Tactically, you can show a chart showing how we've improved. We're doing better, but the threat is outpacing our capabilities. When we look at our strategy - what does success look like? The reason we are getting further behind - early on we saw this as an Internet problem a net-centric threat. Over time we've come to see this is a technology threat. Every aspect of our lives are chip-enabled. The threat is controlled by technology. The vulnerabilities to automobiles there are chips controlling your accelaration chips control your brakes. Can we get in through bluetooth? Biomedical devices - there is software in the insulin pump that allows for remote diagnostic capability. There are chips controlling the flow of insulin into your body. Can we cause that to happen remotely? The researchers say yes. You see the problems with Wireless, purposeful interference and jamming. We are becoming more reliant on inherently vulnerable products and services. So the combination of those two make us as a strategic point, falling further behind. We are getting to a point where we have to reflect on what risk mitigation looks like in this area. Whether our policies that focus predominently on vulnerability mitigation and whether that is a successful long term security model. If you think of most security models they rely on on threat deterrence - the notion that the actor won't act because there will be some deterrant effect. you'll be captured, have some penalty. Here we have a model relying on hardening our targets. That's not how we live in the real world, that's called a fortress. Technologies are not meant to be bunkered down. It's not surprising as we accept technologies that are not fortressed and bunkered down, when we have a risk model that doesn't rely on threat deterrence, we'll fall further behind.

A: (Steve) We have to have both of them. You need to lock your doors which we haven't done a good job of, AND have consequences for the people who break in also. There is a lot more to do on hardening the targets and locking the doors, but you have to do threat reduction and threat deterrence. The question is, If you are a cyber criminal, let's take the criminal element for now, it used to be really costless to you, could route your attacks through other countries, you really wouldn't think there was any chance of getting caught. Most cyber criminals ... There have been some great deterrent cases, Getting deterrence cases out there, undercover cases taken down that make the criminals not trust each other. But there is no perception of risk. The positive side if there is a benefit to the criminal, but there is a neglible chance of getting caught, you aren't going to have an impact.

Lessons Learned?

Q: When I look at DOD, I see them caught up on the same questions they had in the late 90s on organizations, and authorities, and definitions, but when I look at Cybercrime it seems you have made progress beyond all that. What are the most important lessons, and are those lessons being inculcated on the new agents, new attorneys?

A: Understanding the scope of this problem and how it will impact your life. There is an age-old problem that the three of us have dealt with for years, which is that victims won't come forward. There is a sense there is nothing government will do for them. That they would be further victimized, that law enforcement would come in and cart off their computers, that they would suffer public reputational damage if it was found out. We need to move this from the area of cyber intrusions being some special sexy kind of thing, but more like bank robberies in Los Angeles. There were many bank robberies in Los Angeles, but people kept using the banks.

A: There has been dramatic progress in how law enforcement addresses these issues. We are doing much better on not victimizing victims. There were big cases before I got there, a Citibank case ???? (42:15) ??? there were stories early on when the FBI came in and in order to preserve the data we seized the computers. We fixed that right away. We didn't keep repeating that, although the stories continue. We also stopped naming the victims so often. Working with the private sector better. The other issue, a Cuckoo's Egg issue back to Clifford Stoll, where someone says there has been a victimization and you ask how much the damage is and its neglible, 75 cents, you hang up and laugh. (Gar-note: Clifford really did report that someone had used 75 cents of computer time, and then had changed the logs to hide it.) The damage is not obvious, but the threat to infrastructure represented by these intrusions are real. You don't have to wait for a big dollar loss to take an attack seriously. The third area of change is taking information IN THE COURSE Of the investigation, and using that information to help protect victims while the case is still active. Back in the NIPC days, we would literally get on a stage and tell private sector what we knew while proceeding with the investigation. I hear all the time that the FBI wants to keep the problem happening so they can monitor the crime and don't care about the victim. We've done a better job helping law enforcement provide value to the Net Defender while we are proceding against the adversaries.

Q: When we first started, every FBI dude would stand up and say "I don't really understand these computers, I have to ask my granddaughter to help me ..." and every FBI dude would get up and start the pitch that way - but I remember the first time I heard Steve with Kim Perretti talk and realize they really get this stuff.

A: We started really hiring towards this hiring pool. In the 90s we hired attorneys and CPAs for the agent role, but then over time began hiring very brilliant people, who work for major companies patriotic people who sometimes take a cut of 2/3rds of their salaries. We created a career path oriented towards cyber, with 30 unique courses that are evaluated constantly to make sure they are timely.

A: In dealing the victims, we only identified in the Mitnick case the victims by their initials. Bloomberg had a hacker try to extort them, and he came to the FBI and said "screw them, I want to send the message that you can't come threaten me like this." Bloomberg met the guy in London with $250,000 with two of his colleagues who were actually a Metropolitan Police officer and an FBI agent who proceeded to lock up these two Kazikstanis and bring them back to New York. (See: Zezov case for details)


Q&A Session