McAlexander on Fri, 26 Apr 2002 20:22:01 +0200 (CEST)



[Nettime-bold] Study shows FBI Alienates Industry Security Experts


Study Shows: FBI Alienates Industry Security Experts 
L. Taylor - August 21, 2000 
(The original article may be found on TechnologyEvaluation.Com.) 

Problem 

Fighting cybercrime is complex and time-consuming. One case can involve
a multitude of computer systems, networks, and administrators, and
requires the cooperation of all system owners, and sometimes many
nations, in order to find the perpetrator. Due to their love of
technology, their education, training, and experience, it is not
uncommon for security industry professionals to be far more qualified
and adept at resolving cybercrime than law enforcement. 

Though the FBI thrives on reaping assistance from industry security
professionals, many industry security experts are reluctant to help the
Federal law enforcement agency when it comes to cybercrime. Though it
makes it a lot more difficult for the FBI to track cybercriminals
without the help and cooperation of private industry, savvy security
experts are not lining up to help. This lack of respect that industry
professionals have for the FBI results in cases taking longer to crack,
and many going unresolved. It also often leaves the Department of
Justice looking like a three-ring circus. 

Background 

Typically, when the FBI requests assistance from a security
professional, the kind of assistance they require is extensive, which is
to be expected, given the circumstances. They need to understand the
network topologies, the systems affected, the points of entry, and need
to locate, collect, and analyze all the corresponding log files. All
this data gathering and analysis takes time. 

Private industry exists in order to create revenue. In this burgeoning
Internet economy, information technology resources are scarce. Inside of
that IT circle, information security resources are still more scarce.
Taking time out from daily security duties to assist the FBI in a case
that may not have directly impacted their own company's bottom line can
actually end up costing a company a significant amount of lost revenue.
It's often more cost effective to tell law enforcement, "No, no logs on
any of our systems that would be useful to you" than spend hours, days,
or weeks, combing through log files, systems, and backup tapes, only to
hand them over to a law enforcement agency that in many cases does not
know what to do with them. 

Unless log files have been subpoenaed, and therefore must be turned over
as evidence, there is often no return on investment when a company
spends hours combing through log files for data that may or may not be
helpful or appreciated. 

It is not unusual for a company to charge $200 an hour for security
consulting services. If a security consultant spends a whole day
assisting an FBI agent, this can amount to $1600.00 a day in lost
revenue for the consultant's employer. For a service provider, a day
without a security engineer can also open them up to potential lawsuits,
lost customers, and lost future revenue streams. In short, it costs
companies exorbitant amounts of money to assist the FBI. Because
companies allocate resources to assisting the FBI and other law
enforcement agencies, they need to have this "free consulting" respected
and rewarded. In the course of our study, we communicated with a
wide selection of industry security experts from around the country.
Some of these experts are ex-FBI employees. In doing so, we would like
to retell some of the experiences that have been communicated to us, and
would like to share certain trends that we have identified that seem to
hamper the cybercrime investigation process. 

Why We Don't Help the FBI 

Case 1: A Security Director at a well-known Internet company was plagued
with some serious domain hijacking problems. Domain hijacking is when
someone who does not own the dot-com name takes it over through
technical DNS manipulations, and uses it for their own, sometimes
subversive, purposes. In essence, this is kidnapping a domain name. This
Director spent a significant amount of time and resources identifying
the perpetrator of the attacks, down to documenting the name, address,
and phone number. This information was turned over to the FBI's
Washington, D.C. headquarters office to investigate.

The Director justified the case by presenting a considerable amount of
evidence that supported $2-3 million worth of damages. The domain that
was hijacked was a very well known and lucrative domain name. A week
after the incident, the Director met with the FBI and submitted the
initial report. In the next 9 months, the only thing he heard was that
according to the FBI agents, the work the director's team had done saved
the FBI several months of time. The information in the Incident Report
submitted to the FBI included the suspect's name, address, parent's
names, and almost everything required to obtain a timely prosecution. 

After nine months, someone from the FBI contacted the Director, asking
him to re-submit the report, telling him that the report needed to be
submitted in person. (The Director had submitted the report in person
nine months earlier in the initial meeting.) The FBI agent said he would
come to the Director's facility to pick up the report. The Director was
waiting for the agent with yet another copy of this same Security
Incident Report. 

When this FBI agent arrived, he already had the report in his hands (due
to the in-person submission nine months earlier). He handed it to the
Director, and then said, "Now I need you to give it back to me so I can
testify that you submitted this report in person." The FBI agent handed
the report that the Director had written nine months previously back to
him, and instructed the Director to now give it back to the FBI agent.
The FBI agent then thanked the Director and said that now the FBI could
begin looking into the case. As of June 2000, the Director has still not
heard anything back from the FBI. 

Questions that come to mind are the following:

- Why is the FBI not willing to receive reports from the public and
  private sector electronically? The likely reason is that they do not
  use strong encryption and therefore cannot adequately authenticate the
  original document owner.
- After spending an enormous amount of time and resources identifying
  the perpetrator, why was this Director not contacted for 9 months?
  Typically, professionals who take the time to submit detailed reports
  are interested in seeing a case come to closure.
- Was the case even investigated? Not to the Director's knowledge.
- Was the case documented in an Incident Tracking Database?
- Were charges pressed? Was anyone prosecuted? Not according to the
  Director.
- Is this perpetrator now hijacking other domain names?

The Director has told TEC that he will not be taking the time to
research and hand over evidence to the FBI in future incidents. His
perception is that, "The FBI is woefully under-equipped."

In the IT world, things happen quickly - this includes engineering
developments and security breaches. The IT sector cannot afford to play
bureaucratic reporting games to the FBI that in the long run produce no
results. The FBI needs to be digitally equipped to securely accept
information sent to them electronically. A trend that we noticed in
talking to information security experts is that the wheels of justice
are very slow. 

Case 2: An Internet dot-org group (a non-profit Internet company) that
was being managed by security experts was trying to assist the FBI in
the February 9th distributed denial of service attacks. They went
through the trouble of putting up a private link, just for the purpose
of providing information and evidence to the FBI. They provided the FBI
with IRC chat logs, and names and contact information of people who had
actually confessed to participating in the crime. The dot-org group said
that the FBI chose to not even access the link with the details of the
crime. 

Questions that come to mind are the following:

- Why did the FBI choose not to access the electronic evidence?
- Was the information entered into an Incident Response Database?
- Has the perpetrator been instigating new denial of service attacks?

Looking at Cases 1 and 2, we may surmise that if evidence is not
presented in person, the FBI is not interested in reviewing it.

Case 3: An Internet dot-org group identified multiple perpetrators of
web-site defacement - digital graffiti. They presented this information
to the FBI, and never heard anything back. 

Questions that come to mind are the following:

- Was the information entered into an Incident Response Database?
- Was the case even investigated?
- Has the perpetrator been defacing more web-sites?

Case 4: A seasoned security professional became aware that his name was
included on a database of "well-known hackers" that was later sold to
the FBI by a competitor. The security professional has never engaged in
unethical hacking activities, and feels that his name was libelously and
inappropriately included in this database of "well-known hackers" for
spiteful, competitive reasons. Since the FBI purchased this database
that was established without verification, the security professional
feels that the FBI in conjunction with the begrudging competitor, may
have potentially damaged his professional reputation. In light of this
transgression, the security professional is no longer interested in
assisting the FBI. 

Questions that come to mind are the following:

- How can a professional find out if his/her name is being erroneously
  catalogued in an FBI database?
- What sort of verification processes does the FBI use when purchasing
  non-qualified information?
- What other kinds of non-qualified information of criminal activity
  does the FBI purchase?

Case 5: A security expert spent an enormous amount of time doing
forensic work and analysis in tracking down a well-publicized hacking
incident. The information was reported to the FBI, only to have the FBI
take credit for doing the expert analysis, while never paying a cent for
consulting services. 

Case 6: A security contractor who was working for a federal agency had
the website that he was administering defaced by a cyber vandal. Instead
of helping him identify the perpetrator, the FBI questioned him for
hours, suggesting that a colleague of his had participated in the
incident. Although it was never proven, the FBI insisted there had been
some sort of duplicity on the contractor's part, insinuating that he
himself was somehow involved in the crime in question. The real
perpetrator was never identified, and the security contractor no longer
wants any association with the FBI. 

Case 7: A well-known ISP refuses to install the "Carnivore" surveillance
tracking device citing implementation and administration issues. 

Questions that come to mind are the following:

- Why doesn't the FBI realize that asking one entity to invade the
  privacy of others does not usually build relationships or trust? Most
  ISPs have contractual privacy agreements with their customers that
  they must abide by. Installing a device such as the Carnivore would in
  many cases be a breach of customer contractual agreements.
- If the FBI wants an ISP to perform some sort of service for them, why
  are they not willing to become a legitimate paying customer and pay
  for implementation, administration, and overhead costs?

Inside the FBI 

One security professional told us that he found it easy to work with the
FBI, but conceded that he did this by circumventing the bureaucratic
processes and accessing resources through back doors at very high
levels. He went on to say that the FBI's cybercrime task force is
clearly under-equipped. 

The FBI does not always do a good job of "marketing" what it does well.
Naturally, bad news always receives more attention in the press than
good news. Our research has indicated that one thing that the FBI does
well is investigate cyberpedophilia. Though many incidents of
cyberpedophilia go unreported, of the cases that are reported, the FBI
has an impressive track record of apprehending the perpetrators most of
the time. Almost all cyberpedophilia arrests lead to people going to
jail. The FBI (and U.S. Customs) prosecutions in this area have
approximately a 99% success rate.[1] Keeping America's children safe is
an initiative that an overwhelming majority of security professionals
support, and they are often eager to help in this area.

[1] Source: Parent's Guide to Protecting Your Children in Cyberspace, by
Parry Aftab 

Recommendations for Resolution 

- If the FBI requires the assistance of private industry to conduct
  investigations, they should pay for it like everyone else. Providing
  free services to Federal agencies is not something that businesses
  are set up to do. Managing security incidents is a business. If the
  FBI needs to outsource, they should be paying for this service. If
  the FBI pays for the necessary IT services they require, they will
  likely see a resounding change in the willingness of information
  security professionals to assist them. The FBI does not manage
  incidents - they investigate and prosecute suspects that may cause
  such incidents.
- The FBI needs to start giving credit where it is due. If an industry
  professional does all the leg work in tracking down a cybercriminal
  for free, they should be credited appropriately for their expert
  analysis and the time they contribute. Begging others for clues, and
  then taking the technology credits for the expert analysis done by
  someone else, does not go over well with industry professionals.
- Industry professionals who understand information security also
  understand technology privacy implications more than most people.
  They are somewhat leery of involving government agencies in general
  due to the belief that in the future, true privacy will be available
  only for those with the privilege of a technology education.
- Lawmakers need to understand technology in order to regulate it. Most
  lawmakers and Federal agencies are, to a large degree, technology
  illiterate. Knowledge helps one gain respect. Law enforcement needs
  to build productive relationships with America's IT security
  community to better increase their knowledge base.
- Our research indicates that the metropolitan FBI offices are fighting
  and managing cybercrime somewhat independently of each other, each
  having their own processes for investigations. These processes need
  to be standardized across all FBI offices in order for the FBI to
  become truly effective. Private industry needs to understand the
  investigation process in order to provide better assistance. A former
  employee of the FBI commented that the FBI cybercrime unit is
  surprisingly decentralized.
- On occasion, when private industry has proactively sought out the FBI
  for assistance, it has been reported that various FBI offices seem
  uninterested in assisting private industry - an attitude that has an
  off-putting effect. If an information security engineer has had a
  previous experience where the FBI has shown no interest in providing
  assistance, the FBI can expect a similar attitude from the
  information security engineer in the future.

_______________________________________________
Nettime-bold mailing list
Nettime-bold@nettime.org
http://amsterdam.nettime.org/cgi-bin/mailman/listinfo/nettime-bold