In the United States, conventional law enforcement policies and tactics do a decent job catching conventional criminals.
In cyberspace, those same policies are outdated and don’t keep pace with the technology evolution, according to some law enforcement experts.
Major government networks and private sector companies were breached in 2014, and many of these offenses have thus far gone unpunished. It's no surprise that organizations that "get owned" would come to an unfortunate conclusion: Victims get blamed for porous security, criminals profit and, if large amounts of cash have swapped hands, financial institutions absorb the damage and pass those fees onto their customers.
“Cybersecurity seems to be the only crime where you blame the victim,” said Frank Cilluffo, associate vice president and director of the Homeland Security Policy Institute. Cilluffo was one of several experts speaking at a Bloomberg cybersecurity event in Washington, D.C., on Tuesday.
“The reality is, we’ve got to level the playing field one way or another," said Cilluffo. "Companies are dealing with nation states' advanced persistent threats."
He added that intellectual theft by Chinese nationals elevates cyber to a national security issue.
“We’re losing jobs,” he said. “Companies are paying the price for believed or perceived threats from other countries. We need to change that.”
Evidence Doesn’t Guarantee Justice
On the Internet, everything happens at the speed of light. When a hacker in China or Russia digitally unloads a U.S. bank account, the cash doesn’t take four to six business days to arrive. While digital crimes happen instantaneously, any hope of resolution depends on a number of factors.
Cyberattacks can be complex. Many hackers use botnets or program “zombie computers” to do their bidding, said Sen. Sheldon Whitehouse,bD-R.I., who also spoke at the event. Unravelling the pieces of a sophisticated cyberattack can be costly and time consuming. The prospects of catching a criminal dwindle if a criminal appears to be overseas, where jurisdictional problems arise.
Even under the broad criminal authority of the Justice Department, catching big-time cyber criminals is a complex, often fruitless process.
“The biggest challenge in cybersecurity from the criminal perspective is that even if you know who they are and have evidence against them, you might not get your hands on them,” said Leslie Caldwell, assistant attorney general for the Justice Department’s Criminal Division.
Caldwell also expressed unease regarding tech companies’ use of encryption on products like mobile devices to protect customers’ personal information. Such encryption would make it far more challenging for law enforcement to, for example, comb through a suspect’s personal device in search of evidence.
“We really need to think long and hard about whether we want to create a zone of lawlessness where law enforcement can’t go,” Caldwell said. “It doesn’t seem right they could be able to do that – where law enforcement with a search warrant couldn’t get information. It could affect investigations going forward in a very negative way.”
Unlike forms of conventional crime – theft, assault, murder and others – humanity hasn’t had thousands of years to figure out how to respond to crimes in cyberspace.
“This has exploded so rapidly that it surges ahead of what existing structures were set up to handle,” said Whitehouse, who lauded current cyber efforts at the Justice Department. “We’re doing incredibly complex legal work under civil law. The department is doing an increasingly good job blending civil and criminal together. We’re getting better, and trying to get a good sense of shape of the problem and contours and structure of what law enforcement is doing.”
At the conference, Symantec Chief Executive Officer Michael Brown remarked that, “2013 was the year of the megabreach” -- before noting that 2014 “was much worse.”
The playing field in cyberspace still tips in favor of criminals who make use of the same disruptive technologies private industry and government have adopted.
As Joe Demarest, assistant director of the FBI’s Cyber Division, said: “[Cyber criminals] just have to get lucky once. We have to defend 100 percent of the time.”