TR: How do you catch these criminals? What sort of technologies do you use?
CP: Almost anything you can think of. For the Shadowcrew case [a massive identity and credit-card trafficking network], we did an undercover operation. That is one of our tools to get inside these various groups. Another thing we do is to get court orders and trace communications when we see attacks coming in. It’s every investigative technique you can think of. And it’s not just electronic ones. One of the good things – if it’s a good thing – about money being more of the motivation, is that you also have a monetary trail. So the traditional gumshoe methods come into play. So it’s not exclusively following the electronic footprints, it’s pairing that up with good old-fashioned investigations, interviews, and so on, and tracing money that leads to some of the culprits.
TR: Once you catch these criminals, what are the penalties?
CP: In the U.S., the penalties have increased fairly significantly over the years. They’re being driven largely by monetary damages, so I think there have been a number of significant sentences. We’ve certainly moved away from where it was when I started doing this, when a lot of times computer criminals were looking at, at least in their view, a slap on the wrist or probation. They’re now actually getting real jail time – and sometimes significantly long sentences.
TR: Could you give me an example?
CP: There was a case in North Carolina, the Lowe’s computer intrusion case. The attackers were getting into the Lowe’s stores through their wireless connection and basically stealing credit-card information and financial data. We did an operation in which we were able to triangulate on the people, find them, identify them, and identify what they were taking about. The ring leader got a sentence of seven or eight years. The longest sentence before that was Kevin Mitnick [a former hacker who now owns a security company], who got five years.
Something that’s very important for us to emphasize is to change the perception that there aren’t any consequences for the people who do these things. It’s just like any other type of crime.
TR: Say, as an individual, you find out that someone has used your bank account to purchase spamming software. What do you do? Should you report this sort of crime? And to whom?
CP: The FBI has set up the Internet Crime Complaint Center, called “IC3,” and one of the things it does is take complaints and try to aggregate those complaints. It’s seldom the case that someone is the sole victim of one of these crimes, and if you start looking at the cases systematically and putting together who these victims are, it’s a much larger course of conduct. That’s something that IC3 is supposed to do: aggregate the data, and then get law enforcement interested in it.
TR: What do you see in the future of cybercrime fighting?
CP: We need to continue to work on an integrated response to this. I don’t anticipate cyber crime really decreasing. I anticipate that as new technologies are developed there are going to be continued attacks. As we get more secure implementations in the Internet and other protocols, it will help. But people are going to continue to commit these types of crimes and we’re going to need to respond to them. The key things for us are making sure we have strong international partnerships – not just among law enforcement, which I think we’ve done a good job at, but also having a unified response, so the law enforcement people who do these investigations are working with the technical people and companies. One of the things I have been preaching is getting the technical community and law enforcement community really talking to each other quite a bit.