Over the past few years, the number of crimes involving computers and the Internet has exploded. Given the technological nature of these crimes, some unique challenges are involved in tracking down the perpetrators. For instance, cyber criminals often use secure software to remain anonymous – and even if they’re identified, their activities can be based in countries that don’t prosecute such activity. As a result, catching them requires technically trained investigators, who must coordinate with international partners, using a blend of high-tech and low-tech tactics.
Chris Painter is deputy chief of the Computer Crime and Intellectual Property Section of the U.S. Department of Justice. He oversees a team of 22 lawyers involved in all aspects of computer crime, from denial-of-service attacks to attacks on computer networks. Recently, he shared some insights into computer crime and how the criminals are caught.
Technology Review: How are computer crimes changing? Has any one type of crime become more prevalent than others?
Chris Painter: When I started doing this, society wasn’t as dependent on computers and computer networks as it is now. The kind of attacks we saw were more singular – they used to be the result of lone gunmen, if you will, who were more interested in doing it to show they could. But more and more we are seeing a couple things. One is a merger between the criminal groups – the groups who were using the Internet as a new tool to reach new victims – and the more sophisticated hackers. What that means is that these kinds of hacking attacks are more and more done for a monetary motive. And we’ve also seen the rise of organized criminal groups. There have been some examples recently where organized criminal groups were hacking into systems and then extorting companies.
TR: How is the technology used by these criminals changing?
CP: The kinds of technology they’re often using are meant to hide their identities, by using proxy servers, secure websites, or by routing their communications through several different countries – which is why it’s so important for us to work internationally. But they’re also coming up with new ways of invading people’s computers and taking advantage of new vulnerabilities.
If you look at the development of “botnets” [software robots that run autonomously, usually for stealing private information], they’ve become much more sophisticated over time, and this is true of “phishing” [in which a criminal impersonates a legitimate party and tricks a user into sharing private information over the Internet]. So when the criminals see a law enforcement response, or even a preventative response, they just adjust their methodology. The thing that’s a little different, I think, is that you don’t have to be a very sophisticated person now to use these sophisticated tools. It used to be that only the cleverest hackers had access to these tools, but now they can spread them around pretty quickly, and people without much sophistication can use them, and in fact often do to launch attacks.
TR: How do you catch these criminals? What sort of technologies do you use?
CP: Almost anything you can think of. For the Shadowcrew case [a massive identity and credit-card trafficking network], we did an undercover operation. That is one of our tools to get inside these various groups. Another thing we do is to get court orders and trace communications when we see attacks coming in. It’s every investigative technique you can think of. And it’s not just electronic ones. One of the good things – if it’s a good thing – about money being more of the motivation, is that you also have a monetary trail. So the traditional gumshoe methods come into play. So it’s not exclusively following the electronic footprints, it’s pairing that up with good old-fashioned investigations, interviews, and so on, and tracing money that leads to some of the culprits.
TR: Once you catch these criminals, what are the penalties?
CP: In the U.S., the penalties have increased fairly significantly over the years. They’re being driven largely by monetary damages, so I think there have been a number of significant sentences. We’ve certainly moved away from where it was when I started doing this, when a lot of times computer criminals were looking at, at least in their view, a slap on the wrist or probation. They’re now actually getting real jail time – and sometimes significantly long sentences.
TR: Could you give me an example?
CP: There was a case in North Carolina, the Lowe’s computer intrusion case. The attackers were getting into the Lowe’s stores through their wireless connection and basically stealing credit-card information and financial data. We did an operation in which we were able to triangulate on the people, find them, identify them, and identify what they were taking about. The ring leader got a sentence of seven or eight years. The longest sentence before that was Kevin Mitnick [a former hacker who now owns a security company], who got five years.
Something that’s very important for us to emphasize is to change the perception that there aren’t any consequences for the people who do these things. It’s just like any other type of crime.
TR: Say, as an individual, you find out that someone has used your bank account to purchase spamming software. What do you do? Should you report this sort of crime. And to whom?
CP: The FBI has set up the Internet Crime Complaint Center, called “IC3,” and one of the things it does is take complaints and try to aggregate those complaints. It’s seldom the case that someone is the sole victim of one these crimes, and if you start looking at the cases systematically and putting together who these victims are, it’s a much larger course of conduct. That’s something that IC3 is supposed to do: aggregate the data, and then get law enforcement interested in it.
TR: What do you see in the future of cybercrime fighting?
CP: We need to continue to work on an integrated response to this. I don’t anticipate cyber crime really decreasing. I anticipate that as new technologies are developed there are going to be continued attacks. As we get more secure implementations in the Internet and other protocols, it will help. But people are going to continue to commit these types of crimes and we’re going to need to respond to them. The key things for us are making sure we have strong international partnerships – not just among law enforcement, which I think we’ve done a good job at, but also having a unified response, so the law enforcement people who do these investigations are working with the technical people and companies. One of the things I have been preaching is getting the technical community and law enforcement community really talking to each other quite a bit.