On July 19, 2011, FBI agents in nine states rounded up 14 men and two women ranging in age from 21 to 36 for their alleged involvement with the international hacking group Anonymous. Fourteen of these individuals were arrested for allegedly plotting and executing a distributed denial of service (DDoS) attack in December 2010 that took down PayPal's Website.
The two other individuals arrested in the sting, both 21, were indicted for separate hacking incidents: one against the Tampa Bay, Fla. InfraGard chapter's Website (InfraGard is an FBI-sponsored public-private partnership devoted to critical infrastructure protection); the other for allegedly hacking into AT&T's systems, stealing thousands of confidential documents and files containing the company's plans for its 4G data and mobile broadband networks, and for posting that information on public file sharing site Fileape.com.
Two months later, on September 22, FBI agents in Los Angeles took a member of LulzSec, an offshoot of Anonymous, into custody for his alleged involvement in a high-profile hack against Sony Pictures in late May and early June. Meanwhile, in San Jose, a federal grand jury brought two men associated with the Peoples Liberation Front hacking group up on charges related to their alleged participation in a DDoS attack that took down Santa Cruz County's Website on December 16, 2010.
These arrests and indictments are part of a broader effort by law enforcement officials to crack down on cybercrime, which costs organizations anywhere from $1 million to $52 million dollars, according to the FBI. The average cost of a data breach to organizations reached $7.2 million in 2010, according to the Ponemon Institute. The security and privacy research organization noted that in 2010, data breaches cost companies an average of $214 per compromised record, and that the costs of data breaches have grown every year since the Institute first began tracking them in 2006.
Whether or not law enforcement has been effective in deterring cybercrime is up for debate. Verizon's 2011 Data Breach Investigations Report suggests that law enforcement has curtailed some activity. The report shows that the total number of records compromised through data breaches across the combined caseload of Verizon and the United States Secret Service declined from an all-time high of 361 million records in 2008 to 144 million records in 2009 to 4 million records in 2010. The report attributes the decline to investigations, arrests and prison sentences that law enforcement agencies have made around the world. In 2010, the FBI arrested 202 individuals for criminal intrusions, up from 159 in 2009. Meanwhile, the Secret Service apprehended more than 1,200 suspected cybercriminals last year.
While the Data Breach Investigations Report notes the decline in compromised records, it doesn't declare a victory. In fact, the report indicates there were more data breaches in 2010 than in previous years; it's just that the amount of data that was compromised in the breaches declined. It also states that after a major investigation or arrest, cybercriminal organizations are quick to change their tactics to evade detection.
Clearly, cybercrime shows no signs of abating, and that's why law enforcement experts interviewed for this story say there's simply no stopping hackers. They say law enforcement officials lack the manpower, training, technical resources and political support necessary to crack down on these crimes. Even when they do successfully prosecute cybercrime cases, the convicted hackers rarely serve maximum sentences, which hardly helps to discourage other people from committing similar crimes.
"We are never going to solve the [cybercrime] problem. We are just trying to keep a lid on it," says Marc Rogers, a former cybercrime investigator in the U.S. and Canada. "We don't even know how many of these activities are going on. We're only aware of a fraction of what's happening. That makes it a very hard problem to deal with."
Here, CIO.com exposes the challenges law enforcement faces in keeping a lid on hackers.
Investigating Hacking Incidents
Marc Rogers has investigated more than 200 cybercrime cases during his 13 year career in law enforcement. In describing how law enforcement officials investigate data breaches, he makes it sound systematic, if not downright easy.
"The first thing to do is to figure out which systems were breached, then it's a matter of putting a time line together, working back from when and where the attack happened to figure out how they [the hackers] came in," he says. "You move from database system to whatever type of security was around it—usually a firewall or intrusion detection system. From there, you work your way to the outside of the organization and ultimately to the telecom carriers these people used to get in."
Eventually, he says, the trail leads to the hacker's computer.
If data breach cases are so straightforward to solve, why can't law enforcement stop them?
For one, law enforcement can't keep up with the volume of computer intrusions, says Eugene Spafford, a professor of computer science at Purdue University. So far this year, the Internet Crime Complaint Center has processed on average 26,588 cybercrime complaints per month, up from an average of 25,000 per month.
Shawn Henry, the FBI's executive assistant director, told attendees at the Information Systems Security Association's international conference in Baltimore last month that "intrusions into corporate networks, personal computers, and government systems are occurring every single day by the thousands."
Cybercrime is so prevalent largely because it's so lucrative. Hacking into retailers' systems to steal customer credit and debit card information made Albert Gonzales, the mastermind behind the TJX and Heartland Payment Systems data breaches, a millionaire. Edwin Pena also enjoyed a lavish lifestyle before the FBI caught up with him for profiting off several VoIP companies' infrastructures. Joshua Holly, who gained notoriety after he hacked into Miley Cyrus's Gmail account and posted racy photos of her online, reportedly earned at least $110,000 for spamming. Not bad for a 21-year-old.
Of course, not every hacker exploits lax corporate IT security for the money. Hacktivists break into corporate and government systems and deface Websites to expose security vulnerabilities, flex their tech muscles, protest perceived fascist political policies or spread anti-establishment agit prop. Sometimes the hacktivists work on the same side as the law, and with great effectiveness, as Anonymous did last month when it took down a child pornography Website and posted the account details of nearly 1600 of its sicko users, according to ArsTechnica.com."If you look at the sheer volume—the number of compromises, record disclosures, bank fraud, identity theft—that are occurring weekly in the U.S. alone, these numbers are at least in the tens of thousands of incidents, if not hundreds of thousands," says Spafford. "When you say you've been seeing an increase in prosecutions, how many is that? 200 or 300 have been visibly reported in the news ... The response has been nowhere near proportional to the need."
Next Page: Resources, prisons, and the social problem...