The Internet is Not the Wild West

Because there’s no Sheriff, no Posse, and the Bad Guys pretty much Always get Away

Joe Turner
May 28, 2014

Comparisons between the ‘Wild West’ and the Internet used to get more ink: I think recent trends in CNO/CNE, mobile device security, and the new garden varieties of cyber crime effectively put a nail in that dusty metaphoric coffin back in ’99 or so. But let’s resurrect the throwback reference briefly if only so that we can measure it for a pine suit and lower it back 6 feet under (yes, the hokey references will continue throughout).

I’m by no means a cyber security expert. I’m neither a code writer, nor am I technically adept at network protocols, the intricacies of SSL drive-by infections, MD5 algorithms, and the like. What I am pretty familiar with is the cyber crime scene. I’ve assisted and counseled defrauded victims, worked network intrusion, defacement events, data exfiltration, and extortion investigations. I’ve debriefed people who have seen their identity effervesce into cyberspace and talked to companies who know the money is gone and that they probably could have prevented it. Binary splatter patterns. Digital fingerprints. And let’s not forget TOR networks and non-attribution hop points: the cyber criminal’s leather gloves and bandana mask.

Way before the Governator, Yul had the freaky run-amok cyborg thing down.

The Short Arm of the Law

What I haven’t done is help prosecute a lot of cyber crimes. That could just be a personal failure, but I likewise haven’t seen a lot of my colleagues and partner agencies succeed in this, in terms of complaint-to-prosecution metrics—not routinely at least. In fact, except for law enforcement’s laudable albeit technically hamstrung efforts at deterring child pornography through ICAC programs, I’d say in this Saturday matinee, the bandits are robbing the mail train daily, in both directions, and the clerk with the visor and the sleeve ties doesn’t even bother locking the safe anymore because he’s sick of watching it get dynamited.

Ok, maybe that’s a stretch, but let me illuminate the situation — from a homeland security perspective — using a conversation I had recently with an educated non-expert who was trying to understand what was being done about this cyber crime wave. Here’s how I laid it out:

Help me mister, I’ve been robbed!

If your computer gets hacked, you (meaning private person or business) generally have to sustain a demonstrable loss before law enforcement (LE) will even accept a complaint (virtual breaking and entering doesn’t count — it’s gotta involve burglary). If you call local LE, they will usually refer you to the FBI or, if it’s a crime involving banking or credit cards, perhaps the Secret Service. If you call your local FBI, they will ask for some basics, and, assuming you haven’t lost over, say, $100,000 (depends on your Assistant U.S. Attorney’s case docket and thresholds), they’ll refer you to their cyber crime intake point: the Internet Crime Complaint Center (IC3).

But they didn’t collect stats in Tombstone!!

Why look Ma, it’s web based! The Internet is, after all, just where you wanted to air your dirty digital laundry after having sustained a loss through the web! You dutifully record all the salacious and embarrassing details of your personal tragedy on an IC3 web form and wait for the phone to ring. It doesn’t. It won’t. IC3 is a clearinghouse for cyber crimes. Though administered by the FBI, IC3 “does not conduct investigations” and “cannot guarantee that your complaint will be investigated.” Essentially, they provide a repository for the FBI (primarily) and other agencies granted access to cherry pick cases they deem of interest. And to glean your information for statistical purposes (i.e. more or fewer complaints, average value of loss, etc…) and request additional funding from Congress to help them help you further of course. Um, Wyatt Earp didn’t draft bar charts folks, he delivered justice.

Get ‘em slim!

As the feds have been no help, you turn in desperation to your state agencies. They refer you to…the attorney general’s consumer fraud department perhaps. Or if you’re lucky, your tech-savvy state has established some type of assistance center. They’ll tell you to re-image your machine, always use a firewall and anti-virus, check your credit report, and maybe recommend you seek professional assistance. More run around. Far from a ‘Don’t fret Ma’am — we’ll git yer silver back from those scoundrels!’ you’ll likely not even hear the cautious suggestion that your money or your identity might be returned/secured or the perpetrator punished. More likely, you’ll be not too subtly informed that maybe you’re somewhat to blame because you didn’t take sufficient precautions. If you grow desperate, you’ll be chastised for being unreasonable or overly demanding for assistance.

$500 reward? Dead or Alive?

We may want them, but we ain’t gonna get them.

You see, what these agencies know but don’t like to concede is that even if they could find out who robbed you (they usually can’t), the Bad and the Ugly are likely sitting in a country disinterested in prosecuting them or with whom your Homeland has no extradition treaty. Their government may, in fact, tolerate or outright encourage their criminal entrepreneurialism as a trade balance equalizer and anti-America spectacle of technical virility to be celebrated. Think Mexican Federales actively supporting Billy the Kid.

Even if the perpetrator is domestic, any cyber bandit worth their salt will be sufficiently anonymized to carry their loot back to Smuggler’s Cave without fear of being digitally tracked by Tonto and Kemosabe. I’d point to the collective response, official impotence, and criminal success (and estimated $30 Million take in 100 days!) in dealing with Cryptolocker from fall 2013 through the winter as a strong indication of how the technically savvy can now extort you in the sanctity of your own domicile without credible fear of the guys in white. The writing’s on the wall.

Let’s round up a posse!

They robbed your bank account? Credit card numbers hacked from Target or Neiman Marcus? Grab your scatter gun Hoss — let’s tar & feather them! Or, maybe let’s just sustain the loss and get you a new card number, hmmm?? In the cyber Cheyenne, the bank prefers discretion to justice. Call the FBI? Why, they’ll just bust in here and book my servers into evidence for a crime they have a snowball’s chance at solving. Or even if they do, they’ll never draw a long enough lasso to throw around the 22 year-old hacker in Minsk. (How do you spell ‘low down good for nothing varmint’ in Cyrillic?) You, the victimized, are placated with return of your funds. The bank, credit card company, or business writes off the loss rather than sustain the bad publicity or intrusion of a fruitless investigation, the network is patched, future countermeasures instituted, apologies delivered, and the bad guys get away clean. Justice is a relative term when Internet-based profit margins are tallied. There is no High Noon. The hangman’s noose swings forlorn.

So Whatcha Suggest We DO then Mister?

Share your misery. If there is an aphorism that plays equally well in this digital Deadwood as in the tactile realm, it’s that knowledge is power. In the absence of a viable enforcement deterrent, collective security enhancement through real-time information exchange of tactics, techniques, exploits, and malicious code is the only way we can make this rugged frontier a safer place. I’m not talking about traffic logs to your vendor. If McAfee and Symantec collect this info, they use it to improve their individual products— not everyone’s IDS/firewall/anti-virus. ISACs help, but they’re sector specific. We need an umbrella solution.

Rather than secure individual networks, we need to embrace and enhance our domestic network of networks, creating the tide that will raise all our boats. We need federal sponsorship, secure sharing platforms, expertise…lawyers, guns, and money. We’ll need realistic incentives or, in their absence, new regulations to ensure everyone circles their wagons. It won’t be quick and simple. It won’t be painless and cheap. But if we want to ride into that cathode sunset of our glowing LCD screens with our heads held high rather than horseless, shirtless, penniless, and clueless, we better start learning to work together. Fence mending and community resilience worked in 1880. It can work again.
