Why companies don’t call the cops when they get hacked

Posted on 26 February 2011 by


This is what business people imagine will happen when they call the cops after a computer breach.

If you’re a cop, when’s the last time you took a call that a business in your jurisdiction had suffered a cyber breach? For most cops I know, if that day never comes it will be too soon. When I was in the police academy – and this was recently, mind you – the lessons on cybercrime, credit card theft and identity theft were taught perfunctorily, unenthusiastically, and always prefaced with, ‘You’ll never have to deal with this, but. . . ‘ And this was at a good police academy.

At Dave’s academy, 15 years ago, it wasn’t mentioned at all. Since then he’s taken heaps of continuing education classes – he can now make Power Point presentations of how to get along with diverse people and fly while armed, and, to be fair, he has learned about traditional identity theft. From postal inspectors. The kind where someone breaks into your letterbox, steals your personal information and commits mail fraud.

“Tech savvy” has never been a prerequisite for law enforcement, and it isn’t, still.

But it should be.

Cyber-Crime: The Exciting Growth Industry
If you could pick a way to commit the best crime – that is, the crime with the lowest possibility of being caught and prosecuted and the highest probability of getting money out of it, you would pick cyber crime. Sure, you could stick up a gas station and get away with, say, $500 bucks and a great chance of spending the next ten years in and around the criminal justice system.

Or, you could buy yourself a malware-kit and a rent some time on a botnet, harvest you some account credentials and pick up tens of thousands of dollars in a short time. There’s almost no chance you’ll be caught; if caught there’s almost no chance you’ll be prosecuted; if prosecuted there’s almost no chance you’ll get convicted; if convicted there’s almost no chance you’ll get serious time, and if you get serious time there’s almost no chance you’ll have to serve it. Win!

The reason? Cops generally don’t understand cybercrime. We don’t understand the actors, the tools, the targets, the attack vectors, the attack surfaces. We don’t understand the haul – that is, if someone tells us that they got smacked over the head and a guy lifted his wallet, we’re raring to go get the bad guy. But if some poor sap calls and tells us his servers were compromised by a cross-site-scripting attack that led to his CRM databases getting swiped, we’re not exactly sure which form to fill out.

Stop Calling It Cyber-Crime. It’s Crime
Whether it’s on the Internet or in a barn, cops need to know a few things before they investigate a reported crime. They need to know that a crime happened. They need to know where it happened, when it happened, and the most exhausting process of all, they need to know how a crime happened. This is not a cyber thing – stop thinking of cyber-crime as “fancy” and “high-tech” and start thinking of it as “crime”.

I mean, if a guy came into the station and said his house got robbed, you’d first, patiently, explain that he means it was burglarized, and then you’d need to know exactly – and I mean, exactly – how the burglar got in. And what was taken. And what was left behind. The cop would expect, reasonably, an accounting of how much the property was worth, and would likely infer the market for these objects.

Cybercrime is the same thing: who, what, when, where and how; what was taken, what’s it worth? The problem is that all those “w” questions are tough, and the “how” question is sometimes even tougher. Tough for the victim to explain, tough for the cop to understand.

At the BSides San Francisco Conference in early February, I spoke on on the need to bridge the communication gap between information security and law enforcement professionals.

See, in my opinion, this is not a problem of cyber crime – it’s not even a problem of crime. It’s entirely a problem of language and culture: we don’t understand what the victim is telling us. After all, if someone’s car had been stolen and he came into your police department, and all he spoke was Serbo Croat, you’d have the same issues: who, what, when, where, how?

The reception to this concept was ebetter than I would have hoped.

The basic premise of the talk is that both information security professionals and police officers have the same desire to protect the flock. They’re cyber-sheepdogs. I know this to be true for many reasons, but the most telling is that these folks have often chosen to make less money to work not in information technology generally, but in IT security specifically.

I explained to the InfoSec people the following:

  • It’s not that cops don’t care. It’s that they don’t understand you. Most cops will help a victim. Most cops don’t know from a remotely-exploitable stack-based buffer overflow.
  • Small agencies are resource-starved On a local level, cops often don’t have the time, training or resources to help unless they truly understand that a serious crime has been committed. Then they will often try to find the time, training and resources.
  • Large agencies are time-starved Even if you’ve got something that a state or federal agency would find interesting, they must combat their own backlog, and triage the cases they can accept.
  • Cops speak the language of the law For a cop to help, the elements of a crime must be understood; the cop has to explain what he does to his boss, and to a prosecutor, who must explain it to a judge for warrants and to a grand jury for prosecution, and to a jury. If they don’t understand what happened, none of that can happen.

At the same time, cops need to know:

  • Information security people fight criminals every day Most enterprise networks are under siege 24/7, and information security people are constantly under-staffed, under-budgeted and facing a dynamic, always-changing threat landscape. Treating them like colleagues and trusted or at least respected stakeholders is a great idea.
  • Infosec pros can see the damage. They can trace attacks back to “patient-zero” – that is, the place in their network where the attack started. They know the what, the when, and the how. They need help with the who. And they would love show this to the police (and at the same time, you might get a good resource for future cases: someone who can help you understand the realm of the possible in, say, a child porn or computer breach case).
  • Infosec people don’t know what cops need. No one has ever told them. From their perspective, cops are dense, suspicious and unwelcoming people who act as if the information security people are imposing upon them.
  • Infosec people don’t think it’s worth talking to cops. Cops sometimes come in and treat the whole network as a crime scene. No one wants a lobby full of guys in bluie windbreakers or badges around their necks drinking coffee and scaring the locals. Cops need to explain that, if the infosec people can help define the crime scene, the cops can work within the boundaries.
  • Infosec people are used to cops treating them badly. The worst time for both parties is when an Infosec person has a problem and he calls a cop; neither side understands the other, but both sides act as if the other side is holding out. Both parties find a suspicious and somewhat hostile person across the table.This is not conducive to cooperation.

It’s our hope that conversations like the one we started at BSides, and working with groups like FIRST (the Forum for Incident Response and Security Teams), HTCIA (High Tech Crime Investigation Association) and Infragard that we can raise the level of discourse between cops and information security people and work smarter to solve cybercrimes.

What do you think?