Monday, July 18, 2005

Stiennon on Enforcement

Richard Stiennon's blog makes a great point today. He says

"The entire IT security market is focused on protections. This is great as more and more protections by default are deployed. But I believe that enforcement actions must be taken as well. There is some sign that cooperation between enforcement agencies in the UK, Israel, and Russia has been effective. The most important was the breaking up of a ring of cyber-extortionists in 2003 that dramatically slowed the number of DDOS incidents.

As it will be a while before prosperity finds its way to every corner of the globe it is imperative that law enforcement agencies start working together to track down and jail cyber criminals now."

He is completely correct. Remember the risk equation: Risk = Threat x Vulnerability x Cost (of asset). We security practitioners (and our clients) can only really influence the vulnerability aspect of the equation. We can't usually decrease the value of an asset, either. Only those in law enforcement or the military can take direct action against threats. The only real way to eliminate risk is to eliminate the threat. No amount of countermeasures can remove all vulnerabilities and keep a determined adversary from exploiting a target. Making the threat go to zero is the only way to make risk go to zero.

Stiennon also points out a fascinating Privacy Rights Clearinghouse chronology of data breaches since the ChoicePoint incident.

1 comment:

Joe Stewart said...

I completely agree. I think there is a fundamental flaw in the way law enforcement approaches cybercrime; that is, they wait for a large company to complain that they lost X thousands of dollars due to hacking/malware and only then will they open an investigation. Most of the time companies are not going to report an outbreak of Mytob or other worms/viruses, so nothing happens on the investigative front. Meanwhile, the situation for everyone gets worse. The cybercriminals certainly see that there are very few prosecutions (and therefore nothing to fear), and the ones we do hear about are most often due to an informant (as in the Sven Jaschan case) or a "clueless-kid" mistake like tagging your release with your domain which is registered with your home address (such as Jeffrey Parson).

There needs to be a law-enforcement task force actively searching for those who write and release malware in the wild, and they should start at the top of the food chain - the ones who are doing it for profit. Oftentimes, through various clues left in the binary and information shared among researchers, we find out the real identity of various malware authors. Yet not a single one of these cases we have passed along has been seriously investigated by law enforcement. This seems to be because no large company has come forward and complained that they lost substantial money due to this malware. Meanwhile these miscreants are free to continue releasing variant after variant, improving their skills and causing increasing damage worldwide. Whatever happened to protecting the public?