Please enter your email below to subscribe
More than 25 years ago, I attended a training session for police officers learning to investigate computer crimes. The internet was new, bulletin boards were the rage and hacking was mostly an ego-driven activity. The instructor described a realistic crime scenario and advised the attendees that key evidence was on the hard drive of the computer assigned to them. With only minimal clues about what to look for, and instructions not to speak with each other, the exercise began and the officers commenced examining their hard drives with the tools available at that time.
After about 10 minutes of dead silence, except for the clicking of keyboards and muttered oaths, the instructor asked everyone to pause. He then said, “That’s why the bad guys are so far out in front of us.” No one, including me, understood his point. But, at the front of the room was a huge blackboard that was completely blank. The instructor added, “Hackers would have filled this board with comments about what they did and did not find. I told you not to speak to each other. I did not say not to communicate.” Fortunately, since I was there as a legal instructor on computer crime issues, I could smugly pretend he was not including me in his comment.
The point was well taken. Law enforcement and the “good guys” in general, tend to be protective and isolationist in their approach to computer security problems. Intruders, who are inherently more aggressive in attitude, have historically cooperated, albeit often loosely and informally. In the intervening years the computer security landscape has changed dramatically and intruders are far more diverse and well-organized. Certainly, the damage computer intrusions have caused to private citizens, businesses and governments is exponentially greater.
But perhaps there is a ray of sunshine amid the gloom. The good guys are learning to share.
The United States Senate recently passed theCybersecurity Information Sharing Act which takes an indirect approach to cybersecurity. Rather than attempt to impose cybersecurity standards as prior bills attempted, this one protects companies from liability for sharing otherwise confidential information about security breaches. Although some critics have alleged the bill could have an adverse impact on consumer privacy, the general idea that we must create an environment in which the good guys are encouraged to cooperate with each other and with the government without fear of violating the law.
The financial services industry has created the Financial Services Information Sharing Analysis Center as a means of working together to enhance their cybersecurity. Even some of their law firms are getting into the cooperative spirit. Some of the largest law firms that represent financial institutions have announced that they are trying to create a vehicle for sharing information with each other concerning the cyber vulnerabilities of their clients.
Sharing is critical. There is no reason for victims and intended victims to learn the same lessons independently. Information on attack vendors and defenses that failed and succeeded must be shared as much as legally possible to enhance our common defense. The routine exposure of the personal records of millions of Americans and the continuing loss of corporate research and trade secrets demands nothing less.
Kenneth C. Citarella is senior managing director for the Investigations and Cyber Forensics practice at Guidepost Solutions LLC. He has more than 30 years of experience investigating and prosecuting white collar crime and computer crime.