The FBI is the country’s top police unit, charged with tackling the biggest problems facing its citizens. Cybercrime, by just about any measure, would fall somewhere near the top of that list of problems. The FBI historically has been ineffective and at times indifferent to all of this. However, there are signs–including the major carder takedown yesterday–that the bureau might just be finding its feet in the fight against malware gangs, botnet operators, carders and other assorted bad guys.
One of the major issues facing law enforcement when it comes to cybercrime is jurisdiction. A crime committed online, whether it’s bank fraud, phishing, credit-card theft or DDoS attacks, by its very nature is almost certain to cross state or national borders. The attacker may be in Texas and the victim in Thailand. If the victim complains to her local or national authorities, they may take the easy road and say, “Sorry, can’t help you. Call Texas.” No police force is looking for more cases to handle.
This certainly is true of the FBI, which has responsibility for major crimes all over the United States, as well as assisting with international investigations. Since the dawn of the Internet, the FBI has treated computer crimes as more of a nuisance than anything else. Unless a victim–be it an individual or a company–could show significant financial losses, the bureau wasn’t much interested. It had terrorists, bank robbers and serial killers to worry about, after all. What difference did a few thousand dollars in credit-card fraud make?
Well, in the last few years, cybercrime has grown into a multi-billion dollar industry. While that was happening, the major law enforcement agencies have continued to play hot potato, tossing the problem back and forth with no one wanting to be caught holding the cybercrime spud at the end of the game. Some countries haven’t even bothered to enact any computer crime laws, and others have just decided that as long as the attackers are going after foreign citizens it’s not their problem.
The FBI has been in the middle of this all along, and it’s only in the last couple of years that the agency has begun to commit serious resources to solving the problem. Oh, it’s had a computer crime team for a long time, but that squad has been the Kansas City Royals of law enforcement: short on money and talent and outgunned by its opponents. But now, the FBI has begun to string together a few hits, mostly singles with a few doubles mixed in, and is threatening to become a serious player.
Most of what the FBI has been able to do of late revolves around botnets in one way or another. The bureau has been involved in a number of major botnet takedowns in the last couple of years and has helped private companies and foreign law enforcement agencies track down and arrest the crews behind these operations. The alleged operators of the Mega-D, Coreflood and other botnets have found themselves standing in front of a judge thanks, at least in part, to work done by the FBI. Those takedown actions are important in that they show botnet operators that they’re no longer as safe as they once were, and also because they demonstrate some necessary cooperative skills from the agency. But they’re still rare enough that they make major headlines when they happen.
The coordinated arrests on Tuesday of more than 20 alleged members of a major international carding ring are a major win for the FBI, and not just because it grabbed some headlines for a day or two. The real value of the operation, which involved agencies in the U.K., Bosnia, Germany, Italy and other countries, is that it shows a much higher level of understanding of the cybercrime ecosystem and its inhabitants than had ever been seen before from the bureau.
The key to the case, which stretched back two years, was the FBI’s operation of a carder forum called CarderProfit, which it ran as a honeypot to draw in criminals. That tactic has been tried before in various forms and with varying degrees of success, but this is the first time that the FBI has been able to execute such an operation from beginning to end. It’s a fair bet, though, that it won’t be the last, given its success this time around.
There is still plenty of room for improvement from everyone involved, though.
“The FBI has been aggressive about dominating investigation of cyber crime, and they have demonstrated repeatedly their ability to make sensational cases. What’s not often discussed is how good they are getting at making and supporting non-sensational operations that gain and even share intelligence and support other agencies in their quest to fight cyber crime. The limiting factor is the small number of agents available to conduct this important work, their immense and ever-growing caseload and an eternal lack of resources. Let’s face it: even if the FBI doubled or even tripled the size of their current cyber crime fighting cadre they’d still be hopelessly outgunned. Cyber crime can be highly lucrative, is generally easy and it’s still very hard to get caught and punished,” said Nick Selby, a Texas police officer and partner with N4struct, a company that advises organizations on cyber security incident response.
“What is needed is an aggressive national push to train other agencies including state, county and local agencies, not just in how to fight cyber crime but how to identify that cyber crime has happened, and to come up with training for non-federal prosecutors on methods and strategies to prosecute cyber crimes at a state, county and local level.”
Selby’s point is typically well-made. The FBI is just now hitting its stride in terms of cybercrime investigations, but even at its best, the agency is a massive underdog in this game. But if smaller agencies in the U.S. and abroad begin to pitch in, we could see some major leaps in terms of effectiveness and capabilities across the board. Now’s the time.