Why Law Enforcement Can't Stop Hackers
The threat that criminal hackers pose to corporate and government information systems has spiked in the past five years, according to the FBI, and shows no signs of abating. The worst part: Law enforcement is virtually powerless in cracking down on cybercrime. CIO.com investigates the challenges law enforcement officials face in investigating and prosecuting hackers.
Tue, November 15, 2011
CIO — On July 19, 2011, FBI agents in nine states rounded up 14 men and two women ranging in age from 21 to 36 for their alleged involvement with the international hacking group Anonymous. Fourteen of these individuals were arrested for allegedly plotting and executing a distributed denial of service (DDoS) attack in December 2010 that took down PayPal's Website.
The two other individuals arrested in the sting, both 21, were indicted for separate hacking incidents: one against the Tampa Bay, Fla. InfraGard chapter's Website (InfraGard is an FBI-sponsored public-private partnership devoted to critical infrastructure protection); the other for allegedly hacking into AT&T's systems, stealing thousands of confidential documents and files containing the company's plans for its 4G data and mobile broadband networks, and for posting that information on public file sharing site Fileape.com.
Two months later, on September 22, FBI agents in Los Angeles took a member of LulzSec, an offshoot of Anonymous, into custody for his alleged involvement in a high-profile hack against Sony Pictures in late May and early June. Meanwhile, in San Jose, a federal grand jury brought two men associated with the Peoples Liberation Front hacking group up on charges related to their alleged participation in a DDoS attack that took down Santa Cruz County's Website on December 16, 2010.
These arrests and indictments are part of a broader effort by law enforcement officials to crack down on cybercrime, which costs organizations anywhere from $1 million to $52 million, according to the FBI. The average cost of a data breach to organizations reached $7.2 million in 2010, according to the Ponemon Institute. The security and privacy research organization noted that in 2010, data breaches cost companies an average of $214 per compromised record, and that the costs of data breaches have grown every year since the Institute first began tracking them in 2006.
Whether or not law enforcement has been effective in deterring cybercrime is up for debate. Verizon's 2011 Data Breach Investigations Report suggests that law enforcement has curtailed some activity. The report shows that the total number of records compromised through data breaches across the combined caseload of Verizon and the United States Secret Service declined from an all-time high of 361 million records in 2008 to 144 million records in 2009 to 4 million records in 2010. The report attributes the decline to investigations, arrests and prison sentences that law enforcement agencies have made around the world. In 2010, the FBI arrested 202 individuals for criminal intrusions, up from 159 in 2009. Meanwhile, the Secret Service apprehended more than 1,200 suspected cybercriminals last year.
While the Data Breach Investigations Report notes the decline in compromised records, it doesn't declare a victory. In fact, the report indicates there were more data breaches in 2010 than in previous years; it's just that the amount of data that was compromised in the breaches declined. It also states that after a major investigation or arrest, cybercriminal organizations are quick to change their tactics to evade detection.