CIOs Look Beyond Cops for Help Fighting Cybercrime

When the website of the Central Florida Educators’ Federal Credit Union was attacked by phishers last August, CIO and VP of Marketing Kevin Dougherty’s first instinct wasn’t to call the police. Though he did eventually contact the FBI, “unless you can say you were hit with some very large dollar amounts I don’t think they have enough people to deal with this,” he says.

And so CIOs like Dougherty are assembling crime-fighting coalitions from among consultants, vendors and telecom providers. There’s a historical parallel, says Peter Cassidy, secretary general of the Anti-Phishing Working Group. When banks opened up 150 years ago, there wasn’t an FBI, “so banks hired private law enforcement like the Pinkertons,” he says. One day there will be routine cyber-investigations, “but for now we are still in the Wild West.”

More On Cybercrime

How You Can Fight Cybercrime

How the Mob uses IT

What Adult and Gaming Sites Can Teach You About Innovation

A Brief History of Cybercrime

Law enforcement faces several challenges. First is the nature of cybercrime: global and independent of geography. Hackers in Russia can steal money from a bank in the United States using a computer in France quickly, cheaply and with no human intervention required. And their fingerprints—the IP addresses of the computers that initiate the attacks—can be made to disappear before investigators can track them, according to Ron Plesco, director of the Privacy and Special Projects Group for consultancy SRA International. Internet service providers keep logs of every connection but can’t afford to hang on to the piles of data for more than a few days without overwhelming their storage systems.

There’s also a shortage of computer expertise among the FBI and Secret Service, which investigate cybercrime, and the U.S. Department of Justice, which prosecutes it. Given the manpower shortages, investigators need to limit themselves to cases with big losses. Unfortunately, the majority of cybercrimes are committed by small operators, says Uriel Maimon, senior researcher in the Office of the CTO of security provider RSA.“There aren’t many $250,000 frauds,” he says, but there are a lot of $2,000 cases—a big-enough haul for a criminal in an impoverished country.

Finally, there is the complexity of fighting crime across different countries, many of which lack laws that specifically target cybercriminals. Experts speculate that we could someday see the rise of a new global organization specifically targeted at cybercrime, much as the FBI was created to take on the automobile-fueled rise of interstate crime in the 1920s and ’30s. Chris Painter, principal deputy chief of the Computer Crime and Intellectual Property Division at the U.S. Department of Justice, is skeptical. “What we need to do is connect the dots rather than create a new über-organization,” he says. Painter chairs a G8 committee that has agreements with 48 countries, which have identified cyber-investigators whom they make available to the network 24/7, he says.