You’ve Been the Victim of a Cybercrime. Who You Gonna Call?
Published 02/02/2016
By Leo Taddeo, Chief Security Officer, Cryptzone
Part 1 of a 2-part series
Right now, one of the greatest challenges in the fight against cybercrime is the difficulty we have in creating a meaningful deterrent for hackers.
Basically, the number of cybercriminals out there is demonstrably very large, and all the available data shows the number grows larger all the time. And yet the number those cybercriminals who are caught and punished is very small, and changes little from year to year. In terms of risk versus reward, it’s a very attractive game for hackers to be in.
In this blog post – the first of two – I’d like to talk about how one of the reasons for this difficulty in creating a deterrent is that US organizations often fail to engage law enforcement when their networks come under attack.
Let’s say you’ve been the victim of a cybercrime. Who you gonna call?
The Trouble with Cybercrime Reporting
The first challenge many US organizations encounter when they attempt to report cybercrime is that there’s no one correct way to do this. Even if you restrict your definition of the term to only cover network intrusions and not other illegal online activity like identity theft, there are still several different places a person can go to alert the authorities to an incident.
According to the official guidance of the Department of Justice, organizations have no fewer than three options when it comes to reporting cybercrime. They can call their local FBI office; they can call the Secret Service; or they can log a complaint with the Internet Crime Complaint Center (IC3).
On top of that, the Department of Homeland Security has its own online portal for reporting cybercrime of any type, including network intrusions. State and local authorities add more options, as some victims resort to calling their local police departments or prosecutors offices.
Then there’s the question of which agency actually has jurisdiction over what. According to Title 18 Section 1030 of the US Criminal Code, both the FBI and Secret Service have the authority to investigate criminally-motivated cyberattacks. Should an incident be a matter of national security, the FBI is designated the lead agency.
In a nutshell, cybercrime reporting can be confusing. This is exacerbated by the fact that it’s rarely possible to know whether a cyberattack is a criminal or national security issue at the outset of an investigation – you might need to study a large amount of forensic information before this becomes apparent. Who wants to deal with this level of confusion right after discovering a data breach?
Why Engage Law Enforcement, Anyway?
Consequently, a lot of cybercrime goes unreported. This is an issue I touched upon in a recent blog about the lack of reliable cybercrime statistics, and it’s troubling for a number of reasons. It means that authorities don’t consistently have access to up-to-date threat intelligence; the victim has no access to the intelligence that law enforcement does have; and, at the end of the day, nobody is arrested and prosecuted.
Obviously, no organization should rely on the government to protect it against network intrusions and any damage that occurs as a result by chasing down and locking up hackers. But if the authorities had a more complete picture of the threat landscape, it’d be an enormous net positive for the security community – we’d be better equipped as a country to fight cybercrime and therefore create the deterrent we so badly need.
My advice? If you’re the victim of a cybercrime, report it to the FBI, which has jurisdiction over both criminal and national security cases.
Really, though, you should be doing everything you possibly can to ensure it never comes to that. Invest now, and strengthen your network defenses, because we’re a long way from having a sufficiently powerful deterrent to prevent the threat from growing day by day.
In part two of this blog, I’ll talk about the difficulty we have in bringing wanted cybercriminals to justice.