Financial cybercrime a national security threat, U.S. Justice Department official warnsFordham Law in Reuters, September 21, 2012
U.S.-based financial services institutions that don’t tell law enforcement agencies about having been victimized by cybercrime are compromising the nation’s security as well as that of their firms, a top Department of Justice official warned this week.
The remarks on Wednesday by Lanny Breuer, assistant attorney general for the department’s criminal division, came as a financial industry group warned banks to be on heightened alert for cyber attacks after Bank of America and JPMorgan Chase experienced unexplained outages on their public websites.
Institutions, Breuer said, have a duty to disclose security breaches. “After a possible, brief delay due to a law enforcement investigation, the institution whose data has suffered a breach should need to inform the public that it happened,” Breuer said in a talk at Fordham Law School.
He called cybercrime is one of the most serious threats to national security and said it “is so hard to get a handle on because a lot of it is perpetrated by those working abroad who are skilled at what they do, and the anti-virus software most of us use only protects us from known vulnerabilities.”
The threat includes the growing “botnet” networks of computers compromised by hacking software that turns over control of personal computers to criminal hackers, but the Justice Department is fighting back, Breuer said.
In April 2011, the department’s computer crime and intellectual property division, which is responsible for cybercrime initiatives, took steps to dismantle botnets by using its own software to call into a network, find the malicious software and force it to “go to sleep,” he said.
Cyber criminals and their malware work around the clock, Breuer said. “Our international partners and the United States have a 24/7 assistance network for global cooperation and assistance in dealing with this type of crime.”
Cyber attack threat level raised
The Financial Services Information Sharing and Analysis Center, an industry security group on Wednesday raised its threat level for cyber attacks to “high” from “elevated.”
The warning cited “recent credible intelligence regarding the potential” for attacks, following earlier intermittent outages at Chase’s consumer banking website, and issues on Tuesday with Bank of America’s website. It urged banks and other industry members to “ensure constant diligence in monitoring and quick response to any malicious events.”
The group also cited a warning from Microsoft Corp that hackers have attacked some of its customers due to an as-yet unfixed security bug in Internet Explorer browser software.
Reuters has reported that the U.S. Department of Homeland Security has advised users to follow Microsoft’s recommended steps to reduce the risk of attacks but noted that the measures may not fully secure the browser.
The attacks on U.S. banks may have been spurred by a purported film that has riled the Islamic world, the bank security group said. Breuer suggested another reason for targeting financial firms and online credit providers: that’s where the money is.
Online broker-dealers have suffered losses they claimed were not financially significant, but million-dollar losses could bankrupt a small brokerage or advisory firm.
Online firms want to make it easy for customers to do business without hard-to-remember passwords or other obstacles to fast transactions, and, as Breuer noted, don’t want to scare customers from using the Internet.
Firms can’t control their customers beyond suggesting safer practices but they must supervise their own employees, he said.
Regulatory guidance, some of it in enforcement actions, urges firms to ensure that employees use hard-to-hack passwords and install – and keep updated – anti-malware software on all devices for accessing internal networks and the Web. It’s harder to be rigorous over mobile devices for using email and social media than desktop systems, but there are risks in purported Facebook friends and “spoofed” emails that appear to be from colleagues, as well as in requests from supposedly deposed dictators for help in accessing their stolen loot.
Breuer said the government is mindful of privacy rights and careful in making sure it has probable cause when seeking evidence of cybercrime, as mandated by the Electronic Communications Privacy Act, he said.
The department must show probable cause to get subpoenas and court orders for obtaining evidence, but Breuer admitted being concerned over the delays this can cause, saying, “If law enforcement cannot get this type of data easily, it cannot protect your information.”
A key obstacle in obtaining cyber-evidence is the fact that Internet service providers are not required to retain their data for any specific amount of time, Breuer said. “We’ll go through the process of getting a search warrant for the information, but the ISP might not have the data any longer when we get there,” he said.