How to catch a cyber crook? Money talks

With the profusion of cyberattacks, it's only a matter of time before the financial incentives employed in other areas of crime fighting come to cyberspace. Dan Farber predicts that governments and even corporations will begin offering bounties to those
Written by Dan Farber

The FBI, the Department of Homeland Security and other agencies have now joined the hunt to track down the individuals who perpetrated the MSBlast worm and the Sobig.F virus, but the odds for a successful capture are not good.

"Protecting the nation's cyber infrastructure is a top priority for the FBI, and we are working with the Department of Homeland Security and with state and local law enforcement on our Cyber Task Force to track down the perpetrators of SoBig and the recent W32/Blaster worm," FBI director Robert Mueller said this week. "We employ the latest technology and code analysis to direct us to potential sources, and I am confident that we will find the culprits." Despite all the law enforcement agents and application of the "latest" technology, the virus writers have the advantage.

Serious virus writers focus just as much on covering their digital tracks as on the bits of code that infect machines. It appears that whoever wrote the Sobig.F virus was savvy enough to use a stolen credit card to create an account with an Arizona Internet service provider and upload the code to the Usenet network.

Law enforcement can throw resources at high-profile cases, but given the increasing rate and sophistication of attacks, there aren't enough FBI agents or anti-cybercrime specialists to keep up with the demand. Similarly, most corporations don't have the resources or funds to create more tamper-proof networks or to investigate a wide range of intrusions and potential cybercrimes, most of which are carried out by internal employees.

The U.S. government will continue to talk about securing cyberspace, produce documents and hold hearings, but with little demonstrable progress. The massive regional blackout this month got the attention of Christopher Cox (R-California), chairman of the Select Committee on Homeland Security, who is holding a series of hearings to investigate the vulnerability of the power grid to cyberattacks. The House Subcommittee on Cybersecurity, Science, and Research & Development is looking at the viability of setting minimum security standards and providing financial incentives to help companies invest in cybersecurity.

In the end, money talks. The FBI, for example, recently inked a five-year, $140-million contract with Lockheed Martin Information Technology Inc. to help secure the agency's new enterprise networks. Perhaps a tax break on cybersecurity products and services could help companies, and even consumers, gain more protection against attacks, but legislation is more of a band-aid than a solution. The problem is not just the cost, but also the complexity of maintaining a secure environment. Security is an ongoing process that requires constant vigilance, updating, and education. Unfortunately, many companies think they are immune from a major cyberattack until it's too late to easily remedy the situation. Given a choice, they will hire another salesperson rather than spend more on cybersecurity products or personnel.

Today, the vast majority of public and private agencies and firms are scrambling to keep up with patches and virus definition updates, and calculating the escalating costs of keeping the petty and white-collar cybercriminals and cyberterrorists at bay.

The battle for cyberspace will be an endless technology duel between two opposing forces. Every time a new, more effective security appliance, firewall, or intrusion prevention system is introduced, the cyberattackers will have figured out another avenue of attack.

With the profusion of cyberattacks, it's only a matter of time before the financial incentives employed in other areas of crime fighting come to cyberspace. In fact, I'll predict that governments and even corporations will begin offering bounties to those who help bring serious cybercriminals to justice. With the right incentives (cash in the currency of your choice), individuals will clearly be more motivated to become informants, and cybercriminals far more circumspect in their activities. If the heads of Uday and Qusay Hussein are worth about $30 million, a mere virus or worm writer causing a few billion dollars in collateral, soft damage should be worth a few bucks.

A new breed of tech-savvy cyber bounty hunter, far outnumbering what law enforcement can deploy and probably more closely connected to the murky cyber underworld, would scour the planet for the authors of malicious and destructive code. With many companies unwilling to make cyberattack incidents public, there is already a cadre of highly paid "consultants" and security firms investigating cybercrimes.

Of course, whenever money enters the equation, several undesirable elements come along for the ride. Imagine if the chief security officer of a corporation were authorized to pay special bonuses to employees who inform on others, or cyberattackers who frame some unsuspecting individual and then collect the reward. Nonetheless, techniques for fighting terrorism and other high crimes in the analog world will find their way into the digital world sooner rather than later.

Use TalkBack to let your fellow ZDNet readers know what you think. Or write to me at dan.farber@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.
