Why is the US Secret Service Investigating Cyber-Crime?
In reading a Wired News article about the LexisNexis identity thefts I came across a somewhat disturbing fact. The US Secret Service is responsible for finding and prosecuting most cyber-crime, hacking, etc…, especially when it involves financial institutions. I don't really understand why this agency needs to be involved. In fact, I am not sure that I understand why any of the existing agencies have to take up the mantle of fighting cyber-crime and hackers. Oh, by the way, the Wired article I am talking about is here, and the US Secret Service's website is here.
Cyber-crime is too new and different for any of our existing legal agencies, and especially our enforcement agencies, to deal with. The Secret Service's mission states that they 'also' deal with cyber-crime involving financial institutions. Also? I'm sorry, but saying that you also deal with enforcing information law is like saying that you are a coal-miner but you also perform brain surgery on the weekend. That is unacceptable. Cyber-crime is a full-time thing; it requires a government agency's full attention, or they shouldn't be involved.
One of the most troubling issues with hacking is that it frequently cuts across national and state boundaries, which makes it necessary for a federal agency to deal with malicious security breaches. Right now, there seems to be a special division of many different agencies for cyber-crime, hacking, etc… This cannot be the most efficient method of tracking hackers. Most hacks still are just for fun, to see if it can be done. Frequently the hacked company ends up all the better for it; not that hacking is good, but it forces companies to look seriously at their security. Most hacks are surprisingly non-technical. It is really hard to crack RSA encryption, or even simple SSL 128 for that matter, so most hackers go after the weakest link.
A company's personnel is the weakest link in the security chain. I agree with the security manager from Microsoft that it is a good idea to let people write down their passwords, or keep them in their PDAs. At least then people will select stronger passwords, and if they lose the device, or the piece of paper with the passwords on it, they will know about it immediately and select new ones. Most people just increment their passwords by a single digit, or use some other simple method for keeping their passwords easy to remember, thereby defeating the purpose of forcing them to change the passwords regularly. Any pattern is going to be child's play for a Pentium 4, let alone what is coming down the pipe. Passwords should be somewhat random.
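The increment-by-one habit described above can be caught at the moment a password is changed, when the old and new values are both submitted. The following is an added example, not part of the original post; the function names and the two-edit threshold are assumptions chosen for illustration.

```python
import re

def skeleton(pw: str) -> str:
    """Fold case and collapse every run of digits to one placeholder,
    so 'Summer2004!' and 'Summer2005!' produce the same skeleton."""
    return re.sub(r"\d+", "\0", pw).casefold()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def rotation_weakness(old: str, new: str, max_edits: int = 2):
    """Return the reason a rotated password is a predictable variant
    of the old one, or None if no simple pattern links the two."""
    if old == new:
        return "unchanged"
    if old.casefold() == new.casefold():
        return "case_only"
    if skeleton(old) == skeleton(new):
        return "digits_only"      # counter or year bumped, rest identical
    if edit_distance(old.casefold(), new.casefold()) <= max_edits:
        return "small_edit"       # a character or two added or swapped
    return None

if __name__ == "__main__":
    # Constructed sample pairs (old, new), not taken from any real system.
    samples = [("Summer2004!", "Summer2005!"), ("Winter9", "Winter10"),
               ("Password", "password"), ("hunter", "hunters!"),
               ("Summer2004!", "t7#Vq9zLpe2x")]
    for old, new in samples:
        print(f"{old!r} -> {new!r}: {rotation_weakness(old, new)}")
```

The comparison needs the old password in plaintext, which a change form has only because the user types it in; it cannot be run against stored hashes.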
At any rate, there should be a single agency capable of dealing directly with foreign dignitaries, that employs as many hackers as it can, and that has the power to cut deals with the hackers it catches. There are plenty of people out there hacking who are completely patriotic and have no evil intent whatsoever but at the same time are extremely good at what they do. There is no real reason to put these people behind bars, or restrict their access to computers; that would be a huge waste. They are better utilized in fighting people who do have malicious intent, such as cyberterrorists, etc… This agency should be similar to the CIA when it was started: collect the best brains you can and they will produce. Overall system security in the US would be the better for it, this group would actually understand what is going through the minds of hackers, and people who wanted to hack would have a legitimate employment path.
In fact, as a country we have to do this, as do others, to keep us safe going forward. We have seen by the DMCA (Digital Millennium Copyright Act) that most people making laws have almost no idea what the internet, or the digital lifestyle, is about, so they definitely shouldn't have the ability to pass laws that attempt to legislate relationships over the internet.
I know that it is scary for most of America to think of a group of uber-hackers in cubes with nothing better to do than to look around the web for exploits. People have an issue with giving the people who can break into their computers the authority to do so, but if it were to stop a very bad exploit, the only way to do it would be to also break into that system to disable it in another way so that it couldn't be used by the evil hackers. This is war of a sort. America's response to escalated nuclear weapons production around the world was to stockpile the most and biggest nuclear weapons around. While this was and still is crazy, and probably not the best solution, it worked. Keeping a stable of the best hackers on the federal payroll, if they aren't already, under a single agency to do good is a similar tactic, and probably the only way to defend against and deter others from destroying our financial markets in the near future, when computers are a lot more powerful.
This agency would have to have a lot of power and political clout because it would have to move in strange ways due to the nature of the crime. Agreements would have to be in place for them to work through the communications systems of other countries, but if they couldn't be worked out, the hackers could probably cover their tracks. It would be easier if everybody worked together though. The price for this cooperation would have to be shared knowledge of exploits, once patched of course.
Our outdated approach to cyber-crime is going to come to a head soon. People aren't caught as fast as they should be, mostly because they are better than law enforcement. How could someone breach a system so badly that they could steal 310,000 records of personal information without anyone knowing they were there? IT probably figured it out when they checked the trend and saw that there was triple the traffic across their database servers. Of course if IT is detecting the hacking by analyzing trends, it is too late.
Initially it would be met with resistance, but eventually companies would again want to be in the United States because they could conduct their electronic business in private. The US should be, like in Cryptonomicon, a data-haven, but for any data-haven to work it has to be reasonably safe inside the haven. This will give the US a new edge in the technology sector, but if we continue to follow the model of letting our old outdated concepts of science, information, patent law, or religious zeal stop us from advancing we will again sit on the sidelines and watch South Korea take the gold. We have to revamp our information law and build this agency to keep our information safe in the time to come.