U.S. boosts fight against global cybercrime
The FBI and Secret Service are sending agents overseas to deal with digital dangers.
WASHINGTON - The tip came from another country's law enforcement officials: Eight major banks in the United States were being targeted by cybercriminals operating there.
FBI agents fanned out that night to warn the branches that hackers were aiming to break into their computer systems. The banks were able to spot and block the attempted breaches, FBI officials said.
Concerned about the rise in this type of sophisticated computer attack from abroad, the FBI and the U.S. Secret Service are beefing up their international cybercrime enforcement, sending agents who specialize in the threats overseas to specifically deal with digital perils.
Their growing coordination with other nations, however, faces legal and political challenges posed by conflicting laws and the lack of broadly accepted international guidelines for Internet oversight.
"With the increased connectivity in countries that heretofore didn't have that amount of access, and the technological advances made in corporate America that have put vulnerable financial information online, it's been the perfect storm," said Shawn Henry, assistant director of the FBI's cyber division.
So far, Henry said, the FBI has set up new cybercrime offices in four countries, including Romania, Estonia, and the Netherlands, and hopes to add two or three more over the next year. Henry would not name the fourth country.
The cybercrime specialists operate in addition to the 61 legal-attache offices the FBI has overseas.
"We've gotten so many requests [for help in overseas cases] that we actually have started to embed FBI personnel into the national police agencies of a number of countries," Henry said.
The Secret Service is setting up an electronic-crimes task-force office in Rome and adding a field office in Tallinn, Estonia, a country that suffered a major cyberattack in the spring of 2007.
While the Secret Service declined to discuss specific staffing, it now includes some computer training for all of its 3,400 agents. About a third of those get digital forensics and investigative training.
According to FBI data, international cybercrime cases opened by the bureau leaped from a handful in fiscal 2001 to about 300 in the year ending Sept. 30, 2008. In the same period, leads received by the FBI on overseas cybercrime shot up from about 570 in 2001 to about 2,120 in 2008.
The cases involve an array of cyberthreats, intrusions, and denial-of-Internet-service attacks, but do not reflect the many other crimes that could involve computer use, such as threats sent electonically, or fraudulent wire transfers.
The breadth and sophistication of the crimes is expanding dramatically, said Jim Meehan, assistant to the special agent in charge of the Secret Service's cyber section.
He pointed to the case of Albert Gonzalez, 28, a hacker who - along with two Russian coconspirators - was indicted in a scam to steal tens of millions of credit-card and debit-card numbers by breaching the computer systems of TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, and others.
Hackers in one country often attack a bank on another continent by routing their breach through armies of infected computers in various nations. The owners of the infected computers often don't know their laptop is under someone else's control.
Many countries - particularly underdeveloped ones - don't yet have laws covering cybercrime, law enforcement officials and analysts said. Others have laws against activities such as free speech that are not illegal in the United States.
As an example, charges against a Filipino student who unleashed the "Love Bug" computer virus in 2000 were dismissed in part because the Philippines had no laws that applied to computer hacking. The virus crippled e-mail systems worldwide and caused damages in the billions of dollars.
Countries in Eastern Europe, Africa, and South America - including Nigeria, Brazil, Ukraine, and until recently Romania - have become burgeoning sanctuaries for hackers because of weak law enforcement, officials said.
"We need at least to establish common privacy definitions and minimum standards so that you can effectively combat criminals," said Ulf Bergstrom, spokesman for the European Network and Information Security Agency.
So far, only 26 countries have ratified the Council of Europe's Convention on Cybercrime, an agreement to define, enforce, and prosecute computer crimes and cooperate with other nations, including in extradition.
Twenty other countries have signed but not yet ratified it. Critics say a key problem is that the nations where cybercriminals operate freely are not among those participating in the agreement.
In one key split, the United States refused to sign an addendum defining racist or xenophobic acts committed via computer as crimes, saying that conflicted with free-speech rights.