Late last year, the U.S. Department of Justice formed a cybercrime division in the wake of an announcement made by Assistant Attorney General Leslie Caldwell at the Cybercrime 2020 Symposium in Washington, D.C. The new body is called the Cybersecurity Unit and is housed within the DOJ’s Computer Crime and Intellectual Property Section. It is designed to consolidate the federal government’s efforts toward cybercrime prevention and create a stronger force for shaping appropriate legislation in this space.
“Given the growing complexity and volume of cyberattacks, as well as the intricate rubric of laws and investigatory tools needed to thwart the attacks, the Cybersecurity Unit will play an important role in this field,” stated Caldwell during her presentation. “This new unit will strive to ensure that the advancing cybersecurity legislation is shaped to most effectively protect our nation’s computer networks and individual victims from cyberattacks.”
The Cybersecurity Unit is a welcome development in the fight against cybercrime. However, the division can only be understood in the context of major recent incidents that have spurred the public and private sectors to recalibrate their defense strategies. Caldwell’s announcement came right on the heels of the Sony Pictures hack and roughly a year after the breach of Target. Between those two milestones, a lot happened, from the Heartbleed revelation to the infiltration of JPMorgan’s servers, to justify a new outlook on cybersecurity.
Why the U.S. Cybersecurity Unit had to be formed
Over the last year or so, there has been an uptick in high-profile corporate breaches as well as incidents of sophisticated malware such as CryptoLocker. Cyberattacks have always been cause for concern for enterprise CIOs, but 2014 provided plenty of reasons to adopt mechanisms like two-factor authentication, continuous monitoring and deep discovery software, and sensible bring-your-own-device policies:
Caldwell cited the Gameover Zeus botnet and the CryptoLocker ransomware, which was distributed at one time via that botnet, as examples of how malware can cause significant financial damage to businesses and individuals. CryptoLocker was a trailblazer in the use of strong encryption and a countdown timer to goad victims into paying the ransom. Otherwise, they would never be able to get the encryption key to unscramble their data.
CryptoLocker generated $27 million in ransom payments for its perpetrators. In a post detailing the mechanics of CryptoLocker, Ryan Certeza of Trend Micro pointed out how CryptoLocker automatically searched for certain file extensions when deciding what to encrypt and as a result typically hit productivity documents.
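The extension-driven targeting described above leaves a recognizable trace on disk: a document that still carries a productivity-file extension but has lost its format header and now reads as ciphertext. The following is an added example, not code from the article or from Trend Micro, of a defender-side triage that flags such files; the extension and header-byte table is an illustrative assumption, not CryptoLocker's actual target list, and the sample corpus is constructed in memory.

```python
import math
import os
import random
from collections import Counter

# Productivity-document extensions to inspect and the header bytes an intact
# file of that type starts with (assumed illustrative list, not CryptoLocker's
# actual target list).
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, well below that for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Very small files give noisy entropy, so require a minimum size."""
    return len(data) >= 256 and shannon_entropy(data) >= threshold

def triage(files: dict) -> list:
    """Return names of targeted document types whose header is gone and whose
    contents look like ciphertext: the trace an encrypting ransomware leaves."""
    flagged = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        if ext in MAGIC and not data.startswith(MAGIC[ext]) and looks_encrypted(data):
            flagged.append(name)
    return sorted(flagged)

# Constructed sample corpus: an in-memory stand-in for a scanned file share.
_rng = random.Random(1)
def _noise(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))

SAMPLE = {
    "budget.xlsx": b"PK\x03\x04" + _noise(2048),  # intact zip container, compressed payload
    "memo.docx": _noise(2048),                    # header gone, ciphertext-like: flagged
    "note.docx": _noise(100),                     # too small to judge
    "setup.bin": _noise(2048),                    # not a targeted document type
    "report.pdf": b"%PDF-1.4\n" + b"Quarterly figures, repeated text. " * 40,
}

if __name__ == "__main__":
    print("suspect files:", triage(SAMPLE))  # suspect files: ['memo.docx']
```

The header check matters because intact Office files are zip containers whose compressed streams already have high entropy; entropy alone would produce false positives on healthy documents.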
One New Hampshire town incurred up to $3,000 in costs after CryptoLocker compromised the systems at its local police department, but it refused to pay the ransom. The infection was eventually isolated and eliminated, without the cybercriminals receiving further funding through payment.
As the amount of data that passes through corporate networks rises, so do the stakes for securing infrastructure from infiltration and unwanted surveillance. Cisco has estimated that global IP traffic could pass a zettabyte by the end of 2016, thanks to rapidly rising broadband speeds, the proliferation of mobile devices and the maturity of content delivery networks. Caldwell devoted a few minutes of the presentation to the recent surge in online breaches.
In a recent tweetstorm, venture capitalist Chris Dixon also noted that there is a constant back and forth between applications and infrastructure, with innovations like Web and mobile video benefiting from – and in turn contributing to – the rise of broadband. With enterprise networks, something similar is at play: the growth of virtualization, cloud computing and data storage is leading more information to be shifted from paper or local repositories to the Internet. With this interplay at work, security must be strengthened in order to make the transition worthwhile.
In 2014, there were several prominent retail breaches, such as the ones at Home Depot and Michaels, as well as an incident at JPMorgan that may have been enabled by the lack of two-factor authentication on just a single server. The Sony Pictures breach was the result of a concerted effort to exploit years of questionable security practices such as simple passwords and the sharing of sensitive information in emails.
As network infrastructure scales to take on and automate business tasks, security teams must keep pace. Vulnerabilities like Heartbleed and Shellshock show that spotting even basic flaws can be difficult in light of how quickly corporate networks and applications are evolving.
Building trust between the public and private sectors to take on cyber security challenges
The formation of the Cybersecurity Unit both crystallizes some of the DOJ’s successes in going after cybercriminals – Caldwell cited the law enforcement response to Gameover Zeus in particular – and acknowledges the difficulties ahead. In addition to the need to deal with advanced malware and targeted attacks, government officials will also have to improve the relationship between the public and private sector, which has been strained by revelations about the National Security Agency’s intelligence-gathering activities.
More recently, calls by the Federal Bureau of Investigation to permit backdoors into encrypted mobile operating systems like Apple iOS and Google Android have highlighted the divide between the government and businesses when it comes to cyber security. Encryption by default is now in place for hundreds of millions of devices worldwide, creating what Caldwell has loosely characterized as a “zone of lawlessness” that law enforcement can’t reach.
At the same time, technology firms have balked at the idea of allowing deep access to their platforms by government agencies, especially considering the implications for users in countries outside the U.S. There’s the prospect of losing contracts and business due to uncertainty about whether an OS has any intentional backdoors in it.
Ultimately, some level of trust and common ground will need to be established if the DOJ and the private sector are to work effectively toward reducing cybercrime. Collaboration in areas like botnets and breaches can be a start, even if the encryption issue remains up in the air.