Industry Cautiously Eyes Effort to Fight Cybercrime

By William Welsh, Staff WriterThe information technology industry and law enforcement community have reached quick agreement on the need for cooperation in the fight against cybercrime, but determining precisely how the public and private sectors will share information and expertise figures to be a more difficult task.Attorney General Janet Reno most recently sounded the call for greater cooperation at a June 19 "Cyber Crime Summit" of industry and government leaders, where she urged industry to report promptly Internet attacks to the proper law enforcement agencies. Industry officials who oversee infrastructure protection welcomed Reno's invitation, but voiced concerns stemming from previous experiences in reporting high-tech crimes. Officials said they would want assurances that the identity of companies making reports will be protected and that prosecuting attorneys will share information with industry groups about investigations. They also want the Department of Justice to issue guidelines, not just for industry, but for its law enforcement authorities instructing them in the nuances of investigating and prosecuting Internet crime. "In today's competitive marketplace, industry members who are victims need to feel that they won't be [further victimized] by going to law enforcement," said Hank Kluepfel, vice president for corporate development with Science Applications International Corp., San Diego. Kluepfel is vice chair of the Information Sharing and Critical Infrastructure Protection Task Force of the President's National Security Telecommunications Advisory Council. "Essentially, [companies] need to feel like they are in control," he said.Reno anticipated many of these concerns, saying that law enforcement authorities at the federal, state and local levels will explore with industry ways to make cooperation easier and minimize the impact of investigations on corporate victims. She also solicited industry advice on the kinds of equipment and expertise it will take to enforce cyberlaws and on possible sentencing guidelines for cybercriminals. She said that the Department of Justice does not advocate government regulation or monitoring of the Internet on the grounds that over-regulation hinders innovation."[W]e would like to share with you vulnerabilities that we observe so that you can take steps to prevent it," said Reno, speaking at the summit sponsored by the Information Technology Association of America at the Electronic Data Systems Corp. office in Herndon, Va. "And we would like for you to let us know what problems you see so that we can be more effective in law enforcement."Richard Brown, chairman and chief executive officer for Plano, Texas-based EDS, who shared the podium with Reno, said, "We will all be better off when we report criminal activity and then work cooperatively with law enforcement officials."While industry officials generally share this view, they also want a strong voice in helping to define the terms of cooperation with the government. Without exception, industry representatives said it is imperative that the government protect the identity of those companies that report cyberattacks against their systems. The most common reason for a company to refrain from reporting a crime against its business and operating systems is the belief that it will "tarnish their brand name and product," said Sunil Misra, managing principal for security practice at Unisys Corp., Blue Bell, Pa. Corporations working with the Clinton Administration on cybersecurity through the National Security Telecommunications Advisory Council have expressed reluctance to share information with the government unless they receive a new exemption from the Freedom of Information Act related to critical infrastructure protection, said Kluepfel. Without this exemption, the government may not get the information from industry it wants about vulnerabilities, intrusion detection, and emerging threats to cybersecurity. The reporting of Internet attacks is highly problematic for a number of reasons, according to industry officials. For one thing, nearly one-quarter of the incidents are not reported to the upper echelons of the company, said Misra.EDS' Brown has said that industry owes it to itself in this regard to perform regular technology assessments, harden infrastructures and increase investments in information assurance ? and perhaps in the process corporate leaders will become aware of incidents that previously went unreported within their companies. Furthermore, the government may be better off in the long run without across-the-board reporting of cybercrimes, said Guy Copeland, vice president of information infrastructure advisory programs and special assistant to the chief executive officer at Computer Sciences Corp., El Segundo, Calif."There is a real risk that if [the government] got what it was wishing for, they would have a flood of information that would be overwhelming, and they would have no way to do the analyses," said Copeland. "But I don't think it will get the flood immediately, because it takes a while to develop trusted relationships."Another major industry concern is government's unwillingness to share information with industry. The government is asking industry for assistance in preventing crimes and enforcing Internet laws, while at the same time it appears unwilling to loosen the rules by which it shares information with industry about criminal activity in this sector.Kluepfel, for example, cited instances where law enforcement officials declined to share information gained from criminal investigations in the telecommunications industry that would have been helpful in preventing similar attacks.Sharing information will be easier for some companies and for some government agencies than others, said industry officials. "There are a number of companies that traditionally have had closer and more open relationships with the government for sharing of sensitive information in this area," said Copeland. Industry officials also said guidelines are needed that spell out how companies should report incidents and how law enforcement agencies should handle cases involving Internet-related crimes. The attorney general and the Department of Justice, for example, should be more specific about the kinds of incidents and details they need to provide better protection for all Internet users, whether business or consumer, said Copeland. Kluepfel agreed, saying: "There is currently no policy at the DoJ if you run into a case like this." The Justice Department needs to provide internal guidelines so that when suspected criminal activity related to the Internet is reported, law enforcement officials can determine if it poses a significant threat to critical infrastructures, when they should consult expert witnesses and how they should move the case through the courts in such a way that no privacy information is divulged, he said. The success of information sharing between government and the IT industry relies on enlightened prosecutors or district attorneys who are knowledgeable in cybercrimes and who see the big picture; in other words, how Internet crime affects the financial well-being of not just individual businesses but of the entire U.S. economy, said Kluepfel.