To avoid cyberwar and protect infrastructure -- fight cybercrime first

Published 14 April 2010

Fighting cybercrime is the first step to avoiding cyberwar, protecting infrastructure; Christopher Painter, the White House’s senior director for cybersecurity: “There are a couple of things we need to do to harden [critical infrastructure] targets” — “But the other thing you need to do is reduce the threat. And the predominant threat we face is the criminal threat — the cybercrime threat in all of its varied aspects”

A top White House cybersecurity aide said yesterday that transnational cybercrime, such as thefts of credit-card numbers and corporate secrets, is a far more serious concern than “cyberwar” attacks against critical infrastructure such as the electricity grid. Christopher Painter, the White House’s senior director for cybersecurity, made his comments at a conference arranged by top Russian cybersecurity officials in Garmisch-Partenkirchen, Germany. David Talbot writes that Russia is a major source of cybercrime, but its government has declined to sign the European Convention on Cybercrime — the first international treaty on the subject. The treaty aims to harmonize national laws and allow for greater law-enforcement cooperation between nations.

Painter acknowledged that critical infrastructure needed to be made more secure, but said that the best defenses start by cracking down on crime. “There are a couple of things we need to do to harden the targets, and make the systems as secure as possible,” he said. “But the other thing you need to do is reduce the threat. And the predominant threat we face is the criminal threat — the cybercrime threat in all of its varied aspects.”

The European Convention on Cybercrime has been ratified by twenty-nine countries, including the United States. Russia says it will not sign because it does not want to give foreign law-enforcement agents trying to investigate crimes unfettered access to its Web data, which the convention requires. Instead, Russia wants an arms-control treaty in which all nations would agree not to use cyberweapons.

“There are a lot of controversial issues that need to be resolved before we can sign that convention,” said Vladislav Sherstuyuk, who leads the Institute of Information Security Issues at Moscow State University. Russia wants to “preserve state sovereignty and monopoly on the conduct of investigative activities based on existing domestic laws and procedures,” he says.

Talbot writes that critics say it would be difficult, if not impossible, to define and verify who possesses “cyberweapons,” and to tell whether a government or a rogue hacker was responsible for any attack that might have occurred.

Painter did not directly address this issue, but his presence — along with that of Secret Service and State Department staffers — suggests a new determination to engage with Russia. “The United States and Russia have very different ideas about how to solve the international problem, but it’s clear there has been a decision in the Obama administration to engage more broadly with the Russians on this issue,” said Stewart Baker, who was assistant secretary for policy at DHS during the second half of the Bush administration, and who is now a partner in the Washington law firm Steptoe & Johnson. “And there is a Russian interest in engaging on these issues. They’d like a reputation of being cooperative and they would like to find solutions to security problems. And that’s a good thing for both sides.”

Painter said nations must build the capacity to investigate computer crime, and need emergency teams to respond to attacks and breakdowns of computer networks. As an example of the severity of the online crime problem, Painter pointed to the case of Albert Gonzalez, who last month was sentenced to twenty years in federal court in Boston for leading a group of cyberthieves, including two in Eastern Europe, in the largest case of identity theft in U.S. history.

Gonzalez’s group stole more than 130 million credit- and debit-card numbers from retailers and a credit-card transaction processor. Adding to the intrigue, Gonzalez had been an informant for the Secret Service. Painter said Gonzalez had generally entered the company’s systems through open wireless networks and had caused $200 million in damage.

Talbot notes that despite its disagreement on the convention, Russia says it is stepping up its efforts to fight crime. Officials point to the recent arrests by Russian authorities in relation to the $10 million online robbery of the Royal Bank of Scotland as evidence of its sincerity in combating cybercrime. Those arrested included citizens of Russia, Moldova, and Estonia.

Fighting cybercrime around the world requires strong legal structures to enable prosecutions; a trained corps of investigators to respond to crimes; and the ability to cooperate internationally. Painter is a former federal computer-crimes prosecutor in Los Angeles and later worked in the computer crime division at the Department of Justice. “When I started prosecuting these cases [in 1991], we had lone-gunman hackers,” he said. Today, “you also have transnational criminal groups involved in things like cyberextortion and theft of [intellectual property], and the insider threat is a huge threat we face, too.”

There has been some progress, Painter said. Twenty years ago, international cooperation was based on personal relationships. Today “you really do have organizations set up in the other countries.” However, he added, too few countries are fully engaged, and “we need to build that more generally.”