Michael Vatis has had a busy year.
As director of the FBI’s National Infrastructure Protection Center, Mr. Vatis is the government’s top cyber cop. The wave of attacks this year, from the e-mail-delivered “ILOVEYOU” virus to the denial-of-service attacks in February that clogged networks with requests for information, has kept him hopping.
Q: Do you think the attacks have undermined the public’s faith in the Web and made people hesitate before giving an electronic commerce site their credit card number?
A: I think those high-profile attacks and other instances of computer crime that we’ve seen over the last year can have the effect of undermining people’s confidence in security on the Internet and make them more reluctant to engage in e-commerce.
That’s a powerful reason why companies should really demand more security in the software they use.
Q: Do e-commerce companies take enough security measures to protect themselves and consumers?
A: I think overall it’s important that e-commerce sites and consumers demand better security. It’s accepted now that security has been an afterthought when it comes to hardware and software because there’s been a rush to market with new features and things that are attractive to consumers without paying much attention to security. … But I think people are realizing that either their privacy is in jeopardy, their business operations are in jeopardy or even their money may be in jeopardy if they don’t pay attention to security.
As a result, the market is demanding better security. One element of proof of that is the flourishing of security companies now, and that’s a good sign, and I think we will begin to see security integrated more into products as they come to market.
Q: Are hackers unleashing more attacks, or just more destructive attacks that are getting more attention?
A: Both. We are seeing more attacks and are definitely seeing more sophistication in the attacks.
One of the ironies is that while sophistication of attacks is growing, they also are becoming easier to use because they’re automated … and loaded onto hacker Web sites so someone who’s not very technologically savvy himself can download the latest tool and use it against a target. That’s where we get people derogatorily referred to as “script kiddies.” They’re often young people who don’t have a lot of skill but want to hack, and instead of using their own script, they use someone else’s.
A lot of the attacks that get a lot of media attention are often not the ones we should be most worried about. The ones that are most worrisome escape people’s notice and could involve attacks by organized crime, groups looking to steal money or proprietary information, economic espionage, where one company is trying to steal information from another.
Q: Is there any expectation that people charged with catching cyber criminals and writing anti-virus software will be able to stem the tide of attacks, or are people and businesses simply at the mercy of hackers?
A: In the last two years, since the NIPC was created … we have made tremendous progress in building up our capabilities to investigate computer crimes of all sorts, and I think we’ve had a lot of success … and that’s significant because not only does it help us investigate, apprehend and prosecute perpetrators, but it will provide a deterrent effect and let people know they can’t engage in cyber crime without consequences.
At the same time it’s important to note the state of security across industry and the government is not where it needs to be and sophisticated cyber criminals can still take advantage of the Internet’s design to make themselves anonymous, hide their trail and make it difficult to catch them.
Q: How many cases do you have under investigation now?
A: We’ve got approximately 1,100 pending cases in the FBI that involve computer intrusions, denial of service attacks or viruses, which is a large increase from where we were before we started the NIPC. That number doesn’t include cases other agencies are investigating or FBI investigations into computer-facilitated crime … like a child pornographer disseminating child pornography on the Internet or an Internet fraud scheme, where the computer is a tool to carry out a traditional crime.
So the number is growing because the crime problem continues to grow, and that shouldn’t be surprising as more people get on line … we’re also seeing more companies and victims reporting incidents to us than before … and we’re successfully investigating more cases. All those things contribute to the increase in the numbers.
Q: Who’s smarter, hackers or the people who have to catch them?
A: We’ve got some very technically savvy investigators here and in the FBI field offices. We have computer scientists on staff who can provide high-end technical advice to our investigators. We supplement that with private contractors … so I would put our team up against the best hackers out there and be very confident in our ability.
It’s also clear we need to keep building our capabilities … as the crime problem grows we need to make sure we keep pace … and we also have to keep our personnel trained because the technology changes rapidly and we need to make sure they are going through continuing education so their skills are on the cutting edge.
Q: Are you outmanned?
A: I wouldn’t say we’re outmanned. We are fully using the resources we have, but we clearly need to keep growing because the crime problem is growing very quickly.
Q: Doesn’t it undermine your efforts when so few countries have laws to punish people who use computers to commit crime?
A: It does make our job more difficult, but we’ve been addressing that problem by reaching out to countries … to encourage those who don’t have substantive criminal laws to address computer crimes to adopt such laws. We are also establishing a relationship with countries so if we need assistance in case a digital evidence trail leads over there.
I think we are seeing more countries adopting computer crime laws. … If a hacker in a foreign country hacks into a U.S. system and causes damage, even if they want to extradite someone for prosecution in the U.S., they still need a domestic law in place because many countries won’t extradite someone to another country unless there’s dual criminality, and that means the conduct he engaged in has to be a crime not just in the U.S., but also in that country itself.
So if a country doesn’t have any applicable law to address a hacking offense, we could be left without the ability either to extradite them or to prosecute them in that country.
Q: Catching Mafiaboy [charged in connection with the denial-of-service attacks] was important. Do you need more high-profile arrests before people begin to think they can’t mess with you?
A: I think the deterrent effect that comes from successful investigation and prosecution only works if people who are thinking about engaging in crime know about those successes. … Two years ago I used to read a lot of disparaging remarks about law enforcement’s ability to deal with computer crimes. I see a lot less of that now. In fact we’ve seen hackers saying the skills of FBI agents are really quite good.
We still have a way to go … but I think the progress we’ve had is having a positive deterrent effect.