A little over two weeks ago United States Army Specialist Bradley Manning was arrested and life as he knew it changed forever. Manning, an intelligence analyst stationed at Forward Operating Base Hammer, 40 miles east of Baghdad, had implicated himself as being responsible for the disclosure of in excess of 260,000 classified documents that he harvested from military classified networks (SIPRNET and JWICS). He shared this information with Adrian Lamo, the well-known “reformed” black-hat hacker, over encrypted instant messaging sessions, ultimately culminating in Lamo turning to the United States Army’s Criminal Investigation Division (CID). Lamo, along with Wired.com journalist Kevin Poulsen, has been labeled a ‘snitch’ as a result of Lamo’s cooperation with the authorities and Poulsen. The Internet is awash with speculation regarding this story, with parties such as Julian Assange, founder of the Internet whistleblower site WikiLeaks.org (the site to which Specialist Manning allegedly provided these documents and videos), stating that were Specialist Manning responsible for the submissions (which Assange will neither confirm nor deny), he should be regarded as a national hero.

Regardless of your position on free speech, or of what only time, investigation and thorough analysis will reveal pertaining to the Manning case, gross misconduct occurred in what can only be described as a willful manner as it relates to Specialist Manning, his military occupational specialty, his rating, unit, command and brothers in arms the world over. Philosophy, politics and idealism are the wildcards in our space: the black swans which, once identified, must be taken note of, because what motivates them lies in many respects squarely outside the norms associated with breaches of this type. In most cases of espionage, which is candidly what this is (regardless of your feelings or philosophy), there are common indicators that are noted and tend to be exploited by those seeking to manipulate a party into doing their bidding. This case is different. It is interesting and quite candidly horrifying in that Specialist Manning (to the best of the data we have to date) was not motivated by greed or financial hardship (motivators seen in countless other cases, such as those of Ames, the Walkers, or Hanssen), or by vice (as seen in the case of Lonetree). No, by all accounts (again taking into consideration that these accounts are coming largely via third-party relay, from information disclosed from the communications between Manning and Lamo, and from information provided by friends of Specialist Manning), Specialist Manning was motivated by that which we might most easily describe as idealistic or philosophical.

As a result, I am going to refrain from weighing in with an opinion regarding guilt or innocence, as no doubt Specialist Manning will be undergoing investigation and, I would imagine, a Court Martial as a result of the allegations being brought forth against him. Certainly the communications he provided to Lamo will act in building and strengthening the case against him, and we would all do well to remember that Specialist Manning, like all military personnel, swore an Oath of Enlistment which calls for the party swearing said oath to defend the Constitution of the United States from all enemies, foreign and domestic. The oath itself reads as follows:

“I, (name), do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; and that I will obey the orders of the President of the United States and the orders of the officers appointed over me, according to regulations and the Uniform Code of Military Justice. So help me God.”

It is communicated in an elegant and articulate manner and leaves no room for interpretation. Beyond that, when one enters into a military occupational specialty which requires a security clearance, one’s life and personal opinions must be willingly put aside for the greater good, as the lives of others more often than not depend on a clear, unwavering stance on service, obligation and duty to the nation. Having said that, it should be noted that it is not my place, nor is it my desire, to pass judgment on this young man. That day and duty will come, and justice will be served in a military court of his peers at a time yet to be determined. My real concern centers on the situational awareness of those in charge of the facility in which Specialist Manning worked on a daily basis, and on their procedural and operational effectiveness. Allowing anyone to enter a classified environment with read/writable media is not uncommon; read/writable media are used within these environments. However, allowing them to leave the facility with read/writable media, regardless of how it was labeled (in this case Specialist Manning stated that he labeled a read/writable disk as a ‘Lady Gaga’ CD and proceeded to pretend to lip-sync to her songs while he was scouring secure, classified systems and networks for material, which he later downloaded within a split compressed file), is unusual to say the very least. In most cases it does not, and never should, occur.

This no doubt will be investigated by Army CID and others, and will likely see the watch command, Officer in Charge and others investigated in order to properly assess whether Specialist Manning acted alone or in collusion with others. The results? Well, we will have to wait for the results to be arrived at; we may never know, as the Department of Defense may desire (and it is their right to do so) not to disclose all that they find. Regardless, I cannot think of a better case to highlight the need for regular and vigilant security awareness and educational training, in addition to greater degrees of cognizance of the existence and potential use and hosting of onion-routed repositories within networks (public or private), which may be used for questionable and, in some cases quite clearly, criminal ends.

Introduction:  Changing the Paradigm

Lately, cyber-crime legislation seems to be in vogue. The Cybersecurity Act introduced by Senators Rockefeller and Snowe (S. 773), the International Cybercrime Reporting and Cooperation Act introduced by Senators Gillibrand and Hatch, and some serious talk in the European Union of creating a treaty to address cyber-criminal activity have caused me to put a lot of thought into what would make such laws or treaties successful, and what would cause them to be ineffective or, worse, detrimental. We should all be able to agree (based on solid research and evidence) that cybercrime exists and that, as the Internet knows no legal or national boundaries, it impacts us all, whether we find ourselves in the Americas, the Asia-Pacific Rim, or in any number of European, Middle Eastern or African nations.

However, though we can agree on the existence and prevalence of cyber-crime globally, what we struggle to do and fail to agree upon is arriving at a succinct way in which to address, investigate, and prosecute it on a global level. As such, the need for a truly international legal framework, one which scales and encourages all nations to participate while ensuring that proper recourse is taken and justice is served without bias, is greater now than ever before in human history. Legislation drafted in a vacuum, regardless of the intentions of those parties responsible for its drafting and creation, will only serve to cloud the already murky waters of prosecution while ultimately negatively impacting the ability of one or many nations to prosecute these types of criminals. A new era in thought and deed is required to usher in a formulaic, repeatable approach to prosecuting those actively involved in activities deemed ‘criminal’, while deterring those considering involvement from getting involved in the first place.

A Farewell to Arms: A New Era in Prosecuting Cyber-Criminals

The first premise of this treatise I owe to a great conversation I had with Will Gragido of Cassandra Security, Inc. It involves basing the international cybercrime laws I am referring to above on the RICO statutes of the United States of America. The Racketeer Influenced and Corrupt Organizations Act (commonly referred to as the RICO Act or RICO) is a United States federal law that provides for extended criminal penalties and a civil cause of action for acts performed as part of an ongoing criminal organization. It was first enacted by section 901(a) of the Organized Crime Control Act of 1970 (Pub.L. 91-452, 84 Stat. 922, enacted October 15, 1970) and is codified as Chapter 96 of Title 18 of the United States Code, 18 U.S.C. § 1961–1968.

Originally, according to Gragido, its authors had envisioned it solely being used in prosecutorial endeavors targeting members of the United States branch of the Italian Mafia known colloquially as La Cosa Nostra. Its use has since been realized beyond its initial purpose, and it continues to be used creatively by law enforcement in prosecuting others actively engaged in organized criminal activity. As a result, its application is much more widespread and effective than comparable legislation and traditional, perhaps even outdated, prosecutorial tactics. Were there an equivalent or a porting of the RICO Act to the cyber realm, cyber-law would move forward at the speed of light, thus enabling it to truly meet the needs of the Internet-dependent global economy. RICO-like statutes would mean that we could prosecute people who were racketeering and conspiring to perform illegal acts on the Internet (as implied by the basic tenets of the act), in addition to those who knowingly associate with known criminal entities. People like Alberto Gonzalez, who was recently convicted for his instrumental role in the TJX data theft (a theft culminating in excess of 44 million credit cards), could have been stopped while in their planning stages. Legislation of the type being described here might very well have prevented other crimes, such as Hannaford, Heartland, 7-11, and countless others.

Tempus Fugit: Time Flies and Waits for No One

We are living in progressive and wondrous times. The passing of the Rockefeller-Snowe bill within the Congress of the United States of America demonstrates a small, yet important, glimpse of just how progressive they are. This bill would permit the United States to apply and enforce sanctions against a nation that knowingly harbors cyber-criminals. Though the bill is well intentioned, and in truth ahead of its time in some respects, it is fatally flawed in many areas, not the least of which is its failure to address the importance of geo-presence and location within the legislation. Criminals, as we all know, can hide, spoof, and bounce off many countries with little effort while they commit their crimes, provided they are well organized and possess a rudimentary knowledge of TCP/IP networking and spoofing techniques. As a result we would in many cases find ourselves applying sanctions against mules, hapless redirectors, or a botnet lieutenant guilty of nothing more than having an unpatched system connected to the Internet via an enterprise or home network. I started thinking about how we surf the Internet or, as other languages put it, how we navigate through it. That gave me an idea that I would propose could be a great foundation. We need a RICO-like statute that is based on Admiralty law. I propose calling it Cyber-RICO.

Cyber-RICO: Changing the Rules To Accommodate The Game

One might ask, why Admiralty law? Well, for a variety of reasons. First of all, Admiralty law (sometimes referred to as maritime law) deals with questions and offenses that happen in international waters, and I think that we can draw a solid parallel between the cloud-like nature of the Internet and those very real waters. It touches many countries, and we all have a vested interest in protecting it. More importantly, no one nation can lay claim to, nor police, international waters, as by definition they are international and thus the responsibility of all who use and take advantage of them. Think about that for a moment. Who doesn’t use or take advantage of international waters, if not directly, then indirectly? International commerce uses these waterways as a seaborne transport mechanism for goods and services, much like people the world over use the Internet cloud. And just as on the high seas, where for millennia privateers and pirates have sought to take advantage of the open, permeable nature of these waterways, so too in the Internet age have our own pirates (cyber-criminals) and privateers (economically motivated hackers) sought to take advantage of the nebulous nature of the Internet.

Back when maritime laws were developed, the principal reason that drove ratification of these multilateral treaties was self-interest. Some nations, such as those that provided safe harbor to the pirates, were hesitant to adopt them at first. However, when the pirates turned against them, the countries’ own self-interest quickly encouraged them to ratify and espouse such a law.

The basis of maritime law is that any country that has signed the multilateral treaty can involve itself in the enforcement of the laws. In the same fashion, Cyber-RICO would give countries the ability to prosecute cybercriminals that commit these crimes on the high seas of the Internet. Even when country boundaries are crossed, international task forces could work within a common framework of enforcement, as the current anti-piracy task forces working off the coast of Somalia do. They respond to any call for assistance, regardless of the flag that the afflicted vessel is flying. That is the right spirit of the law, and it would work just as well as it relates to cybercrime.

Cyber-crime: Evolutionary End or A New Beginning?

At times it can be very difficult to focus on the facts in a world where one is barraged by information in ways that the greatest of science fiction writers could never have dreamed. Media figures, along with industry pundits, tend to spout facts and figures, often in the absence of knowledge and authority. Many times this leads to outcries amongst the information security intelligentsia, who seek to ensure that as little flawed logic and FUD (fear, uncertainty, and doubt) as possible is interjected on a daily basis. Opposition from within the ranks of the intelligentsia is a good thing, though many might suggest it is elitist and at times breaks from the tradition of all things ‘hacker’ in the sense that it establishes a clear ‘us’ and ‘them’. The truth, however, is that not all members of this informal fraternity are “experts” on cyber-crime, nor do they all have more than a working knowledge of it as it relates to their day-to-day roles and responsibilities. No. In fact, many if not most are engaged in other noteworthy endeavors, with the hope being that those who do possess an acute understanding of this subject matter shall use it to the benefit of us all. For many the overt goal is the sanctity of fact, the preservation of information and its dissemination for the common good. There is not one thing wrong with this attitude, and in fact I would go so far as to suggest that we not only wish it to be the case but need it to be so. The IC3 released its annual 2009 report on cyber-crime late last week, and with it came a number of findings:

The IC3 stated that the total dollar loss from all referred cases (that is, cases which were referred to and studied by their team) was approximately $559.7 million dollars (US), with a median or average dollar loss per instance also being reported. The significance is quite noteworthy in that it demonstrates that from the year 2008 (which saw a total of $264.8 million dollars (US) in losses) to 2009, the IC3 saw an increase in losses of approximately $295.1 million dollars (US). This growth represents a little more than two times what had occurred in the previous year. One need not look much further to see patterns emerging, if one ever doubted they existed. That statistic alone should alleviate any doubt that cyber-crime is swiftly becoming (and will likely supersede) the most sought-after element of modern criminal activity.

For many years, empirical evidence has been amassed and studied so that trends could be determined via the careful application of analytics. Through deep analysis an analyst begins to note trends and pattern development. Similarly, an analyst would begin to note points of adaptation, deviation and evolution as they relate to the trends and patterns. Many factors influence these patterns of development. In the past I have found it both necessary and helpful to create impact lists of items that either influence or aid my topic of study. The following list, though detailed, is by no means complete. It demonstrates some of the more prominent elements at work (some of which the sub-economic environment shares with the traditional economic environment):

Who’s To Blame?

We could easily begin finger pointing and assigning blame to corporations and individuals alike; however, it is my assessment that this was not, and will not be, necessary. Would it be convenient to blame Microsoft for every bad piece of code written using their .NET framework? Of course it would. It would be just as convenient, and likely every bit as easy, to blame IBM for its Rational framework and in the same breath begin addressing the failures of individuals’ and organizations’ internal code development. It would also be intellectually dishonest and morally suspect. I believe there is plenty of blame to go around and it is not entirely any one organization’s or discipline’s fault. It is all of our faults, in the sense that we failed to communicate the value proposition of the importance of securing properly to avoid securing dangerously. We speak of evolution, adaptation and sophistication as though they were the norm, part of the meme, if you will, of our industry, though the evidence shows that there is significant disparity between idealistic states and those anchored in reality. We talk of sophistication in attacks and exploits, yet in many cases ‘sophistication’ isn’t even a consideration, as many recent ones occurred using unsophisticated means (GhostNet). We use terminology such as ‘elegance’ to describe the state that is arrived at upon being owned (and being made aware of said owning) by those with questionable or nefarious intent, if a level of sophistication was demonstrated. In reality, some of the more notable attacks of the last 18 months were not terribly sophisticated, yet still quite effective.

First Steps

So who is to blame? My answer is that we all have an ownership stake in this, as I mentioned earlier. We live in a world driven by deadlines and by meeting or exceeding customer expectations. There is nothing wrong with that. Managing against deadlines is both noteworthy and sensible from a business management perspective. I do, however, believe that sacrificing quality in order to meet deadlines introduces problems sooner or later. As my father is fond of saying, you can’t cheat death, and I think (at least in spirit) the same sentiment can be echoed with respect to doing poor work: you can’t cheat quality. Often in my career I have worked with clients who simply could not afford to miss deadlines (internal or external customer-facing deadlines).

Recently my friend Josh Corman and I were discussing the basis for what became the Rugged Software initiative. During that conversation we discussed many of the arguments, pro and con (most of which are quite old, it should be noted), related to SDLC (software design life cycle) and the challenges which seem to manifest into reality all too often in development houses. My belief is that until SDLC is communicated in a manner which demonstrates the value of the bits to the boardroom, it will be an uphill battle. That doesn’t mean it isn’t worth fighting, but rather that until it resonates with the stakeholders, the business unit owners who set and oversee (and who are overseen by the board, for example), it will likely fall on deaf ears.

My suggestion is that organizations, and those within them charged with managing risk, should begin by evaluating the organizational risk posture. In doing so, provided the exercises are followed through upon, it will become clear what level of exposure the organization is incurring, what has been defined (formally or informally) as an acceptable level of risk, and whether or not that needs to be re-addressed in order to align with the expectations set forth by the risk management team in preparing the organization for cyber threats such as those associated with ‘cyber-crime’.

On December 23, 2009, the United States Department of Justice released a statement concerning Stephen Watt. Stephen Watt is likely not a name rolling off the tongues in households across America; however, his participation in what has been called to date the “largest identity theft in our nation’s history” is likely quite familiar. You see, Watt, Stephen as I like to call him, or soon-to-be federal prisoner Stephen Watt, was an integral member of the team assembled by Albert Gonzalez (you remember Alberto, right?) for the express purpose of stealing as many credit and debit card numbers as possible without being detected or ultimately prosecuted. The case in question is the now infamous TJX data breach. However, though not new news, the sentencing and the pathology behind it are something which few, if any, are addressing.

In the statement released by the U.S. DOJ, Watt was sentenced on December 22, 2009, for his role in the TJX breach, specifically for the creation of a sniffing (siphoning) application used to monitor and capture data, including customer credit card and debit card information, as it traversed corporate computer networks. Watt, who pled guilty to conspiracy charges on October 28, 2008, was sentenced to two years’ imprisonment, to be followed immediately by three years of supervised release, a condition of which was electronic monitoring of any computer use. Additionally, he was ordered to pay restitution of $171.5 million dollars US. For five years Watt unlawfully gained electronic access to corporate computer networks and in doing so downloaded customers’ credit and debit card information, which he later trafficked, sold and used for personal fraudulent gain. The United States Secret Service, along with third-party digital forensics firms, investigated the case. Assistant U.S. Attorney Stephen Heymann, who is acting Chief of the Computer Crime Unit of the Secret Service, which spearheaded this case, prosecuted it.

Watt’s attorney attempted to establish a scenario suggesting that he simply lacked sound judgment and was led to participate by his own intellectual curiosity and the bonds of friendship he had forged with Albert Gonzalez while the two were teenagers. I find this to be weak at best. Would I expect a defense attorney to suggest otherwise in a case such as this? No; I think that in a case such as this one, if I were a defense attorney I would be looking for any plausible egress point possible in the hope that one would lead to light. However, I would expect that those parties hearing and prosecuting the case would not fall prey to such delusional lines of thinking (I have no reason to believe, nor am I insinuating, that either Mr. Heymann or the Honorable Judge Nancy Gertner did fall prey to such vapid arguments, but rather that they arrived at a satisfactory judgment based on the facts and goals they were presented with and working toward).

The facts are clear: Stephen Watt willingly created ‘blaba’ for the express purpose of monitoring, collecting and siphoning credit and debit card information belonging to others. That this data resided on the TJX network and systems was but a technicality, as Watt and his co-conspirators were, after all, engaged for criminal profit. According to his defense, Watt had no idea his creation would be used for illegal activity (this is insulting to all who read it and to logic itself, given the design intent, nature and use of the code). This clearly suggests that he is either a liar or a lunatic, given the amounts of evidence collected related to conversations and other salient details of the operation that he and Gonzalez led.

What I find interesting is the potential use of similar arguments of defense in cases such as Watt’s and others where the ability to distinguish right from wrong seems to be suspect. Let’s look a little more closely at Watt’s background. A highly intelligent software engineer with an impressive resume including, among others, Morgan Stanley and Imagine Software (a trading software manufacturer), Watt graduated high school at age 16 in Florida with a 4.37 grade point average. In 2004, he moved to New York to work for Morgan Stanley, and began frequenting nightclubs and experimenting with drugs. In 2007, he took a role with Imagine Software, where he was working up to the time of his arrest. He cited his intellectual curiosity and, as mentioned earlier, friendship with Gonzalez as being deciding factors in his participation; however, I believe (and so too did the prosecutors and judge involved) that the deciding factor was profit. Profit via criminal activity that did not seem to bother Watt or his accomplices in the slightest. Conventional thought suggests that they believed that the “banks” were insured by the FDIC and that the monies and profits acquired were reimbursable (never mind the damage they did to the reputations and credit ratings of countless thousands and the overt brand damage they brought to the doorstep of TJX). Watt was not the mastermind of the breach; that honor belongs to Alberto Gonzalez, who is currently awaiting sentencing in Boston and faces up to seventeen years in federal prison. The two housed Watt’s code on a leased server located in Latvia and, with it, over 16.3 million stolen credit card numbers, while another 27.5 million stolen card numbers were located on a server in Ukraine.

I worry that more will, upon being identified and caught, feign or claim ignorance or, worse yet, the inability to determine right from wrong as a plausible defense, making illegal activity of this sort, and its prosecution, akin to violent crime prosecution and the insanity plea. I feel there is danger in this and in other defenses being introduced into courts of law that suggest that a person guilty of (knowingly) committing a criminal act was unable to determine the legality of their actions due to some pre-existing circumstance or condition. Take the case of Gary McKinnon of the United Kingdom, for example. McKinnon was found guilty of penetrating and disrupting computer systems and networks belonging to NASA and the United States Department of Defense. McKinnon, who claims to have been on a quest for truth regarding UFOs, penetrated over 90 classified systems and networks in 2001 and 2002. He faces extradition to the United States, which was granted by the courts of the United Kingdom, but is currently fighting extradition based on his claims of suffering from Asperger’s Syndrome (a type of pervasive developmental disorder (PDD); PDDs are a group of conditions that involve delays in the development of many basic skills, most notably the ability to socialize with others, to communicate, and to use imagination). Based on the information gathered on it, the condition does not suggest a failure or inability to recognize wrong from right. In fact, there are many highly regarded, influential historical figures from all occupations who have been diagnosed with Asperger’s.

Personally, I feel that defenses such as that posed by Watt’s attorney and by McKinnon are both scandalous and shameful. They insult and mock those who do suffer from diagnosable developmental disorders while, at the same time, attempting to insult the intelligence of the masses. In order to prevent them from becoming the defense du jour, it is my hope that the courts begin laying down much more restrictive, severe sentencing for criminal acts such as these. Failure to do so in many respects encourages the risk/reward calculation used by criminals in order to justify their activities.