By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, August 19, 2008
At the end of the Black Hat hacker convention in Las Vegas this month, James Finch, head of the FBI's Cyber Division, sat down for an interview about crime and the Internet. About 4,000 people gathered at the annual convention to hear about research on the latest network and computer or electronic-device security vulnerabilities.
The FBI's Cyber Division is responsible for investigating high-tech crimes, including computer and network intrusions and child pornography cases. Each of the FBI's 56 field offices has a cyber squad, which pulls from a pool of 500 to 600 agents specializing in the area. According to an FBI spokesman, there are currently about 50 FBI-led cybercrime task forces across the country working cases with state and local authorities and with investigators from other law enforcement agencies.
These are excerpts from the interview:
QThere are some people who say the threat from cybercrime -- the financial threat and threat to our economy -- is overhyped. What do you think?
AI don't think it's overhyped. The Internet works the same for everybody, bad guys included. If you take the time to understand the Internet, let me tell you there aren't many things you can't peel back and look behind. Whether that requires decrypting encryption or undermining some of the safeguards we have, there's a way to do it.
A lot of people just don't take the basic precautions, or don't know how to take them. Many people just don't have the level of knowledge needed to safeguard themselves. The bar is raised every day. So how do you as a common user keep up with the necessary safeguards? How do you configure it? Should I let this in or not? Who's going to know unless they have some basic information security knowledge?
QAt the "Meet the Feds" talk at Black Hat, someone raised a question that . . . speaks to the issue of how we tackle cybercrime that originates from other countries. The common perception is that we're not getting terribly good cooperation from similar authorities in Eastern Europe and Russia in particular.
ALook, I've had good cooperation from most countries we've worked with. I really have . . . I've traveled to various parts of Eastern Europe and Romania to set up task forces there, and I've made arrests in intellectual-property cases with the Chinese.
Q[Do] you think it would be helpful to build in some kind of cybersecurity component into treaties we have with other countries, as we have done with intellectual property and software and so on?
AOne of the things I get real concerned about is . . . the point-shoot-aim-type of action when it comes to writing certain clauses into various agreements. I don't want to get into the State Department's area or the Justice Department's area, but because we are at what I consider to be the infancy of the Internet . . . we're veering into a point where a lot of things will be Web-based, we're probably going to see some things that will make us probably regret acting too quickly in terms of writing things into trade agreements.
QDo you think the government has a bigger role to play here in educating people in what they need to do and the attitudes they should adopt in order to stay safe online?
AI think the government is doing a fairly good job of reaching and making people aware. Take, for example, http://www.lookstoogoodtobetrue.com or http://www.ic3.gov-- those are public-awareness sites. Other agencies have public-awareness sites on cyber. What do you want, the government to teach classes? I mean, the No. 1 criticism in many cases is that the government has overreached; they're reaching into our privacy, into our lives; they're interfering too much. Well, what more do we do than to try to make people aware, provide them with a place to go if they believe they've been harmed on the Internet? We can't force people to become more aware.
Q It appears that a huge number of people committing crimes are doing so through botnets and distributed proxy and anonymization networks. Can you talk about the challenges that development poses and how the FBI is addressing it?
AWell, botnets do create an identification problem. It's a challenge. Reason being, you have computers that are unwittingly being used to commit crimes, and so when the owner of the computer doesn't know his or her PC is being used to commit a crime, it makes it difficult . . . well, you can't go after that person for that crime.
QAre there threats you see emerging that keep you up at night? Or is it more of the same old stuff?
APeer-to-peer botnets are becoming more prevalent, like Storm and Kraken. A lot of these are being created so that they avoid detection by anti-virus software, so they're hiding better. For the average user, if their anti-virus can't find it, then they don't have the background to delve deeper into the operating system to detect it.