Companies should establish professional relationships with the gardaí so that they can co-operate in investigations and know the correct procedures to take in the event of a security breach, a conference on cybercrime heard yesterday.
Howard Schmidt, chief security officer with E-Bay and a former US government advisor, highlighted the importance of co-operating with the police even before events happen, so that organisations will know better how to react to a security risk or attack. “When should we call law enforcement? Tomorrow. If you call them after something happens, it’s too late,” he said during the opening address at the Irish Cybercrime Forum, hosted by ISSA Ireland, the local chapter of the Information Systems Security Association.
Schmidt added that companies do not have to worry about sensitive information being disclosed if they call the police in to investigate. “Even if you call them, you make the decision what to report and what gets made public. We must have that relationship with those who can help us.”
Detective Superintendent Eugene Gallagher, deputy director of the Garda Bureau of Fraud Investigation, acknowledged in his presentation that companies may be afraid of the consequences of disclosing sensitive information and he emphasised that organisations can speak to the Gardaí in confidence.
According to Gallagher, there is widespread reluctance to report IT security incidents. “There’s no doubt that cybercrimes are happening and they’re not reported; not just here but universally,” he said.
Schmidt had pointed out that law enforcement officials are now technically trained so they are familiar with computer systems. Gallagher echoed his point, stressing the importance of preserving data in its original form if a company suspects a crime has occurred. The gardaí have specialist software that can take a mirror image of a computer, he said, which allows them to examine the data it contains without disturbing the original machine which could contain vital evidence.
Detective Inspector Paul Gillen, head of the Computer Crime Investigation Unit, added that organisations were not under pressure to report a crime, but he said that meeting with gardaí, even informally, could be useful for both parties. “You may or may not decide to report a crime, but at least you get some professional advice and we get to know about the attack and how it was perpetrated,” said Gillen.
In several cases of computer crime, the offenders have committed the same crime on more than one occasion. “Our experience is, these guys appear somewhere else,” said Gallagher. “By sweeping [an incident] under the carpet, it becomes somebody else’s problem. But if we in the police force are not made aware of it, we see it as a much smaller threat than it is.”
Gallagher drew parallels with the whistleblower legislation that obliges company directors to reveal suspected cases of fraud. “We get about 5,000 disclosures per year about money laundering. From an intelligence point of view, that’s invaluable.”
The day’s final presentation was given by Ed Gibson, assistant Legal Attaché at the US Embassy in London. Gibson is also a supervisory special agent with the FBI and since 2000 has been responsible for all of the bureau’s cybercrime investigations in the UK and Republic of Ireland. He spoke of obstacles that can hinder police investigations of cybercrime cases. Obtaining basic subscriber data as part of an investigation is very difficult because webmail and hosting companies often do not comply with the local laws of the countries in which they operate.
“It’s difficult for law enforcement to function in this area,” he said. “When a .com address is involved, it requires law enforcement to put resources and time to obtain data,” he added, explaining why cyber criminals often hide behind the generic .com address rather than a country-specific .ie domain, for example.
“When the gardaí come across a Hotmail or Yahoo! address in a kidnapping or a robbery, how on earth do they get any type of information from Yahoo.com?” he asked. He said it could not do so easily because the US, where webmail and hosting companies are usually based, has very strict privacy laws “which it should have”. However, this creates a complicated and time-consuming legal process for investigators. “Four to six months later the information can get back to the gardaí, assuming the case is still on the radar,” he said.
Cybercrime investigations often involve co-operation between law enforcement in different jurisdictions but this creates paperwork and can slow down responses to crime. Gibson argued that some of this overhead could be solved if the large hosting companies were compelled to disclose technical data in the countries where they have customers. “Governments have to require multinational companies to abide by local laws,” he said.
For all that, Gibson paid tribute to the work being done to tackle cybercrime. “Police forces are exceptional but always understaffed,” he said.
By Gordon Smith