Cybercrime and military cyber-defense plans were aired by U.S. government officials during the RSA Conference yesterday.
SAN FRANCISCO -- The U.S. government faces huge challenges both combating cybercrime and improving military cyber-defense capabilities, but progress is being made, according to officials speaking at the RSA Conference.
Howard Cox and Kimberley Peretti, attorneys in the Justice Department's cybercrime division, Tuesday spoke about cracking international cybercrime rings involved in stealing millions of dollars from U.S.-based ATMs through sophisticated network-sniffing and malicious code in bank systems that enable the theft of debit-card PINs.
Some of the high-profile cases are providing law enforcement with insights into the growing problem of cyber-crooks brazenly tapping into bank systems.
"They use the PINs to withdraw cash at ATMs and clean out accounts," Cox explained. Investigators believe hackers are finding vulnerabilities in banking systems, capturing huge blocks of PIN numbers, and locating encryption keys to decrypt encrypted PIN blocks that may be stored in hardware security modules (HSMs), physical boxes used to hold PIN blocks traversing the Internet in the banking system to be processed at points involving the bank or payment-card provider.
Employee debit cards that employers may use to provide employee payments are favored targets, and cybercriminals will "go into the system and change the [withdrawal limit] amount, get the cash and then go back into the system and change it back again," Cox said.
One bank reportedly lost $5 million in 24 hours through 9,000 withdrawals. Sometimes it appears the only reason the cybercriminals didn't steal more is that the ATMs ran out of cash.
"They're into banks, merchants, restaurants, large and small companies, domestic and international," Peretti said. "They're on every continent."
The top hackers appear to be overseas, "many Russian-speaking," Peretti said. They end up with plenty of money, they are young and they travel. Cooperation with law enforcement on an international level is improving, Peretti said, leading to a much better chance of apprehending, indicting and convicting cybercriminals who can carry out their crimes remotely over the Internet.
According to Peretti and Cox, these cybercriminals often work in a group comprising the hackers, the code writers and the "money mules to take it out of the ATM machines." They don't need to meet face to face to carry out their crime.
The U.S. government now has about 240 prosecutors travelling to work on cybercrime cases, and it's mainly the ones with "large-dollar impact" that get the most attention, Cox noted. He added that often "they know our networks as well or better than we do." Some use VPNs to "suck the data out," he said. "Some hackers use more security than their victims."
The U.S. military is also eager to improve its security posture in cyber-defense, according to RSA Conference speakers from the Department of Defense. Robert Lentz, deputy assistant secretary for information assurance -- effectively the military's CISO -- said the Defense Department's basic problem is "we have too many networks."
The military services operate more than 15,000 networks in 88 nations, for a total of 120,000 telecom circuits and 1.1 billion Internet users. The military is constantly under cyber-attack with 360 million probes per day, Lentz said. The reality is that the military is so dependent on its networks that "airplanes cannot fly if the network is down."
Military networks have been penetrated in the past, he said, and when asked whether Chinese cyberspies have gotten in -- a topic big in the news lately -- he said "probably."
"The reality is the bad guys are going to be in our network, so how can we fight through the bad guys being in the network?" he noted.
The military has plans for a Cyber Command that will consist of about "90,000 certified cyber-warriors with specialized skills" who will take on protection of the military's critical infrastructure, Lentz said. He also expects that the Defense Department will announce, as soon as next week, an overall "Defense Department Identity Assurance Strategy" that will entail more use of biometric ID methods.
The Obama administration, in a keynote address at the RSA Conference by Melissa Hathaway, acting senior director for cyberspace, is expected on Wednesday to detail the findings of the "National Cyber Security Review" undertaken over the past 60 days to set a course on protecting the nation's infrastructure, such as transportation, banking, power supply and the military.
While much debate has raged over whether the National Security Agency should be playing a large role in protecting civilian government agency and private-sector infrastructure, Lt. Gen. Keith Alexander, director of the NSA and chief of the Central Security Service, gave a keynote address Tuesday about the topic.
"We don't want to run cybersecurity for the U.S. government," Alexander said.
He noted in the past that statements in Chinese military publications indicate that high-tech cyberattacks could be used to disrupt and destroy the U.S. economy. He also pointed out that Estonia, Latvia, Lithuania and Georgia have in the past two years each found their country's networks under sustained attacks by attackers -- though he didn't point to specific known origins.
The NSA's role, along with the Federal Bureau of Investigation and other government entities, should be to "help protect the nation during key events," Alexander said. He said there needs to be a dialog with industry, academia and the nation's allies to ensure the coordination and technical capabilities are there.
"How do we provide early warning?" Alexander asked. "We're each early warning for each other."