Unlike most other areas of criminal investigation, in cyber crime the private security sector is seen as a huge partner to law enforcement, with its expertise and eagerness to close any vulnerabilities.
(TNS) -- About a dozen military bases. More than 500 defense contractors. One of the largest concentrations of biotech in the world. All in one county.
And all in the crosshairs of cyber criminals.
San Diego County is considered among the most target rich areas in the nation when it comes to cyber attacks.
“If you take down all the power grids in San Diego, you take away a portion of the Navy’s ability in the United States,” said Eric Basu, president and CEO of San Diego-based Sentek Global, a technology service provider for the government.
“It’s a continual arms race: people trying to get in and people defending against it.”
While fears of a major infrastructure takeover are very real, smaller scale attacks are part of daily life for local industries.
For instance, the Navy’s San Diego-based space and naval systems command, or SPAWAR, is hit multiple times daily with breach attempts, Basu said.And hackers tried to get into San Diego Police Department’s computers recently, via the home router of one of the department’s vendors, he said, but were stymied by advanced cyber protection software.
“I’ve had four to five clients recently get calls from the FBI saying ‘Your stuff has been flowing over to China for the last six months,’” Basu said.
Who are these hackers? They are state-sponsored actors from countries such as China, North Korea, Russia and Syria trying to spy on the U.S., steal intellectual property — from drugs to drones — to better their economies or defenses, or perhaps cause harm to our infrastructure.
They are criminal organizations — often based in Eastern Europe and Africa — focused on stealing your personal information and financial scams.
They are “hacktivists,” or hackers that breach systems to make a moral or political statement. Sometimes, they are a combination of these archetypes (ie. criminal groups hired by foreign governments to steal intellectual secrets.)
And many times, they are untouchable.
That can be the most frustrating thing about cyber warfare for both victims and investigators alike. Maybe the leak of information can be stopped and prevented. Maybe a counter attack can even be launched. But rarely does justice come in the form of seeing the perpetrator in handcuffs in a courtroom.
“It’s a challenge,” said Supervising Special Agent Terry Reed, who oversees one of two cyber squads in San Diego’s FBI office. “It’s demotivating when the point of origin leads you to guys that we just can’t get our hands on.”
Cyber crime is so prevalent that cyber investigations are now handled by nearly every law enforcement agency, from Homeland Security Investigations to local police departments.
Hiring officers with the technical expertise needed for these complex investigations is becoming a major obstacle. Last year, Congress authorized the FBI to hire some 2,000 people, many of whom would be assigned to cyber issues.
“You don’t make a cyber agent by sending them to training,” said Reed. “It begins when they are very little, it’s a hobby to them, they grew up living and breathing technology.”
Finding the young minds with the right skill sets who can pass the rigorous FBI background and testing requirements is where it gets tricky. “It filters out a large population of people,” Reed said.
FBI Director James B. Comey made headlines last year when he said it has become harder to hire hackers to tackle cyber crime due to their apparent fondness for marijuana. The agency’s current regulations won’t allow applicants who’ve smoked pot in the past three years.
The government is also competing with the lucrative private sector for the same talent, though Supervisory Special Agent John Caruthers, who also runs a local cyber squad, says the FBI does have one advantage over corporate jobs: “The cool factor keeps them.”
Tackling cyber crime from the 10,000-foot level is The National Cyber Investigative Joint Task Force, which integrates federal investigators, U.S. military, international partners and private security experts and serves as a clearinghouse for cyber crime intelligence.
“We are looking at the broad strategic shifts in the enemy’s tactics and movements. What are these bad actors doing, and what threats do they pose?” FBI Special Agent Paul Holderman explained in a bulletin on the group.
And unlike in most other areas of criminal investigation, in cyber crime the private security sector is seen as a huge partner to law enforcement, with its expertise and eagerness to close any vulnerabilities. In San Diego, a large network of cyber security companies and experts regularly exchange intelligence, help mentor new talent in the field and encourage new cyber businesses to make their homes here.
The FBI employs two cyber teams in San Diego with special agents, computer scientists and analysts who are solving cases, connecting the dots on various intrusions and educating local businesses on how to better protect their systems. One team deals primarily with criminal cyber fraud, which is mostly financial in nature, while the other focuses on threats from other governments.
Cases get opened either when the FBI notices through its investigative techniques that an intrusion has happened, or when a victim notices the breach and reports it.
“We figure out what happened, how did they get into the network, was anything taken, and tell the company what we learned,” Caruthers said. “We gain a lot of institutional knowledge on different groups and take that knowledge back to the companies.”
Some companies don’t want to disclose a breach, for fear of shaking consumer and investor confidence and to protect its brand.
“There’s a calculation: What must I report?” Reed said of such companies. The law requires certain types of companies to report any intrusions to law enforcement, including defense contractors and businesses that deal with customer data.
This past summer, the Department of Justice launched a pilot program in San Diego in hopes of encouraging companies to report data breaches quicker to law enforcement, so any compromised data can be seized before it goes overseas. The program kicked off with a roundtable meeting that included private law firms who typically get notified by their clients when an attack occurs.
Assistant U.S. Attorney Sabrina Feve, who prosecutes cyber cases and is involved in the program, said it’s important to create incentives to make companies want to report when they’ve been hacked, including offering them resources that they wouldn’t be able to access on their own.
Next, the investigators must establish venue: Who has jurisdiction when the victim is in San Diego but the victim’s servers are located in Ohio and the bad guy is in yet a third location, possibly even overseas? What about if the hacker is targeting victims all over the world?
Oftentimes it comes down to what makes the most sense for evidence collection and prosecutorial support, Reed said. The FBI has agents in about 75 countries to act as liaisons to bring criminals there to justice.
Even then, it’s not often that these hackers go to court. Stopping the attack, minimizing losses and fortifying computer systems for the next attack is a more common outcome, authorities said.
In the past five years, the U.S. Attorney’s Office in San Diego prosecuted eight computer hacking cases and at least 14 involving the theft of credit card or banking data, according to the office. The number of cyber prosecutions is likely low because cyber crimes often get charged under other various laws, including wire fraud, Feve said.
Cyber cases also bring unique challenges to the courtroom. Digital evidence might be overseas. Hackers may delete or encrypt evidence. And lawyers need technical expertise to make a jury understand complex evidence and processes, Feve said. National security investigations, those can take years and years, and often remain top secret.
“Attribution in cyber (crime) is extremely difficult, and criminals realize that. It’s low risk and potential high reward for cyber criminals,” said Stephen Cobb, a security researcher at ESET, one of the world’s largest security software firms. “It’s hard to fight back if you don’t know for sure who carried out the attack and why.”
This past year saw a number of massive breaches that remain under investigation and highlight the growing threat.
The U.S. Department of Health and Human Services found that 55 health care providers suffered data breaches resulting in theft of data for more than 110 million Americans, including the massive breach of Anthem patients, Motherboard reported. In July, hacktivists were responsible for the Ashley Madison website breach, unveiling the identities of men and women looking for extramarital affairs.
Even the government was not immune, with the the hack of personal information —children’s names, financial activity, sexual partners, marital troubles, debts and substance abuse problems —of some 20 million federal applicants and contractors with top security clearances. The U.S. Office of Personnel Management breach is suspected to be the work of the Chinese in an attempt to gather sensitive details about government employees that could be useful to blackmail them or persuade them to become spies.
At least one San Diego government contractor whose personal information was breached has filed a federal lawsuit in the case, joining several others nationwide.
Hackers also hit an FBI portal that was used for federal and local law enforcement to share key intelligence on cases and suspects. The hack was believed to be perpetrated by the same intruders who got into CIA Director John Brennan’s AOL email account.
Cyber news site E-Commerce Times predicted hot hacker targets for 2016 include fantasy football sites and wearable devices collecting personal health information, such as Fitbit and Apple Watch. The news site also predicted an uptick in use of ransomware, when hackers scramble a company’s system and demand a ransom to unscramble it.
How do we protect ourselves — and San Diego’s top targets — from cyber attacks, especially when the threat is a click away?
“Twenty to 30 years ago, the bad guy had to breach physical locations and get passwords,” Reed, the cyber squad supervisor, said. “... Now the threat is so passive. Everyday on your computer a new threat is coming at you from email right at your front door, and all you’re doing is clicking on a link and giving the bad guy complete access.”
And as the technology advances at light speed, so do the vulnerabilities.
The intense competition in the technology industry means developers are often trying to roll out new products faster than their competitors, getting it out on the market as quickly as possible — often times at the expense of strong security features, authorities said.
The answer, said security expert Cobb, often lies in tried and true basics.
“A lot of good security is not magic, it’s not rocket science in terms of cutting edge. There are well established practices that if followed incrementally, you increase protection,” he said. “Key elements are use of encryption, anti-malware, strong authentication, good backup and recovery capability and good employee education.”
But, as FBI supervisor Caruthers reminds: “It’s way more expensive for us to defend ourselves than the adversary to conduct the attack.”
“Humans are the weakest link,” Caruthers said.
One of the newest scams that has resulted in millions of dollars in losses to San Diego companies is a technique called “whaling.” It’s similar to “phishing” — trying to gain sensitive information by posing as a trusted source — but goes after the big fish, or top leaders, of a company.
The hacker will usually start by getting into the email account of someone who controls the purse strings in the company, such as a money manager. Then the hacker will do reconnaissance on the leadership, a CEO or top decision-maker.
A typical scenario might go something like this: The CEO posts on his Twitter or social media accounts that he is at a convention in Phoenix that week. He offers other personal information on the web that the hacker can then use to pretend to know him.
The hacker will then send an email through the money manager’s email account that might read like this: “Hi boss, I’m so sorry to bother you at your convention but our customer in Taiwan says they did not get payment and it is very late. Can you wire the payment to the following account so we can get it to them right away .....”
Authorities say it can be easy to fall for such sophisticated attacks, but also said that many businesses that did had failed to follow security protocols.
It’s why experts say it’s so crucial to train everyone in the company on cyber security, from the front desk person to the CEO, rather than just delegate the issue to a select few in the IT department.
©2015 The San Diego Union-Tribune. Distributed by Tribune Content Agency, LLC.