Cybercrime: Hacker Series
Stephen Schroeder
Former Assistant U.S. Attorney

Tuesday, May 20, 2003; 1 p.m. ET

The global Internet has created a near-borderless world, where information and ideas flow constantly at the speed of light. But a new breed of criminal has emerged over the past decade to take advantage of holes in computer network security. Hackers have proven adept at raiding corporate and individual computers, stealing everything from confidential financial information to intellectual property.

In a three-part series, The Washington Post this week explores how one group of Russian hackers was able to shake down U.S. companies to the tune of millions of dollars.

Day 1: Internet Dreams Turn to Crime
Day 2: A Tempting Offer for Russian Pair
Day 3: Despite U.S. Efforts, Web Crimes Thrive
Interactive Graphic: Key Players and "Anatomy of a Hack"

Join former Assistant U.S. Attorney Stephen Schroeder on Tuesday, May 20 at 1 p.m. ET, to discuss his role in prosecuting a Russian hacker ring.

The transcript follows.

Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.



Alexandria, Va.: Even though I applaud the prosecution of people engaged in criminal activity, how could the court justify the FBI illegally (according to the FSB) entering a system in another country by not obtaining permission? It is absurd to think that their actions will not cause multiple future problems as other countries will take this as a sign that information based on computers in the US are to be accorded the same cavalier attitude!

Stephen Schroeder: The FBI simply preserved the files on a private system known to be controlled by the defendants. The actual file contents were not reviewed until a search warrant had been obtained from a Federal judge. In the Russian civil law system, criminal complaints can be initiated by private citizens -- in this case, Gorshkov's brother.


Laurel, Md.: The computer industry and the political/legal system are both known for the speed at which they move -- very fast in one case and very slow in the other.

Do you often feel that in trying to create or enforce technology regulations that you're always a step behind the creation of new products and techniques? Are we reaching the point where technology just can't be regulated in a slow-moving democracy?

Stephen Schroeder: It is absolutely critical that the international law enforcement community continue to evolve standards for the immediate preservation of electronic evidence. The problem, of course, is to establish a reasonable balance between preserving privacy and holding people accountable for vicious, anti-social conduct. In general, law enforcement has gained considerable ground against the bad guys in the last 10 years.


Laurel, Md.: How big of a problem is it today that people in the legal profession simply are not educated in high-technology? Thinking of some examples:

In the Microsoft trial, Judge Jackson didn't really seem to understand what was distinct between Internet Explorer, Netscape and Mozilla.

The guy who sent the "I Love You" virus from the Philippines was never prosecuted because that country didn't have any laws against it.

A friend of mine who works in the computer field says he has his name on a very stupid patent that should never have been issued, except the attorney at the Patent Office didn't understand why the software didn't do anything unique (it was a direct application of a well-known algorithm).

Are legal people usually at the mercy of expert testimony of self-serving witnesses in trying to understand technology issues?

Stephen Schroeder: Educating lawyers and judges about the realities of technology needs to be a priority. The program started by the Computer Crime and Intellectual Property Section of the U.S. Department of Justice in 1995 to train at least one prosecutor in each Federal District might serve as a model. Seattle University is exploring the possibility of some joint courses between the Law School and the graduate school of engineering for law students interested in IT-related law.


Olney, Md.: Can you tell us more about what you found on Gorshkov's and Ivanov's computers? Were there files from many other companies?

Stephen Schroeder: At the Gorshkov trial, we presented evidence that scores of U.S. business networks had been intruded into. Also found on the tech.net.ru computers were numerous hacking tools and 56,000+ credit card accounts. Contrary to the statements that Ariana reported from Russia, all of those numbers were verified as real accounts.


San Jose, Calif.: Wow, what a smart operation you guys came up with! Can you tell me more about what other alternatives you considered?

washingtonpost.com: A Tempting Offer for Russian Pair (Post, May 19)

Stephen Schroeder: Thanks. Because the U.S. does not have an extradition treaty with Russia, the problem was one of how to get them to another country where they could be arrested.


New York, N.Y.: Which laws (state, federal, and int'l) have the most bite or are most effective in prosecuting hackers? Is there legislation in the pipeline to watch out for? I realize that the answer would depend on where the hacker is based or the hacking occurred. Thank you.

Stephen Schroeder: The Federal Computer Fraud and Abuse Act (18 U.S. Code, Section 1030) effectively proscribes a range of computer-related offenses, from trespass to destruction of information. Most states also have effective laws. The national (and sometimes international) reach of the Federal government often makes it the most effective entity to investigate interstate and international activity.


Alexandria, Va.: Is the international community currently working on a global cybercrime framework? What is the role of the U.N. or Interpol in coordinating this?

Stephen Schroeder: The U.S. is actively working with the G-8 nations, as well as many others, to put in place an effective framework to deal with computer crime. Concepts of national sovereignty and conflicting values remain barriers.


Bethesda, Md.: Were you involved in prosecuting other computer-related crimes?

Stephen Schroeder: I prosecuted mostly computer crime cases for the last ten years. The cases ranged from network intrusions to web defacements, and included Internet fraud, copyright offenses, and theft of trade secrets. Through the Computer and Telecommunications Coordinator program established by the Computer Crime and Intellectual Property Section, there are numerous Federal prosecutors throughout the nation who work almost exclusively on computer crime cases.


Frederick, Md.: Is the FBI always the lead agency on cybercrime involving foreign sources, or are there times when local law enforcement takes the lead?

Stephen Schroeder: Because it has a world-wide network of agents, the FBI is usually the lead agency in such cases. Local law enforcement can use the same resources to investigate, but in these times of shrinking revenues, often do not have the funds to do so.


McLean, VA: Do you believe that the FBI and Secret Service have the personnel and resources to combat Cybercrime at this point in time? How about in the next 2-3 years?

Stephen Schroeder: The FBI and Secret Service have both made large gains in the past five years. I am hopeful that the new Homeland Security Department will be able to devote even more resources to the issues, and, of course, state and local law enforcement must be funded and trained to help with this huge problem.


Washington, D.C.: What was the goal of your prosecution in this case: To punish these specific hackers, or to send a signal to hackers everywhere? If the latter, how much effect do you really think it had?

Stephen Schroeder: As a professional prosecutor, my job was to prosecute cases. Successful prosecutions, however, always have some general deterrence effect. Hopefully, the case raised the perception of risk among the hacker community.


Vienna, Va.: The rapid spread of computer hacking and other criminal activity shows that we may be simply trying to do TOO MUCH by computer nowadays. For instance, it would be much harder to steal someone's credit history if that whole history wasn't available in a database. Teenage kids couldn't break into NSA and CIA files if they weren't on a database to start with. I think it's time we started paying serious attention to DIS-automating a lot of what is on files and simply going back to paper and ink.

Stephen Schroeder: To some extent, I agree with you. There was a large-scale rush to get in on the E-commerce bonanza before the technology was capable of providing adequate security for the transactions. The genie is now out of the bottle, however, and I don't think that it is realistic to think that it can be put back. Hopefully the industry has learned to pay more attention to security and less attention to ease of access.


Cumberland, Md.: Would you say that the judge did not fully comprehend the magnitude of the crime to hand out such light sentences to these criminals?

Stephen Schroeder: Because the judge did not state his reasons for the sentence, I will not speculate on the subject, except to say that perhaps he had some empathy with the dismal conditions in Russia that Ariana's article so effectively revealed.


Cumberland, Md.: If I remember correctly the old USSR did not do anything to uphold international copyrights either. Has the situation improved on that front or is the new Russia still into "piracy" in a "big way"?

Stephen Schroeder: A couple of years ago, the Department of Commerce held a conference for a number of senior Russian officials on the issue of enforcement of copyright and other laws protecting intellectual property. I was privileged to participate in that conference. The Russian officials with whom I met told me that they were in the process of enacting effective intellectual property laws and intended to enforce them in order to attract investment money to Russia. I do not know the progress of the project, but it sounded hopeful.


Arlington, Va.: Is the American Bar Association leading any efforts to ensure that lawyers are adequately trained/prepared to deal with computer crimes?

Stephen Schroeder: There are some nascent bar organizations to help educate lawyers on IT issues, and several law schools (G.W., Stanford, among them) have courses on the subject. Other law schools, including Seattle University, are moving in that direction. The issue of educating lawyers and judges remains a critical one.


Alexandria, Va.: Did the two hackers provide for their own legal defense, or did they rely on court-appointed lawyers?

Stephen Schroeder: Both defendants had court-appointed counsel -- all, incidentally, extremely competent and effective.


Cumberland, Md.: Should there be a system of international sanctions or even penalties enacted via U.S. legislation against countries which refuse to punish "hackers" when confronted with evidence of their violations?

Stephen Schroeder: Concepts of national sovereignty and national self-interest always drive a nation's response to international requests for assistance. Nations will respond when it is in their self-interest to do so. Negative impacts on commerce and investment may, ultimately, provide the biggest motivation to change their approaches to the issues. Economically depressed nations simply have more pressing problems to deal with at this time.


Seattle, Wash.: How do you decide which agency gets a particular case? Whether it's the FBI or Secret Service or someone else who investigates? I've always been confused about this.

Stephen Schroeder: Here in the Pacific Northwest, we have a tradition of cooperative behavior. Which of the two agencies gets a particular case often depends, simply, upon where the initial complaint is made, or which agency has the most available resources at the time. In reality, the two agencies have largely concurrent jurisdiction over many offenses. In the Gorshkov case, the two agencies worked closely together.


Arlington, Va.: I am a high school junior and am interested in computer forensics. What can you suggest is the right path to take in college? Do you recommend any types of colleges that specialize in this field? What are some of the requirements of the computer investigators?

Stephen Schroeder: Your question is a good one. Under current thinking, the two fields of computer forensics and investigations are somewhat separate. If you are interested in pure forensics, then computer science courses are the way to go. Seattle University offers a course in computer security and forensics (which, in the interest of full disclosure, I help to teach), and intends to expand in the near future. Analyzing the files and logs, however, is only part of the solution to crime. Once the computer has been traced, the age-old law enforcement issue of whose butt was in the chair in front of the computer is one that can be answered only by old-fashioned police work.


Orlando, Fla.: Who will win out in this federal turf battle to police the web and financial fraud - the FBI or the Secret Service? -Roy

Stephen Schroeder: I don't have an answer to this one. The creation of the Homeland Security Department will almost certainly result in a reshuffling of the deck chairs, and I do not know how it will play out. So long as Congress continues to look to pure numbers of cases when making budget allocations, competition between agencies will continue.


Alexandria, Va.: Has there been a cost/benefit analysis of prosecution of cybervandals who deface large numbers of web pages, sometimes in one fell swoop? How aggressively do you pursue such individuals?

Stephen Schroeder: There have been a number of projects designed to catch people involved in a particular type of computer crime, including some software piracy projects. I do not know whether such a project has been considered for web defacements, although it would be difficult since they are often unrelated events. The reality is that web defacements (the new vandalism) are often done by script-kiddies and, aside from the embarrassment and nuisance factor, generally do not result in large financial losses.


Rockville, Md.: This is in relation to the answer to the first question posted.

I still don't understand the legality of accessing a private computer without the appropriate warrant. The warrant was only obtained after files were downloaded from the suspect's computers. Is this act legal because the computer was in another country?

I understand the reasons why this was done, I just fail to see the legality of it. I would greatly appreciate any clarifications. Otherwise, good job on catching these malicious hackers.

Stephen Schroeder: The District Court Judge, an able, experienced and smart judge, found that the conduct was legal. The short answer is that the intrusion was minimal and worked only to preserve the evidence until a proper court order could be obtained to review it. Any ramifications of the actions were political -- not legal.


Stephen Schroeder: Thank you for the uniformly intelligent and respectful questions. I enjoyed this exchange -- as I enjoyed prosecuting the case.


Baku, Azerbaijan: What effect do you think having such an article published and your online chat will have on the computer professionals who commit these so-called crimes?

Stephen Schroeder: My experience with computer professionals has been that they tend to care deeply about the medium and want to keep it safe and reliable. It is this group, I believe, that will drive the technology that is needed to solve this problem. I believe that the advent of the Internet is the biggest revolution in information sharing since the invention of movable type in the 15th century. Those of us working in the field must do our best to keep it safe and reliable, or government will ultimately take over.


Vienna, Va.: Any chance that this discovery will initiate activity in Congress to hold Corporate CEOs liable for any and all damages resulting from information stolen from corporate systems?

If so, I can visualize the creation of thousands of jobs to professional systems engineers who will work very hard to make sure their intranets are totally secure.

Stephen Schroeder: I do not know what response Congress might make. I have begun to hear rumblings about holding negligent companies civilly liable for damages that flow from defective programs and/or implementations.


© Copyright 2003 The Washington Post Company