The outgoing executive assistant director of the F.B.I., Shawn Henry, is not leaving on an optimistic note. “We’re not winning,” the nation’s top cyber-cop told the Wall Street Journal. “I don’t see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it’s an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security.”
Increasingly, says Henry, stolen information the F.B.I. came across in the course of one investigation revealed that another corporate network had been breached for months or even years without the company in question having any idea it was ever under attack. We reported earlier this month on the 100 million people whose data was breached by Anonymous this year. But it seems increasingly clear that the hacking attacks which are made public are just the tip of the iceberg.
For example, testimony before Congress on Monday by the security firm Mandiant revealed that in the majority of cases traced back to Chinese hackers, the average company was unaware of the intrusion for 416 days before being alerted to it, often by a third-party security firm.
This grim portrait explains why some companies are getting more creative. VentureBeat chatted a bit yesterday with Richard Boscovich, the senior lawyer in Microsoft’s digital crimes division who led Microsoft’s recent raids on the Zeus botnet. He says that big companies need to step up and plug the gap left by law enforcement and traditional corporate security. “We’re very lucky because our legal department is very forward thinking and allows us to get creative in order to address what is a rapidly growing problem,” Boscovich said.
Boscovich was actually waiting in a courthouse for a trial to begin when he overheard a case being brought by a handbag manufacturer against a counterfeit ring. “I realized that we could use the same principles laid down in the Lanham Trademark Act of the 1940s to go after the botnet armies that use Microsoft’s name to further their malicious email.”
The actual criminal gangs behind the Zeus botnet are believed to be located overseas, but Boscovich says the idea is to change the ecosystem at home. “When we shut them down here, it makes it more expensive to do business. We can’t eliminate the threat entirely, but hopefully we can get to a point where crime doesn’t pay like it used to.”