Securing the world’s computer networks is essential, but jailing criminals who commit cyber crime is just as important, Preet Bharara told an audience at Fordham on Jan. 12.
Bharara, the U.S. attorney for the Southern District of New York, spoke at the Fordham School of Law on the third day of the 2012 International Conference on Cyber Security.
“As a United States attorney, many things I deal with are scary. The cyber threat, in all of its variety and complexity, worries me the most,” he said.
“It once may have been a hypothetical hazard, but it is no longer,” he said. “It is an intangible threat that can cause—and has caused—calamitous and concrete harm.”
This past year provided vivid examples of how the cyber threat is still not contained. The firm RSA, which issues devices that employees use to securely log onto corporate networks, was hacked in June. In December, the “hacktivist” group Anonymous took credit for a data breach at Stratfor Global Intelligence Service.
Bharara said these incidents show that online attacks are becoming more sophisticated, malicious and targeted.
There have been some success stories, too, most notably Operation Ghost Click, a two-year effort spearheaded by the FBI and prosecuted by Bharara’s office. Six Estonians and a Russian were convicted for infecting four million computers worldwide, including 500,000 in the United States, with malware that manipulated Internet advertising to generate at least $14 million in illicit fees.
“Policymakers and prosecutors have to understand that an existential threat to one nation is an existential threat to every nation,” he said.
As with Operation Ghost Click, the key to future prosecutions will be international cooperation, so that there are no safe havens for hackers to ply their trade.
“I have frequently said that the Southern District has one of the most international practices in the country, and our dedication to, and pursuit of, cyber criminals is no different,” Bharara said. “Our office has worked on cyber investigations with foreign countries including Estonia, Romania, Denmark, Germany, Australia, the Ukraine, Belarus, Lithuania, the Netherlands, the U.K., the Czech Republic and the Dominican Republic.”
Private industry needs to do its part by resisting the temptation to hesitate before reaching out to law enforcement when attacks happen.
“I have a message for anyone in private industry who insists on maintaining an outdated, outmoded, short-term mentality that is the equivalent of sticking one’s head in the sand,” he said. “Get over it.
“When industry delays in disclosing attacks, it is that much more difficult to get the bad guy, and when we don’t get the bad guy, other victims are injured, and justice is not done,” he said. “We must uncloak and punish the bad actors who are wreaking so much havoc and inflicting so much harm. To my mind, the investigation and prosecution of cyber crime represents the absolute cutting-edge of modern law enforcement.”