The Lifecycle of Cybercrime 4: Perspective of the Secret Service

Now Nicholas Percoco invites Erik Rasmussen from the US Secret Service to join the discussion of cybercrime and answer questions from the community.

Nicholas Percoco: So, now what we’re going to do is we’re going to bring out a special guest, somebody I’ve been working with for a long period of time, my team works with him in his organization very often, working hand in hand in cybercrime investigations. So, please join me in welcoming Erik Rasmussen. He’s a special agent in the Criminal Investigative Division from United States Secret Service. Welcome Erik!

So, in this portion of the presentation, basically, what I decided to do is crowdsource, some of the questions I’m going to ask you today. I went out on Twitter a couple of weeks ago, and my Twitter followers and also people who are following #RSAC asked a question. So I’m going to show the question here, and what I wanted to do is, basically, if you can ask a US federal cybercrime investigator any question – what would it be? So we went through, we had about 40 different responses and picked the best 5 or 6 of those.

Question 1

Nicholas Percoco: Here’s the first one from Johnny Cocaine: “Why won’t you guys leave me alone?!?”

Erik Rasmussen: Pass…

Question 2

Nicholas Percoco: You pass? Ok, let’s go to the next question. So, we have Dan Gleebits. He asked, basically, why the number of cyber investigators is not equal to the number of investigators. I guess he talked to someone in New York City and they told him there are thousands of investigators, but very few cyber investigators.

Erik Rasmussen: That really stems, I think, sometimes from just not being sure about what the government, especially law enforcement, might be doing to combat problems. Since you hear about cyber in the news you might wonder, okay, shouldn’t everybody worry about that? And then of course as you dig a little deeper you realize that we in the law enforcement have other missions as well, including protective mission which is a huge part of what we do. So it just comes down to division of labor. We have to look at certain projects, certain investigative missions because of our own charter, and we can’t always look at the thing that people think we should be looking at all the time. We have several hundred agents among our thousands that are trained to investigate cyber, but they also cross-pollinate – look at white-collar crime and threats against the President. So, really, you just got to realize that not everybody can do that all the time because we have other things that we need to worry about. People are always asking for more agents to train for cyber. So if one day they do that and the next day they do cyber, then go back to protect the President – it’s getting covered at some point during that cycle.

Question 3

Nicholas Percoco: Ok, great, thank you! The next question here is from KerenE. This person said they would love to know what’s motivating to keep on fighting the good fight despite immeasurable odds.

Erik Rasmussen: I don’t know if I agree with “immeasurable odds”. It’s a little cynical for me, but I think the best way to describe that feeling for us is: “You’re #1 in public service”, so we serve the country, we serve our federal government, we serve our states, we serve our cities. And it’s our duty to do something like that, just like being in the military. So despite whatever odds might be against us, when you go to the 22 thousand people around here in the RSA Conference, somebody needs to know that we’re working on the cyber problem. If everybody’s seen “Zero Dark Thirty”, there’s a great line in there where it’s talking about who’s looking at Osama bin Laden; and the people in the room look around each other and realize: “Look, we’re the only ones doing it.” Nobody else has got the time to do it or decided this was going to be their mission. And I think, obviously, a select few of us inside the US Government and of course the local governments are now realizing we need to be active in this role. And it ends up being something that people think is immeasurable, but then you realize that tens of thousands of people that are focusing on it in private sector, focusing on it in research and development sectors, and then of course law enforcement – you realize that there’s actually a lot more people, the army is a lot bigger than maybe previously thought.

Question 4

Nicholas Percoco: Great, thank you! So here’s the next question: what data do you wish the victim had regularly collected prior to calling you guys in?

Erik Rasmussen: Very good question, especially with what you were talking about at the beginning of the presentation. I think because of the issues of timely detection and mitigation, it’s always good to have a victim be very prepared when somebody from law enforcement comes in at the initial stages of the investigation. And of course, you know, there’s sort of a shell shock problem due to the initial confusion that would occur when you’re getting attacked. But especially for Secret Service investigations, which involve lots of financial crime and theft, knowing what was normal activity and what was abnormal activity through your own internal risk assessments, through your own system administrators and how they keep up the network – the kind of information like that is extremely important.

When it comes to logs, people say “network logs” or “netflow”, but what does that mean? We are extremely interested in what gets inside the network. Obviously there’s all sorts of interesting network traffic that never gets inside of the network, and that’s obviously a lot of data. So, what we care about is what’s gotten in on the normal ports, because it’s very clear that the attacks are occurring on normal, open, usable ports that you have to have; and then also, let’s say, for instance, what’s an unusual port to be inside of your system? So, those kinds of things are important.

And, you know, if you’re willing to share the time before legal process sets in through subpoena or search warrants, have you ever had this kind of a problem before? If you look at that slide that you had up there for the types of attacks – SQL injection, some other sort of exploit – then we can kind of compare and see, okay, this company has had 17 SQL injections in the last 17 months; what does that mean? And all of a sudden this other attack occurs. That’s very interesting to know before you start your investigation.

Question 5

Nicholas Percoco: Ok, great! We have another question here. This talks about the definition of cybercrime, which typically varies depending on who you ask: since the definition of cybercrime may not be obvious, where do you stop with crimes that aren’t 100% computer-related, for example phone scams?

Erik Rasmussen: Well, for the Secret Service, I guess you can delineate it between our investigative role and our forensic role. Our forensic role, federally, through our Electronic Crimes Task Forces, of which one is here in San Francisco as well, and through our actual working groups – we have all sorts of tools where a computer might be used in a robbery or homicide, or a cell phone, and our forensic investigators need to be a part of that investigation because of the tools. On the investigative side of things, based on the core violations that the Secret Service investigates, well, the computer has to somehow be a central part of that investigation. With all the different definitions out there – you know, there has to be a server that retained all the personally identifiable information; there has to be the attacking server; there has to be a laptop used by the suspect – they play sort of an integral role. And just the mere fact that some sort of electronic device, of which now there are thousands, is involved, doesn’t necessarily trigger a Secret Service investigation.

Final question

Nicholas Percoco: I think this is the last question here. Daya asks: “How much felony crime is undertaken using stolen identities?”

Erik Rasmussen: That’s a very tough question to answer when it comes to statistics. But under what we can do federally, you know, we have the United States Code, which has all the different federal statutes, and of course there are various data breach laws that states have enacted, including some that are either on the books or being proposed, such as in California. Wire fraud, computer fraud, and of course there is an Identity Theft Statute: USC Section 1028 and USC Section 1028A, which is aggravated identity theft – those are two of our most commonly used statutes that involve the theft or use of stolen information. And then you have mail fraud of course, this is another commonly used one; and then of course, if you’re working with the local investigator, any of the state equivalents that might be out there: you know, various forgery charges in states are things that we use to investigate the types of felony crime that would be part of our charter.
