There certainly has been no shortage of cyber crime in 2014. You need look no further than the myriad problems that Joseph Demarest, the FBI's assistant director, Cyber Division, touched on during testimony before a Senate Committee on Banking, Housing, and Urban Affairs hearing on cyber security today.
"The FBI is engaged in a host of efforts to combat cyber threats, from efforts focused on threat identification and sharing inside and outside of government, to our internal emphasis on developing and retaining new talent and changing the way we operate to evolve with the cyber threat," Demarest said.
Demarest suggested three ways Congress could help evolve with that cyber threat. In particular:
- Update the Computer Fraud and Abuse Act. The Computer Fraud and Abuse Act (CFAA) constitutes the primary federal law against hacking, protecting the public against criminals who hack into computers to steal information, install malicious software, and delete files. The CFAA was first enacted in 1986, at a time when the problem of cyber crime was still in its infancy. Over the years, a series of measured, modest changes have been made to the CFAA to reflect new technologies and means of committing crimes and to equip law enforcement with the tools to respond to changing threats. The CFAA has not been amended since 2008, however, and the intervening years have again created the need for the enactment of modest, incremental changes. The Administration has proposed several such revisions to keep federal criminal law up-to-date with rapidly-evolving technologies. Cyber threats adapt and evolve at the speed of light, and we need laws on the books that reflect the most current means by which cyber actors are committing crimes. Updating the CFAA to reflect these changes would help strengthen our ability to punish, and therefore to deter, the crimes we seek to prevent.
- Data Breach Notifications. We believe there is a strong need for a uniform federal standard holding certain types of businesses accountable for data breaches and theft of electronic personally identifiable information. Businesses should, for example, be required to provide prompt notice to consumers in the wake of certain cyber attacks. Such a standard would not only hold businesses accountable for breaches, but would also assist in FBI and other law enforcement efforts to identify, pursue, and defeat the perpetrators of cyber attacks.
- Information Sharing. Although the government and the private sector already share cyber threat information on a daily basis, legislation can enhance the value and benefit of these information sharing relationships. The government and the private sector both have critical and unique insights into the cyber threats we face, and sharing these insights is necessary to enhance our mutual understanding of the threat. Similarly, the operational collaboration required to identify cyber threat indicators and to mitigate intrusions requires the exact type of sharing we seek in the first place. As such, the FBI supports legislation that would establish a clear framework for sharing and reduce risk in the process, in addition to providing strong and straightforward safeguards for the privacy and civil liberties of Americans. U.S. citizens must have confidence that threat information is being shared appropriately, and we in the law enforcement and intelligence communities must be as transparent as possible. We also want to ensure that all the relevant federal partners receive the information in real time.
"The bottom line, however, is that current levels of information sharing are insufficient to address the cyber threats we face, specifically with regards to the financial sector. The U.S. is currently facing sophisticated, well-resourced adversaries, and minimum security requirements are needed to harden our critical infrastructure networks," Demarest stated.
Demarest also outlined the cyber threat landscape, noting a number of issues, including:
- "Botnets, which can harness the power of an enormous web of computers for malicious purposes, continue to evolve as well. As I speak, estimates place the total damages caused by botnets at more than $9 billion in losses to U.S. victims and over $110 billion in losses worldwide. Approximately 500 million computers are infected globally per year--translating to 18 victims per second. As botnets become more sophisticated, our techniques must evolve to keep pace. The FBI and our partners may take down one botnet, for example, but coders may alter code and rebuild their bots in fairly short order. The power and scale of botnets is particularly worth noting, as botnets have been used to attack the financial sector through DDoS attacks, and the FBI has been deeply involved in preventing such attacks and in keeping such attacks from inflicting lasting damage."
- Vulnerabilities in mobile banking pose another new and highly sophisticated danger, as mobile banking vulnerabilities may exist on mobile devices that are not patched, and malware can be developed to specifically target the use of mobile devices. One example of this type of vulnerability is the Zeus-in-the-Middle malware, a mobile version of the GameOver Zeus malware, which itself was one of the most sophisticated types of malware the FBI ever attempted to disrupt. GameOver Zeus was designed to steal banking credentials that criminals could then use to initiate or redirect wire transfers to overseas bank accounts.
- All told, the malware infected over 1 million computers worldwide and caused over $100 million in estimated losses. Zeus-in-the-Middle has not caused the same level of damage or losses as GameOver Zeus, but its very existence illustrates the risk posed to mobile platforms, where devices can be infected by malicious apps or via spear phishing e-mails, and which can then enable cyber criminals to utilize the banking credentials of targeted users on a grand scale. Current open source reporting suggests that Android OS devices remain a prime target for mobile malware--according to the 2014 Cisco Annual Security Report, for example, 99% of mobile malware in 2013 targeted the Android platform, Demarest stated.
- Recent high-profile attacks, such as those on eBay, Sony, J.P. Morgan Chase, and others, highlight vulnerabilities in some of our nation's largest companies. Regarding the threats to the financial sector in particular, such threats range in complexity, and we continue to work closely with the Secret Service, DHS, and other partners across the government. Point of sale thefts, also known as POS scams, for example, are not new, but continue to pose serious threats to the financial services industry. According to Verizon's 2014 Data Breach Investigations Report, the physical installation of a "skimmer" on an ATM, gas pump, or POS terminal to read credit card data has targeted ATMs with an overwhelming specificity--87% of skimming attacks in 2013, for example, were on ATMs.