Does cybercrime pay? A conversation with author Don Pipkin on efforts to thwart hackers

When a bank is robbed, its manager reports the crime to police. But when businesses are victimized by “cybercriminals,” very rarely are those crimes reported. According to the FBI and Computer Security Institute, only 34% of businesses surveyed in their Computer Crime and Security Survey reported intrusions to law enforcement. Meanwhile, cybercriminals remain free to commit crimes costing businesses millions of dollars each year (malicious code and hacking have cost $13.2 billion worldwide).

The message is clear: cybercrime pays.

Don Pipkin believes businesses need to understand the legal recourses available when cybercriminals strike. Pipkin is the author of “Halting the Hacker,” a book that shows business and IT managers the laws broken by cybercriminals and the evidence needed to prosecute cybercrimes such as intrusion and data theft. Pipkin is an Information Security Architect for the Internet Security Division of Hewlett-Packard and an internationally renowned security expert.

DANA GREENLEE: What is the profile of a typical cybercriminal or a hacker?

DON PIPKIN: Hackers today have really expanded over just a few years ago. We have those that attack for visibility – Web site vandalism, the viruses, the things that once they’re hit you know they’ve been hit. These attacks are done for notoriety or to prove to their friends that they can do it. There’s a whole other class of attack that is not visible — where someone is trying to steal credit card information or corporate secrets. Those types of attacks are as stealthy as possible so they can grab information. This is the kind of attack corporations must protect themselves against. Even though viruses are expensive for corporations to clean up, it’s the ones where information of what’s going on inside the company is revealed that can be really devastating.

GREENLEE: What are some examples of the most common types of cyber crimes against corporations?

PIPKIN: Companies have issues with internal attacks. People who know where the information is are looking to steal secrets to resell them: things like customer lists or credit card information, which is a very broad attack to sell those numbers. There’s a huge market out there for stolen credit card numbers.

GREENLEE: Do you see cyber crime growing or is the software industry’s clampdown causing crime to decline?

PIPKIN: Crime has certainly been growing online the last few years. There is a lot less likelihood that a criminal who uses the Internet to launch a crime will be captured. It’s hard to identify where those attacks come from. It’s hard to prove who actually instituted the attacks. There is also a bit of reluctance among companies to prosecute crimes or to make them public. So the Internet has made a safer environment for these attacks. The industry is still playing a catch-up game and focusing on the areas where companies are spending money to clean up things. There are a lot of Web site security products out there. But there aren’t as many companies addressing the heavy security problems of securing the environment where you keep your valuable corporate information.

GREENLEE: Offline companies are very aggressive about going after criminal activity. Why is there such reluctance to pursue and prosecute people committing cybercrimes?

PIPKIN: Part of it is the difficulty in capturing someone who is performing a cybercrime. You do have to work back through so many companies like Internet service providers who have to track where someone is coming from. The crime crosses so many geographic boundaries, which raises the complexity of tracking these people down and reduces the likelihood of prosecution and the success of being able to make a presentation to the judge or jury to successfully show that these were the people actually causing the events.

GREENLEE: Internet technology seems to be very traceable. It’s surprising to me that we haven’t been able to develop a better system to track crimes. Do you see the industry, the operating systems, and the governing bodies coming up with some overall protocols that will enable better tracking?

PIPKIN: There is a difference between those who don’t want to be tracked and the everyday user. Also, the Internet, being an international resource, struggles to develop protocols of how things should be done. How different countries look at the issues of privacy is significantly different. From country to country, certain protocols will or won’t be allowed because countries where privacy is strongly valued don’t want the information tracked. Then there are countries where the government itself wants to maintain a view of what all its online citizens are doing.

GREENLEE: Do you see particular countries being a source of cybercrime?

PIPKIN: Yes. Countries where Internet access is fairly limited do not have the financial requirements to have a good national network. If you look at a lot of the historical hacking, it involves the phone system. Lots of countries still have very antiquated phone systems that are easy to break into. In fact, a lot of the systems that become antiquated in the U.S. are sold to Third World countries just getting into this technology. So I don’t think we’re going to see a big improvement in the global environment until there is more equity in global technology as it pertains to the Internet.

GREENLEE: Is the face of a cybercriminal The Lone Wolf or organized mobs?

PIPKIN: The face of the cybercriminal varies depending on the crime. With credit card theft, there are a lot of organizations doing it. Web site vandalism and virus writers are more Lone Wolf. Sometimes they are activist groups with whatever they are up in arms to make a statement about.

The full audio interview with Don Pipkin can be heard anytime at

Dana Greenlee is a web designer and co-host of the WebTalkGuys Radio Show, a Tacoma-based talk show featuring technology news and interviews.