Cyber crime isn’t like ordinary crime says Seth Berman of Stroz Friedberg. Think before you report it
Cyber crime is not the same as ordinary crime, and tackling it needs a different approach, says Seth Berman of Stroz Friedberg. He ran government hacking investigations as a US Department of Justice prosecutor, before moving to private consultancy. In this article, he argues that executives need to take a fresh view on basic questions – such as whether to involve the police.
While most victims of crime would immediately turn to the police, the dawning realisation that your organisation has been hacked may require an entirely different mindset. Instead of spending valuable time and resources on tracking down individual perpetrators, the initial priority should be to establish what information has been stolen.
Cyber crime – do you call the police?
However, establishing what has been stolen may require access to confidential corporate data and restricted networks. Even if law enforcement could investigate the crime, handing it over has serious downsides; this is a task that the company itself needs to direct.
By handing the investigation over to the police, organisations lose control over the timing and content of any public notification, which could prove a public relations disaster. As a result, there is a fine balance to strike over when, or even whether, to notify law enforcement authorities.
The best approach will generally be shaped by the type of data breach or hacking. Many hacking incidents are carried out by employees or former employees with a grudge. These types of perpetrators are relatively easy to track and locate, arming corporations with a range of civil enforcement options, including dismissing or suing the perpetrator. From a law enforcement perspective, there may be a number of avenues available, including charges related to theft, fraud, embezzlement and computer hacking.
In sharp contrast, attacks perpetrated by outsiders present a very different challenge, making it far harder to identify and bring individuals to justice. With the hacker thousands of miles away and, potentially, unknown to the victim, investigators will focus on some fundamental issues. These are likely to be: how did the breach occur; has it stopped; how long has it been going on; and what data was stolen?
Forensics is intrusive
Forensic experts will secure and review copies of the network traffic logs and configurations, and make forensic images of infected computers. This is a very intrusive process that requires scanning the entire corporate network for virus signatures, copying key computers and servers in full and monitoring network traffic.
In an increasingly complex legal environment, a victim company may be required to notify regulators and the public of a data breach. Some jurisdictions require notification for certain industries, while others expect notification for any industry if the breached data includes personally identifying information about individuals. In such cases, the question of whether to notify the authorities may be less clear-cut, but there is still the question of when you notify law enforcement – before or after a private investigation is complete.
In my experience, most companies faced with this situation conduct a private investigation before notifying law enforcement. Three factors tend to drive this decision:
- It is not always immediately clear if a breach requiring notification has occurred and the only way to determine if a notification is required may be to complete the investigation yourself;
- If individuals need to be notified about the breach, only the company and its forensics experts are in a position to determine who needs to be notified, as law enforcement will not do that for a company;
- It is much easier to control the external communications strategy if the company knows the extent of the problem before it is announced.
In short, giving control to public authorities early in an investigation is rarely a viable option. However, few would dispute the value of involving law enforcement at some stage of a breach investigation, if only from a public interest perspective.
In addition to the deterrence effect, law enforcement is in a position to see patterns across victims and assist the wider community in preparing for and responding to hacking. Criminal investigations of one hacking incident often uncover evidence of additional victims. As a result, companies should probably err on the side of notifying law enforcement if they are victims, but typically only after their own investigation has established the nature and scope of the incident.
Adding to this challenge, there are proposals by the European Union to mandate reporting of data breaches involving personal data within 24 hours. There is support for such moves in some quarters, as witnessed by TechWeekEurope’s recent readership poll, in which more than 83 per cent of respondents said such moves would enforce openness.
Hacking is very different from other sorts of crime and though law enforcement can play a role, organisations working with outside experts must direct the investigation, so that the extent of the data breach and the requirement to notify regulators or the public can be established. Even in cases where law enforcement is able to identify and prosecute the hacker, companies must look further afield for the computer forensics and legal support that will allow the company to respond appropriately to an incident.
Seth Berman is executive managing director and UK head of Stroz Friedberg, a digital risk management and investigations company.