International Group on Cybercrime Needed, McAfee CEO Says

DeWalt pointed to the tangle of state and federal law enforcement here and abroad, where 22 European countries have yet to ratify the convention on cybercrime they drafted, as examples of how law enforcement is hampered in fighting cybercriminals. The law should also be modernized to better punish cybercriminals, he said.

Right now, he said, “the risk to do crime online is just amazingly low.” It’s difficult for law enforcement in different jurisdictions to interact, he said. Harmonizing laws among developed nations would help, he said in an interview, because much cybercrime does originate from Western countries, not just the usual suspects of Russia, China, or others. Also, cybercriminals sometimes operate in rings out of different countries, so some members of the ring could be in the U.S. or Europe, he said. If developing countries could then be persuaded to join in, the situation would be even better, he said.

In her keynote, Massachusetts Attorney General Martha Coakley agreed it’s very difficult to track down and prosecute perpetrators. It’s often easier, quicker and less expensive to simply write off losses. “People do not get prosecuted,” she said. Local law enforcement is hungry for information, she said. A survey of Massachusetts law enforcement that her office conducted two years ago found their top online concerns and complaints were credit card and identity theft, she said. Police departments are “besieged” by such complaints and often have no idea how to react, she said.

Responding to an audience question about whether current punishments effectively deter online criminality, Coakley said Massachusetts has had no major cases. The courts tend not to take cases seriously because they see them on a one by one basis, she said, rather than as a trend. Law enforcement can also be susceptible to this viewpoint, she said. For big cases, especially those that connect back to organized crime, the federal authorities must take the lead, she said. However, the U.S. attorney’s office has been consumed by homeland security and street gang concerns, she said. New Massachusetts legislation requires companies to notify the attorney general’s office if there’s been a breach of personal information, she said, and to notify customers and give them information on steps to take. She said enforcement will depend on complaints made to the attorney general’s office, with prosecution probably reserved for cases of intentional breach.

DeWalt said he was happy to hear Ellen Richey, deputy chief risk officer for Visa, announce that PCI DSS standards will become a global requirement for the largest retailers by September 2010. The PCI Security Standards Council for the payment card industry is a global forum to develop standards to protect account data. But there are no standards across the different industries that control infrastructure, he said. Further, he said, the Visa action is a private sector move. Governments need to come together on standards, he said. It took horrific acts for accounting standards to be enacted in Sarbanes-Oxley, he said in the interview; it shouldn’t take a horrific act for cyber standards to emerge.

The poor economy is making cybercrime more relevant, DeWalt said. His presentation included statistics showing McAfee traced a 500 percent increase in malware from 2007 to 2008. “Over the past one year we saw more malware than we saw in the past five years combined,” he said. Among the types of malware, he said, “we've seen an unprecedented rise in trojans.” The most egregious cases of data breach that have been in headlines lately could all have been prevented had the companies fully complied with established standards and used existing security tools, he said.