Some American companies are still unwilling to report to law enforcement they have been hacked, a reluctance that is making it more difficult to combat cybercrime, a top federal prosecutor told The Huffington Post.
Preet Bharara, the U.S. Attorney for the Southern District of New York, chastised businesses last year for failing to disclose that their computer systems have been breached.
In an interview last week, Bharara told HuffPost that silence from hacking victims “is still an issue" and is often complicated by many factors, including the desire of companies to protect their stock prices and reputations.
"It's not just a law enforcement problem; it's a corporate culture problem also," he said during an interview in his office in lower Manhattan, where he keeps a photo on the wall of his mother with his favorite musician, Bruce Springsteen.
“We can’t solve the problem overnight, but I think it’s gotten better,” he added. “When you talk to people, anecdotally at least, more and more understand it’s a problem." As time goes by, he says, more and more companies either have been hacked, or realize they have been hacked in the past and didn't know it at the time.
Bharara said companies should establish relationships with law enforcement before they are victims of a cyber attack, “so the question of what to do and how to behave doesn’t arise for the first time after there's an emergency.”
Since taking office in 2009, Bharara has prosecuted a wide range of offenders, from mobsters and street gangs to corrupt politicians and terrorists. He is perhaps best known for bringing indictments against corrupt Wall Street traders, which got him on the cover of Time magazine.
Yet he has said the "cyber threat, in all of its breadth, variety and complexity" is now his biggest concern, and he has been on a crusade of sorts to elevate the issue in the consciousness of corporate America.
Last year, he wrote a column in The New York Times about cybercrime and said businesses “are not doing nearly enough to protect themselves, their customers and their shareholders.” He created a new unit in his office to prosecute cyber cases, has spoken at conferences and symposiums to discuss the problem, and has brought charges against a variety of hackers in cases that have served to further highlight the online threat.
In May, Bharara announced that Jeremy Hammond had pleaded guilty to hacking a private intelligence firm and several websites, stealing e-mails and credit card data belonging to nearly 1 million people.
That same month, he announced charges against the operators of Liberty Reserve, an anonymous global currency exchange used by cyber criminals to trade, among other things, child porn and stolen identities. Bharara called the indictment "an important step towards reining in the ‘Wild West’ of illicit Internet banking."
The case reflects a unique strategy to combating cyber crime. By charging the operators behind Liberty Reserve, Bharara is not only going after the hackers; he is also targeting the financial infrastructure supporting them, an approach akin to how authorities have gone after money-laundering operations to disrupt drug cartels.
Still, Bharara said many corporate executives haven't yet absorbed the seriousness of the cyber threat. Some have the misguided notion that all hackers are very sophisticated -- "like Tom Cruise rappelling down the side of a building" -- when in fact most are simply exploiting lax security, he has said. Too often, companies leave the problem to the “computer geeks” in the IT department, when "it's something they need to think about at the highest levels," he said.
Some companies have become more open about how they are tackling the problem. As an example, Bharara said the nation’s largest banks have been deterring cybercrime by sharing data about hackers with each other and with the government, "so everyone is working together to make sure we get the bad guys and people's accounts are protected."
He said cases against computer hackers present several unique challenges. Cybercriminals hide behind the anonymity of the Internet and live in countries that often do not have extradition treaties with the United States. For example, Bharara charged two Russian citizens in July with illegally accessing and installing malicious software on NASDAQ's computers from 2008 through 2010, yet the hackers remain at large.
“It depends on where the folks are from and whether they can be found,” he said, but added, "That doesn’t mean individuals are necessarily beyond the reach of the law in this country."
But the Internet also presents new opportunities for law enforcement, he said. Last year, Bharara required all prosecutors in his office to undergo mandatory “cyber training” to learn how to collect and present digital evidence at trial, a reflection of how frequently technology can be exploited to win convictions.
“All sorts of old-fashioned criminals are now using computers and social media in a way that has increased the threat,” he said. “There are now cases being brought around the country where gang members are recruiting young girls into sex trafficking rings by using social media. There is all sorts of evidence you can derive from sources on the Internet to bring traditional bank robber cases, guns cases, narcotics cases, you name it."
"Everyone needs to be more educated about how the Internet works and how computers work," he added, "because to not do so would be committing prosecutorial malpractice.”