This article can also be found in the Premium Editorial Download "Information Security magazine: Help! Evaluating AV solutions and tech support."
Download it now to read this article plus other related content.
Attorney: Is it fair to say that, prior to March 24, 2000, you were not aware of [a] bug
that allowed someone to enter the system?
Bloomberg: That's correct. It's not just someone. You would have to work pretty hard to do it and have to be reasonably competent to do it.
Attorney: Would it be fair to say that that bug was a dangerous threat to the security of your system?
-Testimony of Michael Bloomberg, U.S. v. Zezev
New York City Mayor Michael Bloomberg endured more than an hour of cross-examination during the 2003 criminal trial of Oleg Zezev, a Russian citizen later convicted of hacking Bloomberg LLP's network and making extortion demands. Bloomberg didn't make excuses for weaknesses in the company's digital infrastructure. He met the issue head-on.
Is your CEO prepared to do that?
Your company will undergo intense scrutiny if a case against a cybercrime suspect goes to trial. Your employees, from the IT staff to the corner office, will be cross-examined by defense attorneys, who will attack their competence, challenge their statements and attempt to discredit corporate polices and processes. Internal, often sensitive, documents and information may become part of the public record, and, if the case generates enough buzz, it's fair game for CNN and The New York Times.
When your company takes the stand, you're asking for an open--and very public--security audit. Although you can't control everything that goes on in the courtroom, you can prepare your employees for the concentrated defense questioning.
If your IT security policies are strong, and if you have solid incident response plans, you'll be ready for the onslaught. If not, your secrets and flaws may be exposed in the worst possible light.
Prosecutors rely on corporate cooperation to convict cybercriminals, and most will try to limit the admissible evidence to avoid unnecessarily embarrassing the company or revealing sensitive information. Through the discovery process, the defense counsel has access to all seized evidence and can subpoena anything that may show negligence or weaken the case--possibly revealing holes in IT security policies, processes and infrastructure. If your security is weak, it's much more difficult to prove that a particular individual was responsible for the crime.
Much of what happens in court is dependent on pretrial maneuverings--when admissibility is argued and judges rule on motions to suppress evidence. This is the stage at which you can try to avoid exposing sensitive corporate security data.
"The company can communicate the big stuff that it doesn't want to come out--company trade secrets, information about response policies or vulnerabilities--to the [law enforcement] agent," says Richard Salgado, former senior counsel with the Computer Crime and Intellectual Property Section of the U.S. Department of Justice. "A motion may be made to exclude that kind of questioning."
Similarly, the prosecution may not agree to pursue charges--such as theft of trade secrets--that will expose highly sensitive information if they're confident they can get convictions on other charges, such as unauthorized intrusion and damaging a network.
"You only charge those crimes that don't implicate the keys to the castle of the company," says Salgado.
In fact, most cybercrime suspects accept plea bargains, in large part because they don't have the resources to mount an effective defense against a government with trained investigators at its disposal. O.J. Simpson and Martha Stewart had the deep pockets to hire legal dream teams; most hackers don't. Thus, in most cases, you have the advantage.
A Day in Court
Mayor Bloomberg, accustomed to the rough-and-tumble of New York politics and the corporate world, was well-equipped to handle questioning designed to needle him. But not all CEOs are.
Before you decide to prosecute and put your CEO in the courtroom hot seat, consider the following scenario:
A high-powered CEO is called to testify regarding his company's policies and procedures in a case against an intruder who stole customer information.
The CEO clearly isn't happy to be on the stand. In response to a question about whether the company has a written policy about unauthorized access, he replies, "I don't need to tell my staff where the cafeteria is, and they seem to figure it out."
The defense counsel plays him step by step, asking the CEO to explain a company policy that prohibits sharing of passwords and privileged access. When asked if anyone else has his password, he responds, "Only my secretary."
"So, you consider yourself above company rules?" the defense attorney asks, drawing an immediate objection from the prosecution. The question is withdrawn, but the damage is done; the defense has exposed an inconsistency.
He is then asked if customers were notified of the intrusion. Flustered by the previous question, he responds that the act of calling law enforcement was public notice. Asked if customers were notified that their personal data was compromised, he responds, "I'm not certain."
The CEO's testimony has now shifted the focus of the trial from the defendant to the victim. The defense has established reasonable doubt that the intrusion could have been performed by a number of people besides the defendant, since at least one other person had the CEO's credentials.
In this case, the company didn't have formal security policies and procedures, making it ripe for attack and leading its customers to conclude that the company was indifferent about informing them that their personal information was compromised.
Technical witnesses can be rattled, too.
Under direct examination, a sysadmin reveals that his company relies heavily on firewalls to protect what he admits are vulnerable internal systems. Under cross-examination, he's asked about the services permitted through the firewall and provides details about client connectivity and specialized applications. The problem? The firewalls supported so many services, they were porous.
He then testifies on the methods he used to investigate the intrusion: He ran commands on the system without realizing they were backdoored, triggering a "logic bomb" that destroyed data, and spent several hours trying to repair the damage before informing management.
The sysadmin then speculates—unsolicited--on the methods used to break into the system, drawing an objection from defense counsel on the grounds that he's now offering expert testimony. Once a witness has strayed into the realm of an expert, the defense counsel can attempt to discredit him with technical questions beyond his depth or that may raise doubts about his qualifications.
The sysadmin's testimony reveals shoddy procedures and poor direction from management. The customer database was poorly protected, which may open the company up to civil liabilities. In the absence of established incident response procedures, a sysadmin made decisions that should have been made by management, and the evidence he gathered is under a dark shadow.
"Defense cross-examination can be brutal," says Jonathan Klein, a senior security manager at IT service provider Calence, who testified as an expert witness for the defense in the Zezev trial. "Questions designed to undermine credentials can fluster even the most experienced technical investigator."
Further, the sysadmin broke a cardinal rule: Witnesses should only respond to questions; they should never volunteer information, qualified or not.
While you may not be able to prevent a particular security breach, you can control how the news is released.
The key is to stay in front of potential leaks. You don't want your customers, your partners or the public to hear about an attack through the media. In particular, if data is at risk, you should communicate quickly and directly with key customers and partners, making them aware of the severity of the situation.
Per your incident response plan--and you do need one of these--information should be disseminated through the corporate PR office, not your technical personnel, in coordination with management and legal; you don't want to let too much information out while the case is under investigation.
Work with law enforcement and your PR department to establish ground rules for public disclosure. While a company may want to keep details of an investigation quiet, management should draft a statement to the effect of, "Our clients' data is our primary concern. We are making every effort to ensure this data is secure. We firmly believe criminals should not get away with crimes and intend to prosecute them to the fullest extent of the law."
This process should extend through the trial itself. Who is designated to speak for the company and under what circumstances? Who will act as liaison to the prosecutors? What are the restrictions as to what can be said without jeopardizing the case?
You Make the Call
When prosecuting a cybercriminal, nothing in the cybercrime investigation or the legal process that follows should be left to chance. Responsibilities and procedures during the investigation and trial should all be detailed in your incident response plan. Spell out the roles of management, IT, HR, PR and legal in such situations. The initial decision to call law enforcement--and who should make the call--should also be triggered by criteria spelled out in the incident response plan.
One critical thing to remember: Once the authorities are involved, it becomes their investigation and their case. After investigating, the prosecutor's office--not your company--will decide whether to prosecute a suspect and what charges to pursue. As a practical matter, though, it's difficult, sometimes impossible, to prosecute without a company's cooperation.
There are pragmatic reasons for reporting and prosecuting cybercrime. In some cases, you won't have a choice: Someone breaks into your Web server and sets up a child pornography site; an intruder uses your network to launch an attack on a partner; you disclose an intrusion under terms of California's Database Security Breach Notification Act (SB 1386). In these situations, information about the attack is almost certain to become public, leaving your customers and partners wondering whose interests you're serving.
It's to your advantage that you establish a tough corporate reputation, sending the message to would-be miscreants: "Don't mess with us."
CAROLE FENNELLY (firstname.lastname@example.org) is president of Wizard's Keys, a security consultancy in the New York City area. She's also cofounder of the Hacker Court, a nonprofit group that produces mock cybercrime trials at the Black Hat conferences.
This was first published in October 2004