Improving Cyberthreat Info SharingFederal Prosecutor Highlights Key Steps
To improve cyberthreat and cybercrime information sharing, law enforcement officials and business leaders need to develop better working relationships, says federal prosecutor Erez Liebermann.
His advice to business leaders in all sectors is: "Before an incident occurs, start sharing and meeting the investigators and the prosecutors in your area. Then, when something occurs, that relationship will already be there."
Federal prosecutors have changed their approach in the past few years when collaborating with the private sector on cybercrime investigations, says Liebermann, deputy chief of the criminal division in the New Jersey district of the U.S. Attorney's office. They're willing to assure businesses that law enforcement will limit the scope of discovery in gathering evidence and withhold victims' names, he notes.
"It used to be we wouldn't do that; we gave the back of the hand to those issues," he says in an interview with Information Security Media Group (transcript below). "More and more today, we are giving very restrictive protective orders. ... Judges understand the importance of not 're-victimizing' a victim, including large corporations."
In the interview, he discusses:
- Factors that impede collaboration between government and business on combatting cyber-attacks;
- Ways government can build trust to get businesses to share cyberthreat and cyber-attack information; and
- How the National Security Cyber Specialists program is combatting cyberthreats to national security.
Liebermann recently gave a presentation at ISMG's Fraud Summit on the need for public/private collaboration. A video of his session is now available.
He supervises the cyber, white collar and national security units in the Newark, N.J., office of the U.S. Attorney. He also serves as the national security cyber-specialist for the office. His investigations and prosecutions include cases involving large-scale data breaches, botnets, distributed-denial-of-service attacks and insider threats.
Among those prosecutions is one against five individuals tied to Heartland Payment Systems hacker Albert Gonzalez, in which authorities allege the defendants compromised more than 160 million credit and debit cards in a massive fraud scheme (see Fraud Indictment: 160 Million Cards).
Inhibitors to Sharing Information
ERIC CHABROW: Where are the inhibitors of getting the government, including law enforcement, and business to share information about cyberthreats and cybercrime?
EREZ LIEBERMANN: On the business side, there are some fears of what we're going to do with that information and how it could harm the businesses. On the government side, there are some historic limitations in the way in which information sharing went. Today, I think we're making large strides. Businesses are aware that they can share with us and trust that it doesn't go to the wrong people and doesn't go to the competitors, whereas the government is learning that if we don't share back, it's really going to hamper the investigations, both by the government and by the businesses.
CHABROW: What can the government and law enforcement do better in getting businesses to cooperate?
LIEBERMANN: The first thing for both sides is to know each other. If we have more outreach, like I do when I give presentations and interviews, and more outreach when companies come to us, then we can develop these trust relationships which will be much stronger should an incident occur. That's happening more and more, and I would encourage companies to do it even more today. Before an incident occurs, start sharing and meeting the investigators and the prosecutors in your area. Then, when something occurs, that relationship will already be there.
CHABROW: Who are the people in the corporations who should be contacting you? In your presentation, you made it sound like sometimes the lawyers, which would be the logical people who may be in contact with law enforcements, are sometimes the inhibitors?
LIEBERMANN: Often I think there are fears among the lawyers. As I say, we are risk-averse as a legal profession. But lawyers, more and more, are learning how to cooperate. More businesses are starting a cybersecurity in-house counsel, and those individuals are really doing a good job of interacting with the information security officers on the one hand and with the regulators and the prosecutors on the other hand. That's one point. The other point is the information security officers, the investigators, should be touching base with the investigative agencies.
Working with Law Enforcement
CHABROW: When you look at an organization that's doing it right, how are they set up to deal with law enforcement?
LIEBERMANN: Organizations who are doing it right often have investigators who deal with the law enforcement in that community, and they have the lawyers, the in-house counsel, who know the community, know the lawyers in the field, know how to interact and they're doing active outreach. That relationship exists on a constant basis; they're working together, they really know each other and feel comfortable together.
CHABROW: When you talk about doing outreach, what's the environment in which they're doing the outreach?
LIEBERMANN: They literally pick up the phone and call the prosecutors in the area, the U.S. attorney's office, the FBI, and learn who they are. You would be surprised at how willing we are on the government side of talking without any case going on, without any investigation going on, because we know that this partnership is so critical for our success in our investigations and our nation's defense. They're doing the outreach even in that capacity.
Protecting Sensitive Information
CHABROW: One of the concerns that organizations have is they're fearful that protected information will be exposed and there will not be a protective order to limit discovery material as well as withholding victims' names. How are your processes changing to assure them that those areas are protected?
LIEBERMANN: It used to be we wouldn't do that. We kind of gave the back of the hand to those issues, and judges wouldn't always support that. More and more today we're giving very, very restrictive protective orders. We're asking defense counsel to sign them, and when a defense counsel balks, the judges are backing us up and saying, "You're not going to get this information if it's going to re-victimize a victim." People understand, and judges understand the importance of not re-victimizing a victim, including large corporations, which we don't normally think of as the victims in the criminal justice system.
CHABROW: The kind of cases you deal with, is there a characteristic of the types of organizations that are cooperative?
LIEBERMANN: The characteristic is they call us the moment an incident occurs, they work with us from the beginning and they're looking for a way to work with us as opposed to pulling teeth to work with them, and those are the differences. The cooperative ones want to share, they want to work together and they will make that happen, even if there are some roadblocks that we understand and will work with them. For others, everything I want will be like pulling teeth.
Influence of Top Leadership
CHABROW: How much does top corporate leadership play into cooperation of an organization?
LIEBERMANN: Since I'm not there, I can't speak precisely to that. But with companies in which I'm aware of how that works, when the attitude of corporate leadership is an attitude of cooperation and of doing the right thing, it sends that message right down the chain and it makes it very easy. When it's different, we hear from the investigators and from counsel that they can't really do it because that won't be viewed favorably, and it really hampers our ability to work with them.
CHABROW: What inhibits, from the government perspective, more information sharing? Are there security clearances the way the law is set up?
LIEBERMANN: Mostly, it's security clearances when we're dealing with those cases; not all cases have the security issue. Then it's just a historic method by which we receive the information and don't give back. It's not traditionally the case in which we work with corporations as victims as opposed to corporations as defendants. That scenario exists mostly in the cybersecurity field, unlike, for example, in the mortgage field or in the healthcare field where it's often very different; the corporations are defendants or targets. That scenario requires a changing of the way we think of each other and the way we treat each other.