Mueller Begs Companies to Break Silence on Network Breaches

“We certainly do not want you to feel victimized a 2nd time” in a federal inquiry, Mueller said Wed. He promised his agency’s investigations would be as unobtrusive as possible to business operations, with no proprietary information released during an inquiry. In some cases, such as those involving trade secrets, the govt. will seek court protective orders to prevent data disclosure, he said. He singled out for praise Microsoft for crucial efforts that, with Turkish and Moroccan authorities’ aid, helped secure arrests in the creation of the Mytob and Zotob worms.

The deputy asst. dir. of the FBI’s Cyber Div., Steven Martinez, speaking later, promised to “work with you in a discreet way that I think is of mutual benefit.” Mueller, formerly U.S. attorney in San Francisco, is well-informed on network security, Martinez said: “He’s very switched on.” Mueller has given the cyber division needed flexibility via such steps as changing success criteria to include cases in which foreign govts. do the prosecutions, Martinez said.

But in Q&A an anti-ID theft firm official spoke of his frustration with law enforcement. Only one ID thief in 700 is convicted, and when a case arises “we can’t seem to find anyone to take the onus of going after this person,” he said. Arif Alikhan, head of DoJ’s Computer Hacking & Intellectual Property Program, suggested the questioner start with the police. The federal govt. tries “to take cases that have the maximum deterrent effect” -- usually meaning lots of money is involved, he said. Alikhan urged people to report crimes no matter what the outcome because otherwise the problem can’t be confronted at all.

As the Council of Europe cybercrime treaty sits in the Senate awaits ratification, “we can’t sit back and wait for these formal means” of boosting international law enforcement collaboration, Martinez said. So for the first time the FBI has moved into Estonia, Romania and other countries. The Bureau doesn’t expect to take out cybercrime in those locales, but relationships developed with local authorities will stand it in good stead down the road, he said.

The past 18 months have gone well in cybersecurity for European law enforcement, said Danny de Temmerman of the Directorate Gen. for Justice, Freedom & Security at the European Commission. The data retention directive’s coming adoption is “a milestone for us” in making information available to investigators, he said. He also hailed the 2005 adoption of a European framework decision on attacks against information systems. “We have seen a positive evolution” toward law enforcement from prevention, he said. National cybercrime units now exist, but now they must come together across the Continent, he said. And law enforcement needs still “more flexible arrangements to put assistance in place” internationally. -- Louis Trager

RSA Conference Notebook

Congress is “very unlikely” to pass spyware legislation this year -- though distaste for a “patchwork” of state laws has overcome some technology companies’ aversion to federal regulation -- said Douglas Sabo, McAfee dir.-govt. & community relations. Spyware measures must compete for Hill attention with data-breach notification legislation, which has more momentum, he said. And there isn’t much work time left in Congress this year, Sabo said. But cutting the other way is members’ desire to show constituents an accomplishment against spyware, which hits home with many people, he said. And antispam legislation seemed similarly improbable when the CAN SPAM Act popped out, Sabo said. ----

The Anti-Spyware Coalition is pressing forward on multiple fronts, said Deputy Dir. Ari Schwartz of the Center for Democracy & Technology, a prime mover in the broader group. The coalition plans a public workshop May 16 in Ottawa, Canada. It will soon issue spyware tips for parents and teens, consumers in general, and big businesses, Schwartz said. And it plans to develop software best practices, he said.