
Building a Bridge for Information Sharing: The Industry Perspective

As I wrote in an earlier column, “The Optimist’s Cybercrime Predictions for 2011”, in recent years many efforts have been made to improve the collaboration between various law enforcement agencies around the world. International task forces were established, and cybercrime conferences aimed at law enforcement provide important networking opportunities for agents, allowing them to build relationships with one another. These platforms have helped create a better working relationship between worldwide agencies, which has translated into many recent busts in countries that up until recently were considered “safe havens” for the bad guys to set up shop.

The FBI already has a permanent representation in Romania and the United States Secret Service recently announced that it will open a branch in Tallinn. However, as many have already realized, collaboration between law enforcement alone is not enough. There are many security companies, individual researchers and certain circles in academia that hold a wealth of information on cybercrime activities – crucial pieces of a large puzzle – that could be the difference between a bust and a cybercrime investigation that leads to a dead end. It’s not just about collaboration with other law enforcement agencies, but also about collaboration with the security industry.

As I am responsible for the collaboration of anti-fraud and cybercrime services with law enforcement, I’ve had the pleasure of coordinating information sharing with multiple agencies from all over the world. While some of these initiatives blossomed, turning into an on-going work relationship, some shriveled and died fairly quickly. Considering that, for law enforcement, an on-going relationship with any security company means a constant supply of information in support of their investigation, it’s in their interest to learn how to make these relationships work. Yet, while some agencies seem to have become masters in building and maintaining these relationships, some simply do not understand what makes the industry “tick.”

Perhaps the biggest factor of a successful relationship between law enforcement and industry is the value of sharing information and intelligence. Just like in real life, relationships that are a one-way street simply don’t last. While this may sound obvious, some law enforcement agents do not discern between security companies or researchers and other sources of information. Traditionally, sources provide information, do not get information back, and are viewed as an asset for a specific investigation. In many places around the world, law enforcement is downright forbidden to discuss an on-going investigation with third parties, for obvious reasons. In most cases, the security industry is not seeking a selfish gain from working with law enforcement; most security companies and researchers want to work with them regardless of the return because it is simply the right thing to do.

However, the reality is that as with every organization, security companies and researchers are working with a limited amount of resources – mostly time – which are devoted to providing the best possible service to their customers. Naturally, research that provides little value to the customers will receive a lower priority than research that provides a higher value. This research, however, could be of great value to local and national law enforcement agencies around the world. For example, research on cybercriminal activities exclusively based in Asia may be of relatively little interest to customers if they’re mainly based in the United States, but it could be of great interest to local law enforcement. Now, imagine a company investing hours in such a report for a law enforcement agency and never receiving a reply, not even an acknowledgement that it has been accepted (a situation we have encountered more than once). How likely is it that the company will invest in similar research the next time around?

A second factor of a successful relationship is related to the first. What often dictates the level of openness and communication by law enforcement is the specific contact within the agency. Often, the contact may change depending on the findings and the investigation that is currently taking place. In one case, only after we found a second contact were we able to open a communication channel within one particular law enforcement agency. It is also often unclear who to talk to within the very complex organizational structures that comprise many law enforcement agencies. As the contact has the power to make or break a new relationship, it may be worthwhile to define a single point of contact who will be tasked with communicating and building relationships within the private sector security industry.

Strengthening the relationship between the industry and law enforcement is an important undertaking. The security industry is best positioned to uncover highly valuable and relevant information on cybercrime, information that law enforcement could later translate into an arrest. It is in the best interest of both parties to work with one another. As with many things in life, much of it starts and ends with interpersonal relationships. Thus, conferences are an important platform for these relationships to occur, but they’re not enough. Law enforcement agencies are also limited in what they can share back with third parties, whether it’s an on-going investigation or a list of high-profile suspects they are after. However, as they slowly change the laws and learn ways to speed up the process of working with one another in cybercriminal investigations, the same could be done with regard to working with the industry. Both the industry and law enforcement agencies need to open up a two-way street for communication in order to derive the most value from our joint work and research in cybercrime and fraud prevention.

Related Reading: Threat Sharing - A Necessary Defense Strategy

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Between his work at the Anti-Fraud Command Center, as well as the unique insight he has gained by the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise into the underground fraud economy and how cybercriminals operate.