Part Two of a Conversation with Patrick Dennis, CEO of Guidance Software
Last week, I had the chance to sit down with Patrick Dennis, CEO of Guidance Software, during Enfuse Conference 2016. Earlier this week, I discussed Dennis’s thoughts about the jurisdiction of cybersecurity events. Today, we get his view on how we should approach cybercrime’s law enforcement jurisdiction.
Dennis made the point that if our home or business were burglarized, we would call the police and expect them to show up and conduct an investigation. He then asked, “Who do you call when there is a cybercrime?” I joked that you can’t call Ghostbusters. Dennis chuckled but answered that Ghostbusters might be as effective as our current solution, adding:
We have built a regulatory framework that is ineffective at recognizing, let alone combatting, cybercrime. That puts business leaders and the FBI and the military in a position where they have one arm tied behind their back. If we were this lackadaisical about physical crime, there would be anarchy.
It is time to start thinking about cybercrime like we do physical crime, and that starts by getting society invested. Dennis compared it to neighborhood watches and the signs that are hung around a community, encouraging residents to report a crime or anything suspicious. In the neighborhood watch situation, the person being called is going to assume a positive intent from the caller and someone would respond to investigate. The responsibility for preventing neighborhood crime falls on the shoulders of all citizens. Dennis called it a non-victim mentality, where residents can behave in a way that creates a mindset where they refuse to be victimized.
We know that there is no “neighborhood watch” or an equivalent for cybersecurity. It is too easy for users to become victims. Dennis said it’s time to begin a greater focus on education for all users to understand how to avoid threats, as well as how to detect and report cybercrime. Dennis said:
It’s an awareness issue. The vast majority of the assets we have aren’t ‘turned on’ [to cybercrime and security]. We haven’t turned on the public in the right way. We haven’t turned on our national infrastructure in the right way – our law enforcement, FBI, military. Nor have we turned on our corporations.
Dennis would like to see companies step up and create a cybercrime neighborhood watch. Whenever they suspect cybercrime, they should go immediately to the FBI and present the evidence. If the FBI sees patterns coming from multiple organizations, they are then better equipped to take action. Right now, the way things are set up, if a company does alert the FBI, it sends off signals to the corporate legal team that there is a crisis situation, and that creates the headaches I mentioned in the previous blog.
As for law enforcement across borders, Dennis said there are no easy answers; the only cross-border structure that seems to be effective is NATO. So, he added, maybe the way to approach cybercrime law enforcement across borders is to rethink security in terms of commerce. If we made security into an economy issue, it may find its way into a path where people who deal with international banking, for example, may be able to use their business structure to better manage and monitor our digital society. This approach may take away the focus on cybercrime, briefly, but Dennis thinks that, just maybe, it would provide an opportunity to put security standards in place internationally.
On a smaller scale, he’d like to find a way to not punish companies that actively work with the FBI to solve cybercrime. He thinks the FBI and law enforcement would be more effective if they were engaged and worked with companies. Rather than compartmentalize our approach to dealing with cybercrime, it is time that everyone works together.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.