Cybercrime—Persistent Monitoring
Deep within a hardened concrete bunker designed to withstand a nuclear attack, security analysts peer at computer monitors, watching streams of code slip across the screens.[1] Tucked into the middle of a hay meadow in Wiltshire, England, the facility monitors internet traffic and cybercrimes 24 hours a day in 180 countries.[2] There are no windows, “and the site is entered via an airlock consisting of four steel doors the thickness of sprung mattresses.”[3] In the event of a nuclear attack, the facility, and those working inside, could survive for 40 days because of its proprietary power generators and air filtration center.[4]
Deep within the command center, a large map of the world shows cyber attacks in real time, with eastern Europe and the east coast of the United States “glowing red with hotspots” by midmorning.[5] Analysts at the facility are painstaking in their attention to detail, searching for the “minutest sign that something unauthorized might be going on.”[6] If the team detects something that appears to be an attack, an alarm is raised, sometimes within 10 minutes of detection; if it appears to be a novel type of attack, data is forwarded to a response center in Dublin, “where teams of engineers create new ‘signatures’—information on how to recognise viruses.”[7]
This facility may sound suspiciously like a new FBI command center, but it isn’t. It is yet one more example of the ever-expanding public-private responses to cybercrime. The facility is actually a Symantec monitoring center, one of four that the company maintains across the globe.[8] The other three centers—located in Munich, Sydney, and Alexandria, Virginia—are nothing like the Wiltshire location; they are housed in typical office buildings.[9] You can even see pictures of the centers on Symantec’s website.[10] With the exponential rise in computer attacks, however, the nuclear bunker offers some advantages. According to Graeme Pinkney, Symantec Europe’s threat analysis manager, “An operation like this has to be 24/7—you can’t have any disruptions. … Because of our remote location, we can’t be taken out by fire, flood or other events.”[11]
According to Symantec, cybercrimes are becoming less about destruction of data and more about “silently steal[ing] data for profit without doing noticeable harm that would alert a user to its presence.”[12] These threats “are gaining momentum through the use of crimeware, software tools built with the purpose of committing online scams and stealing information from consumers and businesses.”[13] The company is also seeing a growth in the use of “modular malicious code,” which enters the system with limited functionality but silently “update[s] itself with new, more damaging capabilities. Modular malicious threats often expose confidential information that can then be used in identity theft, credit card fraud, or other criminal financial activities. During the last six months of 2005, modular malicious code accounted for 88 percent of the top 50 malicious code samples reported to Symantec.”[14]
Public-private response to cybercrimes was a key component of the Bush administration’s National Strategy for Homeland Security in 2002. Under this strategy, the administration noted that the private sector controls “85 percent of America’s infrastructure. … Government at all levels must enable, not inhibit, the private sector’s ability to carry out its protection responsibilities. The Nation’s infrastructure protection effort must harness the capabilities of the private sector to achieve a prudent level of security.”[15] In December of 2003, “five task forces were formed by public and private sector leaders under the guidance of the Homeland Security Department”: home user and small business awareness, cyber security early warning, best practices and standards for corporate governance, best practices and standards for technologists, and secure software development.[16]
[1] Maija Palmer, Sleuths on the Cybercrime Trail, Fin. Times, May 5, 2006, at 9.
[2] Id.
[3] Id.
[4] Id.
[5] Id.
[6] Id.
[7] Id.
[8] Id.
[9] Id.
[10] See Security Intelligence, Symantec.com, May 5, 2006, and look for “On Location.”
[11] Palmer, supra note 1.
[12] Symantec Internet Security Threat Report Tracks Notable Rise in Cybercrime Activity, Symantec.com, Mar. 7, 2006.
[13] Id.
[14] Id.
[15] Dept. of Homeland Security, The National Strategy for Homeland Security 33, Whitehouse.gov, Jul. 10, 2002 (PDF).
[16] See The Growing Emphasis on Public/Private Partnership, Symantec.com, Jul. 27, 2004.