25 June 2008

Transnational eCrime: Leaderless Networks...

Transnational crime and the multi-phase process of Collection, Monetization and Laundering is no better illustrated than in this Citibank case of this past year. This week more arrests have occurred as the informants intelligence has been utilized in capturing those who are part of this international criminal network. Kevin Poulson at Wired writes:

The FBI has recently made at least six more arrests in New York -- bringing the total to 10 -- thanks to information from arrested scam suspects, a lucky traffic stop, and an undercover operation that at one point had Eastern European hackers chasing a female FBI agent through the streets of New York, trying to mug her for ATM-card-programming gear. Six months after the 2007 breach, Wired.com is receiving scattered reports of Citibank customers still suffering mysterious withdrawals from their bank accounts.

The FBI believes the brains behind the operation is a Russian man, who's receiving the lion's share of the profits through international wire transfers and online-payment systems. While Citibank and federal officials are being closed-mouthed about the PIN theft and the ensuing fraud, the Citibank heist provides a rare look at how a single high-value breach reverberates through the international "carding" community of bank-card fraudsters. What's more, neither Citibank nor the third-party transaction processor involved in the breach has warned consumers to watch for fraudulent withdrawals, raising questions about the disclosure policies in the financial industry.

The case is unfolding in the media and the finger pointing will continue on where the breach occurred. Was it on a Citibank network or an outsourced third party supplier of 7-Eleven who operates the retail stores where the ATM's are located? ID Theft is not the real issue here as much as a bold database hack of accounts, PIN's and counterfeiting of ATM cards.

This facet of Operational Risk is another lesson learned about the safety and security of customer data especially when it is outside your own corporate domain. Service Level Agreements (SLA) are too often the only item that is consistently presented as evidence of the due diligence of auditing a third-party processor of customer data. The actual physical audits are few and typically are not done on a rigid schedule. Resources and funding are the excuse more often than a total lack of oversight.

Transnational crimes such as piracy, illegal traffic of drugs and humans, counterfeiting and intellectual property theft or espionage is not new to the Operational Risk Managers of global enterprises and international organizations. What the financial motivations are and where the proceeds are going is potentially the greatest challenge any investigator has on their agenda. Where does it all lead? What does the target plan to do with the money gained from these illegal activities and incidents?

The answer is that there is no single target. The target is a network. And like a starfish, it can reconstitute itself from any severed part; there is no brain. Douglas Farah captures the thinking on why leaderless networks are a continuous threat:

Any one piece of the leaderless network can reconstitute itself with little difficulty, without waiting around for someone to give an order and for that order to move down the chain of command.

Clearly, it seems, there are better and worse individuals within the network, and taking out the really good ones takes something of a toll. And leaderless groups are not highly efficient. But they survive.

If you have a system of enterprising freelance operations acting on impulses (the urge for profit, the urge to carry out attacks, the urge to acquire weapons etc.), these impulses will overlap. The actions will be taken to benefit all parties, and the networks can thrive with no one person making the important decisions.

This strikes me a perhaps the most dangerous mutation that both organized crime groups and terrorist groups (particularly Islamist terror groups, who seem more adept at moving through nerve impulses, without specific orders, than most), can take.

Successfully countering these groups and their growing reach will require a radical new assessment of both strategy and tactics in the military, intelligence community and law enforcement. But that will require a willingness to dump old assumptions and paradigms, something that has not really happened since 9-11.

18 June 2008

ESI: The Economics of Litigation...

The operational risk and complexity of eDiscovery is increasing and the economic impacts are becoming a Board Room topic of debate. This study from RAND by James N. Dertouzos, Nicholas M. Pace, and Robert H. Anderson opens up some of the serious implications of Electronically Stored Information (ESI) as it pertains to this research:

Business litigants display a mix of optimism and concern about the impact of the new federal rules on e-discovery that went into effect in December 2006. To some extent, the balkanization that marked federal decisions in this area is likely to be reduced, but the core concerns over uncertainty about what are reasonable steps to take in advance of and during litigation remain. Thus, it is apparent that further clarification and development of e-discovery rules that promote efficiency and equity for both defendants and plaintiffs are required. For example, the new federal rules require early and full disclosure of IT systems, but interviewees noted that many lawyers are unfamiliar with the modern and continuously evolving hardware, applications, and internal record-keeping practices of their clients. Lawyers risk significant sanctions for failing to properly carry out e-discovery duties that they may not be equipped to handle. Even technologically savvy attorneys voiced concerns that providing opposing parties with detailed IT “roadmaps” as envisioned under the new rules would lead to discovery demands designed solely to drive up costs. And as corporate clients increasingly move toward internalizing collection, review, and production tasks in order to limit litigation costs, their outside counsel may find themselves with reduced control over the process but nevertheless still vulnerable to sanctions.

Lawyers who are modernizing their efforts to review documents are partnering with new boutique firms to accomplish this because they have the tools and the technology subject matter expertise. However, these efforts may be increasing the cost of litigation to corporate clients even though the automation and outsourcing is enhancing their process of review and relevancy. This is because the lawyers are still charging their clients for manual review by associates in the firm who charge by the hour in most cases in excess of $300/hr.

eDiscovery and the costs and benefits of litigation are a constant dialogue on the golf course, the skybox and the private rooms of fine dining in New York, Washington, DC and most major metro areas. The reason has to do with the "Mathematics of Litigation".

The previous discussion makes it clear that e-discovery, by changing costs, creating new risks, and altering the flow of information, could alter litigant incentives to file suit, settle cases, and go to trial. For example, several interviewees claimed that the significant burdens of e-discovery outweighed the benefits of going to trial, especially in low-stakes cases. Thus, they were fearful of an increase in lawsuits of questionable merit in which defendants would settle rather than incur the costs of discovery. Viewed from another perspective, plaintiffs may choose to settle cheaply, dismiss their own cases, request less, or refrain from filing in the first place if their own costs of discovery (whether as producer or requestor) overwhelm the value of their claims.

The trend line for eDiscovery is clear. Corporations are bringing the eDiscovery mechanism in-house and are integrating the legal department with savvy staff in the IT ranks. Outside counsel will continue to remain a key aspect of the litigation process but are quickly being asked to take more traditional roles in the case. Outsourcing the automation tasks to the law firm will only increase the complexity and the potential liability of ESI related episodes or incidents.