chloeveltman.com > features

Beating cyber crime
1 March 2001

Michael Vatis set up America's first computer investigation unit and was soon tracing the hackers who had penetrated government, military and NASA systems reports Chloe Veltman

FEBRUARY 1998 was a particularly stressful month for Michael Vatis. The Harvard Law School graduate and legal golden boy, whose curriculum vitae boasts such weighty job titles as Associate Deputy Attorney General and Deputy Director of the Executive Office for National Security, had nearly reached his mid-30s when he was confronted with what looked like one of the world's first instances of information warfare.

Bill Clinton had just given Vatis a presidential nod to set up the National Infrastructure Protection Centre (NIPC), the FBI's cyber crime investigation and prevention unit, when a group of hackers penetrated more than 500 military, government and private sector computer systems, including NASA sites and seven air force bases.

Speedily pulling a team of experts together without so much as a moment to affix the nameplate to his office door, the NIPC's first director set about solving the case, codenamed Solar Sunrise.

At the time, tensions between the US and Iraq had grown sour over United Nations weapons inspections and the build-up of US military personnel in the Middle East. When it was revealed that some of the hackers' activities appeared to be coming from an internet service provider in the Middle East, some generals in the Pentagon assumed that Saddam Hussein had launched a cyber-attack. It took only a few days to trace the hackers. Far from being terrorists from the Arab world the perpetrators turned out to be a couple of Californian teenagers working under the mentorship of an Israeli hacker.

Juggling his time between co-ordinating a global investigation to catch the criminals, calming down military men and trying to get his fledgling organisation up and running, Vatis recalls his first few months at the NIPC as "a baptism of fire".

Lean, suave and dark, Vatis has the appearance of a Hollywood FBI agent and would not look out of place breaking down the door of a Chicago speakeasy. Yet performing dawn raids and interrogating suspects has little to do with running the NIPC. He says: "I'm not involved with taking apart a victim's computer or deciphering computer codes. I tell people when and how to move on a case."

Making speeches before the Senate, developing NIPC policy and deploying the troops from his desk at the FBI's Washington DC headquarters, Vatis's professional life couldn't be less like Agent Mulder's from the paranormal television programme The X-Files.

Not that running an organisation like the NIPC isn't fraught with obstacles. When he came up with the idea for a national organisation that would both investigate cyber crimes and warn the public and private sectors of potential viruses and other assorted forms of digital mischief in 1997, Vatis says: "There was no genuine system in place to help the government deal with specific cases of cyber crime."

Until recently, computer viruses and online credit card fraud were generally considered to be minor hazards rather than as significant threats to national security.

He says: "My first major challenge was to convince policy makers and the public that internet security was a serious problem that needed to be addressed."

Brandishing the rhetoric of a Judiciary Committee speech, Vatis says: "Cyber crime is not just a law-enforcement problem, nor a defence problem, nor a counter-intelligence problem, nor a business problem. It is all of these."

Although his department is affiliated with the FBI, giving the NIPC the legal authority to respond to incidents and issue warnings, Vatis says open exchange between the public and the NIPC is crucial to fighting cyber crime. "The organisation can only work by keeping communication channels open. We are striving to share information."

In January, the NIPC announced the national launch of its InfraGard programme, which promotes the exchange of information about computer vulnerabilities between the private sector and the NIPC through a secure website.

Then there is the issue of technology which is advancing daily and becoming increasingly global, and, as Vatis only knows too well, "the bad guys are becoming more and more technically sophisticated".

According to Vatis, the most common type of digital delinquent is the disgruntled employee who wants to get back at their boss for not getting a pay rise or promotion.

Hackers come in a variety of flavours, from the unwitting teenager messing about on a home PC, who, "doesn't usually mean any harm but ends up causing millions of dollars worth of damage," to the Bin Ladens of this world.

He adds: "Terrorist groups are already using technology for sophisticated communications and fund-raising activities. As yet we haven't seen computers being used by these groups as weapons to any significant degree, but this will probably happen in the future." He notes the havoc terrorist organisations could cause if they hacked into air traffic control systems or power grids.

Now other countries such as the UK, Japan and Canada are following the lead of the NIPC and establishing their own cyber crime units, which is a great relief to Vatis given the international nature of internet crime and the difficulties of co-ordinating investigations across borders.

He explains: "If a cyber crime takes place in the States, but the internet address is abroad, we are powerless to do anything. Cyber crime is a global issue and we routinely have to work with foreign partners."

The NIPC enjoys a particularly strong relationship with the UK's National Infrastructure Security Co-ordination Centre (NICC), established in late 1999. When a hacker from Wales known as Curador stole as many as 28,000 credit card numbers from e-commerce websites around the world, the NIPC and NICC worked with the Welsh police to track down the offender.

With all this mayhem, it's not surprising that Vatis, at 37, is moving on. He has no plans for the future, although he thinks technology will play a part in his next job. "I never intended to stay more than three years," he says of coming off the FBI payroll. "And it's been a three-year sprint."

Copright The Telegraph Group Ltd