Virus Infection Is No Peccadillo

Helmut Ujen

Mr. Ujen, why has the number of new and ever-more-refined viruses increased so quickly?

Ujen: The spread of viruses – of damaging programs – increases with the spread of the general use of information technology. These days, a deep understanding of information technology is no longer necessary to manufacture a damaging program. So it’s no surprise that the majority of the most recent viruses are variations of familiar types – but that changes nothing about the danger they pose.

Which types of viruses are most dangerous for a company?

Ujen: There are no innocuous viruses. Even seemingly harmless viruses that don’t contain any explicit functions to do damage can lead to system crashes and data loss, depending upon the software installed on the computer. Viruses are distinguished by how difficult it is to fight them. The manner of infection (how the virus spreads) and the symptoms (the damage the virus does) – both play a role here. For example, you can contain the spread of viruses that are introduced exclusively as part of an already infected executable program by forbidding users to install the software. However, viruses that spread over the Internet by using the script functionality of the e-mail client or the Web browser are more difficult to combat. Only technical measures can help here, such as virus protection programs and regular software updates, both of which eliminate known security gaps. In terms of damage, we regard viruses that we can recognize as preparation for attacks by hackers as the most dangerous. They open back doors in the system, spy out passwords or customer data, and change user authorizations.

Have viruses already forced companies to stop production?

Ujen: Not yet, although reports have come to the BKA indicating that virus attacks have already caused damage to businesses. That’s how denial-of-service attacks blocked the dial-in servers of an Internet service provider. The provider was unable to offer its customers Internet access for several days, which cost the company a great deal of revenue.

In the past year, which systems or networks were the favorite targets of virus attacks?

Ujen: Microsoft systems and products are at the top of the list because more systems are affected. But Trojan horses have also affected systems running the Linux operating system. Even PDAs (by Palm) have been affected. Generally, many viruses take advantage of security gaps that have been known for a long time. The failure of many users to update their systems and install the important security patches that are regularly provided by manufacturers only contributes to the situation.

How exactly can a company recognize the damage done by a virus?

Ujen: Direct damages are comparatively easy to specify. The first expense is the administrative effort required to secure, maintain, and reestablish the functions of a company network. Then consider the indirect damages that can occur, such as blocking an online ordering system or the cost of new hardware and software to improve security for the existing systems. The mass transmission of infected e-mails also creates higher costs for an Internet connection. These damages can be enumerated only if the company has developed a certain awareness of its IT costs and when it knows for certain that a virus has caused operations to halt.

Do the victims of viruses, such as companies and private persons, turn directly to the police?

Ujen: Those who suffer harm rarely involve the police with a formal criminal complaint, for example. According to a research and consulting firm in Hamburg, about 21 percent of the workstations with computers in Germany were infected with the I Love You virus in 2000. But our office is aware of only four complaints related to computer sabotage in that year. When faced with technical problems, companies tend to turn first to IT security firms or to a computer emergency response team (CERT), an industry-specific security center. In the United States, the first CERT was founded in 1988, after the Morris worm had created significant damage. As a preventative measure, a CERT shows companies how to close security holes and helps them obtain advice from international experts in the event of a crisis. CERTs and IT security firms do not normally turn to the police.

Isn’t that disconcerting? Shouldn’t a lot more complaints be issued to create an awareness of the criminal nature of virus infection?

Ujen: In fact, that is disconcerting – to both law enforcement agencies and the companies themselves. Every case that does not result in a complaint and involve law enforcement only leads to the culprit or culprits learning that their actions have no consequences. In addition to the essential security activities, only consistent law enforcement can eliminate this type of crime. The failure to lodge a complaint because it might demand more effort on the part of the victim is counterproductive for a company.

What strategy does the BKA use to fight this type of criminality?

Ujen: The BKA has set up its own special services with detectives, scientists, and technicians. It can react to current and future technical developments. In addition, the BKA also works closely with the German Federal Office for IT Security (BSI). We’ll also invest in public–private partnerships in the future. We want to increase awareness and encourage companies to collaborate with law enforcement agencies.

To fight viruses that spread globally, the BKA must also work globally. Can it? Does it?

Ujen: The BKA is already an international police agency and has excellent connections abroad. To improve cooperation, international agreements have been ratified at the political level, such as the Cyber Crime Convention of the Council of Europe. In particular, this international agreement sets minimum legal requirements that should guarantee effective law enforcement in the area of computer crime. The BKA maintains and fosters contact with foreign agencies as part of international police collaboration with Europol, Interpol, and international agencies. For example, several years ago the G8 countries founded the G8 24/7 High-Tech Crime Network so that they could exchange relevant information among themselves. Good bilateral contacts with special services for high-tech crime also guarantee rapid collaboration. The BKA has continuously qualified its own personnel for several years. Right now we’re hiring additional computer scientists and engineers.

How high is the rate of successful solutions of virus infections?

Ujen: It’s difficult to speak of the solution rate of crimes related to the spread of viruses. Because most cases involve sending infected e-mails without the knowledge and agreement of those involved, it’s difficult to trace the virus to the individual who consciously spread it. New-generation viruses have their own dispersal and camouflage routines, so that it’s difficult to identify the original sender.

Do you already have profiles or typical motives for hackers who produce worms?

Ujen: We know that young hackers break into other computers because of their interests and to test their abilities – but without wanting to cause any damage. Other hackers want to make companies or software manufacturers aware of weaknesses in their systems. However, criminal hackers attempt to capitalize on this situation by blackmailing companies or offering their assistance for a fee. Finally, there are serious criminals who break into other systems to perform business or even official espionage.

How are hackers punished?

Ujen: Determining punishment is the job of the courts, not the police. The courts work from the guidelines of the penal law that sets sentences. In principle, there’s no difference between a “fun virus” and consciously criminal activity. The spread of a computer virus is a crime in German law, regardless of its intent. In the best case, intention plays a role in determining the sentence.

Do we need to redefine the term “crime” in the age of computer worms?

Ujen: No. The criminality of computer crime in all its forms is defined adequately in German penal law. Appropriate punishment is also possible. However, the public must develop a new sensitivity to this type of crime. Quiet teenagers, who would never think of shoplifting anything, can cause damage costing millions at home with a computer keyboard while their parents sit in the next room watching a police show on TV.