The industry needs people who are bilingual in InfoSec AND law enforcement (LE), to translate between the two groups. Law enforcement has to understand the resources available in the private sector, and the business people have to understand what they must deliver to LE to investigate the case.
Mr Selby believes it has to be a non-profit labor of love, supported by people on both sides. And in one year he still hasn’t found all the answers.
“Conferences like SecTor are excellent,” he said. “It’s a really big problem and there’s very little money to be made. There is money ultimately – when you are competent and show you’re trustworthy, then money shows up. There might be money to be made, yet I’m not sure how.”
Training initiatives are likely the initial phase, with sponsorship that covers administrative work. The kind of cross training he’s talking about might take place at SecTor, where LE and InfoSec pros come together.
“It’s very interesting what LEOs don’t know about cyber crime. It’s fascinating how little knowledge is out there, and the raw sums of money that can be made in a cyber attack. Most cops don’t understand it, thinking it’s something out of Dick Tracy. When they begin to hear the stories, the relatively untraceable nature of it... I don’t understand why anybody would ever knock over a 7-11.”
What does he mean by that?
“I submit to you that with tools and off-the-shelf malware, one requires limited skills to launch a cyber attack. The skills are similar to walking in to rob a 7-11.”
The difference on the results side is huge. Robbery in the US – where Mr Selby lives – is a felony. For $800 or less, you’re going to be caught and jailed.
“If you commit a cyber crime you stand to make tens of thousands of dollars,” said Mr Selby. “It’s not clear if it’s a misdemeanor or a felony. Who investigates? From where? And it’s likely you won’t be caught.”