FBI agent: Growth of cybercrime ‘unbelievable,’ tougher penalties needed

The federal government is “way behind the times” in fighting cybercrimes and must do more to respond to growing, largely unchecked threats, an FBI agent told the Greater Des Moines Partnership Thursday. 

“Our cyber laws are actually way behind the times,” said Ken Schmutz, Omaha-based supervisory special agent and member of the Cyber Task Force for the FBI. “We really need our folks in Washington to step up and make hacking have more penalties than it does. We’re chasing Russians, all the time.” 

Schmutz spoke as part of a Partnership panel on cybercrimes.

Threats from criminals looking to extort money from companies have soared, Schmutz said. 

Ransomware growth top cybercrime

“The growth of ransomware is unbelievable,” Schmutz said. “At this time, it has fast become the number one cyber thing we’re targeting, because of the amount of money they are making. They are targeting large, medium and large businesses.”

Criminals use ransomware to take over a company’s or organization’s computer systems, then demand payment to return files or unlock the system. High-profile attacks in recent months have targeted meat giant JBS Foods, the Colonial Pipeline, Des Moines Area Community College and university foundations.

Cyberattacks now are part of organized crime, the FBI agent said.

“Definitely, it is growing. It’s growing into organized crime,” Schmutz said. “They are highly organized into different groups. There’s a group doing the first part where they get the intrusion into the company. Then they’ll sit on it and maybe sell it to another group that does just the ransomware. And then you have another group that moves the money through crypto (currency). 

“Now that they are so successful, it’s definitely the number one cyber threat that we’re seeing that’s growing, and we have a lot of concern about work getting shut down at specific companies because that does a lot of damage to companies and the public,” Schmutz said.

Companies need to acknowledge the threat. “I think number one for companies is the realization that they are being targeted. We hear a lot, ‘Why would we be targeted? We’re just a small fish.’ Everybody has been targeted,” Schmutz added.

The answer is a combination of limiting even employee access to critical files, and even considering what could be taken offline entirely, he added. 

‘We’re not going to stop cyber crime’

Meg Anderson, chief information security officer for Principal Financial Group, said a realistic goal is to reduce, rather than stop, cybercrime. But even that is tough.

“We’re not going to be able to stop cybercrime,” Anderson said. “I’m not saying we aren’t trying to stop it. I don’t think it’s reasonable to think cybercrime is going to go away. But we need to make the awards of cybercrime not worth the risk.”

Chris Heidemann, vice president of information technology for Premier Credit Union, said small companies can be as vulnerable as international giants such as Principal. 

“As a small company, we are as much of a target as Principal, just in different ways,” Heidemann said. “Principal is much bigger and probably is a bigger fish, but they’re more technologically advanced and have more controls in place. We’re not going to be able to recruit some of the people that a larger company has.”

Businessman: Russia-based criminals sometimes escape prosecution

Aaron Warner, CEO of ProCircular, a cybersecurity firm, said he once worked with the FBI to address a group of Russia-based hackers that had attacked an Iowa company, even working with an agent who spent a month in Germany working the case. Warner said he felt stymied because the hackers’ location in Russia made it hard to take action. 

Schmutz, the FBI agent, said the case was among many that point to the need for tougher federal penalties for ransomware crimes.

There may be additional ways to fight back.

In one case, Schmutz said, the FBI put out a notice that prevented an accused hacker in Russia from traveling. That appeared to be behind a call to the FBI from the person’s lawyer.

“He was willing to trade some information would remove that red note so that he can travel,” Schmutz said, citing one technique that could be employed. “At least we’re inflicting some kind of pain on him.”

Principal’s Anderson said a challenge is that some of the crimes are committed by governments. “Businesses are put in a position to defend themselves against government-sponsored attackers, or others who operate from countries with limited consequences to the actions.”

Added Anderson: “What are the consequences that are being inflicted on the cybercriminals, when we can identify them? That has gotten better over time, but I think there’s still some work to do there.”

Warner, of ProCircular, said the U.S. government has sanctioned Russia and has defined ransomware as terrorism, which expands enforcement options through Homeland Security and other agencies.