Cracking down on the outlaws of cyberspace: Cybercop apprenticed in tough job

What’s it take to be America’s top cybercop?

“I was a hockey referee, so I’m used to being beaten up,” suggests Jim Christy, who is among those most often mentioned for the title.

And he’s been at it for only a decade.

But it’s a decade that’s seen the Internet grow from 8,000 users to an expected 50 million at the end of this year. And it’s a decade that’s seen computer crime go from a Hollywood scriptwriter’s fantasy to a real-life threat to commerce.

As a result, it’s seen Christy trade a higher-paying post as a Pentagon computer programmer to become the military’s first full-time civilian computer crime investigator.

Today, with the weighty title of Chief of Computer Crime Investigations & Information Warfare, he is one of 68 computer investigators in the Air Force Office of Special Investigations (OSI).

At 44, Christy’s part-time career as a professional hockey official has ended after four knee operations and a bionic eye implant necessitated by a slap shot to the head.

What he misses most, he says, is that as a referee “you are judge, jury and executioner, and justice is immediate.”

In law enforcement, justice is dispensed slowly. Especially, he notes, in cyberspace.

Christy, a Baltimore native, stumbled into the computer field. After drawing No. 35 in the draft lottery of 1971 during the Vietnam War, he joined the Air Force rather than waiting to be drafted. The aptitude test noted computer skills. He spent the next four years as a computer key punch operator, followed by 13 years as a civilian working computers at the Pentagon.

When he moved to OSI, Christy largely ceased his hands-on involvement with computers and systems.

“There are a whole lot of people who do that stuff a lot better than me,” he says.

His role now is to guide investigations — how to track the cybercriminals, who to talk to, when to get a warrant.

Christy has more experience chasing outlaws through cyberspace than anyone else. To those knowledgeable about computer crime and hackers, his cases are legend:

– He was the first investigator to take seriously Cliff Stoll’s complaints about a 75-cent accounting error that led to the discovery of a hacker mucking about in the University of California-Berkeley computer.

The 1986 investigation eventually led to Hanover, Germany, and a group of students who were hacking into U.S. military systems and selling what they found to the Soviet KGB. Stoll describes the case in the book, The Cuckoo’s Egg.

– Christy took part in the “Morris Worm” investigation, helping track Robert Morris, whose program moved across the Internet entering and disabling individual computers and network systems, causing millions of dollars in losses.

– Christy helped solve a 1991 murder by using cardboard and tape to reassemble two floppy disks.

On the disks were love letters between Air Force Sgt. Joe Snodgrass and a lover; a letter to a pair of hitmen paid to kill Snodgrass’ wife; and a letter increasing life insurance coverage for his wife to $450,000. Snodgrass pleaded guilty and is serving life in prison.

– Christy helped solve a 1991-92 case of an Air Force colonel who used America Online to exchange child pornography with 88 others. The case yielded the first cyberspace search warrants. The colonel was convicted and dismissed from the military; no jail time was imposed.

– Christy worked on the 1994 Rome Labs case, in which a British teen-age hacker, with the guidance of a still-unidentified accomplice, cracked the security at the Rome Air Force Base in New York. The base is a premier military research facility, and the unidentified accomplice is suspected of being a foreign agent.

After weighing a series of high-tech options for chasing the hackers through cyberspace, Christy found an informant in an on-line chat room who led him to the British hacker. Charges are pending.

Since last fall, Christy has been on temporary assignment to the Senate Permanent Subcommittee on Investigations, helping them examine security in cyberspace.

“I like working up on Capitol Hill, because you can make a difference,” Christy says.

“It’s still anarchy and like the Wild West out there on the Internet,” he continues. “But I feel much better now than I did just a year and a half ago, because the decision makers are starting to take notice.”

Three landmark cases

In the brief history of computer crime, these three cases are regarded as landmarks:

CITIBANK BREAK-IN: Bank robbery by hackers still rare

In 1994, Citibank came under attack by a group of cyberspace thieves, led by a mathematician in St. Petersburg, Russia.

In response, the bank called SAIC, a leading international security firm in McLean, Va. SAIC eventually traced the funds to accounts in San Francisco; Amsterdam, the Netherlands; Germany; Finland; and Tel Aviv, Israel.

The attackers had worked at Citibank affiliates for up to three years before the thefts. They installed backdoors to the computer and entered when they were ready.

Eventually, all but $400,000 of the $10 million stolen was recovered, and the company tracked down the intruders. Only then was the case turned over to the FBI, which arrested Vladimir Levin and four accomplices.

It remains the only case of a computer theft reported by a bank, the FBI recently told Senate investigators.

SAIC, whose board of directors and executive offices are populated by former high-ranking members of the military and intelligence community, declined comment.

According to the FBI, Levin took advantage of accounts where clients had opted for a lower level of security. All Citibank clients are now required to use higher-level security. Levin is battling extradition to the USA.

When the case hit the media in 1995, 20 of Citibank’s largest clients were approached by other banks with claims of better security, according to a recent report by the Senate Permanent Subcommittee on Investigations.

“There’s a huge disincentive to reporting these crimes,” says Mark Rasch at SAIC’s Center for Information Protection.

ARGENTINE HACKER: A tap on the Net spreads a wide net

In an investigation this past winter, authorities obtained the first court-ordered cyberspace wiretap.

The case underscores the complexities of preserving privacy rights in cyberspace.

The case involved a hacker using a Harvard University computer to steal passwords and gain access to government computers.

The problem: how to track the hacker in Harvard’s computer without listening to all the system activity, up to 300 users at a time.

Unlike a traditional wiretap, where authorities listen to a single conversation on a single phone line, in cyberspace police must review all the traffic on a system to identify the intruder’s packet of digital information.

“It’s like putting a bug (listening device) on home plate at Yankee Stadium and listening to every conversation and having to parse out the one conversation you’re looking for,” says Donald Stern, U.S. Attorney in Boston.

Investigators were able to draw a distinct profile of the intruder, such as specialized software he used. Authorities used software that monitored the Harvard system looking for that profile, alerting agents when they had a near match.

Even so, investigators twice read unrelated conversations. Authorities concede a clear profile is needed to preserve privacy rights.

“There will be cases where, no matter what you do, you will be unable to get a clear enough profile of the intruder,” says Stephen Heymann, the deputy chief of the U.S. Attorney’s criminal division in Boston.

By late December 1995, authorities say, the intruder was traced to Buenos Aires, Argentina, and identified as Julio Cesar Ardita, a computer science student. He faces U.S. charges, but Argentina won’t make an arrest.

INTEL CHIP CASE: Pentium prosecution required creativity

One of the rare cases of economic espionage that ended with a prosecution was that of Guillermo “Bill” Gaede, who pleaded guilty in March to charges of stealing the specifications for Intel’s Pentium and 486 computer chips.

Court papers set the value of the theft at $10 million to $20 million; Intel says the value could go up to $300 million.

“This is as big a case as anything we’ve seen in the ’90s,” says Leland Altschuler, chief of the U.S. Attorney’s Office in San Jose, Calif.

The Gaede case, while unique in its dimensions, was typical in another respect: It was an “inside” job, pulled off by a trusted employee with access to the computer system.

As a senior engineer at Intel in 1993-94, Gaede was able to access Intel’s computer system from his home computer.

However, Intel’s security system prevented anyone from copying files.

So Gaede set up a video camera and taped the blueprints off his computer monitor.

He sent a copy of the videotape to an Intel competitor. Instead of paying Gaede, the competitor promptly sent the video back to Intel and alerted authorities.

Intel tracked Gaede to Argentina, where the company initiated legal action. In the USA, Intel worked with the Justice Department to produce indictments against Gaede.

Gaede was captured when he returned to the USA in September 1995 to visit relatives. But, because Gaede only made a videotape of a computer file and never really stole anything in the physical sense, authorities had trouble deciding how to charge him.

Gaede pleaded guilty to mail fraud and interstate transportation of stolen property. In June, he received a 33-month sentence.

Copyright 1996, USA TODAY, a division of Gannett Co., Inc.

M.J. Zuckerman, Cracking down on the outlaws of cyberspace Cybercop apprenticed in tough job., USA TODAY, 07-02-1996, pp 04B.