Trae McAbee has been deeply entrenched in the fight against fraud and cybercrime for more than 10 years. As a former special agent in the United States Secret Service, he worked on electronic crimes, data breach investigations, money laundering, and cyber crime. McAbee is now an independent consultant. He spoke with Dennis Fisher about the challenges of investigating cyber crime and fraud, how much of a priority electronic crimes are for law enforcement, and how researchers and law enforcement can make a dent in the underground economy.
How did you get involved in security?
I come from a family that is business and accounting on one side and military, police, firefighter, farming, and construction on the other side. I was split down the middle and it took a while to strike a balance with my personality. While attending college for finance and accounting degrees, I worked security at the House of Blues in North Myrtle Beach, worked as a lifeguard during summers, and later a certified firefighter. I became a Certified Public Accountant with my first professional job following college. However, I’ve always had a desire to serve and was driven by the events of September 11, 2001 to do something more with my life. I split the difference of my upbringing when I became a Special Agent with the U.S. Secret Service in 2004. This was a perfect fit for me and brought together what was a double life to some extent as I began a career in law enforcement directed at financial and electronic crimes.
I spent close to ten years with the Secret Service, where in addition to normal duties, I entered into their Electronic Crimes Special Agent Program as a computer forensic examiner. I later served three years in the agency’s Cyber Intelligence Section in Washington, DC, where I engaged in data breach response, money laundering investigations, and intelligence gathering activities related to foreign based cyber criminals.
Is fraud prevention and enforcement a priority for the federal government?
I can say that fraud prevention is a priority for the Secret Service, as it is their original mandate going back to 1865. However, the rest of the federal government doesn’t make it a top priority. Typically, during my time with the federal government, the prevention and enforcement budgets were focused heavily on terrorism. Over the last three to five years, there has been a shift toward cybersecurity as a priority as large scale data breaches drew media attention and drove political agendas. This is still a broad area that includes fraud, data security, privacy, national secrets, terrorist funding, and nation state concerns. With agencies like the FBI, CIA, and the NSA involved, fraud prevention and enforcement can quickly become a secondary concern. This was all in the face of overall decreasing budgets for these agencies as the economic downturn from 2008 began to have a ripple effect in the federal government for the years that followed.
What are the biggest challenges for law enforcement when it comes to investigating cybercrime and fraud?
First off, when it comes to the large scale data breaches, and even to the local sandwich shop that has its customers’ payment card data compromised, you rarely see an American citizen being arrested for committing this crime. The overwhelming majority of cyber criminals committing these acts have originated from Eastern Europe and Russia where laws regarding these types of crimes are often non-existent or not enforced. A tremendous amount of effort has been put in by the Secret Service, FBI, and the Department of Justice to engage these countries and their law enforcement to build task forces, provide training, and develop better laws and extradition treaties. These efforts are also made in partnerships with ally countries in Western Europe facing the same challenges as the United States. This is where law enforcement becomes a political dance of sorts.
When it comes to investigating cybercrime and large scale fraud, law enforcement is constantly behind the curve when it comes to training. There are definitely law enforcement officers that have a technology background, but the majority of investigators, like me, are basically tech savvy. We get it and with training, we can apply what we know to cybercrimes. That takes time, funding, and a lot of on the job training as well to gain a true understanding of these crimes and how to prosecute them. Agencies have made efforts over the past several years to hire investigators or investigative assistants with technology backgrounds to combat this issue. Regardless, an investigator has to continuously stay on top of new trends and changes in technology. I was lucky enough to receive a good amount of training, but there were many times where I found myself researching topics or new technologies used to commit a crime. It is a fast-paced and ever changing environment. Not to mention, we are up against those that are tech savvy, often highly trained or knowledgeable who spend their days and lives finding ways to circumvent our efforts in new and creative ways.
The legal landscape around privacy concerns is ever changing. While I agree that there is a need for clear privacy laws to protect consumers and information, this also makes it difficult for law enforcement to obtain the information needed to prosecute high tech crimes. It is often difficult enough to identify a person from a screenname or place a person behind the keyboard to convict them of the crimes committed. The legal process to obtain account information regarding email accounts, financial accounts, etc. can be cumbersome and delay an investigation for weeks or months sometimes. Not to mention when you are trying to do this in a foreign country. Many Internet based companies will also take extra efforts to limit the amount of information they have available on customers or mask it in a way to protect their customers’ privacy. As a consumer, I can appreciate this. As a law enforcement officer, I knew there were certain companies that criminals would use because they knew we couldn’t obtain any worthwhile information from them. It’s a tough balance for companies when it comes to privacy protection and assisting law enforcement investigations.
Do you think federal law enforcement truly understands the scope of the cybercrime problem and the technical challenges?
I think that federal law enforcement has a great understanding of the cybercrime problem. The key here is law enforcement’s effectiveness. Some of the biggest cybercrime operations originate outside of our borders and outside of our control. However, it is not outside of our realm of influence. This is where you see the efforts of the United States government and law enforcement taking action to build task forces with and providing training to foreign partners.
What needs to be done to make a dent in the underground economy?
The underground economy is a global economy and will take a global effort to truly combat its continued growth. There are no easy solutions nor is there a singular type of crime that defines it. Many countries are safe havens for cyber criminals due to lax or non-existent laws or reluctance from countries to turn over their citizens to be prosecuted for crimes committed against U.S. citizens. Many of these countries have begun to take steps forward, but they have a long way to go.
In my travels and experiences providing investigative support, presentations, or training, I have often found that many companies, industries, and even countries have a see no evil, hear no evil, speak no evil approach to the underground economy. Its existence doesn’t concern them until they become the next media headline.
What are the biggest mistakes you see businesses making in regard to security and fraud prevention?
The biggest problem I have seen in the private sector is the “check the box” or “what are we required to do” mentality. The focus is often not on understanding the problem and how it relates to their company or their industry. Company operations and profitability are of utmost concern and security and fraud programs regularly take a back seat with regard to funding and more importantly, the support of company leadership. It starts at the top. When leadership takes security and fraud prevention seriously the mentality will flow throughout the company. If company leadership doesn’t understand the scope of these problems and the havoc they can wreak if not effectively managed, then these programs will not be as effective as they could be and will likely lack the funding and personnel to do the job at hand. I have seen this repeatedly in companies across various industries.
Another point I would like to make is with regard to overall management of fraud, physical and information security operations. These have often been completely separate functions with little to no interaction with each other. This needs to evolve to keep pace with the risks each faces. Physical security and fraud operations have become highly technical and rely on advanced technologies to be able to protect facilities, assets, and personnel. There is a large component of information security that requires the physical protection of systems from physical access and from internal fraud and abuse. At a minimum, these operations need to be regularly engaging with each other to address ongoing issues, provide risk assessments, and collaboratively plan for adverse incidents.
Why do you think companies still keep physical security, infosec and fraud as separate functions?
This has begun to shift over recent years to bring many of these departments or functions under one organizational group. This has included the areas of business continuity and privacy as well. I have seen this movement towards a company’s risk management organization, especially in the financial sector that has seen significant growth in risk management due to regulatory pressures. I have also seen some of these areas fall under a company’s legal organization.
To make this shift often requires significant changes in the company’s organizational chart. There is often an attitude of “this is the way it’s always been”, which is a phrase that makes me cringe in any context. There can also be some reluctance to make these changes as it can become political within company leadership fearing a power struggle over control and funding. I’ve also seen where company leaders treat these areas of responsibility as a proverbial “hot potato” that nobody wants to own. This all goes back to understanding what the tone is from the top. If security and fraud prevention is made a priority within the company, then the right moves can be made to build out effective and efficient programs that can support profit driven operations and overall company profitability.