Profile of a Profiler: An Interview with Bill Tafoya

by rthieme on April 2, 2001


April 2001


Best known for creating an accurate profile of the Unabomber, retired FBI agent Bill Tafoya now works on identifying “the hollow men of hackerdom.”


Q: You’re known as a “police futurist.” What do you anticipate in terms of police work and computer crime? What’s on the horizon?

A: Over the last 10 years, there has been a downturn in crime statistics, but very soon we’ll see high-tech or computer-related crime start to move up. Computer crime will increase in frequency.


There aren’t enough cybercops, not enough trained people. It’s analogous to having cars stolen left and right and the police having no clue how to investigate, so they ignore complaints, shift responsibility elsewhere or don’t take the cases. But the cars are coming off the assembly line faster and faster, and they’re visible to thieves who see a profitable business.

Q: US News and World Report and the History Channel both reported on your “eerily prescient” profile of the Unabomber. A previous FBI profile had argued that the suspect was in his mid-30s to early 40s, maybe a blue-collar aviation worker. But your analysis concluded that he was probably in his early 50s, with a graduate or doctorate degree and a background in science or math. You also speculated that he was an anti-technology Luddite. Is this an accurate portrayal of your profile and the role you played in the investigation?

A: It’s a fair representation. As one of my colleagues said, we don’t know what else might have been uncovered had they looked in the direction my profile indicated, instead of single-mindedly pursuing the wrong alternatives. The last two fatalities occurred long after their profile was prepared.

The head of the office at the time, Jim Freeman, claimed that my recollections are “less than objective.” Well, who’s totally objective about anything? But the agency is unlikely ever to portray things except in the best possible light.

Q: What’s the essence of profiling as you practice it?

A: It requires investigative reports, forensic-analysis reports, crime-scene photographs and other related materials, like videotapes of crime scenes, rather than just still photos. All of those items relate to a single crime; what you need for a profile of a serial killer is three or more sets of materials to compare and contrast.

Q: You have emphasized the importance of context for data collection. What contributed to your ability to identify critical details in the Unabomber case? How did you hone your intuition to notice what’s important?

A: That’s an interesting question. When I went to the FBI’s Behavioral Science Unit in the early ’80s, I worked with two colleagues on developing an “automated profiler.” We used artificial intelligence (AI) and what was then a state-of-the-art platform, a VAX 11/785, to provide a cursory review of files coming into the FBI.

As profilers became more successful, the demand for their services grew, which led to increased complaints–like, “Why is it taking you guys so long?” We attempted to create a means by which the information could be scanned through an expert system, so that the preliminary information could speed up the profiling process. To do that, the three of us looked at every single case file that the National Center for the Analysis of Crime had on serial killers: cases that were closed–that is, archived–and cases still active and in the database. We looked at everything to find patterns.

I went through the FBI Academy’s training for profilers, but I also had all of these cases. I read more case files than any of the individual profilers, who read only files on the cases they worked. When you read everything, eventually you start to see patterns, which is exactly what we wanted–patterns in how killers pick victims.

I used that experience 10 years later, in the early ’90s, when I reviewed the material on the Unabomber case. I made the review not for the purpose of doing the profile, but in order to prepare a protocol for interviewing living victims of the Unabomber. I looked at all the closed cases, cases I had not worked before, and I had the advantage of hindsight. Profilers working before me worked with cases known at that point in time. But I had the whole historical file. So my intuition was helped considerably by fresh information that was very intense and concentrated.

Q: In order to build an expert system, you start with an expert human who develops software, which in turn is used by other humans. Does the software remain at the level of expertise at which you developed it, or does it continue to learn and include new input?

A: There are both kinds of AI software out there, but the best programs continue to learn from new input. The early programs could only manipulate the information they had and could not ask questions. But the best stuff can do that, and we were trying to build along those lines.

We had five years to work on this system, with no other assignments initially, and we had a good team. I was the investigator, the FBI agent. One of my colleagues had a Ph.D. in social psychology and could work with stats, and the other had a Ph.D. in electrical engineering and had already written an AI program.

Q: Let’s talk about computer crime in a way that builds on that work. You have said that serial killers often taunt their adversaries, which makes them visible. But there are spies like Aldrich Ames who seem to have had extraordinary discipline, so whatever ego-type needs they gratified did not require a public display. They strike me as the most dangerous people on the other side.

A: Absolutely. People who don’t need to say, “Look at how good I am” to someone else are the criminals who pose the greatest threat, regardless of their specialty. That kind of restraint happens to be unusual with criminal hackers or crackers. Most of these people seem to have a need to boast about their latest conquest on a listserv.

My guess is that, as technology becomes less expensive, more powerful and more pervasive, we’ll start to see “the Hannibal Lecters of cybercrime.” They will leave some kind of little taunt–an obvious message when you look at the code closely enough. There will be a little gotcha, some message meaningful to the cracker: a stenographic device or, as in the case of the Unabomber, a “See, I told you it would work.”

Those taunts indicate that the person feels omnipotent: “You haven’t been able to catch me, so I’m going to toy with you and show you how clever I am.” A lot of people suggest that criminals want to get caught–something that’s often said about Ted Kaczynski–but I don’t think that’s the case. As a criminologist, I don’t think people do it because they want to be caught. I think they mainly do it for egotistical purposes. They’re doing it to show how good they are, how close to the edge they can come. The guy who does rock climbing and hangs by his fingernails doesn’t want to fall; he wants to show how good he is–that he can defy gravity.

Q: Do you distinguish between a hard-core criminal–say, a hit man–and someone like a serial killer? Professional killers sometimes speak of their work as a job, like taking out the garbage. Are they sociopathic and don’t have a conscience, or have they become desensitized to what they’re doing? Do they take pride in their work, but have no need to be recognized in a grandiose way?

A: My view is that both serial killers and hit men tend to be sociopathic. They don’t care about their victims. They depersonalize the victim by referring to him or her as “it.” The difference I see is that a hit man is motivated almost exclusively by remuneration–he does the job for money. The payback for the serial killer is almost exclusively internal; it’s gratification from committing the act, the things that lead up to it, the chase. Some of them say that once the victim is grabbed, the thrill is almost gone. They have to rejuvenate themselves by torturing the victim.

Q: Let’s link that to computer criminals. Is there evidence at this point that computer criminals engage in the same kind of behavior?

A: There’s not enough evidence yet to support a formal generalization, but there are tantalizing anecdotes that suggest that the same kind of psychological motivations exist. For example, some of the very capable crackers who were in the former Eastern-bloc countries are very adept and operate like hit men. They’ll break into any system for money. There are also crackers like Kevin Mitnick, who don’t care about financial rewards, but do it for the thrill of the chase. I’m not aware of any empirical research that will let me go beyond that kind of characterization.

Q: Marcus Ranum uses the term “ghosts” for crackers who are invisible and stealthy, who are quite good technically, whose names are unknown. They do their work, leave no tracks and don’t brag about their accomplishments. Have any of the criminal hackers working for the cartels or the Russian Mafia been caught?

A: Not a one–I don’t think we’ve caught a single one. I think such people have sufficient ego satisfaction from knowing that they’re so good they’re invisible. They’re the “hollow men of hackerdom.” They get satisfaction from seeing ink about what they’ve done, but don’t reveal it to anyone. They have enough self-control to restrain themselves.

A good example is [hacker handle omitted], whose real name I know. He’s a ghost in that sense of the word. I’ll tell students his handle and ask them to determine his identity. In three semesters, not one has uncovered his true name. He has gone to great pains not to have his name and hacker handle associated, and there are others like that out there. The ones who are known–Erik Bloodaxe, Phiber Optik–are not in that league.

Q: Somebody recently told me that he thought a particular power outage was not an accident, that it was a “show of force” or a demonstration of power–at any rate, it was intentional. Another source in the power industry said that when industry and federal officials meet to discuss infrastructure protection, the body language and demeanor of the feds suggest that they are discussing things that have already happened, not theoretical events.

If it’s true that a “black” metanational has carried out such a demonstration, then it seems we have entered into an agreement to give them breathing room in exchange for keeping it quiet. What do you think? Has something like that happened?

A: My instinct tells me that it has happened, but I don’t know for sure, and I can’t point to a source to back up that suspicion.

Q: We do hear of intrusions into banks.

A: During the Y2K scare, experts consistently indicated that, of all the industries that are potentially vulnerable, banks and financial institutions were really the least vulnerable because they put so many resources into protecting their information systems. Well, bankers tend to be frugal and won’t spend money without proof that they should spend it. I suspect that, if banks are now state of the art in terms of information security, there’s a good reason for that. And the reason is likely related to their having been victimized and having covered it up successfully. At the same time they learned the lesson that, whatever it takes, they must protect their stream of financial transactions.

Q: A lot of people fear “Big Brother” universal surveillance, but the success of spies like Aldrich Ames suggests that these capabilities are exaggerated.

A: I like to tease people who ask about Big Brother by leaning close to them and whispering, “Yes, Big Brother exists, but he doesn’t work for the government.” No, Big Brother doesn’t have the capability to do the things the public believes he can. In cases like Aldrich Ames or John Walker, someone can spy like that for many years because their position of trust lets them maintain a level of confidence with the people who provide oversight of their activities. They don’t attract undue attention. Had Ames not spent money, he might never have been caught. When a person is able to maintain self-control, not alter his lifestyle, come to work every day and fit the expected norm of the corporate culture, he can go on forever.

Q: Which implies that one danger of “groupthink” is that conformity provides the best cover.

A: To oversee ourselves at that level of surveillance, we would have to become so paranoid that we would be suspicious of everybody all the time. Do we want to have security to the point that we never have another Aldrich Ames? We would have to run our command staff like Hitler or Saddam Hussein, executing anyone who lifts an eyebrow. We accept the occasional traitor in a democracy, as appalling as that is, because we want to trust people at the public level. We want privacy, and we don’t want government intruding in our affairs. The same is true for the people who work for the government. If everything they did was checked and double-checked, their work would never get done. There has to be a certain amount of trust.

Q: You said that context is critical in developing a profile. But in cyberspace, in its pure form, context is exactly what’s missing.

E-mail is often misinterpreted because it doesn’t carry context with it–a wink, a smile–to flavor the text. Do you think that the kind of computer-criminal database that could support profiling can be derived from their behaviors and actions in cyberspace alone?

A: It depends on how active the cracker is.

If he or she has communicated enough times, it’s possible to establish a pattern of grammar and syntax that can be identified. Don Foster, a literature professor at Vassar and an expert in linguistic forensics, wrote a fascinating book called Author Unknown. He speaks of attribution investigation or analysis, which can be applied to e-mail messages. If you have enough to work with, you can find nuances that, while not as unique as fingerprints, are pretty close. Foster says that no two persons write or speak in the same way. That would mean that we can trace surface patterns and connect anonymous writing or a hacker handle to a unique individual.

Q: You’re currently leading a computer crime program at Governors State University. How did you develop it?

A: We created a sequence of new courses that enable students to pursue a minor in computer crime investigation. A student might be majoring in criminal justice and wants the sequence to prepare him for something down the road. Or, someone majoring in business who is fascinated by computer crime can take the courses as electives and develop a minor. The courses can also constitute a minor in computer science. They constitute a total of 15 credit hours, and we require all criminal justice students to take them.

At the same time, we want to develop a certificate program in intrusion detection. Students could take that program’s courses for credit. A police officer could take the certificate program, or a grad student could apply the credits to a master’s degree in computer science.

Q: Is this program unique?

A: At the moment, yes. The University of New Haven has a program close to it. The Rochester Institute of Technology is trying to get one started. The University of Central Florida is also developing a program.

Q: How does law enforcement recruit someone who has expertise in computer forensics, the mind of a cop and is willing to work for less than he would get in industry?

A: The mechanism to do that is in place and building. The federal government introduced a program last year that’s starting to take shape. People applying for a graduate degree in certain fields, like computer science or electrical engineering, can apply for funding as part of a cybercorps program. They will have their degree paid for by the government; in exchange for that, they will work for the government for three years after they receive their degree.

That’s already in the works. The National White Collar Crime Center was put into place, as was the National Cybercrime Training Partnership, to which I was appointed, and also the Federal Law Enforcement Training Center. So the mechanisms are now in place to get people trained. But it’s unfortunate that precipitating events have taken so long to motivate the powers that be, because now we’re behind the curve. These people won’t achieve novice-level experience for another three to five years.

I expect that, as incidents of reported high-tech crime increase, we will have some catastrophic event, the equivalent of an Oklahoma City bombing–a cyberspace incident of such magnitude that it will horrify the public into demanding that more be done.

Copyright © 2001 Information Security, a division of TruSecure Corporation
