Some years ago, I attended a training program sponsored by the United States Secret Service which was training cyber first responders such as state and local police departments, sheriff’s offices, county police, and other local law enforcement agents. I was struck by several things. First, how rudimentary the training was. Second, by the naiveté to think that local police were actually the “first responders” to a cyber incident. Nevertheless, with the possible explosion of cybercrime, and certainly with the explosion of cyber forensics and cyber evidence, there exists a genuine need to provide tools and training for local law enforcement agents.
On November 2, 2017, President Trump signed the “Strengthening State and Local Cyber Crime Fighting Act of 2017,” which establishes within the United States Secret Service a new National Computer Forensics Institute. The institute’s purpose is to disseminate information related to the investigation and prevention of cyber and electronic crime and related threats, and to educate, train, and equip State, local, tribal, and territorial law enforcement officers, prosecutors, and judges. The intention is to train local cops on cyberthreats, electronic crimes, investigative and forensic techniques, challenges for investigation and prosecution (including electronic evidence) and incident response. In addition, the US Department of Justice (DOJ) Bureau of Justice Assistance (BJA) will now have funds to issue grants to study cybercrime and to train state and local police on issues related to cybercrime and investigations.
All great ideas. And long overdue. But will it work?
Who’s On First?
Certainly cybercrime, hacking, ransomware, cyberbullying, extortion, espionage (regular and corporate), cybertheft, identity theft and fraud, doxing, revenge porn, intellectual property theft and misappropriation, and other forms of cyber offenses are a real and growing problem—not just for the FBI, DHS and USSS, but also for every police department. In theory, the Internet Crime Complaint Center (IC3) acts as a national coordinator of complaints about cybercrime, but in practice cyber and cyber-related crimes are reported randomly and haphazardly to police departments across the country—often with limited success. Some police departments have dedicated cybercrime offices, with tools and resources, forensic laboratories and trained staff. Most do not. They may have the ability to extract child pornography from a computer, but lack the training and tools to conduct an international cybercrime investigation.
The first issue is, of course, who is first? One of the goals of the new funds and NCFI is to train the “first responders,” but who are the “first responders” in a case of cybercrime? Is it the local police precinct? The cop on the street? The cybercrime units? The pornography and obscenity cops? State police? District attorneys’ offices? Who responds “first?” For a fire, the first responders are the firefighters. For an active shooter, it may be the local cops or the SWAT unit. But who is it for cyber crimes? Do we want to provide cyber training for every street cop, and if not, then who gets the training and tools? Do we want every one-horse town to have a cyber capability, or is this reserved for larger cities, counties or localities?
In most cases, the actual first responder is the victim of the crime: the company that detects the data breach, the person who learns of the identity theft, or the ISP or MSP who detects the DDoS attack. The victim often fails to report the cybercrime to the “appropriate” authorities because they don’t know who those authorities are. That’s why a good deal of the training money appropriated to train local cops should also go to training the real first responders – victims – on what to do before they call the cops.
Who Gets Trained
Cybercrime investigation is a fairly specialized endeavor. It requires a knowledge of computer and communications technologies, computer forensics, evidence law and practice, as well as of the myriad players involved in getting data from point A to point B. For example, what are the data retention policies for ISPs in Bulgaria for retaining IP address information? How does a police department in Spokane, Washington compel an ISP in Philadelphia to produce documents and records? What is the difference between a search warrant, a subpoena, a 2703 order, a trap and trace, a pen register, a GPS device, and historic cell tower location records, and what do I need to get each of these – and from whom? Who do I contact to get someone’s Gmail information and what information do I ask for? How do I do forensics on an iPhone X? Can I require a fingerprint or facial exemplar to unlock an iPhone in Jersey City, New Jersey? Law enforcement agents need to be trained on a long list of things, including data retention and privacy rights of U.S. and non-U.S. persons. We are many years away from a consistently trained professional team of cyber investigators and prosecutors. Not to mention judges.
Training is a start, and a good one, if it’s the right training for the right people. Forensics is also a good start, if it’s the right stuff. But we should involve the entire community. White, black and grey hat hackers. Victims and civil rights organizations. ISACs and other information sharing organizations. Civil rights and civil liberties organizations. Professional forensics, licensing and certification organizations. Information security training organizations, community colleges, accredited colleges and universities, and other training and awareness groups. This is not just or even primarily a law enforcement problem, and we do ourselves a disservice if we treat it as such. It’s as much about training victims to work with cops as it is about training cops to work with victims.
Virtually every type of crime will have some sort of cyber forensics aspect to it. IoT and other monitoring devices will increasingly be evidence in court. Location data (both inculpatory and exculpatory) will be required to be preserved. Logs, chats and emails will be relevant in almost every case, as will evidence from police body and car cameras. The future police department will look less like RoboCop and more like Mr. Robot.