By Ben Gorban, Project Coordinator, State & Provincial Police Division, IACP
In a little over a decade, from 2000 to 2012, the number of Internet users around the world increased 566.4 percent, growing from 360 million to over 2.4 billion. This growth resulted in societies that are significantly more reliant on technology and more connected than ever before.1 This connectivity has facilitated the automation and storage of vast amounts of raw data and the use of increasingly complex analytic tools and technologies, has provided critical resources to improve operations and achieve greater efficiencies, and has dramatically increased information sharing capabilities. For all of the advantages associated with increased automation and greater connectivity, it has also rendered individuals, businesses, and law enforcement agencies much more vulnerable to cyber attacks, intrusions, and cybercrimes.
As IACP Immediate Past President, Chief (ret.) Craig T. Steckler recently noted, “businesses and individuals rely on computers for almost everything they do, making us all susceptible to national cyberthreats and cybercrimes.”2 In fact, it is the broad range of implications for both homeland security and hometown security that makes cybersecurity an increasingly key priority for state, local, tribal, and territorial (SLTT) law enforcement agencies. For SLTT law enforcement agencies, cybersecurity encompasses three spheres: (1) protecting and responding to individuals and businesses in their jurisdictions who have fallen victim to cyberthreats and cybercrimes; (2) protecting their own agency’s information systems, networks, online resources, and information; and (3) integrating state and local efforts with federal initiatives designed to enhance and ensure national security.3
Protecting Individuals and Industry
Two of the most common cybercrimes that specifically target individuals are social media fraud and spear phishing. The personally identifiable information available on many social media profiles—full name, date of birth, hometown, school and employment information, and even relationship status—can all be leveraged by criminals to steal identities, obtain false documents, open fraudulent bank accounts, obtain lines of credit, and even file fraudulent tax returns. Along similar lines, spear phishing is “the fraudulent practice of sending electronic messages claiming to be a legitimate company in order to induce individuals to reveal sensitive data such as user names, passwords, and credit card details.”4
Public and private industries are often the target of cyber intrusions and attacks. Public and private industries provide the hardware, software, and networks that support an ever-growing portion of our day-to-day lives. Shopping, banking and financial services, and utilities are increasingly moving online to streamline their processes and provide 24-hour accessibility to consumers. In many cases, these companies manage thousands of user names and passwords, credit and debit card information, and personal information such as names and shipping addresses, all stored on their networks, making them susceptible to cyber attacks and intrusions. Utility and power grids have also moved many day-to-day operations to networks and the Internet in an effort to save costs and streamline processes. This convenience, however, also makes these operations more susceptible to attacks and intrusions from outside parties.
It is the duty of SLTT agencies to “shield citizens and businesses from these threats and crimes.”5 Agencies and officers need to know what questions to ask, what information to collect, and how to file the appropriate reports. SLTT agencies should also know the appropriate contacts and channels of reporting with appropriate state and federal agencies that may be better equipped to conduct a full investigation when needed.
Protecting Agency Networks and Information
Advances in technology have also enabled law enforcement agencies of all sizes to leverage email, launch websites, and store troves of information electronically. A significant majority of SLTT agencies have already turned to computer-based automated records management systems (RMS), computer-aided dispatch (CAD) applications, and computer- and web-based crime analysis and reporting programs.6 Additionally, the availability of larger networks and the emergence and cost-effectiveness of cloud computing have facilitated the electronic storage of certain types of evidence, significant portions of case files, victim and perpetrator information, information about confidential informants and undercover personnel, criminal histories, and other sensitive data and information.
This landscape poses many security challenges for SLTT agency networks and information. SLTT agencies are being targeted by hacktivists and other criminals who seek to damage the ability of law enforcement to conduct their daily activities. According to a survey developed by the IACP Computer Crime and Digital Evidence (CCDE) Committee and the Canadian Association of Chiefs of Police (CACP), most respondents recognized that cyber attacks pose a real and serious threat to law enforcement.7 The survey (which was designed to better understand the nature of the cyberthreats facing SLTT law enforcement agencies, the actions these agencies have taken to combat the threat, and recommendations for additional actions to ensure the security of vital information resources) indicates that despite the awareness of the risks, only half of the responding agencies had implemented policies, practices, and technologies to sufficiently minimize their risk.8
The survey also indicated that some respondents were unable to answer questions about their agencies’ network security and potential breaches of agency information. A relatively high percentage of respondents indicated that they did not know the answers to a number of questions. Nearly 20 percent of respondents were unaware of whether their agency had ever been the victim of a cyber attack or intrusion. Even those who were aware that their agency had been the victim of a cyber attack or intrusion experienced difficulties in identifying the source of the attack.
In light of the fact that 25 percent of respondents revealed that one or more of their agency systems had fallen victim to an attack in which confidential information was accessed, it is critical that SLTT agencies and chief executives take steps to proactively protect their agency networks and information.9 Chief executives should be:
- Educated and aware of technology issues confronting their agencies. This includes understanding the general risks, being familiar with policy issues associated with cybersecurity, and being aware of critical steps to ensure that cybersecurity requirements are met by agency IT services;
- Involved in planning to assess and address vulnerabilities of agency information systems and resources, networks, infrastructure, and systems security. They should regularly conduct, or contract with government or industry partners to provide, assessments and stress tests that evaluate and identify gaps, vulnerabilities, and weaknesses in agency IT resources;
- Committed to ensuring that proper policies, practices, and technologies are developed, deployed, and rigorously enforced to mitigate risks, and ensure secure and resilient information systems; and
- Persistent in their efforts.
Ensuring the security of networks and information resources is an ongoing task. Assistant Chief Scott Duggan, of the Scottsdale, Arizona, Police Department, recently noted that “One of the greatest challenges facing policing today, is our ability to keep pace with changing technology, technology that will transform the law enforcement profession.”10 Keeping abreast of emerging threats and vulnerabilities and making sure that appropriate steps are taken within the department to address them are essential to maintaining robust and secure information systems and networks.
Supporting National Security Efforts
The efforts of SLTT agencies also contribute to and complement numerous efforts being conducted by federal law enforcement and intelligence agencies. The significance of the cyberthreats confronting the United States has been reinforced by Director of National Intelligence, James Clapper, and FBI Director, James Comey. In his unclassified annual threat assessment to Congress in March 2013, Director Clapper noted, “State and nonstate actors increasingly exploit the Internet to achieve strategic objectives, while many governments—shaken by the role the Internet has played in political instability and regime change—seek to increase their control over content in cyberspace.”11 This was reiterated by Director Comey, who noted, “We have connected all of our lives—personal, professional, and national—to the Internet. That’s where the bad guys will go because that’s where our lives are, our money, our secrets.”12
As demonstrated by the 2003 power outage that affected more than 50 million people in the United States and Canada, software malfunctions can cause massive problems and significantly affect the economy.13 While this malfunction was merely an accident, it highlights the potential implications and impacts that a successful attack could have on the United States. Although distributed denial of service (DDoS) attacks and other cyber intrusions have brought down or temporarily defaced a variety of local, state, and federal government websites, an attack with an impact similar to or greater than the previously mentioned power outage could bring the economy to a standstill. More worrisome, attacks and intrusions that successfully reach military and defense tactics and information, financial systems, and other important data could debilitate the United States.
As former FBI Director Robert S. Mueller noted earlier this year, “Improved collaboration and information sharing among federal agencies such as the CIA, NSA, DHS, and the FBI has been vital to our collective success against terrorism over the past decade. But equally critical to our success has been the integration of our state and local law enforcement counterparts through the establishment of Joint Terrorism Task Forces.”14 It is imperative that, as the challenges posed by cybercrimes and cyber attacks continue to emerge and expand, SLTT agencies recognize the important roles they play in addressing and countering these threats. The IACP Law Enforcement Cyber Center is designed to support SLTT law enforcement leaders by increasing their awareness, enhancing their knowledge, building their capacity, and expanding their access to tools and resources to effectively combat cybercrime.15
1World Internet Facts, as of June 30, 2013, http://www.internetworldstats.com/stats.htm (accessed November 5, 2013).
2Craig T. Steckler, “IACP Announces Stop.Think.Connect. Campaign Partnership with Department of Homeland Security,” press release, IACP, October 21, 2013, http://theiacp.org/About/WhatsNew/tabid/459/Default.aspx?id=2011&v=1 (accessed November 5, 2013).
3International Association of Chiefs of Police, Cyber Security: Addressing the Needs of Law Enforcement, October 2013, http://www.theiacp.org/portals/0/pdfs/CyberSecurityBriefFINAL.pdf (accessed November 5, 2013).
4“Glossary,” IACP Center for Social Media, http://www.iacpsocialmedia.org/Resources/GlossaryTerms.aspx (accessed November 5, 2013).
5Steckler, “IACP Announces Stop.Think.Connect. Campaign Partnership with Department of Homeland Security.”
6David J. Roberts and Karen Lissy, “Incident-Based Reporting—The Foundation of Effective Police Operations and Management,” Technology Talk, The Police Chief 80 (September 2013): 64–65, http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=display_arch&article_id=3068&issue_id=92013 (accessed November 5, 2013).
7The IACP Computer Crime & Digital Evidence Committee (CCDE) includes chiefs and other ranking law enforcement practitioners, private industry subject matter experts, and solution providers. CCDE is actively developing resources for law enforcement, including research assessing current practices, emerging trends, and strategic priorities, as well as the development of guides to cyber security for law enforcement and “Tech Minute” videos addressing cybersecurity, cyberthreats, and related topics. In addition to CCDE, a variety of other IACP committees guide and contribute to its efforts to assist law enforcement, including the Communications and Technology Committee, Criminal Justice Information System (CJIS) Committee, Terrorism Committee, Private Sector Liaison Committee (PSLC), and the Law Enforcement Information Management (LEIM) Section.
8Results of the survey were presented in a workshop at the 2013 LEIM Conference and Technology Exposition. Slides from the presentation are available at http://theiacp.org/Portals/0/pdfs/LEIM/2013Presentations/2013%20LEIM%20Conference%20Workshop%20-%20Technical%20Track%20-%20State%20of%20LEA%20INFOSEC.pdf (accessed November 5, 2013).
10“IACP Law Enforcement Tech Minute: The Current Climate in Cyber Security” YouTube video, 9:55, http://youtu.be/o295sAFxgEU (accessed November 5, 2013).
11James R. Clapper, Director of National Intelligence, Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community, Senate Select Committee on Intelligence, 113th Cong. (March 12, 2013), 1, http://www.intelligence.senate.gov/130312/clapper.pdf (accessed November 5, 2013).
12Greg Miller, “FBI Director Warns of Cyberattacks; Other Security Chiefs Say Terrorism Threat Has Altered,” National Security, Washington Post, November 14, 2013, http://www.washingtonpost.com/world/national-security/fbi-director-warns-of-cyberattacks-other-security-chiefs-say-terrorism-threat-has-altered/2013/11/14/24f1b27a-4d53-11e3-9890-a1e0997fb0c0_story.html (accessed November 5, 2013).
13Electricity Infrastructure Operations Center, Pacific Northwest National Laboratory, U.S. Department of Energy, “Looking Back at the August 2003 Blackout,” June 2013, http://eioc.pnnl.gov/research/2003blackout.stm (accessed November 5, 2013).
14Robert S. Mueller, “Working Together to Defeat Cyber Threats,” remarks at RSA Cyber Security Conference, February 29, 2013, http://www.fbi.gov/news/speeches/working-together-to-defeat-cyber-threats (accessed November 5, 2013).
15More details regarding recent IACP activities addressing cybersecurity, and the development of the IACP Law Enforcement Cyber Center, which is funded by the U.S. Bureau of Justice Assistance, can be found at http://www.theiacp.org/portals/0/pdfs/CyberSecurityBriefFINAL.pdf (accessed November 5, 2013).
Please cite as:
Ben Gorban, “Why Cybersecurity Should Be a Top Priority for Your Agency,” Technology Talk, The Police Chief 80 (December 2013): 88–89.