By Keith D. Squires, Commissioner, Utah Department of Public Safety
Left to right: Keith D. Squires, commissioner, Utah Department of Public Safety; Michael Chertoff, principal, The Chertoff Group, and former secretary of U.S. Department of Homeland Security; Joseph Demarest Jr., assistant director, Cyber Division, Federal Bureau of Investigation; and Bart Johnson, executive director, IACP. (Cyber Attacks Plenary Workshop, IACP 2013)
The advent of the Internet created great opportunities for mankind to share information, expand knowledge, develop new commerce, and make the world seem smaller and more connected. Unfortunately, it also provided a new environment ripe for criminals to target all types of victims. As this new technology expanded, so did the various ways that criminals use cyberspace to attack individuals, corporations, and governments. In the United States, these crimes have been largely left to the federal law enforcement agencies for investigation and prosecution with limited exceptions. The challenges of investigating cyber-related crimes are many. Suspects and victims cross local, state, and international jurisdictions. Until recently, whenever state and local law enforcement agencies discussed cyber issues, it was generally about cybersecurity, which is the process of taking defensive actions to protect agency computers and databases from attack. This article will describe how these agencies are beginning to partner with federal agencies to engage various cyber criminals through proactive enforcement.
In 2007, the author was appointed to his previous position as deputy commissioner of the Utah Department of Public Safety (UDPS) and the Governor’s Homeland Security Advisor. With limited resources and all of the services that the UDPS was responsible for statewide, not having to engage in cybercrimes investigations was easy to accept. Many cyber attacks against the State of Utah databases were taking place at that time. The Utah Department of Technology Services (DTS) is the agency that detects and protects the state from these cyber attacks, and their protocol was to report the intrusions and more significant attempts to the Federal Bureau of Investigation (FBI).
Beginning in 2010, DTS began to alert the UDPS deputy commissioner of increasing cyber attacks against the state. Those numbers of attacks continued to rise exponentially in the next years with increased sophistication. The spectrum of cyber attackers perpetrating crimes against Utah interests includes individual cyber criminals, domestic and international criminal organizations, hacktivist groups with political and social agendas, and state-sponsored activity directed by foreign governments. These cyber attacks can have a significant impact on a state, its residents, government officials, and businesses. For instance, in 2009, $2.5 million was electronically diverted from a State of Utah account to a private account in Texas.1 Once detected, DTS and the Utah State Department of Finance were able to prevent full distribution, but approximately $300,000 was never recovered. DTS communicated with counterparts in Texas and identified a computer routing that may have had ties to other crimes. Through their shared state-to-state information, DTS officials believed the theft had been committed by a criminal organization operating in that state; nonetheless, the case did not result in a successful investigation.
In January of 2012, the Utah legislature was in session. Senator Karen Mayne sponsored a bill intended to assist law enforcement agencies in curbing street gang activity. A loosely organized hacktivist group known as Anonymous identified the proposed law as unjust and targeted the sponsor as well as the Salt Lake City Police Department (SLCPD) in an apparent effort to thwart the bill’s passing. Criminal actors tied to Anonymous were able to access and exploit personal information from the senator. They also attacked the SLCPD’s website, accessing information from citizen reports on criminal activity and other information, and caused the website to be taken out of service as a result of the attack. A spokesperson representing Anonymous communicated its rationale (its opposition to the bill) for the attacks.2 Previously that same month, Anonymous claimed responsibility for accessing information from the Utah Chiefs of Police Association website and taking it down for another cause.
In March 2012, international criminals were able to break into a Utah Department of Health Medicaid server and download the personal information of approximately 780,000 Utah residents. To date, it appears that none of the extracted information has been used for further criminal purposes, but the State of Utah has spent over $3.4 million in mitigating this cybertheft and over $5 million in security assessments and upgrades.3 The Utah attacks have also been directly connected to national security—certain foreign governments that were attempting to access sensitive information also targeted UDPS administrators, staff, and computers. The sophistication of these types of attacks can be impressive, which makes them all the more dangerous. For example, in one case, the foreign actors were able to communicate using the official state email account of one of the commissioner’s deputy directors. From there, they attempted to obtain access to other classified government accounts and information. This activity was invisible to the legitimate user of the email address.
These are just a few examples of an ever-increasing number of cyber attacks being perpetrated against Utah’s government agencies and public interests. They help illustrate the impact that this type of crime is having on state and local law enforcement agencies and the governments they represent. Cyber attacks against the State of Utah and its databases have been steadily increasing in recent years. In 2010, DTS reported peak levels of attacks against Utah state databases at between 25,000 and 30,000 in a 24-hour period. By early 2013, those numbers had increased to approximately 80 million, and by November 2013, over 300 million cyber attacks were taking place on some days. UDPS believes that these exponential increases represent worldwide attention that was increasingly being directed towards Utah because of a data center being constructed near Salt Lake City by the National Security Agency (NSA).
The Utah State Engagement
In January 2012, UDPS administrators brought together senior leadership from its State Bureau of Investigation, Statewide Information and Analysis Center (the state’s fusion center), and the DTS. Also included was the state’s chief information security officer (CISO). The CISO’s team of technology specialists who monitor and protect the state databases and networks looked historically at the high number and nature of the attacks against the state and identified that the FBI was able to investigate only a very small number of cases due to the limited resources and high thresholds for victim loss. UDPS administrators determined that although they did not have any new resources for cybercrime enforcement, it was important that they explore their potential to investigate this criminal activity. UDPS investigators and intelligence analysts began working with the state’s technology specialists to identify the best ways to share information and investigate the cybercrimes that were impacting the state. Although UDPS had been participating in Internet Crimes Against Children and Innocent Images Task Forces, as well as the FBI Regional Computer Forensics Lab, investigating myriad cybercrimes was uncharted waters for state law enforcement.
A key element for success with state law enforcement’s engagement into cybercrimes investigations will be utilizing the expertise of the state’s chief information officers (CIOs) with the database surveillance and protection work accomplished by their CISOs. Identifying the perpetrators of cyber attacks against a state and analyzing their methods can provide insight into what the private sector is experiencing. During 2012, UDPS began to work closely with DTS and the state CISO. They examined the various attacks on the state’s databases and discovered that some attackers were also going after other targets in various states. As a result of their monitoring, they identified public safety agencies around the United States that had been successfully hacked. In these cases, the victim agencies were not aware that their information had been extracted and was being exploited. As Utah officials contacted these agencies, they shared information on where the victim agencies’ data were being posted, what steps they could take to mitigate the damage, and how they could protect their systems in the future. The first thing Utah identified was that, unlike other criminal cases that state law enforcement agencies work state-to-state, there were not corresponding state police units with cybercrimes expertise to interact with. Working together with shared knowledge and expertise provides opportunities to effectively investigate individuals and organizations that are operating across state lines, yet within individual state criminal jurisdictions. Additionally, the established state-to-state networks for sharing criminal information via fusion centers and investigating crimes such as drug interdiction have become very coordinated and effective in recent years.
UDPS shared its project information with law enforcement agencies in other states through its affiliations with the International Association of Chiefs of Police (IACP), the Association of State Criminal Investigative Agencies (ASCIA), and the National Network of Fusion Centers. In November of 2012, an ASCIA conference call resulted in 30 states voicing interest in identifying ways to build cyber capacity and expertise within their law enforcement agencies so that they can identify best methods for working cases together in the future. An ASCIA cybercrimes working group was formed and is advancing this effort. In December of 2012, IACP hosted the first national cybercrimes enforcement meeting that brought together all of the various stakeholders from federal, state, and local agencies along with the Multi-State Information Sharing and Analysis Center known as MS-ISAC. At that meeting, UDPS presented information on their project and preliminary findings. This multidisciplinary meeting served as a platform for other meetings and the additional progress taking place today.
The FBI and Utah Department of Public Safety Cybercrimes Pilot Project
Over the last few years, the number of high-profile cyber-related intrusions has increased in the state of Utah—public safety agencies, government officials, private businesses, and individuals have increasingly been victimized by various cyber attacks. This rapid increase and expansion of cyber-related criminal activity inundated FBI Regional Cyber Task Forces with numerous investigative requests, and consequently (due to limited resources), the minimum threshold for investigative action by the FBI has increased. As a result, many states and localities have begun to include cyber-related investigations as a part of their investigative strategies.
In early 2013, UDPS Commissioner Keith Squires met with FBI Deputy Director Sean Joyce and Deputy Director Joyce’s senior leadership in Washington, DC. Commissioner Squires shared information regarding Utah’s and ASCIA’s engagement in cybercrimes enforcement and discussed increased FBI partnerships. FBI leadership proposed the establishment of a cybercrime pilot project in Utah between the UDPS and the FBI Salt Lake City Field Office, a concept supported by UDPS. In addition, UDPS administrators travelled with FBI leadership to their Internet Crime Complaint Center (IC3) facility in West Virginia, and they were very impressed with the IC3 team and resources available to assist them. The FBI advised that Internet fraud and other Internet-based crimes for profit cause billions of dollars in losses each year; and in 2012, victims of Internet crime reported over $500 million in loss to IC3.4
UDPS leadership petitioned the Utah governor to include additional full-time employees in the 2013 budget to enhance the UDPS cyber-related mission. Additionally, presentations were provided to the Utah legislature, which then authorized the provision of additional resources for this endeavor.
This pilot, Operation Wellspring, is designed to enable the UDPS to assist the FBI in the investigation of cyber-related crimes at all levels, with specific opportunities to address criminal activity that does not appear to meet the minimum threshold for an FBI investigation. The initial focus of the pilot project is on Internet fraud and criminal intrusion, with expansion to national security planned upon issuance of appropriate security clearances. This innovative partnership between the FBI and the Utah Department of Public Safety brings personnel and resources together to improve the ability to fight cybercrime at the national, state, and local levels.
Operation Wellspring began in July 2013 with the following partners:
- FBI, Salt Lake City Field Office
- Utah Department of Public Safety’s State Bureau of Investigation and Statewide Information and Analysis Center (state fusion center)
- Internet Crime Complaint Center (IC3)
The IC3 is the lead entity for the receipt of complaints about Internet fraud taking place around the United States. IC3 aggregates cyber-related complaints received from citizens, law enforcement agencies, and other sources of information and identifies the most egregious (most victims, high-dollar loss amounts, etc.) and workable complaints, as well as commonalities among complaints. This information is analyzed, packaged, and provided to the task force lead. IC3 provides link analysis showing relationships between suspects and various victims in multiple jurisdictions. Some complaints may come in through the local FBI field office, UDPS, or local agencies, but the majority of the information is provided via the IC3. Having victims and law enforcement agencies report cybercrimes to IC3 through their website at www.ic3.gov is essential to the process and success of future investigations nationwide.
IC3 provides its investigative packages for review by task force members, including representatives from the UDPS (three investigators and two analysts) and FBI personnel. For potential cases that meet the FBI threshold, FBI representatives are assigned as the lead investigators; for cases that do not, at least initially, meet the FBI threshold, UDPS personnel are assigned as the lead investigators. However, all cases are worked in a coordinated manner, with knowledge and expertise shared across all investigative and analytic activities.
Training for this pilot project is a work in progress. A majority of the formal training for the state personnel has been online and through personal training from their FBI counterparts, but UDPS officers have participated in some on-site training at IC3 (at the West Virginia office). UDPS personnel are also attending cyber-related courses provided by the Department of Homeland Security (DHS) through the U.S. Secret Service at the National Computer Forensics Institute in Hoover, Alabama. Efforts are under way to develop a training program for task force partners that will address existing computer intrusion techniques (including Internet fraud) to further enhance the knowledge, skills, and abilities of investigators and analysts.
Results of Operation Wellspring
This project is demonstrating promising returns on investment for all stakeholders. Integrating UDPS personnel into the FBI task force has enhanced and increased resources to address cybercrimes at all levels and is having a positive impact on investigative activity and in building partnerships. This effort has also increased coordination among agencies, reducing duplication and redundancy while enhancing productivity and expertise. Early on in the pilot, FBI officials encouraged UDPS to use all of its regular resources in order to expand networks and improve information sharing related to Internet-based criminal activity. Utah is using its state fusion center to expand its cyber investigative, education, and protective efforts with local public safety agencies, the National Network of Fusion Centers, DHS, the public, the private sector, and other partnering stakeholders. Prosecutors are being identified at the state and local level as cases are being developed, so that state laws can also be enforced.
FBI regional representatives have reported that the pilot has exceeded expectations, and there is a need for this program throughout the United States. They have found it very beneficial to have the joint task force addressing cybercrimes that were previously below the threshold and not being fully investigated, and they are looking at the next agencies and areas of the United States in which to expand the program. UDPS representatives report that cooperation and partnership from the FBI headquarters and field office have been exceptional. This has generated excitement about increased and enhanced information sharing between agencies. Recent media stories on this pilot project in Utah have garnered excellent support from the public and many elected officials.5 This design will allow cybercrime victims to have many more opportunities for their cases to be investigated and increase the ability for law enforcement agencies to successfully prosecute and, thus, create greater deterrence.
1 Andrew Adams, “Thieves Steal $2.5 Million from State Funds,” KSL News, February 12, 2009, http://www.ksl.com/?nid=148&sid=5575095 (accessed November 29, 2013).
2 Amy Joi O’Donoghue, “Group Hacks into SLCPD Website over Graffiti Bill,” KSL News, January 31, 2012, http://www.ksl.com/index.php?nid=960&sid=19077893&fm=related_story&s_cid=article-related-3 (accessed December 1, 2013).
3 Kirsten Stewart, “Report: Utah Health Data Breach Was a Costly Mistake,” Salt Lake Tribune, April 29, 2013, http://www.sltrib.com/sltrib/news/56210404-78/security-breach-health-data.html.csp (accessed November 30, 2013).
4 Information provided by FBI Cyber Division to author, October 2013.
5 Participant interview information provided by Michelle Miller, Institute for Intergovernmental Research, December 11, 2013.
Please cite as:
Keith D. Squires, “Cybercrimes Enforcement: A State Perspective,” The Police Chief 81 (February 2014): 42–45.