The Emerging Cyberthreat: Cybersecurity for Law Enforcement 


Reports of extensive data breaches or other elaborate cybercrimes are increasing worldwide. The complexity and scope of these cases can present challenges that might seem insurmountable for most local law enforcement agencies. Even more troubling, police departments are increasingly the targets of cyberattacks, either for criminal purposes or as acts of “hacktivism.”1

Malicious actors use cyberattacks on law enforcement and local government in attempts to exploit sensitive information or even induce a cascading impact to critical infrastructure in a region. Emergency services are highly dependent on communications, information technology (IT), and the capability to transport essential personnel and equipment to locations where they are most needed. Computer-aided dispatching; emergency alert systems; event tracking; monitoring transportation infrastructure; and the sharing of intelligence, alerts, and operational plans are all highly dependent on the ability to transmit information via the Internet.2

Law Enforcement Is a Target

An advanced persistent threat (APT) refers to persons engaged in technically sophisticated, stealthy, continuous computer hacking efforts, frequently orchestrated by international organized crime or adversarial nation states. An APT will often leverage malware to gain undetected access to an organization’s IT systems or to disrupt essential government services.3 Ransomware is a form of malware used to deprive users of access to critical data and systems. Once an organization’s systems are affected, the cyber criminals demand a ransom payment in exchange for purportedly providing an avenue for the victim organization to regain access to the data. Recent ransomware attacks have utilized phishing emails to fool end users into introducing malicious code into the victim organization’s network.4 Social engineering is utilized considerably more often by hackers than technical penetration. Put simply, it is easier to trick an unwitting person into letting hackers in than it is to defeat the security systems designed to keep them out.

In December 2016, a law enforcement agency near Dallas, Texas, was the victim of a ransomware attack when an employee clicked on a link in a phishing email that appeared to be from another law enforcement agency. The agency lost a substantial number of digital files, including video evidence.5 On March 22, 2018, a ransomware attack encrypted data on the City of Atlanta’s (Georgia) government servers, affecting various internal and customer-facing applications, including those of the Atlanta Police Department.6 During the same month, the City of Baltimore, Maryland, had its dispatch system taken offline for more than 17 hours due to a cyberattack.7 In October 2016, at least 12 U.S. states experienced denial of service attacks affecting public safety 911 centers.8

Law enforcement agencies across the globe have also experienced a rise in hacktivism. Acts of hacktivism often coincide with themes of grievance stemming from events such as the adoption of controversial policies; agency decisions that draw scrutiny; or other high-profile events that receive media attention, such as officer-involved shootings. Many officers responding to the civil unrest in Ferguson in August 2014 were “doxxed,” meaning their home addresses, social security numbers, and phone numbers were published online, posing a significant threat to their personal safety and that of their families.9 In another particularly alarming cyberattack on law enforcement, the ISIS-affiliated Caliphate Cyber Army disclosed personally identifiable information of 36 Minnesota police officers, and called for the officers to be killed.10

In 2016, GCN.com, a public sector IT periodical, and the International City/County Management Association conducted a U.S.-wide survey of local government cybersecurity. The data showed that local governments are under “near-constant attack.”11 The unauthorized access or loss of law enforcement data due to a cyberattack has serious operational and privacy implications. The importance of cybersecurity needs to be considered from multiple perspectives—those of employees, community members, crime victims, witnesses, informants, and prosecutors. A cyberattack could compromise an agency’s ability to protect life and maintain order, which could potentially affect the public’s confidence in local law enforcement, thus eroding trust and credibility.12

Many U.S. states have laws that mandate notification protocols if an organization suspects that their data have been breached in a manner that compromises the confidentiality of an individual’s personal information. Compliance can be both labor intensive and publicly embarrassing. Law enforcement agencies have an ethical obligation to maintain the security of their data and, increasingly, bear a legal obligation, as well. The monetary cost of a cyber breach could have substantial fiscal implications and disrupt essential government services for prolonged periods of time.

Cybersecurity in Police Departments

One of the critical issues facing all law enforcement organizations is the exponential increase in the various types of digital evidence the agencies need to collect and store, including reports, pictures, videos, and other electronic records. Police departments must secure digital evidence to ensure the integrity and authenticity of the information, while still providing access that offers verifiable accountability. Many law enforcement organizations rely on local government IT staff to ensure cybersecurity, despite having no direct control over the hiring processes of IT employees or the technology that they use.

It may seem natural to defer to IT professionals to protect a police department from a cyberattack; however, it is ultimately the responsibility of an agency’s leadership to ensure all aspects of security, including cybersecurity, are sufficient for the organization’s needs. If a police department’s system is compromised, the community, media, and elected officials will seek answers from the chief law enforcement officer, not the IT personnel. Furthermore, the associated criminal investigation will be the responsibility of the police agency and its law enforcement partners.13

It is paramount that police leaders collaborate with IT professionals to ensure priorities and strategies are not developed in organizational silos. Mutual goals must be agreed upon to prevent a cyberattack, and procedures must be clear if one does occur. Having relationships and expectations already established can help ensure an effective investigation will be conducted that still allows for the rapid recovery of affected files and systems.14 Recommended preventative strategies include the following:

• Implement awareness and training programs. As email users are often targeted, all employees should understand the threat of ransomware and how it is delivered.

• Patch operating systems, software, and firmware on devices, including cellphones.

• Confirm that there are no older devices attached to the organization’s network that might be using unpatched software at greater risk of compromise.

• Confirm that anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.

• Manage privileged accounts, adhering to the principle of least privilege (users should not have administrative permissions unless essential to their position).

• Adopt Office Viewer software to open Microsoft Office files transmitted via email instead of the actual Office applications, which can be more vulnerable to common exploits.

• Back up data regularly, verifying the integrity of those backup files and ensuring that they do not remain constantly connected to the networks that they are backing up.

• Leverage encryption when possible to ensure confidentiality and integrity.15

• Adopt practices that protect both local and wide-area networks from denial of service attacks.16
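The backup recommendation above asks agencies to verify the integrity of backup files, not merely to make them. The following added example (not from the article) shows one way to do that: record a SHA-256 manifest of a backup set when it is taken and keep the manifest off the backed-up network, then compare a later copy against it. Ransomware that reaches a backup volume typically rewrites every file and drops a note, so a verify pass that reports mass modification plus unexpected new files is a strong signal that the copy is no longer trustworthy. All paths and file contents are constructed inside a temporary directory.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root (forward slashes for portability)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the current contents of root with a manifest recorded earlier.
    The manifest should be stored offline so an intruder cannot rewrite it alongside the files."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "added": added,
            "ok": not (modified or missing or added)}


def demo():
    """Constructed scenario: record a manifest, then simulate one evidence file being
    encrypted in place and a ransom note being dropped, and verify again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "evidence"))
        for rel, data in (("evidence/cam1.mp4", b"video bytes"), ("report.pdf", b"pdf bytes")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        saved = json.dumps(manifest)  # stand-in for writing the manifest to offline storage
        with open(os.path.join(root, "evidence", "cam1.mp4"), "wb") as f:
            f.write(b"ciphertext")  # simulated in-place encryption
        with open(os.path.join(root, "README_DECRYPT.txt"), "w") as f:
            f.write("note")  # simulated ransom note
        return verify_backup(root, json.loads(saved))
```

Run `demo()` to see the report; a clean copy returns `ok: True` with three empty lists.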

The Need for Cybersecurity Awareness Training

Technology cannot defend against schemes when human users fail to scrutinize and report suspected social engineering methods, such as phishing emails. In July 2017, DigitalGuardian.com reported that 91 percent of successful cyberattacks are launched via a phishing email.17 Between 2014 and 2017, Michigan auditors conducted a covert simulated “phishing attack” on 5,000 randomly selected state employees to see how they would deal with a potential “threat.” One-third of the recipients opened the email; one-quarter of them clicked on the simulated malicious link; and almost one-fifth provided their user ID and password.18

It is imperative that staff receive cybersecurity training at every level of an organization and that the training be specifically tailored to their area of access and responsibility. End users need to be aware of legitimate-looking (but fake) email requests, hazards related to unapproved USB devices, proper password protocols, and preventative best practices such as dual-factor authentication. The following training is recommended based on role and tenure:

1. Basic digital awareness for academy recruits. This training block should cover topics such as best practices for digital evidence awareness and recovery and potential security vulnerabilities related to personal social media usage.

2. First responder training for incumbent officers that includes digital evidence awareness, emerging cybercrime trends, and digital forensics. The FBI LEEP portal offers a free online basic training curriculum that can be completed in less than six hours. The National White Collar Crime Center (NW3C) also offers free online cyber training for law enforcement.

3. Table-top scenario training for police leadership, IT professionals, and public information or media relations personnel to practice the collective response to a cyber incident. This exercise should include containment of the threat, restoration of essential services, data recovery, preservation of digital forensic evidence, and communication to internal stakeholders, the community, and the media.19

Employees must receive awareness training on best practices related to mobile devices, which should be mandatory for any devices that connect to an agency’s network. Users must understand the extent of permissions and access associated with applications that they install on their phones. Mobile applications can contain malware or serve as tools to harvest extensive information about users. Employees should also understand the risks of using unsecured Wi-Fi in places like coffee shops and hotels. Many employees are now using computer applications that sync with other devices, such as wearable fitness trackers. As such, they may keep their devices Bluetooth- and GPS-enabled at all times. Such practices create avoidable vulnerabilities that employees should be aware of.

Breach Response

Hacking techniques continue to evolve and become more sophisticated. It is not a defeatist stance to presume a police department’s technology will eventually be breached. Even with the most robust prevention measures in place, there is no guarantee against exploitation—so contingency and remediation planning are critical to ensure operational continuity and recovery following a cyberattack.20 The following steps are necessary to effectively respond to an incident:

1. Identify who is needed, and what they need to do, before an attack occurs.
2. Detect and analyze the nature of the attack.
3. Contain the incident with attention to preserving digital evidence.
4. Mitigate the threat and protect unaffected IT infrastructure.
5. Recover systems and data.
6. Prepare an after-action report and implement adjustments to prevent future incidents.

IT professionals in organizations that are victims of a cyber incident might prioritize reimaging machines that have been infected with malware. However, any evidence is forfeited in this process.21 Policies and practices must be adopted to balance preserving evidence of the crime with the need to restore data access and systems.

The FBI does not recommend paying a ransom if one becomes the victim of a malware attack. Paying a ransom does not guarantee an organization will regain access to their data; in fact, many organizations that experienced malware attacks were never provided with decryption keys despite paying a ransom. Paying an adversary emboldens them to target other organizations and provides for an environment that entices other criminals to become involved.22

It is imperative to prepare for and rehearse the response to a cyberattack. Past incidents have shown that virtually no organization has all of the resources necessary to mount a comprehensive response. If internal resources are insufficient, the services of external professionals may be necessary to manage aspects of the response. These needs might include detection, triage, digital forensics, evidence preservation, and network-based evidence processing. These specialized services will be less expensive if arranged in advance rather than procured during a crisis.23

Penetration Testing and Assessment

Third-party security audits are regarded as one of the most effective ways to test an organization’s ability to withstand a cyberattack. A penetration test can be used to identify areas where improvement is necessary. The U.S. Department of Homeland Security’s National Cybersecurity Assessment and Technical Services Section provides assistance of this nature to state and local governments free of charge.

The Importance of Partnerships

Partnerships between public safety, information security managers, and fusion centers can increase a region’s ability to detect, prepare, train for, and respond to cyberthreats.24 Such partnerships can be instrumental in sharing information about known threats, determining best practices, and leveraging combined resources in the event of an incident. In addition to relationships with public safety partners, it is essential for law enforcement to liaise with other sectors, particularly those in critical infrastructure, like transportation, energy, and health care.


Notes:

1 Chris Francescani, “Ransomware Hacks Blackmail U.S. Police Departments,” NBC News, April 16, 2016.

2 U.S. Department of Homeland Security (DHS), The Emergency Services Sector-Specific Plan, an Annex to the NIPP 2013 (Washington, DC: DHS, 2015).

3 Dell SecureWorks, “Advanced Persistent Threats: Learn the ABCs of APTs – Part A,” 2016.

4 Internet Crime Complaint Center (IC3), Ransomware (Fairfax, VA: FBI, 2016).

5 Jason Trahan, “Cockrell Hill Police Lose Years Worth of Evidence in Ransom Hacking,” WFAA, January 25, 2017.

6 Susan Miller, “So Far, Atlanta’s Ransomware Costs Top $2.6 Million,” GCN.com, April 24, 2018.

7 Donald Norris et al., “Local Governments’ Cybersecurity Crisis in 8 Charts,” GCN.com, April 30, 2018.

8 DHS, “Intelligence Note: Telephony Denial of Service Against Public Safety Answering Points,” May 2017.

9 Aaron Boyd, “Alert: Public Officials at Increased Risk of Hacktivist Attacks,” Federal Times, April 23, 2015.

10 Libor Jany, “Local Authorities, Feds Investigating Alleged ISIL ‘Kill List’ for Minnesota Law Enforcement,” Star Tribune, March 15, 2016.

11 Norris et al., “Local Governments’ Cybersecurity Crisis in 8 Charts.”

12 IACP, Managing Cyber Security Risk: A Law Enforcement Guide (August 2017): 3.

13 IACP, Managing Cyber Security Risk, 3.

14 IC3, Ransomware.

15 National Security Agency (NSA), Defense in Depth, 2010.

16 NSA, Defense in Depth.

17 Anas Baig, “91% of Cyber Attacks Start with a Phishing Email: Here’s How to Protect against Phishing,” Digital Guardian, July 26, 2017.

18 David Eggert, “1 in 3 Michigan Workers Tested Opened Fake ‘Phishing’ Email,” Associated Press, March 16, 2018.

19 IACP, Managing Cyber Security Risk, 6.

20 IACP, Managing Cyber Security Risk, 7.

21 Police Executive Research Forum (PERF) and Bureau of Justice Assistance, The Utah Model: A Path Forward for Investigating and Building Resilience to Cyber Crime, 2017.

22 IC3, Ransomware.

23 IACP, Managing Cyber Security Risk, 7.

24 Cyber Advisory Group, “Cyber Annex to the Regional Emergency Coordination Plan” (Washington, DC: Cyber Advisory Group, Metropolitan Washington Council of Governments, 2014).


Please cite as

Christian Quinn, “The Emerging Cyberthreat: Cybersecurity for Law Enforcement,” Police Chief online, December 12, 2018.