While cybercrime has often been thought of as a "federal matter," more and more local law enforcement agencies are starting to address and investigate crimes such as card-skimming, email compromises, or EFT fraud cases that are affecting their communities.
We spoke with Maggie Brunner, research associate at the Police Executive Research Forum (PERF), to understand more about cybercrime, its impact on law enforcement agencies, and its ever-expanding presence in our society.
Justice Clearinghouse Editors (JCH): Cybercrime, hacking, phishing attacks… They all seem to be perpetually in the news these days. Help us make this a little more manageable. How do these actions affect LOCAL law enforcement?
Maggie Brunner: Cybercrime is affecting all sectors of society—individuals, businesses, government. But there are special considerations for local law enforcement, from trying to help victims of complex internet crimes to trying to protect sensitive information that they are responsible for.
For any police officer who has sworn to uphold the Constitution and protect the public, the idea of people being victimized online with little recourse is reprehensible. Even though many financial institutions choose to write off cyber crime losses as a business expense, these crimes are not victimless. Business losses affect the whole economy, and losses are being passed along to consumers. And from an individual perspective, it can take years for a person to recover from crimes like identity theft. Cyber crime is also not exclusively financial. Online harassment, “swatting,” and “revenge porn,” for example, can have profound impacts on victims’ emotional and physical well-being. State and local police have a fundamental duty to protect people from the range of crime they are facing online.
Local police agencies also need to be cognizant of their role as safeguarders of sensitive information. Police databases include information about criminal suspects, confidential informants, or body-worn camera footage that can infringe on people’s privacy if it is released. Police agencies are also employers, and if their personnel records are compromised, it can threaten the safety of officers and their families.
Experts believe that police departments are the victims of purposeful hacking or intrusion more often than any other government entity, which may reflect the large amounts of sensitive information they possess. High-profile incidents like an officer-involved shooting or a sensationalized criminal case can result in interested parties or hacktivists trying to hack into police systems. And if there is a successful ransomware attack or hack of a police database, criminal investigations and convictions may be called into question.
Tight budgets also can play a role in police priorities. Information Technology budgets are often first on the chopping block when there are competing interests like putting more patrol officers on the street, or hiring more homicide detectives. Many local police departments also may have IT under the control of other government entities, which can be challenging.
Altogether, there is a range of ways that cybercrime affects state and local police departments that require a wide variety of responses.
JCH: How big of an issue is this for a local police department in terms of increased numbers of investigations?
Maggie: Part of the problem is that there are no good statistics on these issues. Cyber crime is grossly underreported, with victims not knowing how to report it, being unmotivated to report it, or simply unaware that they have been victimized. For example, a cyber criminal may gain access to a network system for months before IT administrators discover the intrusion. And if they do, it may be in an individual’s or a company’s best interest to keep the intrusion private.
In terms of police agencies’ crime reporting, many of the current systems like the Uniform Crime Reporting (UCR) Program are ill-equipped to measure cyber crime in a clear fashion. So agencies vary in how they report and classify many cyber crimes.
We do have some statistics that can hint at the depth of the problem. For example, the Internet Crime Complaint Center (IC3) reported it received 298,728 complaints in 2016 of internet crimes with an estimated $1.3 billion in losses. But only an estimated 10 percent of fraud victims report their crimes to IC3.
Anecdotally, local police agencies report a significant increase in cyber crime and computer-enabled crime. More and more, individuals are turning to their local police stations to report their victimization, even if it is not representative of the whole picture. One promising trend is that state and local police agencies are deepening partnerships with private-sector organizations, including financial institutions, to increase reporting and to stay abreast of trends in cybercrime.
Even if you were able to measure the true extent of cyber crime, it would not give a picture of how many investigations are opened. Cyber crimes are so numerous that there is a fundamental truth in all investigative agencies: the volume and difficulty of the cases make it impossible to address every lead or report. Part of the difficulty is the capability of the internet to allow criminals to act with anonymity. Cyber crime investigators must do an extensive initial assessment of a report to ensure that there is enough evidence to even pursue an investigation.
JCH: Conversely – we know state and local government agencies can also become the targets of “hacktivists” etc. How many law enforcement agencies have been hacked or targeted?
Maggie: This is incredibly difficult to quantify, as there is no official government data on successful hacks against police networks. In 2014, PERF conducted a voluntary survey of its members, and 18 percent of respondents stated they have been victims of a cyber attack. But in the realm of cybercrime where things evolve so quickly, those figures are likely outdated now. If the survey were conducted again today, we believe that number would be much higher.
We suspect every agency in the country has faced some sort of attempted hack (after all, a phishing attempt intercepted by a firewall could qualify as an attempted hack). Like successful intrusions, there is no official data on attempted hacks.
JCH: How can police departments proactively begin to build a Cyber Investigations competency within their organizations? If you were to coach a department on how to get started, what’s the first step?
Maggie: There are a great number of considerations that police departments must be aware of when they build a cyber investigation capacity. Here are the most important steps in order to build a cyber capacity from the beginning:
- For many, the first step is securing funding for such efforts. Several police agencies across the country have obtained dedicated funding from state resources to supplement their regular budgets. Cyber crime units can be more expensive than other traditional units with the training and equipment required, so for many agencies, their current budgets are not equipped to absorb the additional work. Agencies that have been successful in obtaining funding have had to make the case with statistics, case studies, and arguments about how they believe cyber investigative units are crucial public safety resources. Policymakers, politicians, and police executives who may be unfamiliar with cyber crime need education from law enforcement leaders.
- Finding the right personnel for a cyber unit is also challenging. What is the right mix of civilian analysts and investigators? It can take police officers a significant amount of time to get trained on cyber investigations, and a longer period of time to feel proficient. With that in mind, police should carefully select the appropriate personnel who can gain the technical skills, and assemble a team who will not all promote out of the unit at the same time. For civilians, it can be a challenge to find seasoned professionals who want to work for law enforcement, where compensation is typically lower than the private sector. So police executives should prepare for high turnover of their civilian staff. Police should also proactively put in place performance measures and metrics that account for the realities of cyber crime. For example, clearance rates may not be an accurate metric, considering the great possibility of the internet for anonymization.
- Police executives will also need to find and pay for the appropriate training to give their investigators the baseline set of skills necessary for cyber crime investigations. One such solution is sending investigators to the United States Secret Service’s National Computer Forensics Institute in Hoover, Alabama, whose training is free for state and local law enforcement. There is a range of other training opportunities available for state and local law enforcement.
JCH: In your experience, what are the biggest roadblocks to a department building a cyber investigations area of expertise? How can this be overcome?
Maggie: One of the biggest challenges for state and local police agencies investigating cyber crime is its multi-jurisdictional nature. If there is a victim in one state and a perpetrator in another, which law enforcement agency “owns” that case? How do you prosecute cases that touch multiple locations and agencies? When the perpetrator is located abroad, how do you get probative digital evidence and how do you arrest someone in a foreign country?
Leveraging partnerships with federal agencies is an essential step for local and state agencies to effectively address the jurisdictional challenges associated with cyber crime. For example, the FBI can serve as a liaison to help agencies find state and local counterparts across the country and provide investigators with technical subject matter expertise. The FBI can also provide state and local agencies with a Legal Attaché for a foreign country where a suspect or evidence is located, who can help assist them with requests to obtain data. Agencies like ICE Homeland Security Investigations can help facilitate dark web investigations for international contraband like guns or drugs coming from overseas, which has been particularly important for law enforcement trying to build cases against individuals importing fentanyl from China and contributing to the opioid crisis. Partnering together allows state and local agencies to have what one PERF member called “local insight with a global reach.”
Another unusual aspect of cyber crime is that the eventual prosecution may end up in a different jurisdiction than the one that investigated the matter. This reflects not only the difficulty in dealing with multi-jurisdictional crime, but also the police commitment to pursuing cyber crime cases wherever they will have the best chance at success. Two years ago, the New York Times did a great piece about a cyber investigation where a gamer in Canada had perpetrated several swatting incidents against U.S. victims. Eventually, a U.S. detective built a case against the youth and turned the case over to Canadian prosecutors, who were able to get the juvenile the help he needed. Stories like that demonstrate the creativity of state and local investigators who are able to make a real difference for victims of cyber crime.
JCH: What organizations have done this well? Can you point to any case studies?
Maggie: Fortunately, there are many organizations that have taken a proactive approach to cyber crime and have established successful units.
PERF recently released a report, The Utah Model: A Path Forward for Investigating and Building Resilience to Cyber Crime, that highlights the efforts of the Utah Department of Public Safety’s Cyber Crimes Unit. The report breaks down the department’s steps in establishing its cyber crime unit, including its foundational philosophy and initial considerations; criteria for prioritizing which cyber incidents to investigate; changes the department has made internally to account for the special nature of cyber crime investigations; and partnerships with the private sector and FBI that were put in place to work multijurisdictional cases.
The report details the agency’s promising practices and lessons learned from its pilot program of Operation Wellspring, a partnership between IC3, FBI field offices, and state and local law enforcement agencies. The department is also implementing steps to integrate cyber concerns into state-level incident response planning. In short, Utah DPS has taken a proactive approach to cyber that sets out an effective model for the rest of the United States.
Through the course of our research, we also looked at other agencies that participate in Operation Wellspring and have found success investigating computer-enabled financial crimes. PERF spoke with the NYPD’s Financial Crimes Team, which has a cyber unit embedded in the FBI Cyber Task Force (New York City). Combining the FBI’s technical cyber expertise with the NYPD investigators’ extensive fraud experience has resulted in a force multiplier for each agency. As a result, the unit has been able to recover tens of millions of dollars in the past 2-3 years.
PERF also spoke to the Computer and Technology High-Tech Response Team (CATCH) located in San Diego under the San Diego County District Attorney’s Office. The team includes representatives from approximately 13 different agencies, and pools together a wide range of expertise in investigating cyber and computer-enabled crimes. This means that cases in the region are easily de-conflicted, and investigators can work closely with prosecutors from the onset of an investigation. The CATCH team, in the course of its 17-year existence, has been able to establish strong working relationships with the private sector to increase reporting and heighten its knowledge of current cyber incidents affecting the greater population.
JCH: What do you think is the biggest myth or misconception police departments have about cybercrime?
Maggie: The biggest misconception that some state and local agencies have is that confronting cybercrime is only under the purview of the federal government.
The reality is that the federal government does not have the resources to pursue every cyber case. Perhaps a better division of labor would be for the federal government to investigate cyber-terrorism or complex intrusion cases rather than low-level computer-enabled crimes.
For too long, state and local law enforcement agencies have been ill-equipped to take a role in fighting cyber crime. But with a steady increase in computer-enabled crimes affecting the entire economy, the time for state and locals to invest in cyber units is now. Many jurisdictions are concerned about increased victimization of their elderly residents, and some cities are reporting that traditional criminal street gangs are moving into computer-enabled financial crimes.
So while there still may be a perception that federal law enforcement is better positioned to confront cyber crime, the tide is starting to change. More state and local agencies are standing up cyber capacities within their agencies.
JCH: Tell us a little about your organization, The Police Executive Research Foundation (PERF), how you became involved in the topic of cybercrime and the resources you provide law enforcement agencies.
Maggie: Founded in 1976 as a nonprofit organization, the Police Executive Research Forum (PERF) is a police research and policy organization and a provider of management services, technical assistance, and executive-level education to support law enforcement agencies. PERF helps to improve the delivery of police services through the exercise of strong national leadership; public debate of police and criminal justice issues; and research and policy development.
PERF became involved in the topic of cyber crime because our members, who include police department leaders from across the country, considered it a pressing issue. They asked us to facilitate the sharing of promising practices in this area. PERF has several practitioner-friendly publications in the area that are useful resources to state and locals looking to establish or improve a cyber crime unit. For example, our 2017 publication, The Utah Model: A Path Forward for Investigating and Building Resilience to Cyber Crime, is a foundational resource for state and local agencies that provides a case study of successful practices for standing up a cyber crimes unit. And our 2014 report, The Role of Local Law Enforcement Agencies In Preventing and Investigating Cybercrime, was an early effort to define some of the issues.
PERF is also a partner in the DOJ’s Bureau of Justice Assistance Law Enforcement Cyber Center. The Law Enforcement Cyber Center is an open source, online repository for all state and local police agencies on cyber training, news, and resources.