U.S. Department of Justice Office of Justice Programs National Institute of Justice National Institute of Justice Research Report
Electronic Crime Needs Assessment for State and Local Law Enforcement U.S. Department of Justice Office of Justice Programs 810 Seventh Street N.W. Washington, DC 20531
Office of Justice Programs National Institute of Justice World Wide Web Site World Wide Web Site http://www.ojp.usdoj.gov http://www.ojp.usdoj.gov/nij Electronic Crime Needs Assessment for State and Local Law Enforcement
Hollis Stambaugh David S. Beaupre David J. Icove Richard Baker Wayne Cassaday Wayne P. Williams
March 2001 NCJ 186276 Project Management Team
National Institute of Justice Saralyn Borrowman Amon Young
TriData Corporation Hollis Stambaugh Teresa Copping
U.S. Department of Justice Wayne P. Williams (retired)
U.S. Department of State David S. Beaupre
U.S. Navy Space and Naval Warfare Systems Center, Charleston, Security Department Wayne Cassaday Richard Baker
U.S. Tennessee Valley Authority Police David J. Icove
This program was supported under award number 98ÐDTÐRÐ076 to the Tennessee Valley Authority by the National Institute of Justice, Office of Justice Programs, U.S. Department of Justice. Findings and conclu- sions of the research reported here are those of the authors and do not necessarily reflect the official posi- tion or policies of the U.S. Department of Justice.
The National Institute of Justice is a component of the Office of Justice Programs, which also includes the Bureau of Justice Assistance, the Bureau of Justice Statistics, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime. iii
Preface
Just as the Industrial Revolution brought unprece- response team] has increased from 1,334 in dented opportunity two centuries ago, so too has 1993 to 4,398 during the first two quarters the Information Age. But the astronomical rate at of 1999.3 which global technology has grown has opened new windows of opportunity for crime as well as Attacks against computer systems or networks are economic progress. In 1996, the U.S. Department not new. One of the first highly publicized national of Justice said: electronic crime incidents occurred in November 1988. Then 23-year-old student Robert Morris Whether [technology] benefits us or injures launched a virus on the Internet. The “Morris us depends almost entirely on the fingers on Worm,” as it later became known, caused parts of the keyboard. So while the Information Age the Internet to collapse and drastically hampered holds great promise, it falls, in part, upon law electronic communications. Eventually, it infected enforcement to ensure that users of networks more than 6,000 computers of the roughly 60,000 do not become victims of New Age crime.1 systems linked to the Internet at the time. Many corporations and government sites disconnected The rapid proliferation of computer systems, themselves from the Internet as news of the inci- telecommunications networks, and other related dent spread. Costs to repair the infected systems technologies that we rely on daily has created com- were estimated to be approximately $100 million. plex and far-reaching interdependencies as well as The temporary loss of confidence in the Internet concomitant, widespread vulnerabilities. extracted a cost that reached far beyond the direct monetary losses. Morris was sentenced to 3 years’ Media reports of cyberthreats, whether perpetrated probation and a $10,000 fine, a relatively light sen- by hobbyist hackers, international terrorist organi- tence compared with the penalties that would apply zations, or trusted employees, are increasing. today. According to a report released in 1998 by the Center for Strategic and International Studies: In a current case, the Federal Bureau of Investigation (FBI) is investigating a gang that refers to itself as Almost all Fortune 500 corporations have “Global Hell.” The group is accused of hacking into been penetrated electronically by cybercrimi- the Web sites of the White House, the FBI, the U.S. nals. The FBI estimates that electronic Army, and the U.S. Department of the Interior, crimes are running at least $10 billion a year. among others. At least two gang members have been But only 17 percent of the companies victim- convicted as a result of a nationwide law enforce- ized report these intrusions to law enforce- ment investigation targeting more than a dozen sus- ment agencies.2 pects. Thus far it appears as though Global Hell is more concerned with gaining notoriety for defacing In addition, a recent U.S. General Accounting prominent Web sites than with destroying or captur- Office report on computer threats cites: ing sensitive information. Even so, Federal law enforcement officials had to spend hundreds of hours [T]he number of reported incidents handled tracking down members of this gang. Investigating by Carnegie-Mellon University’s CERT electronic crime is time consuming and costly—a [Computer Emergency Response Team] problem most State and local investigators and Coordination Center [a federally funded computer forensic specialists are confronting. Any iv potential for growth in electronic crime raises serious businesses increasingly are engaging in economic concerns about the capability of law enforcement espionage, and cyberterrorists exploit vulnerabilities resources to keep pace. in our Nation’s critical infrastructures.
In another high-profile case that attracted nation- The 1997 report of the President’s Commission on wide attention, State and local law enforcement offi- Critical Infrastructure Protection sums up the cers conducted an intense investigation and search urgency of the situation: for a suspect they believed created a malicious virus that spread worldwide. The search for the perpetra- We are convinced that our vulnerabilities are tor of the “Melissa” virus involved five agencies increasing steadily, that the means to exploit and culminated in the arrest of a computer program- those weaknesses are readily available and mer in New Jersey in April 1999. The suspect faces that the costs associated with an effective charges of interruption of public communications, attack continue to drop. What is more, the conspiracy, and theft of computer service—charges investments required to improve the situa- that carry a maximum penalty of 40 years in prison tion—now still relatively modest—will rise and a $480,000 fine. In this case, 7 search warrants if we procrastinate.4 and 11 communications data warrants were filed. In addition, the agency in charge of the investiga- As State and local law enforcement increasingly are tion, the New Jersey State Police High Technology relied on to protect us against these crimes, they Crimes and Investigations Support Unit, coordinat- need to be aware of what threats currently exist and, ed with America Online, Inc., to obtain Internet more important, be capable of handling present and account subscriber information and activity logs. emerging threats as they continue to arise. The Melissa virus affected hundreds of thousands of computers in workplaces across the country. The Notes total cost to repair these systems is estimated to be 1. White House, International Crime Control Strategy, in the millions of dollars. This case highlights the Washington, DC: The White House, 1998: 68. responsibilities that State and local authorities have in national electronic crime cases such as these. 2. Center for Strategic and International Studies, Global Organized Crime Project, Cybercrime . . . These examples give us a glimpse of the potential Cyberterrorism . . . Cyberwarfare . . . Averting an wave of electronic and online crime that could Electronic Waterloo, Washington, DC: Center for eventually affect most law enforcement agencies. Strategic and International Studies, 1998. Increasingly, our Nation’s State and local law enforcement officers will be called on to detect 3. U.S. General Accounting Office, Critical information technology crime, analyze electronic Infrastructure Protection: Comprehensive Strategy evidence, and identify offenders. Most electronic Can Draw on Year 2000 Experience, doc. no. crimes, such as the Morris Worm or those carried GAO/AIMDÐ00Ð1, Washington, DC: U.S. General Accounting Office, 1999: 8. out by Global Hell, are not national security threats but wreak havoc nonetheless. Citizens are fleeced 4. President’s Commission on Critical Infrastructure of millions of dollars, businesses suffer losses from Protection, Critical Foundations: Protecting America’s online fraud, drug dealers and organized crime Infrastructures, Washington, DC: President’s elements employ advanced encryption technology to Commission on Critical Infrastructure Protection, evade law enforcement, pedophiles use the anonymi- 1997: x. ty of cyberspace to stalk and molest children, v
Acknowledgments
The authors of this report extend their sincerest Border Research and Technology Center, San appreciation to the State and local representatives Diego, California: Chris Aldridge, Center Director; who took part in this study as well as to their and John Bott, Technical Director. agencies for allowing them to be a part of this important research project. Their contributions The authors recognize the Bureau of Justice form the basis for this report, and we are grateful Assistance and the National White Collar Crime for their willingness to share their experiences and Center (NW3C). In its capacity as the operations expertise in the field. We also acknowledge the center for the National Cybercrime Training valuable assistance provided by the four regional Partnership, NW3C spearheaded and funded a centers and the Border Research and Technology cybercrime training survey for State and local law Center of the National Institute of Justice’s (NIJ’s) enforcement agencies in 1997. That undertaking National Law Enforcement and Corrections laid the foundation for and helped to shape the Technology Center (NLECTC) system. The centers NIJ-sponsored assessment. Special appreciation is recommended law enforcement participants, sched- extended to the following individuals: Richard H. uled visits, and served as hosts for the workshops. Ward III, Deputy Director, Bureau of Justice Special appreciation is extended to the following Assistance, U.S. Department of Justice; and Richard individuals: Johnston, Director, National White Collar Crime Center. NLECTCÐNortheast (Northeastern Region), Rome, New York: John Ritz, Center Director; Fred The authors also recognize the contributions made to Demma, Operations/Technical Assistance; and this needs assessment effort by an advisory panel that Robert DeCarlo, Jr., Operations/Technical Assistance. was convened at the beginning of the project to assist with the formulation of the protocol. Members of NLECTCÐSoutheast (Southeastern Region), North the panel from NLECTC were Donald Buchwald, Charleston, South Carolina: Tommy Sexton, Center NLECTCÐWest; William Deck, NLECTCÐSoutheast; Director; William Nettles, Deputy Director; William Fred Demma, NLECTCÐNortheast, and Karen Deck, Law Enforcement Technologies; and Howard Duffala, NLECTCÐRocky Mountain. Other members Alston, Research and Development. included Dean Chatfield, NW3C; Barry Leese, Maryland State Police; Steve Ronco, Hi-Tech Crimes NLECTCÐRocky Mountain (Rocky Mountain Unit, San Jose Police Department; Daniel Ryan, Region), Denver, Colorado: James Keller, Center Science Applications International Corporation; Gail Director; Karen Duffala, Director, Outreach Thackeray, Maricopa County, Arizona, Attorney’s Programs; and Courtney Klug, Assistant to the Office; and Dick Johnston, NW3C. Director.
NLECTCÐWest (Western Region), El Segundo, California: Robert Pentz, Center Director; and Donald Buchwald, Computer Forensic Analyst. vii
Contents
Preface ...... iii
Acknowledgments ...... v
Executive Summary ...... ix
Introduction ...... 1 Background ...... 1 Study Challenges ...... 2 Organization of the Report ...... 2
Research Methodology ...... 5 Overview ...... 5 Validity, Reliability, and Expertise ...... 5 Selection Criteria ...... 6 Facilitators ...... 7 Structuring the Interviews and Group Discussions ...... 8
Findings ...... 11 State and Local Perspectives on Electronic Crime ...... 11 Profile of Types of Electronic Crimes and Investigation Needs ...... 17 System Vulnerability, Critical Infrastructure, and Cyberterrorism ...... 19 Forensic Evidence Collection and Analysis ...... 23 Legal Issues and Prosecution ...... 25 Training ...... 28
Commentary and the Critical Ten ...... 31 The Critical Ten ...... 31
Appendixes ...... 37 Appendix A: Participating State and Local Agencies ...... 37 Appendix B: Glossary of Terms and Acronyms ...... 41 Appendix C: Contact Information ...... 45 viii
Exhibits
Exhibit 1. The NLECTC System ...... 5 Exhibit 2. Number of Participants, by NLECTC Center ...... 7 Exhibit 3. Profile of Participants, by Title ...... 8 Exhibit 4. Investigative Priority of Electronic Crime Cases ...... 11 Exhibit 5. Percentage of Participants Involved in Task Forces, by Region ...... 12 Exhibit 6. Most Frequent Electronic Crime Targets ...... 14 Exhibit 7. Most Frequent Electronic Crime Offenders ...... 15 Exhibit 8. Capability of Investigators to Handle Encrypted Evidence ...... 19 Exhibit 9. Extent to Which Personal Equipment Must Be Used ...... 20 Exhibit 10. Is Internal Tampering a Concern? ...... 21 Exhibit 11. Capability of Laboratories to Decipher Encrypted Evidence ...... 24 Exhibit 12. Are Laws Keeping Pace With Electronic Crimes? ...... 26 Exhibit 13. Training Received, by Topic ...... 28 ix
Executive Summary
Not long ago, the incidence of crimes that involved consider six specific topic areas in providing their computers or electronic media was negligible. input about what is needed to combat electronic Currently, State and local law enforcement agencies crime: routinely encounter evidence of electronic crimes, including online fraud, child pornography, embez- State and local perspectives on electronic crime. zlement, economic espionage, and cyberstalking. Profile of types of electronic crimes and investi- Law enforcement also encounters crimes classified gation needs. as cyberterrorism. These incidents have included attempts to penetrate electronic systems that control System vulnerability, critical infrastructure, and critical infrastructures. The task of investigating and cyberterrorism. prosecuting electronic crimes and cyberterrorism is Forensic evidence collection and analysis. complicated by the anonymity afforded perpetrators through the Internet, by a “borderless” environment, Legal issues and prosecution. and by the variables in State and foreign laws. Training.
To address this growing problem, the National The project team analyzed the participants’ input Institute of Justice (NIJ), in conjunction with the and documented the findings in a draft report. The National Cybercrime Training Partnership—a high- project team assembled a group of subject matter technology training consortium led by the Computer experts in the field of electronic crime to review Crime and Intellectual Property Section of the U.S. and comment on the draft. Department of Justice—initiated a national study in fall 1998 to assess the needs of State and local law The Critical Ten enforcement agencies to combat electronic crime and cyberterrorism. Another objective of the study Today’s technological advancements occur with was to develop a better understanding of the various such frequency that keeping up to date on the latest aspects of electronic crime, such as the most preva- electronic-based systems and their associated tech- lent targets, offenders, and motives behind this type nologies (the new “weapons” of criminals) poses a of crime. daunting task for State and local law enforcement agencies with limited resources and personnel. NIJ established a project management team to over- Criminals operating in cyberspace continuously see all aspects of the study. The team tasked the employ new techniques and methods, thereby mak- four regional facilities and the Border Research ing it more difficult for law enforcement to keep and Technology Center of NIJ’s National Law pace. Notwithstanding state-of-the-art changes, the Enforcement and Corrections Technology Center critical State and local law enforcement needs men- (NLECTC) system to identify leading law enforce- tioned in this report are not likely to change in the ment representatives in the electronic crime field. near future. Although the participants identified Ultimately, 126 individuals representing 114 agen- more than 100 needs and issues that require atten- cies participated in the study. Collectively, they rep- tion to keep pace with the rapid escalation of com- resented a variety of urban and rural jurisdictions puter crime, the most frequently voiced concerns and a diverse selection of agencies that included are grouped into the “Critical Ten” in this report State police, city police, State bureaus of investiga- (chapter 4). A brief synopsis of the Critical Ten tion, sheriff’s departments, crime laboratories, and needs identified by the study’s participants follows. regulatory offices. The participants were asked to x
Critical need 1: Public awareness Critical need 5: Updated laws A solid information and awareness program is Effective, uniform laws and regulations that keep needed to educate the general public, elected and pace with electronic crime need to be applied on the appointed officials, and the private sector about the Federal and State levels. New technology developed incidence and impact of electronic crimes. Most for legitimate uses quickly can become a tool for individuals are unaware of the extent to which their the commission of a crime. As a result, the criminal lives, financial status, businesses, families, or priva- justice system needs to stay abreast of state-of-the- cy might be affected by electronic crime. Nor are art methods used to carry out these new types of they aware of how quickly the threat is growing. crimes. Also, the disparity in penal codes among Unless the public is informed of the increase in States impedes interstate pursuit of offenders, crimes committed using the Internet, cybercriminals among other complications. will continue to steal people’s money, personal identities, and property. Critical need 6: Cooperation with the high-tech industry Critical need 2: Data and reporting Increased cooperation between industry and government More comprehensive data are needed to understand provides the best opportunity to control electronic the extent and impact of electronic crime. Without crime and protect the Nation’s critical infrastructure. more complete data on incidents, offenders, forensic Private industry can assist by reporting incidents of problems, and case outcomes, it will be difficult to electronic crime committed against their systems, track regional or national trends in electronic crime. helping to sponsor training, joining task forces, and sharing equipment for examining electronic evi- Critical need 3: Uniform training and dence. Crime solvers need industry’s full support certification courses and cooperation to control electronic crime. Law enforcement officers and forensic scientists Critical need 7: Special research and need specific levels of training and certification to carry out their respective duties when investigating publications electronic crimes, collecting and examining evidence, Investigators, forensic laboratory specialists, and and providing courtroom testimony. Participants prosecutors need a comprehensive directory of were adamant that this training should reflect State training and other resources to help them combat and local priorities. Prosecutors, judges, probation electronic crime. State and local law enforcement and parole officers, and defense attorneys need agencies also are asking for a “Yellow Pages” of basic training in electronic crime. national and State experts and resources. A “who’s who” of electronic crime investigators, unit man- Critical need 4: Onsite management assistance agers, prosecutors, laboratory technicians, equip- for electronic crime units and task forces ment manufacturers, expert witnesses, and so forth would be a well-received guidebook for many prac- State and local law enforcement agencies need titioners who frequently noted the need for informa- assistance in developing computer investigation tion on how to contact their colleagues in other units, creating collaborative computer forensics communities. capabilities, organizing task forces, and establishing programs with private industry. Law enforcement Critical need 8: Management awareness personnel are seeking assistance about best prac- tices and lessons learned from existing, successful and support investigation units. Likewise, many of the agencies Many participants and facilitators expressed concern called for a county or regional task force approach that senior managers do not fully understand the to the technically challenging and time-consuming impact of electronic crime and the level of expertise job of investigating crimes involving electronic evi- and tools needed to investigate and prepare success- dence. ful cases for prosecution. Of the police chiefs and xi managers who are willing to support an investiga- evidence. The experts are divided over whether and tive capability for electronic crime, they often must how the duties of investigation and forensic analysis do so at the expense of other units or assign dual should be divided. State and local law enforcement investigation responsibilities to personnel. agencies suggested that new research be conducted to identify the key staffing requirement issues for Critical need 9: Investigative and forensic tools computer crime units. There is a significant and immediate need for up-to- date technological tools and equipment for State Conclusion and local law enforcement agencies to conduct elec- Whether the need is high-end computer forensic tronic crime investigations. Most electronic crime training or onsite task force development assistance, cases cannot be thoroughly investigated and devel- progress needs to be accomplished quickly and in a oped without the benefit of higher end computer coordinated manner. The sophistication of technology technology, which is beyond the budgets of many used by offenders is increasing at a pace that signif- law enforcement agencies. icantly taxes the resources of the public sector at the State and local levels. This report, which identifies Critical need 10: Structuring a computer the needs of State and local law enforcement agen- crime unit cies to combat electronic crime, should serve as an impetus for creating timely initiatives that address As communities begin to address electronic crime, these needs. Both immediate action and future study they grapple with how best to structure a computer are essential. (or electronic) crime unit that will both investigate crimes involving computers and analyze electronic 1
Introduction
Background Technical assistance is required in establishing computer crime units and task forces. On January 10, 1998, the National Cybercrime Training Partnership (NCTP), formerly known as There is a strong need for interconnectivity the Infotech Training Working Group, issued a sum- among laboratories to coordinate the analysis of mary report of focus group meetings with 31 chiefs computer evidence. of police held in San Francisco, California, and Charleston, South Carolina.1 The report was pre- NCTP continues to play a leadership role in national pared under the direction of Wayne P. Williams, then cybercrime training initiatives and works at all lev- Senior Litigation Counsel for the U.S. Department els of law enforcement to develop long-range strate- of Justice, Criminal Division, Computer Crime and gies, raise public awareness of the problem, and Intellectual Property Section. focus the momentum on numerous efforts.
The purpose of the NCTP focus group meetings In an effort to broaden the scope of information on was to elicit from participants the status of electronic crime needs, NIJ initiated a wider study, computer and high-technology crime and identify designed to augment the NCTP survey while both what training and technical assistance would be of expanding the number of participants and the topic greatest value to State and local law enforcement areas covered. NIJ wanted to hear from a range of agencies. The 31 representatives covered a training law enforcement agencies about their experiences to base of 84,000 persons. The Bureau of Justice date with electronic crime incidents and how they Assistance, an agency of the U.S. Department of are positioned to investigate, handle evidence from, Justice, sponsored these meetings. and prosecute this type of crime. NIJ created a man- agement team (see “Project Management Team”) to The following key issues were raised during the oversee the project and prepare findings. sessions: Project Management Team Awareness of the computer and high-technology crime problem among managers, the public, and National Institute of Justice politicians is low. Saralyn Borrowman Amon Young All participants endorsed the NCTP goals of creating and maintaining a knowledge base of TriData Corporation critical information, supporting research and Hollis Stambaugh development of cybertools for law enforcement, Teresa Copping and providing training with “train the trainer” U.S. Department of Justice assistance. Wayne P. Williams (retired) The demand for electronic crime-related training U.S. Department of State exceeds the availability of current courses. David S. Beaupre A strong demand exists for nontraditional training U.S. Navy Space and Naval Warfare Systems modalities, which include mobile training teams, Center, Charleston, Security Department CDÐROM-based training, and distance learning. Wayne Cassaday Due to tight budgets, the demand for cost- Richard Baker effective training has increased. U.S. Tennessee Valley Authority Police David J. Icove 2
This report presents the information about how the Electronic crime. Crimes including but not lim- study was structured. It also documents what State ited to fraud, theft, forgery, child pornography or and local law enforcement officials told the team exploitation, stalking, traditional white-collar about their experiences with electronic crime. Finally, crimes, privacy violations, illegal drug transac- the report comments on the implications of the tions, espionage, computer intrusions, or any research results and offers suggestions for future other offenses that occur in an electronic environ- endeavors. ment for the express purpose of economic gain or with the intent to destroy or otherwise inflict Study Challenges harm on another person or institution. (This defi- nition was compiled from various sources.) The two early challenges for the research were how to define electronic crime and how to present cyber- Cyberterrorism (or information systems ter- terrorism in the context of State and local experience. rorism). The premeditated, politically motivated There was consensus among the project team mem- attack against information systems, computer bers that the issue of systems vulnerability, from the programs, and data to deny service or acquire standpoint of critical infrastructure protection, would information with the intent to disrupt the politi- be included under cyberterrorism. Even though cal, social, or physical infrastructure of a target, Federal law enforcement agencies have the leading resulting in violence against the public. The role in a cyberterrorist incident, State and local law attacks are perpetrated by subnational groups or enforcement agencies will need to be increasingly clandestine agents who use information warfare vigilant and prepared to handle critical infrastructure tactics to achieve the traditional terrorist goals protection issues because they are the first and objectives of engendering public fear and responders. disorientation through disruption of services and random or massive destruction of life or property.2 The complexities involved in tracking a potential cyberterrorist incident, discovering the point of Organization of the Report entry, and resolving cross-jurisdictional issues make This report contains four major chapters: This chap- it difficult for many State and local law enforcement ter places into context the format and purpose of agencies to identify when a cyberterrorist incident the report. Chapter 2 summarizes the methodology has taken place. In most cases, it is not immediately employed by the management team for the study. clear whether an intrusion is being perpetrated by a Chapter 3 outlines the study’s findings by the six local recreational hacker impressing a friend with subject areas along with an analysis of the results. his skills, a cyberterrorist trying to disrupt the Chapter 4 comments on the top 10 needs identified Nation’s air traffic control systems, or a foreign through the study and what the data may indicate intelligence service accessing sensitive classified are gaps in State and local resources; suggestions government information. These scenarios can hap- are presented as to how those needs could be met. pen, and law enforcement will have to be prepared After a series of reviews by the management team, to deal with them when they occur. the facilitators, and the subject matter experts To ensure continuity throughout the assessment, defi- who reviewed the draft, several recurring themes nitions of electronic crime were developed to provide emerged. Those themes form the basis for the a baseline for the research. They also provided a point report’s conclusions. The report includes three of reference throughout the workshops. Because appendixes—a list of the participants by State, a crimes committed against and with computers and glossary of terms and acronyms, and contact infor- information systems can be defined and categorized mation for each of the report contributors. in many ways, there currently exists no universally The State and local participants were invited to accepted definitions of electronic crime and cyberter- express their views openly. A rule of nonattribution rorism. The definitions compiled for this study are was established and honored because the team derived from various sources and reflect widely wanted participants to voice their opinions without accepted terminology at this time. The management constraint. Many insightful statements were made team agreed on the following definitions: 3 during the workshops. These quotes are included in Crime and Intellectual Property Section, National chapter 3 to support the findings; however, they are Cybercrime Training Partnership, 1998. presented without reference to the particular speaker. 2. Pollitt, Mark M., 1997, “Cyberterrorism: Fact or Fancy?” Proceedings of the 20th National Information Notes Systems Security Conference, Baltimore. 1. Williams, W.P., T.A. Bresnick, and D.M. Buede, Summary Report of Focus Groups, Washington, DC: U.S. Department of Justice, Criminal Division, Computer 5
Research Methodology
Overview future roles in the delivery of technical and training assistance. Moreover, the centers had been involved This research initiative employed individual sessions in a previous inventory by NIJ that collected infor- and workshop groups composed of State and local mation on local and State technology needs to com- law enforcement officers and other criminal justice bat terrorism.1 officials who are directly involved in handling elec- tronic crimes. The National Institute of Justice’s Exhibit 1 shows the geographic distribution of the (NIJ’s) major instruction to the project team was to NLECTC system. ensure that the study covered a broad and represen- tative sample of participants, agencies, and geo- Validity, Reliability, and Expertise graphic regions. This was achieved by selecting participants from all 50 States who had experience The management team met in fall 1998 to develop in dealing with electronic crimes and who represent- and implement the new study. The team outlined ed a broad base of agencies from urban to more the tasks necessary to accomplish this work and rural jurisdictions. established a project timeline. Early deliberations revolved around the means to ensure: The four regional facilities and the Border Research and Technology Center of NIJ’s National Law Validity of the study results. Enforcement and Corrections Technology Center Reliability of the data. (NLECTC) system helped identify candidates for inclusion in the study. They also hosted the meet- Broad expert input into all phases of the project. ings where the research was conducted and identi- fied participants for consideration. The use of the The team implemented several steps to address centers was logical because of their diverse geo- validity and reliability measures. The team estab- graphic representations for law enforcement, their lished criteria to identify State and local law direct relationship with NIJ, and their potential enforcement representatives with knowledge of and
Exhibit 1. The NLECTC System
NLECTC–Northeast NLECTC–Rocky Mountain Rome, NY Office of Law Enforcement Denver, CO Standards Gaithersburg, MD
NLECTC–National Rockville, MD
NLECTC–West Office of Law Enforcement El Segundo, CA Technology Commercialization Wheeling, WV
Border Research and Technology NLECTC–Southeast Center Charleston, SC San Diego, CA
National Center for Forensic Science Orlando, FL 6 responsibility for electronic crime investigations and documenting the data, defining specific electronic enforcement to be study participants. The criteria crime issues, and handling questions uniformly in was applied to screen referrals from NIJ’s National the process of collecting information. Law Enforcement and Technology Center system, management team members, and leads obtained The management team also sought the benefit of through a literature review. many experts in the field to guide both the design and the implementation of the study. Early in the In addition to assigning specific criteria for State and process, the team established a national advisory local representatives, the team sought representation panel. The panel and the management team met at from all 50 States. The team was careful to accom- TriData to review the project’s goals and debate modate a reasonable balance among the types which issues and questions about electronic crime and sizes of jurisdictions represented, although an were most appropriate for the field work with State absolute representative sample was not attempted. and local law enforcement agency representatives. Indeed, there are many more small towns and cities These deliberations resulted in a study protocol that than there are metropolitan areas. However, the became the operational blueprint for the workshops. electronic crime caseloads of a community with a Advisory panel members included representatives population of 40,000 are generally not sufficient to from the NLECTC system, State and local police warrant a special electronic crime unit, and the study agencies, the National White Collar Crime Center, needed information from law enforcement agencies private industry, and a county attorney’s office. with some level of experience in investigating and prosecuting electronic crime. Thus, although smaller After the workshops were completed, TriData jurisdictions are critical to this report, to have had processed and analyzed the information and wrote them represented proportionate to their numbers a preliminary draft report. From that report, a draft would have netted less data about incidents. project report was produced. The team assembled a group of experts on electronic crime to provide The team took additional steps to enhance the relia- advice and comments (see “Subject Matter Experts”). bility and validity of study results. For example, a These subject matter experts met with the manage- profile listing the required experience and skills was ment team in Knoxville to dissect the findings, used to identify and select the facilitators—those review the first draft of the report, and offer con- individuals assigned to conduct the workshops. The structive criticism. facilitators attended a daylong training session at TriData Corporation in Arlington, Virginia, to pre- Selection Criteria pare for the field work. The training was intended to strengthen interfacilitator reliability and establish As previously mentioned, steps were taken to ensure uniform procedures for managing the workshops, that selected agencies and their representatives
Subject Matter Experts Frank S. Cilluffo Center for Strategic and International Studies, Washington, D.C. Al Evans Maryland State Police, Columbia, Maryland James H. Fetzer III U.S. Tennessee Valley Authority Police, Knoxville, Tennessee Mary R. Holt Alabama Department of Forensic Sciences, Birmingham, Alabama Stephen D. McFall Federal Bureau of Investigation, Knoxville, Tennessee Howard Schmidt Microsoft Corporation, Redmond, Washington Raemarie Schmidt National White Collar Crime Center, Fairmont, West Virginia William Tafoya Governors State University, University Park, Illinois David Vanzant FBI Academy, Quantico, Virginia Wayne P. Williams U.S. Department of Justice, Washington, D.C. (retired) 7 encompassed a range of jurisdiction types (cities, the project’s facilitators, including expertise in elec- counties, and metropolitan areas) and law enforce- tronic crime issues and strong interpersonal skills. ment functions (investigators, unit commanders, Facilitators also were required to commit at least 2 State police, district attorneys, forensics examiners, weeks to the project. Based on the requirements, sev- etc.). All the participants have responsibility for eral highly qualified candidates were recommended electronic crime in their respective agencies; most by members of the advisory panel, NLECTC repre- have served in the computer crime unit or forensic sentatives, and the management team. The manage- laboratory as an investigator or manager. ment team met in Washington, D.C., to discuss the candidates. After careful consideration, consensus A total of 126 individuals representing 114 agencies was reached, and seven facilitators were selected participated in this effort. Exhibit 2 depicts the from the pool of candidates. The facilitators, repre- number of participants by NLECTC center location; senting various backgrounds in law enforcement, a complete list of participants, grouped by State, is intelligence, and academia, were chosen based on provided in appendix A. their particular professional experience and proven track record for facilitating meetings and focus group Participants also were selected based on their expe- sessions (see “Facilitators”). rience, and a mix of investigators, chiefs, captains, sergeants, prosecutors, and others was achieved. Once selected, the candidates were hired as consult- Exhibit 3 profiles the participants by title. ants to the project. They were sent background material and a letter informing them of their obliga- Facilitators tion to attend a daylong training session at TriData At the beginning of the project, the management Corporation. A professional facilitator was hired by team developed a list of qualifications for selecting TriData to conduct the training. The training was
Exhibit 2. Number of Participants, by NLECTC Center
35
32 31 30 28 28
25
20
15 Number of participants
10
7
5
0 NLECTCÐ NLECTCÐNortheast NLECTCÐSoutheast NLECTCÐWest Border Research and Rocky Mountain Technology Center Center 8
Exhibit 3. Profile of Participants, by Title 1999; and Northeastern Region, March 23Ð25, 1999). The facilitators were briefed on the project objectives, the operative definitions, and the design Investigator Sergeant of the assessment protocol. They were also provid- 15% 13% ed with a common outline to capture information Special agent in the field and were given the opportunity to prac- Detective 11% tice interviewing one another. This allowed them 21% to become familiar with the assessment instrument and comfortable with the interviewing technique. District attorney 8% Police Afterward, the facilitators participated in a mock consultant Officer/trooper workshop in which they were subjected to inten- 1% 6% tional disruptions by the trainer that simulated Regulatory Manager/ potential field scenarios. The trainer gauged their 2% Captain Lieutenant commander responses and provided feedback on how they 3% 7% Chief 6% should handle each particular scenario. This por- 4% Other (e.g., technical tion of the training provided the facilitators with service coordinator) 3% “lessons learned” and an opportunity to work with the assessment instrument in a hands-on, live setting. Note: Values are rounded to the nearest number. At least two facilitators attended each of the four site visits. One facilitator led the group discussion; Facilitators the other took detailed notes. In some cases, a third facilitator assisted the notetaker or conducted inter- Ross Ashley views. After each session, the facilitators compared ISX Corporation notes to ensure that the information they gathered was accurate. When the site visits were complete, Kathleen Barch the facilitators submitted a summary of their obser- Ohio Attorney General’s Office vations and analysis of the information captured in James Cannady the field. These summaries assisted in the formula- Georgia Institute of Technology tion of the report findings and the “Critical Ten” needs outlined in chapter 4. In addition, three Thomas Kennedy facilitators met in Washington, D.C., to debrief Center for Technology Commercialization the management team on the most salient points gathered in the field. Barry Leese Maryland State Police Structuring the Interviews and Group Dan Mares Discussions Mares and Company, LLC Literature review G. Thomas Steele Maryland State Police Work on this project began with an extensive litera- ture review. Journal articles, speeches and testimo- ny, seminar reports, and newspaper articles were geared toward assuring that the assessment instru- collected from Internet searches. Several advisory ment—or protocol, which facilitators used to elicit panel members recommended books and papers on information from participants—would be uniformly electronic crime, cyberterrorism, and information administered during the four site visits (Southeastern warfare to review. Researchers kept abreast of topi- Region, March 2Ð4, 1999; Western Region/Border cal seminars and reports from those proceedings as Research and Technology Center, March 9Ð11, well. This research guided the development of the 1999; Rocky Mountain Region, March 23Ð25, assessment instrument. Moreover, the literature 9 review provided insight into how the study should Protocol development define the role of computers in electronic crime. For The assessment instrument was developed over a the purposes of this study, computer-related crime period of several months by the project team mem- was defined using three parameters: bers. It was based on the combined institutional knowledge of law enforcement officers, prosecutors, A computer can be used as a weapon—a means for perpetrating crimes. Computers can be used researchers, and technologists. The advisory panel, to attack another computer to acquire stored which included academia, industry, and Federal information, deny service, or damage a system. Government representatives, also contributed. The Computers can also be used to manufacture cur- protocol went through numerous critiques and sev- rency, certified checks, credit cards, and insur- eral reviews before it was used in the field. In addi- ance cards and policies. They also can facilitate tion to the advisory panel members, the protocol the acquisition of new identity information such was reviewed by State and local law enforcement as passports or birth certificates. Computers can representatives knowledgeable in electronic crime to be used in support of terrorist trade craft; that is, further enhance its substance and credibility within by using the Internet as a means to disseminate the State and local law enforcement community. terrorist propaganda, recruit others, or engage in The protocol ensured that the discussions remained fundraising activities. Intelligence gathering or structured, in both individual and workshop settings. economic espionage conducted by foreign intelli- “Summary of Workshop Protocol Topics” outlines gence services, terrorist organizations, hate the six major topics and their purposes. groups, and others also is a concern. These groups can probe the Internet for open source information or employ hacking techniques to gain Workshop procedures access to sensitive proprietary data from the pri- At the workshops, the facilitators introduced each vate sector or classified government systems. section by clarifying the purpose of the topic. For A computer as a target involves the computer example, the participants were told that the first as the actual object of an offense. Information section, State and local perspectives on electronic contained on a system can be manipulated, crime, was intended to “provide background informa- stolen, or compromised for fraudulent and other tion on your understanding, responsibilities, involve- criminal purposes. A hacker can gain unautho- ment, training, and agency experience in dealing with rized access and remove, alter, or destroy infor- electronic crime.” The design of each discussion mation or engage in a denial-of-service attack item within the individual sections ensured that a against a system. For example, the target of an logical progression of responses took place. The attack could be a 911 center or a computer-aided facilitators worked in pairs to direct the workshops dispatch service in which the system is flooded and individually for the one-on-one meetings. with calls, causing it to crash and be rendered inoperable. Infrastructure systems are vulnerable Two types of sessions were held; the same issues to attack because many rely on public switch were discussed in both formats: telecommunications and are interdependent. In many cases, a single-point failure from an attack Individual meetings, lasting approximately 1 results in more than one system being victimized. 1 /2 hours. Workshops generally involving three to six A computer can be a corollary to an offense as a storage medium—an electronic filing cabinet—of participants from different agencies, lasting potential evidentiary information. Individuals can approximately 3 hours. use a computer to store tools, information, or files. Child pornography, financial ledgers used Management of field work by drug dealers, potential terrorist target lists Performance in the field was closely managed. and attack plans, and other illicit activity can be One or more members of the management team stored on computers, thereby becoming recepta- was present to help conduct the workshops and cles of evidence. 10
Summary of Workshop Protocol Topics State and local perspectives on electronic crime: Forensic evidence collection and analysis: Obtain background information on the understand- Determine agency preparedness for identification ing, responsibilities, involvement, training, and and proper collection of forensic evidence. agency experience in dealing with electronic crime. Legal issues and prosecution: Assess agency Profile of types of electronic crimes and investiga- awareness concerning legal issues surrounding tion needs: Document agency readiness to respond electronic crime as well as what resources are to these events and to obtain feedback on what needed to handle electronic crime cases in court. obstacles might hinder these investigations. Training: Review the availability of electronic System vulnerability, critical infrastructure, and crime-related training and specify the unmet cyberterrorism: Determine the vulnerabilities of training needs. local public safety agencies’ systems and the inci- dence of attacks against critical infrastructures. assist the facilitators. As questions concerning the introduce the purpose and background of the project project arose, team members provided insight into at the beginning of each session, and ensure conti- the rationale behind the questions under discussion nuity throughout the workshops. and guided the workshops accordingly. In addition, a representative from each NLECTC facility also Note was available to handle other situations (e.g., logis- tics, setting up conference facilities). This allowed a 1. National Institute of Justice, Inventory of State and Local Law Enforcement Technology Needs to Combat member of the management team to closely monitor Terrorism, Research in Brief, Washington, DC: U.S. operations, provide constant feedback at each site, Department of Justice, National Institute of Justice, January 1999, NCJ 173384. 11
Findings
State and Local Perspectives on The investigative priority for electronic crimes may Electronic Crime not be keeping pace with the growth in caseload, according to the assessment results. Ninety-five out The researchers sought information from participants of 123 participants who responded (77 percent) to about their experiences with electronic crime cases as the survey discussed in this Research Report said well as their individual responsibilities, training, and electronic crime cases are assigned a low to medium level of management support in handling computer priority within their agency. The one exception to crimes. Discussions focused on trends in electronic this rule is with cases related to child pornography crime caseloads, awareness and support from upper and child exploitation, which often are given high management, and the priority level given to investi- priority. The low priority given to cases overall can gating and prosecuting electronic crime cases. A key be explained, at least in part, by the problems asso- discussion point in this section concerns profiling the ciated with accurately depicting the crime (see most common targets and offenders. exhibit 4).
Trends in caseload and priority status “They [management] are very aware that they are unaware. They know the problem [electronic More than 80 percent of the participants noted a crime] exists but don’t know what to do about it.” measurable increase in computer and electronic crimes reported to and investigated by their agen- “Child pornography cases get a high priority, even cies—in particular, traditional crimes such as fraud though generally all electronic crime gets a medi- and theft committed using computers and unlawful um to low priority in the agency.” activity committed via the Internet. The increase in reporting, they commented, is due to increased awareness of computer-related crime and a higher Exhibit 4. Investigative Priority of Electronic incidence of these crimes. A small minority of State Crime Cases and local representatives stated there was no change, and a few did not know. According to the 1999 50 Computer Security Institute/Federal Bureau of 45 44
Investigation (CSI/FBI) survey of 521 security pro- 40 fessionals in U.S. corporations, government agen- cies, financial institutions, and universities, the 35 33 number of people reporting electronic crime to law 30 enforcement has dramatically increased. Thirty-two 25 23
percent of the CSI/FBI survey respondents reported Percent electronic crimes to law enforcement, an increase 20 over the prior 3 years in which only 17 percent 15 reported these crimes to law enforcement.1 Although this increase is significant, corporations and citizens 10 are generally reluctant to report these crimes to law 5 enforcement for a variety of reasons. 0 Low priority Medium priority High priority “There has been a definite noticeable shift in the Priority level priority of [electronic] crime. It is far more media sensitive than ever.” Note: 124 of 126 participants responded. 12
“This field needs to be validated to the same level only regional or Federal task forces will be able to as homicide.” deal with electronic crime on an effective level.”
Electronic crime units The study data show there is a significant regional difference in task force involvement. Electronic crime Half of the agencies involved in the study (62 of task forces are far more common in the Western region 124) have a formal electronic crime unit within the (see exhibit 1, chapter 2) than in any other part of the agency. The unit is responsible for all special elec- country. More than half of the task forces identified tronic crime investigations. In some communities, through the assessment are located in Arizona, Cali- the “unit” consists of only one investigator. In oth- fornia, Nevada, Oregon, Texas, and Washington. One ers, several investigators work electronic crime possible explanation for this high representation of cases and evidence and prepare the cases for prose- task forces is that many Silicon Valley companies cution. Most jurisdictions without this type of unit have a strong, vested interest in enhancing State and believe it would be important to establish one in the local investigations and forensic capabilities. Cooper- near future. ation between the private and public sectors was more frequently cited by participants from this geographic “We need to build a team that handles forensic area as well. Exhibit 5 shows the breakdown of task evidence.” force participation by region. “Electronic crime is handled as part of the specific crime of which it is a part, e.g., fraud unit, vice Reporting electronic crime unit, narcotics unit. The command officer in each The vast majority of respondents expressed con- of these handles the electronic crime component. cern about the underreporting of computer crimes, We need a unit dedicated to computer crime.” notably in the private sector. Although caseloads are increasing in all parts of the country, computer “We don’t let a drug crime unit break down a crime investigators believe that is only the tip of the homicide site, why will we let them break down a iceberg. A common complaint is that there is a large computer crime scene?” number of unreported cases occurring in the private
Interagency electronic crime task forces Exhibit 5. Percentage of Participants Involved in Only about one-third of the study participants report- Task Forces, by Region ed that their agency is a member of a Federal, State, or local interagency electronic crime task force. For purposes of this study, the concept of a task force was 70 67 defined in broad terms to include formal operational task forces in which two or more law enforcement 60 agencies participate in a regional, State, or Federal task force configuration. Policy and advisory task 50 forces were not included. Only those that included a law enforcement entity were considered, and both 40
forensic and investigative task forces were covered. Percent 30 29 “Regional task forces are the way to go. You have 21 to bring in experts and have them help out the 20 smaller jurisdictions.” 11 10
“You’re not going to make the average police 0 department capable of dealing with a cybercrime; West Northeast Rocky Southeast it’s something that’s so technical and so fluid that Mountain Region 13 sector, especially the major information technology several individuals, the necessary manpower and and banking industries. Indeed, although few private- resources are not available to prosecute electronic sector cases are reported, the 1999 CSI/FBI survey crimes. “Prosecutors like traditional crimes, not data revealed that 62 percent of respondents experienced trails,” mentioned another official. computer security breaches.2 During the Northeastern Region workshops, some “Underreporting of these types of crimes is a seri- prosecution roadblocks that were mentioned ous problem, one that makes it almost impossible included: to validate this crime as a major problem.” The complainant (victim) does not want to Prosecution prosecute. When electronic crimes are reported to law enforce- The amount of time to prepare a case is too great. ment agencies, the cases tend to be accepted for There is a lack of resources to track offenders. adjudication. Like other types of cases, an electron- ic crime case must meet basic criteria governing the Cooperation among law enforcement, district alleged offender, the evidence chain of custody, and attorneys, and judges is poor. the quality of the investigation. For cases that do not go forward, the participants enumerated the reasons Targets of electronic crime why. For example, 21 of the respondents said some There were excellent discussions at all the sites con- of their cases get stalled because there is insufficient cerning the most frequent targets of electronic crime. evidence to prove the crime was committed or the The participants were asked to prioritize their choices guilty party was responsible. Others (34) identified in terms of the three most frequent targets. In many one or more of the following problems: instances, a particular target is the “victim”—the ulti- mate goal of the offender. However, several layers of Insufficient prosecutor knowledge and experience. “targets” between the first and the last entry and exit Electronic crime cases not a priority. points are used as launch pads and intermediaries to attack yet a different target. The interdependency of Lack of judicial interest in electronic crime cases. most systems is linked directly to the complexities in Lack of responding officer training. classifying victims of electronic attack.