Digital defense begins at home

   Cybercrime has many faces, from child exploitation, to fraud, to identity theft and more.

   But from a federal perspective it only seems to have one: protecting the nation's digital borders.

   Todd Shipley, president of the High Technology Crime Investigation Association (HTCIA), stresses that infrastructure protection, in terms of securing the online presence of the nation's power grids, communications networks, air and ground transportation, and financial transactions, remains incredibly important to national security. But he suggests it's just as important to examine how the average law enforcement agency will investigate cybercrimes.

   Right now local response to cyber-related crimes can be all over the map. Shipley says some local law enforcement departments tackle cybercrime response head-on, thinking it's solely their responsibility, and others ignore the crimes entirely, believing the job lies with the Feds. However, neither stance is correct.

   "It's not just a federal problem," Shipley says. "It's a state and local problem too because the victims are citizens of the local community."

   Securing digital borders from cyber miscreants involves more than dispatching victims to the Feds. "There are no pedestrians in cyber space," agrees Gen. Dale Meyerrose, who heads Harris Corp.'s National Cyber Initiative and once worked as the information sharing executive for the director of National Intelligence.

Taking in the big picture

   "Looking at digital crimes can be daunting, because every crime can have some sort of Internet tie-in," Shipley admits. "There's a huge space out there and without clear federal direction it becomes overwhelming."

   Parry Aftab, a lawyer specializing in Internet privacy and security law and the executive director of, thinks the tendency to lump all cybercrime together spurs this flawed thinking. There's a need to categorize cybercrimes as officials currently classify traditional crimes. "We have burglaries, we have assault and battery, we have rape, we have drunk driving — there are a million things people can do to violate the law," she says. "When we talk about cybercrimes, we have to break them into similar categories. And we need to realize every law enforcement official cannot be an expert in all of them."

   Jurisdictional issues drive much of the hesitance surrounding cyber investigations among the locals. Law enforcement typically focuses on obvious and tangible crimes such as burglary, robbery or assault — crimes with distinct jurisdictional boundaries — but when offenses occur in cyber space the borders are not so clear. The concept of "These are the borders of my town and this is the area I work" gets lost in a space where virtual connections bring people from other states and even other countries into citizens' homes.

   Officers must ready themselves for the multi-jurisdictional nature of cyber land. "They've got to be prepared to talk to the FBI, the Secret Service or a high-tech task force," Shipley says. "Just because you cannot investigate the crime doesn't mean you shouldn't know who can."

   Throw in the tendency to connect online or cyber crimes solely to computers and you've got some real problems. Just as the old proverb proclaims, "There's more than one way to skin a cat," there's more than one means to get online. People use everything from computers and cell phones to their Xbox and PlayStations to gain Internet access, and all of these tools may house digital evidence.

   Understanding digital technologies, how they work and what they can do goes a long way in building a case. As Aftab says, "Law enforcement needs to think of digital technology as not having anything to do with the crime, but having to do with making their case."

   Aftab believes first responders should know the three C's of digital technology: Content, contact and cost.

   Content. What info might the device contain? This may be words, pictures or video.

   Contact. How is the device used to communicate? Does it log voice communications, chat logs, or whom the individual talks to?

   Cost. What are the legal risks of what individuals can do with the digital tool?

   Being familiar with digital technology helps first responders ask the right questions when determining the appropriate technology to seize. Armed with this knowledge, they know to ask things like: Do you have IT routers? Do you have hard-wired computers? Do you have cell phones? Do you have an Xbox or PlayStation? Where are they? Did the suspect or victim have access to them?

Good, old-fashioned police work

   Still wondering what to do when getting the cybercrime call?

   "Good, old-fashioned police work," says Aftab. "You can't make a cyber case if you don't know how to make a regular case."

   Here's where things get dicey: Sometimes first responders fail to take any action when cybercrime calls come in. "Depending on the agency, some will take a report and do something with it; some will take the report and do nothing with it; and some won't take a report at all," says Shipley.

   "But cybercrime is here to stay and it's affecting all of our citizens," he adds. "If agencies are not out there helping to address the crime problems plaguing this space, they are throwing their citizens to the wolves and failing to give them the protection they need."

   Unfortunately, the situation in many agencies mimics the one described on the National Center for Supercomputing Applications (NCSA) Web site: "A law enforcement officer receives a complaint from a victim of Internet fraud or harassment, and while the officer does his best to capture the details, valuable information on the victim's computer goes uncaptured and never gets to those with the expertise to decipher it. When faced with this scenario, many law enforcement first responders are left scratching their heads, unable to do anything but take down the most basic information."

   "Many officers we've talked to admit being pretty nervous when they are called into anything related to the computer," says Randall Butler, director of the NCSA CyberSecurity Directorate.

   According to Butler, NCSA research found first responders take notes about the complaint; they may even get printouts. But the department high-tech expert often finds the collected information insufficient. Then, this individual, who often has more cases than he or she can handle, must revisit the scene to collect missed information — if it's still available.

   Enter a new tool — the Cyberinvestigation Law Enforcement Wizard (CLEW).

   The NCSA and the National Institute of Justice have teamed together to develop a live collection tool designed to simplify cyber data collection. The tool, slated for release in late 2010, enables first responders to quickly and easily gather evidence, ask the right questions and preserve evidence for further investigation.

   CLEW helps first responders navigate through consent-based searches involving digital media in order to collect actionable information. The officer plugs CLEW's USB stick into the system under investigation, which launches the triage tool and walks the responder through the investigation with a series of questions. The device then initiates live data collection. Later, the officer takes the USB back to the department where the data can be uploaded for further analysis.

Gathering the evidence

   Data collected from digital tools leads to further investigation, which can run into issues with obtaining data from Internet Service Providers (ISPs), Web sites or social networking platforms. Even with a search warrant in hand, it can take days to retrieve information, and by the time officers secure permissions from the ISP, the information may no longer exist, as most companies only house this data for a short time.

   Cybercrime investigators frustrated with the speed of gathering ISP information seek to alter the ground rules of online investigations. They want a national Web interface linking police computers with those of Internet and e-mail providers. They also wish to mandate that ISPs store user data up to five years and respond to police inquiries within hours instead of days.

   Sgt. Frank Kardasz of the Phoenix, Ariz., Police Department and director of Arizona's Internet Crimes Against Children (ICAC) Task Force, believes these changes will greatly aid law enforcement's ability to investigate cybercrimes. His department currently faxes subscriber information requests to the ISP then waits for a return fax. "This is a sometimes lethargic process that might be better facilitated through secure Internet communications," he says.

   ISP data storage also presents more than a few challenges. Different providers store data for differing lengths of time. "[They] typically do not preserve data for law enforcement investigative purposes unless a special request is made," Kardasz says. "In our work with crimes against children, we sometimes do not get the first complaint about an offense until months after it occurred. If the ISP has not retained basic subscriber data, that trail is cold and dead before we can even begin to find the offender."

   However, companies cannot hold this information forever. A recent survey showed teens alone send and receive an average of 2,300 texts per month; then there are e-mails, instant messages and social networking updates. "There's a huge cost for ISPs to hold on to all of that information; the storage needs would be tremendous," she says.

   And expect some pushback from privacy advocates. "As citizens, do we want law enforcement to have direct access to all of our communications content?" she asks. "When does it become too much surveillance?"

Too hot to handle

   The above changes are down the road, so what does the local department do now when a cyber case proves too hot to handle? The answer? Call in those with the high-tech expertise to take it on.

   "You've got to do something, even if your department cannot help," says Shipley. "You still need to take the report, collect preliminary information and get the appropriate agencies involved."

   That's not possible, however, if agencies do not know who to call in the first place. Aftab recommends reaching out to ISP providers, social networking sites, area high-tech crimes task forces, local experts and so on to compile contact info into a database or book that sits by every department phone and in every squad car.

   "You need to know who to call in the middle of the night," she explains. "If someone kidnaps a 4-year-old during the night, you need to know who to call at MySpace, Facebook, AOL, or wherever. You need to know who's available to help you with that case." (See "Recommended Partnerships" at right.)

   Develop a plan for how to work with these experts. Shipley holds up ICAC task forces as prime examples of how such cooperation should look. This organization gathered state and local agencies to discuss Internet predators then collaborated with them to form national response teams. "This is a group that's worked on a national level to develop a strategy of response to a national problem using local and state resources," he says. "And they've done a very, very good job."

   National attention to cybercrime must continue, he adds, but it must drill down to the local level for any strategy to be successful. Answers are needed as to how state and local agencies can and will be involved, what guidance the federal government will provide, what first responders need to know and do, and how these cases will be investigated and built.

   Protecting digital borders involves everything from securing U.S. infrastructure from international cyber attacks to shielding U.S. citizens from cyber miscreants. "It's an issue that involves everybody but it's one that's been overlooked for a long, long time," Shipley says. "The Internet is a global network — it has a lot of victims. It's certainly a much bigger problem than all of us. But we have a responsibility to our community to take it on."

   Ronnie Garrett, formerly the editorial director of the Cygnus Law Enforcement Group, is a freelance writer and photographer living in Wisconsin. She may be reached through her Web site at

Recommended Partnerships

   Parry Aftab, a lawyer specializing in Internet privacy and security law and the executive director of, recommends reaching out to the following organizations as well to form partnerships in advance of a case.

  • Anti-Phishing Working Group. A global pan-industrial and law enforcement association focused on eliminating fraud and identity theft resulting from phishing, pharming and e-mail spoofing.
  • Internet Crimes Against Children (ICAC) Task Forces. ICAC Task Forces are available to help law enforcement agencies with investigative response to offenders using the Internet, online communication systems, or other computer technology to sexually exploit children. There are presently 61 regional task force agencies.
  • Cyber Law Enforcement. A network of officers specializing in cybercrime investigation, training other law enforcement officers and assisting cybercrime victims online.
  • FBI.
  • U.S. CERT. Charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch as well as information sharing and collaboration with state and local government, industry and international partners.
  • National White Collar Crime Center. Provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of economic and high-tech crime.