The digital targeting of law enforcement personnel has become a common occurrence for many agencies today. With the growing reliance within law enforcement on technology and digital tools, today’s targeted cyberattack campaigns have quickly become a critical danger to personnel and operations. The resulting effects on law enforcement operations and the public served cannot be overlooked.
A panel discussion at the 2021 IACP conference sought to answer four key questions about these increasingly common, and costly, attacks:
- Who are the perpetrators?
- Why does law enforcement continue to be vulnerable?
- What is the impact on law enforcement operations?
- How should law enforcement protect its people/organizations?
The members of the panel were:
- Brett Johnson, Cybercrime & Identity Theft Consultant
- Andre Mintz, Chief Information Security Officer, Newport Group
- Bryan Vorndran, Federal Bureau of Investigation
- David Smith, United States Secret Service
Memorable Quotes
“When I was a police officer back in the late 80s/early 90s, the most important thing they told us about keeping our professional and personal lives separate was varying your commute to and from work. That is no longer what you have to do today. Your life is blended. If you have any type of technology, you are leaving a digital footprint everywhere you go.” — Andre Mintz
“A few key reasons why law enforcement equipment can be vulnerable is that we can’t take users out of the equation.” — David Smith
“Everyone’s information is available. Doesn’t matter who you are.” — Brett Johnson
“There used to be off-limits entities. We don’t think those entities are off limits [anymore].” — Bryan Vorndran
“Ten years from now, we will be living in a largely unimaginable digital setting.” — David Smith
“It’s a matter of when, not if, it happens. If you’re running a computer network, there are only two kinds: those that have been hacked and those that just don’t know it yet.” — Andre Mintz
Top Takeaways
The panelists shared many valuable tips on how law enforcement agencies and their personnel can protect against cyberattacks. Here are three top takeaways:
1. Think of everyone as an attacker
While cybercriminals come from a variety of backgrounds and with a variety of intentions, a common theme runs among 99% of them, said cybercrime expert Brett Johnson: They operate as hackers for hire.
Bryan Vorndran of the FBI’s Cyber Division reiterated this point. Even though cyberattacks across a variety of sectors are becoming both more numerous and more costly, he said, “it’s not that the individual hackers alone have necessarily become more sophisticated; they are now able to rent those sophisticated capabilities and deploy them against targets at will.”
What this essentially boils down to, said Johnson, is that anyone with a grudge against law enforcement only needs to visit the dark web to access the expertise necessary to carry out any number of potentially devastating attacks.
“If you tick a criminal off,” he asked, “what’s the likelihood that one of these guys may decide to try to get even?” This is, unfortunately, more likely today than ever before.
2. Think of everyone as a potential target
The conventional wisdom used to be that if you were a smaller organization with fewer resources, you didn’t need to worry too much about becoming the target of a cyberattack. But as we’ve seen in recent months, this couldn’t be further from the truth today:
- Inside the sophisticated cyberattack that had Texas communities struggling for days, July 26, 2021
- Ransomware gang threatens release of DC police records, May 12, 2021
- Ransomware gangs get more aggressive against LE, May 9, 2021
- ‘BlueLeaks’ exposes files from hundreds of US police departments, June 23, 2020
And it isn’t just agencies that are at risk – individual officers need to stay as much on their toes as any organization because of how ubiquitous connected technology has become in both our personal and professional lives.
“We’re close to 20 billion connected devices today,” said former police officer and CISO Andre Mintz, “half of those being just Wi-Fi enabled things like your phone, but the other half are things called the internet of things or IoT. These are very, very small devices, and we haven’t thought a lot about them. Your refrigerator, your toaster, your doorbell – all of these things are connected to the internet.”
And it’s this connectivity that opens the door for an attack. If a hacker gains entry to a baby monitor on your home’s network, for example, there isn’t much stopping them from in turn accessing sensitive information stored on your laptop. Smart lights and thermostats could also be manipulated from a distance as a type of psychological warfare, Johnson pointed out.
“You can easily see how reachable you are if I can access something as simple as your baby’s monitor,” said Mintz. “The same thing applies to all of the devices on your law enforcement networks.”
Even with dedicated IT staff, police networks have been breached with alarming consequences: Police surveillance cameras have been hacked and shut down, and an entire archive of dashboard camera video has been destroyed. It’s also entirely possible for criminals to gain access to police cruisers and literally stop them in their tracks, Mintz said.
While these devices are “generally connected for our benefit,” said David Smith of the Secret Service’s Office of Investigations, “all of these tools can be breached for nefarious reasons.”
3. Training, training and more training
This isn’t to say, however, that both officers and departments are sitting ducks; there are a variety of tools and practices that, if used correctly, can protect networks from intrusion.
But the key phrase here is “used correctly,” Johnson explained. “Humans often disregard the tools” because they either don’t trust or don’t understand how they work.
Case in point: Even with cybersecurity best practices in place like multifactor authentication, segmented networks, up-to-date software, application whitelisting and encryption, it only takes one staff member clicking on a link in an email rigged with malware for a system to be compromised.
Indeed, more than 90% of hacks stem from phishing emails, Vorndran said.
That’s where training comes in, said Mintz. “One of the things we do in the private sector is that we ensure we conduct annual training; we’re [also] continually sharing with our people when new attack scenarios come out, making sure that we test our people using threat modeling.”
These threat-based scenarios are posed to team members without any advance knowledge to test their responses in real time. Policies and procedures can then be adjusted as needed.
Federal resources can also keep departments informed on the latest threats and security best practices, including CyWatch, the FBI’s 24/7 operations center and watch floor; the Internet Crime Complaint Center; FBI Cyber Task Force, accessible via the agency’s 56 local field offices; and the National Cyber Investigative Joint Task Force.
The National Computer Forensics Institute also offers training to state and local LEOs, prosecutors and judges in cyber incident response and investigations.
Conclusion
Being prepared as both an individual and an agency has never been more important. “One of the things I want to impress upon you is just how prevalent this is, how these attacks are growing in frequency, and how they will continue to grow in frequency,” said Mintz.
Being knowledgeable about these threats, however, isn’t just integral to protecting sensitive data and operations; it will play a critical role in future investigations as well, said Smith.
As our world grows ever more connected, and cybercrime grows ever more common, agencies will likewise have to up their technological game.
“In the future,” said Smith, “investigations regarding cybercrime will routinely require the processing of big data, requiring law enforcement to have the necessary technical expertise and equipment to oppose the threat.”
To put it another way, said Mintz: “What can you do to skate to where the puck is going, not to where the puck is?”