RSAC 2011: Forming a bridge between law enforcement and securityby Steve Ragan - Feb 21 2011, 21:00
Last week, during the RSA Conference, The Tech Herald attended a separate and honestly compelling event called BSides. We attended a talk given by Nick Selby that raised awareness on what we feel is an important issue the security and business world’s face today, communication problems with law enforcement.
There is a growing disconnect between the two worlds, and Selby has an idea that could create a strong bond between them.
[Note: The BSides talks are created by, and presented for, the security community. The list of locations where BSides events are held is growing. If you are interested in hosting your own BSides talk in your area, or just want to see what it is all about, head here for more information.]
Nick Selby is the Managing Director of Trident Risk Management, and a sworn law enforcement officer in Texas. He also established the security practice at The 451 Group in 2005. With his law enforcement experience and his InfoSec background, he knows the communication gap inside and out.
But he is only one man. So his talk at BSides San Francisco centered on getting help from the security community to create a non-profit organization that would address the communication divides between the two professional groups.
According to a report from Arbor Networks, 61-percent of the organizations they spoke to during a recent study said they will never report a cybercrime to local, state, or federal law enforcement. Some of the reasons included internal policy and low confidence in investigative efficacy.
At the same time, a small number of those who spoke to Arbor said they had formed a mutually beneficial relationship with law enforcement. These relationships led to more incident referrals.
“It is our hope that this formula can be replicated elsewhere, leading to greater and more fruitful law enforcement involvement in the identification, prosecution and incarceration of Internet criminals,” Arbor stated in their report at the time.
After a security incident, InfoSec professionals have a hard time talking to police and explaining to them exactly what happened in terms that non-technical investigators can understand. Being technically inclined is not a requirement to join the police force. Yet, this doesn’t mean that local or state police don’t care about cybercrime.
They do care, but they need better information to articulate the loss an organization is faced with up the chain within the justice system. They cannot assume the scope of a given loss or crime, and they wouldn’t anyway because assumptions don’t carry much weight in court.
“So [InfoSec professionals are] not good at telling the police exactly what happened, in terms that police can understand and actually work with. Computer crimes are illegal in almost all states…In Texas, intrusion of computer networks, stealing of digital assets, credit card, or gift card theft, all of these things are illegal," Selby told us in an interview.
Not all law enforcement officers understand the process of getting a solution from an InfoSec standpoint, but they are crystal clear when it comes to getting one from a legal perspective.
Selby’s idea is to form a group who will act as a non-profit, comprised of InfoSec professionals and law enforcement officers which can aid each other by essentially translating information crucial to both sides of the equation.
This group would work alongside other groups, such as InfraGard. InfraGard is an information and intelligence sharing program between the FBI and the private sector. There are chapters all over the U.S. and the roster of members is rather large.
However, the focus of this newly proposed group will help organizations who face an incident that might not be large enough to need FBI involvement. Sometimes a cybercrime investigation can stay local, such as city, county, or state police, but there is still a need for translators who can talk to them.
In addition, when InfoSec professionals communicate with law enforcement, they should be aware that reported crimes go through triage. Law enforcement agencies, especially the larger ones, have the resources to investigate cybercrimes. The problem is time. So a loss of about $1,000 will take a lower priority to an incident that led to $100,000 in losses.
When the communication between an InfoSec professional and law enforcement officer clicks, the investigating agency can use it to confirm something happened and articulate this information to the prosecutor. The prosecutor can then show what was taken, its value, and who is responsible for the loss.
The value of any recovery costs or actual data stolen is important, as it will help the law enforcement agency determine the grade of crime. There is a huge difference between a misdemeanor and a felony, and value is part of how this is determined. The more information that is shared, including all the financials, the more likely an organization is to see a successful result during the incident recovery.
“In order for a police officer to understand how he can proceed with an investigation; he has to know that a crime was committed…and they have to understand what the damages are. Cops want to stop crime. That’s why they became cops. If you’re dealing with a cop who can understand you, the cop can help you and do what their job is. That gives them a great deal of satisfaction,” Selby added.
When reporting a cybercrime to local or state law enforcement, even to federal levels, InfoSec professionals also need to show why investigating the incident is worth the law enforcement agency’s time.
Selby explained that law enforcement officers are often concerned that if they do start investigating, and it turns out that the organization’s crime is greater than it first appeared, countless hours and days of work could be spent before another agency takes over. If this happens, then the local or state law enforcement agencies fear they wouldn’t get any credit for all of their labor.
Selby’s goal is one that will see InfoSec professionals help law enforcement understand the realm of the possibilities during the initial part of an investigation. And law enforcement professionals would help set realistic expectations for InfoSec, and help InfoSec better articulate their problems in a manner useful to law enforcement.Having a certified forensics person from a large organization, one who can offer assistance by providing information such as what is and what is not possible with computer forensics, would go a long way towards helping a law enforcement agency take things forward after a security incident.
That is the key. While most of the processes and examples Selby gave in his talk would make it seem like he wants to turn cops into InfoSec professionals and vice versa, that isn’t the case at all. Cybercrime is still a crime, and that is something for law enforcement to deal with.
The InfoSec professionals who work in Selby’s group are not doing law enforcement’s job. They’ll point out resources and available information, explaining what’s practical if needed. From there, law enforcement is able to complete the investigation process.
“What we’re doing is comparative to having a trusted translator in a place where you don’t speak the language. If you go do business in Brazil, but you don’t speak Portuguese, you’re local translator is not going to cut the deal for you. They’re going to help you understand the terms, so that you can make your business decision. That’s exactly what we’re doing here,” Selby said.
The group isn’t complete. Selby’s talk was to share his idea and show how it could work. However, before this new group can take off, he needs the community’s help. What, if anything, is wrong with his idea or the concept itself? What is right with it?
These were all things he asked of the audience at BSides San Francisco.
As he said in his talk, if you want to join him and do your part to help protect the flock, he can be reached here.