
What Law Enforcement Really Needs for Investigations in the Digital Age

Susan Landau
Monday, February 12, 2018, 11:00 AM


Published by The Lawfare Institute in Cooperation With Brookings

A recent New York Times article on cyber crime told not the sort of data-breach story with which readers have become familiar but, instead, focused on vast unknowns in the sphere of cyber crime. Writing about how police have, and haven’t, tracked the distribution of fentanyl online or followed the digital channels criminals use to sell stolen phones, reporter Al Baker highlighted the absence of organized methods for collecting such information. Simply put, while police focus on street crime, which has fallen to historic lows, at least some crime has moved online and law enforcement has been slow to follow.

Technological advances, of course, have helped to inhibit some criminal activity. Chip-and-pin technology, for instance, makes it harder to clone credit cards and has diminished in-person use of counterfeit cards. But with that avenue for illicit profit narrowed, credit-card fraud has shifted toward using stolen account information online, in card-not-present transactions where the chip is never read and its protection does not apply. It's hard to know exactly how much crime has been displaced to online realms, but significant criminal activity has clearly shifted to digital arenas where police investigation has often been lacking.

A 2014 Rand study describes "a playground of financially driven, highly organized, and sophisticated groups." Academic researchers have found thriving black markets in stolen documents, drugs, firearms and more. Even hacking tools are for sale. But while the criminals moved online, police have been slow to follow.

And while many computer crime investigators are technically savvy, there are far too few of them. In the course of my efforts on the Crypto Wars, I've seen a real lack of sophistication among many law-enforcement authorities conducting investigations of phones and online activity. In 2011, during hearings on encryption, Mark Marshall, then president of the International Association of Chiefs of Police, told Congress how hard it was for smaller police departments to handle emerging communications technologies: "We need a place, particularly for the smaller and mid-sized agencies, that don't have the capabilities to be able to go out, to be able to get those tools, to be able to retrieve that data,” he said. “We need that place that we can make that call, that we would have that one-stop shop, if you would. That would at least, it may not have the information but would at least be able to direct us to be able to get that information." This was in the days before locked iPhones presented an issue; then, the variety of operating systems and devices was itself doing in less technically capable police departments.

Investigators' problems with technology are myriad. Two examples I have observed: In 2016 I heard a senior FBI official in the computer crime division complain that handling metadata from different companies was really difficult because the data arrives in different formats. A simple computer program can handle this; it is a matter of parsing each provider's layout into one common schema. (Indeed, 15 years ago, AT&T built a tool to handle a much harder problem: unstructured data.) And a senior investigator working computer crime cases wondered whether software programs had more than a single vulnerability that could be exploited. The question matters because, when communications are encrypted, investigators may exploit a vulnerability to hack into a device and enable wiretapping there. The answer: yes, large programs have many vulnerabilities, though not all of them are equally useful for lawful hacking.
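To show what "a simple computer program" for the metadata problem looks like, here is an added example that is not part of the original article. It ingests call-detail exports from two hypothetical carriers whose layouts, field names and sample rows are constructed for this illustration (no real provider's format is reproduced), normalizes phone numbers, timestamps and durations into one schema, and then answers a cross-provider question. The carrier names, the `CallRecord` schema and the helper functions are all assumptions of the example.

```python
from __future__ import annotations
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample exports for two hypothetical carriers. Layouts, headers
# and numbers are invented for this example, not taken from any real provider.
CARRIER_A_CSV = """caller,callee,start_utc,duration_s
+1 (617) 555-0100,+1 617 555 0199,2016-03-04T15:02:11Z,95
16175550199,16175550100,2016-03-04T15:20:00Z,0
"""

CARRIER_B_PSV = """From Number|To Number|Date|Time|TZ|Length
617-555-0100|617-555-0123|03/04/2016|10:05:30|-0500|01:35
617-555-0123|617-555-0100|03/04/2016|11:00:00|-0500|00:00
"""


@dataclass(frozen=True)
class CallRecord:
    """Common schema every provider export is mapped into (an assumption of this example)."""
    src: str          # digits only, country code first
    dst: str
    start: datetime   # timezone-aware, always UTC
    seconds: int


def norm_number(raw: str, default_cc: str = "1") -> str:
    """Strip formatting; treat a bare 10-digit number as national and prepend the default country code."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) == 10:
        digits = default_cc + digits
    return digits


def parse_carrier_a(text: str) -> list[CallRecord]:
    """Carrier A: comma-separated, ISO-8601 UTC timestamps, duration already in seconds."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.strptime(row["start_utc"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(CallRecord(norm_number(row["caller"]), norm_number(row["callee"]),
                              start, int(row["duration_s"])))
    return out


def parse_carrier_b(text: str) -> list[CallRecord]:
    """Carrier B: pipe-separated, US date plus local time with a UTC offset, duration as mm:ss."""
    out = []
    for row in csv.DictReader(io.StringIO(text), delimiter="|"):
        local = datetime.strptime(f'{row["Date"]} {row["Time"]} {row["TZ"]}', "%m/%d/%Y %H:%M:%S %z")
        minutes, seconds = row["Length"].split(":")
        out.append(CallRecord(norm_number(row["From Number"]), norm_number(row["To Number"]),
                              local.astimezone(timezone.utc), int(minutes) * 60 + int(seconds)))
    return out


# Adding a new provider means adding one parser here; nothing downstream changes.
PARSERS = {"carrier_a": parse_carrier_a, "carrier_b": parse_carrier_b}


def merge(exports: dict[str, str]) -> list[CallRecord]:
    """Parse every export with its provider's parser and return one timeline sorted by UTC start."""
    records: list[CallRecord] = []
    for provider, text in exports.items():
        records.extend(PARSERS[provider](text))
    return sorted(records, key=lambda r: r.start)


def timeline_for(records: list[CallRecord], number: str) -> list[CallRecord]:
    """All calls involving one number, regardless of which carrier reported them or how it wrote the number."""
    target = norm_number(number)
    return [r for r in records if target in (r.src, r.dst)]


if __name__ == "__main__":
    merged = merge({"carrier_a": CARRIER_A_CSV, "carrier_b": CARRIER_B_PSV})
    for r in merged:
        print(r.start.isoformat(), r.src, "->", r.dst, f"{r.seconds}s")
    print(len(timeline_for(merged, "617-555-0123")), "calls involve 617-555-0123")
```

The work is entirely in the per-provider parsers; once records share a schema, sorting a combined timeline or pulling every call touching one number is a one-liner. A real tool would also keep the provider name and original row on each record so that anything used as evidence can be traced back to the export it came from.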

Addressing this lack of capabilities won't be easy or cheap. But solutions must be pursued. Though it has been clear for some time that criminal activity is moving online, that knowledge has, by and large, not been translated into training and expanding police expertise into the world of digital investigations. (Cy Vance's Cyber Lab is an exception.)

At the federal level, the government needs much greater capability in computer crime investigations. For one thing, these jobs must be made attractive for those with the right set of skills. That would include creating suitable career paths within the FBI for technical staff so that the bureau is not simply a way station to lucrative jobs in Silicon Valley.

Far more also needs to be done for police on the street. Except for the biggest police departments in the United States, developing expertise in cyber investigations is probably not feasible at the state and local levels. Technology changes incredibly rapidly and it’s not reasonable, in terms of time and money, for state and local law enforcement operations to keep up. Instead, such organizations will need to rely on capabilities provided at a national level.

(Using federal law enforcement to help in state and local investigations raises jurisdictional issues and those concerns will have to be carefully explored. Of course, there are also privacy issues raised by law-enforcement monitoring of online activity. These are articles for another day.)

While there are information-sharing schemes between the FBI and state and local police, the services offered handle only very specific aspects of larger issues. For example, the Justice Department’s National Domestic Communications Assistance Center provides "technical knowledge and resources for issues involving real-time and stored communications to address challenges posed by advanced communications services and technologies." But it does not provide desperately needed investigative guidance. In other words, the center can tell state or local police how to request phone records from various providers, but it won't tell them how to run an online investigation.

The FBI runs Regional Computer Forensic Laboratories—15 offices around the country—that help police recover evidence from digital devices. The FBI reports that "examiners are capable of locating deleted, encrypted or damaged file information that may serve as evidence in a criminal or terrorism investigation." This sounds promising. Now consider that in 2016 the laboratories received just under 6,000 requests for aid, examined 15,760 devices, and helped with more than 1,300 searches. Putting this number in context, the Bureau of Justice Statistics reported that there were more than 15,000 police and sheriff departments in 2013 (the most recent year for which I found data). That means that, even if every request came from a different department, the RCFLs helped fewer than half the police departments in the nation with a single investigation in 2016. To give you a sense of scale, the Manhattan district attorney's office estimates that more than 25 percent of its annual cases deal with "digital evidence, or data stored on devices." The help provided by the RCFLs is also of a limited nature; local law enforcement receives aid in examining seized devices, not in running an online investigation. So unless a small department has tech-savvy staffers, or a technically knowledgeable colleague at the local FBI office who also has the time and inclination to help, it is on its own.

Addressing these problems will take money and significant skill. And new capabilities can’t be developed overnight. There’s a shortage of computer security investigators, which means it will take any federal center time to build up. That means interim solutions will also be needed as digital-age investigative skills are created for police forces. But there is no other choice. As criminal activity takes on ever more sophisticated digital components, it is imperative that police have the knowledge and skills to investigate those aspects of crimes. Otherwise our law enforcement will effectively be left to chase bank robbers on foot while the thieves drive getaway cars.


Susan Landau is Professor of Cyber Security and Policy in Computer Science, Tufts University. Previously, as Bridge Professor of Cyber Security and Policy at The Fletcher School and School of Engineering, Department of Computer Science, Landau established an innovative MS degree in Cybersecurity and Public Policy joint between the schools. She has been a senior staff privacy analyst at Google, distinguished engineer at Sun Microsystems, and faculty at Worcester Polytechnic Institute, University of Massachusetts Amherst, and Wesleyan University. She has served on various boards at the National Academies of Sciences, Engineering, and Medicine and for several government agencies. She is the author or co-author of four books and numerous research papers. She has received the USENIX Lifetime Achievement Award, shared with Steven Bellovin and Matt Blaze, and the American Mathematical Society's Bertrand Russell Prize.
