By Valarie Findlay
Research Fellow, Police Foundation
Law enforcement organizations, unlike any other, occupy a unique position with respect to the consequences of cyber threats: they are often at the forefront of investigative, interdiction or enforcement capacity, and it is becoming more common for them to be the target.
In its operational experience, law enforcement comes into contact with a range of cyber technologies used for malicious and illegal ends by everyone from relatively unsophisticated criminals to organized crime and terrorist groups. Whether facilitating other crimes or constituting crimes in themselves, these uses run the gamut: theft of funds and data from individuals and large corporations, money laundering, the transfer of illegal goods and services, and fundraising for other illegal activities.
When turned on the organization itself, the impact can be catastrophic to public safety, privacy, the integrity of evidence and the judicial process. As seen in recent years, several US law enforcement organizations and agencies have been targeted by socio-political groups as well as by ransomware. Although most scenarios so far have involved the theft and destruction of information and data, the disruption of systems, including communications, and the modification of evidence data can’t be ruled out as future targets.
In short, for law enforcement cyber threats are truly ‘glocal’: manifesting locally but originating or having impact globally. Whether viewed from the perspective of protecting organizational assets or investigating cyber crime, today’s cyber threats have become more asymmetric, surreptitious and persistent, and they require countermeasures or means of interdiction that are very much the same. The axioms of cyber security present a challenge; having remained largely unchanged for decades, they are undermined by the robust technological capabilities seen in the new threat landscape.
Even old-school concepts, such as ‘shared responsibility’ between stakeholders or enforcement through pseudo-regulatory measures, have been outpaced by the speed of technology and are utterly ineffective against these threats. Although security controls and risk management remain important as preventative measures in cyber security, we need to start looking across the many domains (policy, resource, intelligence, physical levels, etc.) to physically and conceptually harden assets, securitize our systems and resources, and share intelligence.
While the ‘white-hat’ technologists (the good guys) have made advancements in preventing and detecting cyber threats, it’s become clear that as long as there are assets deemed valuable by malicious actors, there will be threats and risks.
“They Weaponized Pikachu!”
It’s true. They did. Although the Pokemon malware was of a low level of technological sophistication, it extracted credit card numbers and recorded data from unsuspecting Pokemon-Goers (and silently installed more viruses), feeding the coffers of who knows who.
Often paired with ransomware or crypto-viruses, the weaponization of technology remains one of the most serious advancements in recent decades and is a reflection of the sophistication of threats and their ability to leverage the various security domains: the more domains that are accessed to breach sensitive information, the more difficult the threat is to counter and respond to.
In the “Art of War”, Sun Tzu said, “… if you know your enemies and know yourself, you can win a hundred battles without a single loss.” While lofty, it holds substantial truth. Knowledge is everything. And proficiency with various weapons doesn’t hurt either.
Sharing Worst Practices
Intelligence and attribution die a fast death when isolated or kept in a jurisdictional vacuum. Imagine if, in law enforcement, we refused to share lessons learned or intelligence with other levels of policing, and the impact this would have on maintaining law and order and facilitating justice. In the cyber security practices of many organizations, this has been the accepted but flawed logic.
This is slowly changing. In 2014 we saw important lessons come out of the SONY Hack: never underestimate the attractiveness of an asset to malicious actors or the leverage (blackmail) it gives them; one layer of anti-‘anything’ safeguards is not enough; security strategies and frameworks are exclusive to the organization, not a ‘copy-paste-replace’ exercise; and most security risk and responsibility cannot be avoided or transferred. The SONY Hack also underscored the importance of post-attack information sharing by exploited organizations to develop true threat intelligence, identify actors and improve practices.
More recently, we’ve seen evidence of information sharing in the post-attack (response and recovery) phases of WannaCry and then of the Massive Coordinated Cyber Invasion that shut down key targets across Ukraine, both seriously up-ending normal operational states. What was important about the Ukraine malware logic was how advanced and surgically precise it was: it intercepted passwords, captured privileges, deleted logs, destroyed data and exercised exceptions through hash logic, leaving some assets intact. But even simple attacks, like email floods and denial of service attacks, have brought systems, cities and countries to a screeching halt.
Intelligence sharing in the above attacks played a key part in slowing distribution of the malware across geographic expanses and in shutting down command and control. However, sharing the conditions that contribute to vulnerabilities, to help mitigate threats in the prevention phase, is an entirely different and controversial proposition, one that makes organizations nervous. But if all cyber exploits were treated as fundamental national security concerns, rather than as individual breaches that affect single organizations or sectors, intelligence sharing would quickly become a mandatory strategic response, and one that would drastically shorten the threat lifecycle.
Single Point of (Domain) Failure
Single domain vulnerability or failure occurs when only the most obvious domains are secured, such as an organization’s network or connected devices, while software updates, patch management, employee screening or access policies are weak or non-existent, allowing unauthorized, uncredentialed access to sensitive assets. Maintenance breaks down, security posture collapses and vulnerabilities creep in.
Several years ago this wasn’t an issue, as exploits occurred mainly through network vulnerabilities, but today threats are designed to capitalize on and exploit multiple domains, finding many avenues of opportunity for information gathering and asset exploitation. A cross-domain, multi-layered approach balances the risk-stress over several domains to close gaps and to act as a fail-back. Anything less amounts to leaving the lights on and the doors open for malicious actors.
A crucial step in moving beyond ‘technology as a solution’ is the development and implementation of an effective cross-domain cyber security framework, along with instituting supportive processes and accurately identifying organizational assets and their value to threat actors. If the problem is anchored in exploiting multiple domains, the solution must address the vulnerabilities of all domains.
Although cross-domain (or multiple domain) and multi-layered security approaches will increase initial resource costs, the downstream benefits will make up for the upfront investment. Also, higher degrees of compartmentalization and isolation will improve countermeasure selection and increase the ease of maintenance and agility of the environment. These are some examples of domain categories that would be applied to assets through a framework and an eventual security assessment:
- Corporate security policies and procedures – documentation that makes the organization and its resources act and behave in a certain way;
- Physical security – traditional hard-wall, room and building security;
- Resource security – your people, their screening and their access to things;
- Device security – techy stuff;
- Network security – more techy stuff;
- Network and Application Development (as in OSI layers) security – really techy stuff;
- … and more depending on the organization
All Will Fail If You Don’t Think Like The Criminals
Now you’re ready to revitalize your cyber security framework and maybe your cyber or e-crime programs, right? Well, before all of this frame-working and planning starts, consider the three concepts below to create a shift in mindset.
- Think and plan like the ‘bad guys’ — Face it, the ‘bad guys’ are winning, mostly because it’s their full-time job and it’s lucrative. With technology outpacing our efforts to implement countermeasures, cyber security approaches must mirror the approaches of the actors behind cyber threats; they must be cross-domain, target- and asset-focused, and differentiated by committed, skilled resources. This becomes even more important where electronic assets – such as telemetry, biometrics and evidentiary records – require a higher level of integrity due to their applied value.
- Targets are as important as assets — No one puts a lock on a door to prevent the theft of the door. Often we forget to securitize targets along with assets. Not unlike a property crime, there is the thing you want to get and the things you have to break to get it. Targets are the things that need to be broken: laptops, devices and databases that store information assets; device firmware that stores configuration values; electronically-locked rooms that store documentation, controlled substances, ammunition, evidence, etc.; or network connections that transmit asset data. Assets are the Holy Grail for your threat actors and vary in criticality, classification, integrity and availability.
- Threat actors are less important than threat scenarios — As much as profiling a threat actor is important to downstream intelligence, in the earlier stages of prevention and detection the focus needs to be on actual threat scenarios: theft, modification, destruction, disruption and, in some instances, planning and executing (surveillance, etc.). This considers the possibility and probability of damages should the asset be breached, and forces the valuation of the asset from the perspective of the malicious actor.
Lastly, There Is No End Game
Not unlike countering any other criminal activities, communication and collaboration remain effective methods to help ‘close command and control’ of an active threat. Mastering a dialogue and means to share preventative information will make cyber security a part of the daily conversation of law enforcement organizations and their partners.
For now, behind every malicious threat is a human, so cementing a proven cyber security framework will be easier under current conditions than when the Internet of Things, machine-to-machine learning and custom cipher technology bear down on our systems. Right now, the focus needs to be on agile, continuous improvement, instead of a non-existent end game.
Valarie Findlay is an IACP and CACP eCrimes Committee member and research fellow for the Police Foundation, with two decades of expertise in cyber security and technology initiatives. She holds a master’s degree in terrorism studies from the University of St Andrews. She also writes often for various security and law enforcement magazines on the organizational aspects of law enforcement and their impact on society, and on strategic initiatives in cyber security.