OnPolicing Blog

Welcome to the OnPolicing series.

PF On Policing logo final versionOnPolicing captures the thoughts of some of the country’s most important voices on contemporary policing. It is intended to stimulate debate about the state of policing and the myriad of challenges involved in controlling crime, disorder, and terrorism in a democracy like ours. The opinions are the authors’ own and may not represent the official position of the National Police Foundation. All comments are welcome—especially contrarian ones. We reserve the right to remove hateful or profane posts.

Please refer to the essay entitled “An Introduction to OnPolicing for an in-depth introduction to the series by the National Police Foundation’s former president and founder of the OnPolicing blog, Jim Bueermann. If you would like to contribute to the OnPolicing series, please send your 500-1000 word essay to info@policefoundation.org.

 

 

 

31August
2017

Police-community relations


By Tracy Miller
Orange County (CA) Assistant District Attorney

Every day police officers risk their lives to keep our communities safe. Unfortunately, law enforcement’s heroic efforts are often not recognized by local communities.  One way we are building stronger community relationships with law enforcement and highlighting their outstanding work is through an innovative program, OC GRIP.

OC GRIP (Orange County Gang Reduction & Intervention Partnership) shows the community the great work of local police officers, while focusing on preventing minors from joining a criminal street gang. OC Grip has more than 300 partners in 13 cities in Southern California. These partners include police and probation departments, private businesses and non-profit and faith-based organizations.

For over 10 years, through OC GRIP, we have had great success in inspiring children to resist participating in gangs, while improving the community’s relationship with law enforcement. Read More & Share

18August
2017

Building police legitimacy through measuring and managing performance

By Chief Cameron S. McLay (ret.)

These are tough times for those of us in policing…

The crisis of confidence and legitimacy that characterizes post-Ferguson policing illustrates a vital lesson for local governments and their police.  We, the police, must hold ourselves accountable for the outcomes of our policing services. We must measure our work and our outcomes based on a broader number of measures than simply measuring crime rates, and must continually reexamine our efforts in response to feedback and performance short-falls.

As with education and health care, policing would be well served by becoming more outcome-based. If the purpose for police interventions is to reduce crime, fear and disorder, to create safe communities suitable for normal civic life to occur, the question “Are we being successful in achieving these outcomes” must be part of the calculus. In other words, each police agency must operate as an open system, using feedback as a learning loop for constant performance improvement — becoming more responsive to to public needs and mindful of the impact of our efforts. Read More & Share

14August
2017

How do police use VR? Very well

By Deputy Chief Eddie L. Reyes (ret.)
Police Foundation Senior Law Enforcement Project Manager

In the very beginning the law-enforcement arena had a difficult time establishing an effective training program. If you can’t simulate a hot situation, you have to train with real weapons that are made safe, the law enforcement officer doesn’t really feel that the training is real and you have to bring in lots of role players sometimes, often members of the community.

That’s where we were in the 1980s, early ‘90s — using real people. But it wasn’t the real effect. Then in the mid-‘90s some new training came into play that used video scenarios on a big screen and you would have to interact with it (MILO | FATS). These systems were very expensive costing as much as $100,000 and often the scenarios were not very interactive with the law enforcement officer being trained, because the people in the video didn’t respond appropriately to the commands that were being given out

Virtual reality isn’t new.  The gaming industry has been using it for years.  With the advent of virtual reality goggles, virtual reality training has taken off in military and law enforcement training. Now you’ve got this virtual reality training, and with a smaller investment than the traditional training systems — a pair of goggles and some basic acoustics– the training incident becomes very realistic. It’s so realistic you honestly get scared about the situation you’re in because everything around you is blocked out and you really feel as if you are in the scenario. Read More & Share

4August
2017

Documentary helps manage aftermath of shootings

By Patrick W. Shaver
Director, Officer Involved

My wife looked at me funny when I told her that I thought we could make a movie. I was a police officer in a big city and she was a nurse, but neither of us were filmmakers.

What she said next I’ve rebroadcast when we’ve shown our film across the country: “It’s probably not the most expensive idea you’ve ever had.”

I had watched one friend go through an officer-involved shooting and then had another friend ask me about shooting the tires off a car instead of having to shoot the driver. “Let me find a documentary and we’ll watch it together,” I told him. My intention was to find something on film that showed the reality of what officers experienced in the line of duty, offering to translate what I had seen in one friend to the next. Read More & Share

21July
2017

Give me a cup of coffee and a conversation over a new-fangled piece of fancy new equipment any day

By Dean M. Esserman
Police Foundation Senior Counselor

I keep reading about how drones, artificial intelligence and facial-recognition technologies are going to take our industry of policing to an entirely new level.

Technology will improve safety, they say. Cops will make quicker arrests, they argue. The world will be a better place for all, they assure.

That’s all well and swell, but from my perspective, the future of policing remains firmly in the able and quite human hands of the men and women in law enforcement who spend every day of their lives protecting their communities.

Want to know why I believe this? What better example of policing can take place than what happened this week? Across the country, officers celebrated National Coffee with a Cop Day on Wednesday by having a cup of joe with community members.

Read More & Share

14July
2017

Cyber threats against police

By Valarie Findlay
Research Fellow, Police Foundation

Law enforcement organizations, unlike any other, occupy a unique position in the consequences of cyber threats – often the forefront of investigative, interdiction or enforcement capacity, it’s becoming more common that they are the target.

From the operational experience, law enforcement comes into contact with various cyber technologies used for malicious and illegal means by relatively unsophisticated criminals to organized crime and terrorist groups. As part of facilitating other crimes or as a crime unto themselves, they run the gamut of theft of funds and data from individuals and large corporations, funds laundering and transfer illegal goods and services, and fundraising for other illegal  activities.

When turned on the organization, the impact can be catastrophic to public safety, privacy, integrity of evidence and the judicial process. As seen in recent years, several US law enforcement organizations and agencies have targeted by socio-political groups, as well as ransomware. Although most scenarios so far have spanned theft and destruction of information and data, the disruption of systems, including communications, and modification of evidence data can’t be ruled out as future targets.

In short, for law enforcement cyber threats are truly ‘glocal’; manifesting locally but originating or impacting globally. Whether viewed from the perspective of protecting organizational assets or investigating cyber crime, today’s cyber threats have become more asymmetric, surreptitious and persistent, and require countermeasures or means of interdiction that are very much the same. The axioms of cyber security present a challenge; remaining largely unchanged for decades, they undermine the robust technological capabilities seen in the new threat landscape.

Even old-school concepts, such as ‘shared responsibility’ between stakeholders or enforcement through pseudo-regulatory measures, have been outpaced by the speed of technology and are utterly ineffective against these threats. Although, security controls and risk management remain important as preventative measures in cyber security, we need to start looking across the many domains – policy, resource, intelligence, physical levels, etc. –  to physically and conceptually harden assets, securitize our systems and resources, and to share intelligence.

While the ‘white-hat’ technologists (the good guys) have made advancements in preventing and detecting cyber threats, it’s become clear that as long as there are assets deemed valuable by malicious actors, there will be threats and risks.

“They Weaponized Pikachu!”

It’s true. They did. Although the Pokemon malware was a low-level of technological sophistication that extracted credit card numbers and recorded data from unsuspecting Pokemon-Goers (and silently installed more viruses), the malware fed the coffers of who knows who.

Often paired with ransomware or crypto-viruses, the weaponization of technology remains one of the most serious advancements in recent decades and is a reflection of the sophistication of threats and their ability to leverage the various security domains: the more domains that are accessed to breach sensitive information, the more difficult to counter and respond to the threat.

In the “Art of War”, Sun Tzu said, “… if you know your enemies and know yourself, you can win a hundred battles without a single loss.” While lofty, it holds substantial truth. Knowledge is everything. And proficiency with various weapons doesn’t hurt either.

Sharing Worst Practices

Intelligence and attribution die a fast death when isolated or kept in a jurisdictional vacuum. Imagine if, in law enforcement, we refused to share lessons learned or intelligence with other levels of policing and the impact this would have on maintaining law and order and facilitating justice. In cyber security practices of many organizations, this has been the accepted but flawed logic.

Slowly changing, in 2014 we saw important lessons come out of the SONY Hack: never underestimate the attractiveness or leverage (blackmail) of an asset by malicious actors, one layer of anti-‘anything’ safeguards is not enough, security strategies and frameworks are exclusive not a ‘copy-paste-replace’ exercise, and that most security risk and responsibility cannot be avoided or transferred. The SONY Hack also underscored the importance of post-attack information sharing by exploited organizations to develop true threat intelligence, identify actors and improve practices.

Also recently, we’ve seen evidence of information sharing in the post-attack (response and recover) of WannaCry and then in the Massive Coordinated Cyber Invasion that shut-down key targets across the Ukraine: both seriously up-ending normal operational states. What was important with the Ukraine malware logic was how advance and surgically precise it was: it intercepted passwords, captured privileges, deleted logs, destroyed data and exercised exceptions through hash logic, leaving some assets intact. But even simple attacks, like email floods and denial of service attacks, have brought systems, cities and countries to a screeching halt.

Intelligence sharing in the above attacks, played a key part in slowing distribution of the malware across geographic expanses and shutting down of command and control. However, sharing the conditions that contribute to vulnerabilities to help mitigate threats in the prevention phase is entirely different; it’s a controversial proposition, making organizations nervous. But if all cyber exploits were treated as fundamental national security concerns, rather than individual breaches that affect single organizations or sectors, intelligence sharing would quickly be a mandatory strategic response. One that would drastically shorten the threat lifecycle.

Single Point of (Domain) Failure

Single domain vulnerability or failure is when only the most obvious domains are secured, such as an organization’s network or connected devices, and software updates, patch management, employee screening or access policies allowing unauthorized, uncredentialed access to sensitive assets, are weak or non-existent. Maintenance breaks down, security posture collapses and vulnerabilities creep in.

Several years ago, this wasn’t an issue as exploits occurred mainly through network vulnerabilities, but today threats are designed to capitalize and exploit multiple domains, finding many avenues of opportunity for information gathering and asset exploitation. A cross-domain, multi-layered approach balances the risk-stress over several domains to close gaps and to act as a fail-back. Anything less amounts to leaving the lights on and doors open for the malicious actors.

A crucial step in moving beyond ‘technology as a solution’ is the development and implementation of an effective, well-implemented, cross-domain cyber security framework, as well as instituting supportive processes and accurately identifying organizational assets and their value to threat actors. If the problem is anchored in exploiting multiple domains, the solution must address the vulnerabilities of all domains.

Although cross-domain (or multiple domain) and multi-layered security approaches will increase initial resource costs, the downstream benefits will make up for the upfront costs. Also, higher degrees of compartmentalization and isolation will improve countermeasure selection and increase ease of maintenance and agility of the environment. These some examples of domain categories that would be applied to assets through a framework and eventual security assessment:

  • Corporate security policies and procedures – documentation that makes the organization and its resources act and behave in a certain way;
  • Physical security – traditional hard-wall, room and building security;
  • Resource security – your people, their screening and their access to things;  
  • Device security – techy stuff;
  • Network security – more techy stuff;
  • Network and Application Development (as in OSI layers) security – really techy stuff;
  • … and more depending on the organization  

All Will Fail If You Don’t Think Like The Criminals

Now you’re ready to revitalize your cyber security framework and maybe your cyber or e-crime programs, right? Well, before all of this frame-working and planning starts, consider the three concepts below to create a shift in mindset.

  1. Think and plan like the ‘bad guys’ — Face it, the ‘bad guys’ are winning, mostly because it’s their full-time job and it’s lucrative. With technology outpacing our efforts to implement countermeasures, cyber security approaches must mirror the approaches of the actors behind cyber threats; they must be cross-domain, target and asset-focused and differentiated by committed, skilled resources. This becomes even more important where electronic assets – such as telemetry, biometrics and evidentiary records – require a higher level of integrity due to its applied value.
  2. Targets are as important as assets No one puts a lock on a door to prevent the theft of the door. Often we forget to securitize targets along with assets. Not unlike a property crime, there is the thing you want to get and the things you have to break to get it. Targets are the things that need to be broken, such as laptops, devices and databases that store information assets, device firmware that stores configuration values, electronically-locked rooms that store documentation, controlled substances ammunition, evidence, etc. or network connections that transmit asset data. Assets are the Holy Grail for your threat actors and vary in criticality, classification, integrity and availability.
  3. Threat actors are less important than threat scenarios — As much as profiling a threat actor is important to downstream intelligence, in the earlier stages of prevention and detection the focus needs to be on actual threat scenarios: theft, modification, destruction, disruption and, in some instances, planning and executing (surveillance, etc.). This considers the possibility and probability of damages should the asset be breached and forces the valuation of the asset from the perspective of the malicious actor.

Lastly, There Is No End Game

Not unlike countering any other criminal activities, communication and collaboration remain effective methods to help ‘close command and control’ of an active threat. Mastering a dialogue and means to share preventative information will make cyber security a part of the daily conversation of law enforcement organizations and their partners.

For now, behind every malicious threat is a human, so cementing a proven cyber security framework will be easier under current conditions than when the Internet of Things, machine-to-machine learning and custom cipher technology bear down on our systems. Right now, the focus needs to be on agile, continuous improvement, instead of a non-existent end game.

 

Valarie Findlay is an IACP and CACP eCrimes Committee member and research fellow for the Police Foundation, with two decades of expertise in cyber security and technology initiatives. She holds a master’s degree in terrorism studies from the University of St. Andrew’s. She also writes often for various security and law enforcement magazines on the organizational aspects of law enforcement and their impact on society, and on strategic initiatives in cyber security.

7July
2017

How do cops feel about the American flag?

By Craig W. Floyd
President of the National Law Enforcement Officer Memorial Fund

There is no question that the American flag is intrinsically linked to the men and women who make up the various police forces sprinkled across the United States.

Seems only natural, right? Well, consider this. The United States does not have a national police force, which was intentional because the Founding Fathers made sure that our national government did not control a law enforcement agency that had such widespread power. The Founding Fathers wanted to be sure that police officers would enforce local- and state-enacted laws.

And yet, right there on the shoulder or chest of so many officers, are patches or decals of Old Glory. Some departments do issue medals that end up on an officer’s uniform, but those instances are pretty rare, and often are only worn in official settings, not while out working the streets. Read More & Share

30June
2017

Social media has become a critical part of law enforcement

By Kaitlyn Perez
Sarasota County (Fla.) Sheriff’s Office Community Affairs Director

More than ever these days, people want transparency out of their policing agencies.

Here at the Sarasota County Sheriff’s Office, we have found that being active on social media by showing the good – and the bad – is a great place to start.

That means showcasing the outstanding work that our deputies do on a daily basis. Just recently, we posted a YouTube video and Facebook photos of a deputy helping to corral an alligator found in a citizen’s swimming pool. The video went viral and recently passed 1.3 million views.  Read More & Share

23June
2017

The barbershop: where real conversations take place

By Chief Mark Holtzman
Greenville (NC) Police Department

What police department in America is not looking for a way to bridge the gap between the police and the community we serve?  Skipping right to the issue at hand, the trust and relationships between our police and the African American community is an equation we [Chiefs and Commanders] are trying to solve.

Like most, after doing a thorough review of our current community-policing outreach initiatives, we recognized that something was still missing.  We still weren’t bridging the gap.

But could the Barbershop really be the answer?   Read More & Share

16June
2017

As mass casualty attacks proliferate, new model to prevent them emerges

Professor John D. Cohen
Rutgers University

On June 14 a lone gunman open fired on a group of Congressmen practicing for an upcoming softball game, wounding six, one critically.

The shooter was stopped when two Capitol Hill Police Officers engaged the gunman, killing him.

That same day, a disgruntled employee open fired on co-workers at a San Francisco UPS facility killing three and wounding two other people.

As a nation we are experiencing a significant increase in mass casualty attacks by individuals using guns, knives, motor vehicles and even bombs.

Some of these attackers have self-connected to a terrorist or other ideological cause while others are motivated by some other perceived grievance.

Extensive research and analysis have revealed that many of these attackers share common behavioral and psychological characteristics, and this is important because understanding the dynamics of this offender population allows us to develop strategies to prevent these attacks in the future. Read More & Share