Electronic Crime Needs Assessment for State and Local Law ...

U.S. Department of Justice

Office of Justice Programs

National Institute of Justice

National Institute of JusticeR e s e a r c h R e p o r t

Electronic Crime NeedsAssessment for State and LocalLaw Enforcement

U.S. Department of JusticeOffice of Justice Programs810 Seventh Street N.W.Washington, DC 20531

Office of Justice Programs National Institute of JusticeWorld Wide Web Site World Wide Web Site http://www.ojp.usdoj.gov http://www.ojp.usdoj.gov/nij

Electronic Crime Needs Assessment for State and Local Law Enforcement

Hollis StambaughDavid S. Beaupre

David J. IcoveRichard Baker

Wayne CassadayWayne P. Williams

March 2001NCJ 186276

The National Institute of Justice is a component of the Office of Justice Programs, which also includes theBureau of Justice Assistance, the Bureau of Justice Statistics, the Office of Juvenile Justice and DelinquencyPrevention, and the Office for Victims of Crime.

This program was supported under award number 98–DT–R–076 to the Tennessee Valley Authority by theNational Institute of Justice, Office of Justice Programs, U.S. Department of Justice. Findings and conclu-sions of the research reported here are those of the authors and do not necessarily reflect the official posi-tion or policies of the U.S. Department of Justice.

Project Management Team

National Institute of JusticeSaralyn Borrowman

Amon Young

TriData CorporationHollis StambaughTeresa Copping

U.S. Department of JusticeWayne P. Williams (retired)

U.S. Department of StateDavid S. Beaupre

U.S. Navy Space and Naval Warfare Systems Center, Charleston, Security DepartmentWayne CassadayRichard Baker

U.S. Tennessee Valley Authority PoliceDavid J. Icove

Preface

Just as the Industrial Revolution brought unprece-dented opportunity two centuries ago, so too hasthe Information Age. But the astronomical rate atwhich global technology has grown has openednew windows of opportunity for crime as well aseconomic progress. In 1996, the U.S. Departmentof Justice said:

Whether [technology] benefits us or injuresus depends almost entirely on the fingers onthe keyboard. So while the Information Ageholds great promise, it falls, in part, upon lawenforcement to ensure that users of networksdo not become victims of New Age crime.1

The rapid proliferation of computer systems,telecommunications networks, and other relatedtechnologies that we rely on daily has created com-plex and far-reaching interdependencies as well asconcomitant, widespread vulnerabilities.

Media reports of cyberthreats, whether perpetratedby hobbyist hackers, international terrorist organi-zations, or trusted employees, are increasing.According to a report released in 1998 by theCenter for Strategic and International Studies:

Almost all Fortune 500 corporations havebeen penetrated electronically by cybercrimi-nals. The FBI estimates that electroniccrimes are running at least $10 billion a year.But only 17 percent of the companies victim-ized report these intrusions to law enforce-ment agencies.2

In addition, a recent U.S. General AccountingOffice report on computer threats cites:

[T]he number of reported incidents handledby Carnegie-Mellon University’s CERT[Computer Emergency Response Team]Coordination Center [a federally funded

iii

response team] has increased from 1,334 in1993 to 4,398 during the first two quartersof 1999.3

Attacks against computer systems or networks arenot new. One of the first highly publicized nationalelectronic crime incidents occurred in November1988. Then 23-year-old student Robert Morrislaunched a virus on the Internet. The “MorrisWorm,” as it later became known, caused parts ofthe Internet to collapse and drastically hamperedelectronic communications. Eventually, it infectedmore than 6,000 computers of the roughly 60,000systems linked to the Internet at the time. Manycorporations and government sites disconnectedthemselves from the Internet as news of the inci-dent spread. Costs to repair the infected systemswere estimated to be approximately $100 million.The temporary loss of confidence in the Internetextracted a cost that reached far beyond the directmonetary losses. Morris was sentenced to 3 years’probation and a $10,000 fine, a relatively light sen-tence compared with the penalties that would applytoday.

In a current case, the Federal Bureau of Investigation(FBI) is investigating a gang that refers to itself as“Global Hell.” The group is accused of hacking intothe Web sites of the White House, the FBI, the U.S.Army, and the U.S. Department of the Interior,among others. At least two gang members have beenconvicted as a result of a nationwide law enforce-ment investigation targeting more than a dozen sus-pects. Thus far it appears as though Global Hell ismore concerned with gaining notoriety for defacingprominent Web sites than with destroying or captur-ing sensitive information. Even so, Federal lawenforcement officials had to spend hundreds of hourstracking down members of this gang. Investigatingelectronic crime is time consuming and costly—aproblem most State and local investigators andcomputer forensic specialists are confronting. Any

iv

potential for growth in electronic crime raises seriousconcerns about the capability of law enforcementresources to keep pace.

In another high-profile case that attracted nation-wide attention, State and local law enforcement offi-cers conducted an intense investigation and searchfor a suspect they believed created a malicious virusthat spread worldwide. The search for the perpetra-tor of the “Melissa” virus involved five agenciesand culminated in the arrest of a computer program-mer in New Jersey in April 1999. The suspect facescharges of interruption of public communications,conspiracy, and theft of computer service—chargesthat carry a maximum penalty of 40 years in prisonand a $480,000 fine. In this case, 7 search warrantsand 11 communications data warrants were filed.In addition, the agency in charge of the investiga-tion, the New Jersey State Police High TechnologyCrimes and Investigations Support Unit, coordinat-ed with America Online, Inc., to obtain Internetaccount subscriber information and activity logs.The Melissa virus affected hundreds of thousandsof computers in workplaces across the country. Thetotal cost to repair these systems is estimated to bein the millions of dollars. This case highlights theresponsibilities that State and local authorities havein national electronic crime cases such as these.

These examples give us a glimpse of the potentialwave of electronic and online crime that couldeventually affect most law enforcement agencies.Increasingly, our Nation’s State and local lawenforcement officers will be called on to detectinformation technology crime, analyze electronicevidence, and identify offenders. Most electroniccrimes, such as the Morris Worm or those carriedout by Global Hell, are not national security threatsbut wreak havoc nonetheless. Citizens are fleecedof millions of dollars, businesses suffer losses fromonline fraud, drug dealers and organized crime elements employ advanced encryption technology toevade law enforcement, pedophiles use the anonymi-ty of cyberspace to stalk and molest children,

businesses increasingly are engaging in economicespionage, and cyberterrorists exploit vulnerabilitiesin our Nation’s critical infrastructures.

The 1997 report of the President’s Commission onCritical Infrastructure Protection sums up theurgency of the situation:

We are convinced that our vulnerabilities areincreasing steadily, that the means to exploitthose weaknesses are readily available andthat the costs associated with an effectiveattack continue to drop. What is more, theinvestments required to improve the situa-tion—now still relatively modest—will rise if we procrastinate.4

As State and local law enforcement increasingly arerelied on to protect us against these crimes, theyneed to be aware of what threats currently exist and,more important, be capable of handling present andemerging threats as they continue to arise.

Notes1. White House, International Crime Control Strategy,Washington, DC: The White House, 1998: 68.

2. Center for Strategic and International Studies,Global Organized Crime Project, Cybercrime . . .Cyberterrorism . . . Cyberwarfare . . . Averting anElectronic Waterloo, Washington, DC: Center forStrategic and International Studies, 1998.

3. U.S. General Accounting Office, CriticalInfrastructure Protection: Comprehensive Strategy Can Draw on Year 2000 Experience, doc. no.GAO/AIMD–00–1, Washington, DC: U.S. GeneralAccounting Office, 1999: 8.

4. President’s Commission on Critical InfrastructureProtection, Critical Foundations: Protecting America’sInfrastructures, Washington, DC: President’sCommission on Critical Infrastructure Protection,1997: x.

v

Acknowledgments

The authors of this report extend their sincerestappreciation to the State and local representativeswho took part in this study as well as to theiragencies for allowing them to be a part of thisimportant research project. Their contributionsform the basis for this report, and we are gratefulfor their willingness to share their experiences andexpertise in the field. We also acknowledge thevaluable assistance provided by the four regionalcenters and the Border Research and TechnologyCenter of the National Institute of Justice’s (NIJ’s)National Law Enforcement and CorrectionsTechnology Center (NLECTC) system. The centersrecommended law enforcement participants, sched-uled visits, and served as hosts for the workshops.Special appreciation is extended to the followingindividuals:

NLECTC–Northeast (Northeastern Region), Rome,New York: John Ritz, Center Director; FredDemma, Operations/Technical Assistance; andRobert DeCarlo, Jr., Operations/Technical Assistance.

NLECTC–Southeast (Southeastern Region), NorthCharleston, South Carolina: Tommy Sexton, CenterDirector; William Nettles, Deputy Director; WilliamDeck, Law Enforcement Technologies; and HowardAlston, Research and Development.

NLECTC–Rocky Mountain (Rocky MountainRegion), Denver, Colorado: James Keller, CenterDirector; Karen Duffala, Director, OutreachPrograms; and Courtney Klug, Assistant to theDirector.

NLECTC–West (Western Region), El Segundo,California: Robert Pentz, Center Director; andDonald Buchwald, Computer Forensic Analyst.

Border Research and Technology Center, SanDiego, California: Chris Aldridge, Center Director;and John Bott, Technical Director.

The authors recognize the Bureau of JusticeAssistance and the National White Collar CrimeCenter (NW3C). In its capacity as the operationscenter for the National Cybercrime TrainingPartnership, NW3C spearheaded and funded acybercrime training survey for State and local lawenforcement agencies in 1997. That undertakinglaid the foundation for and helped to shape theNIJ-sponsored assessment. Special appreciation isextended to the following individuals: Richard H.Ward III, Deputy Director, Bureau of JusticeAssistance, U.S. Department of Justice; and RichardJohnston, Director, National White Collar CrimeCenter.

The authors also recognize the contributions made tothis needs assessment effort by an advisory panel thatwas convened at the beginning of the project to assistwith the formulation of the protocol. Members of the panel from NLECTC were Donald Buchwald,NLECTC–West; William Deck, NLECTC–Southeast;Fred Demma, NLECTC–Northeast, and KarenDuffala, NLECTC–Rocky Mountain. Other membersincluded Dean Chatfield, NW3C; Barry Leese,Maryland State Police; Steve Ronco, Hi-Tech CrimesUnit, San Jose Police Department; Daniel Ryan,Science Applications International Corporation; GailThackeray, Maricopa County, Arizona, Attorney’sOffice; and Dick Johnston, NW3C.

vii

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v

Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Study Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Organization of the Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Research Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Validity, Reliability, and Expertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Selection Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Facilitators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Structuring the Interviews and Group Discussions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11State and Local Perspectives on Electronic Crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Profile of Types of Electronic Crimes and Investigation Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17System Vulnerability, Critical Infrastructure, and Cyberterrorism . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Forensic Evidence Collection and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Legal Issues and Prosecution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Commentary and the Critical Ten . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31The Critical Ten . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Appendixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Appendix A: Participating State and Local Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Appendix B: Glossary of Terms and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Appendix C: Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

viii

Exhibits

Exhibit 1. The NLECTC System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5

Exhibit 2. Number of Participants, by NLECTC Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7

Exhibit 3. Profile of Participants, by Title . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

Exhibit 4. Investigative Priority of Electronic Crime Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

Exhibit 5. Percentage of Participants Involved in Task Forces, by Region . . . . . . . . . . . . . . . . . . . . . .12

Exhibit 6. Most Frequent Electronic Crime Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Exhibit 7. Most Frequent Electronic Crime Offenders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

Exhibit 8. Capability of Investigators to Handle Encrypted Evidence . . . . . . . . . . . . . . . . . . . . . . . . .19

Exhibit 9. Extent to Which Personal Equipment Must Be Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

Exhibit 10. Is Internal Tampering a Concern? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

Exhibit 11. Capability of Laboratories to Decipher Encrypted Evidence . . . . . . . . . . . . . . . . . . . . . . .24

Exhibit 12. Are Laws Keeping Pace With Electronic Crimes? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26

Exhibit 13. Training Received, by Topic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28

ix

Executive Summary

Not long ago, the incidence of crimes that involvedcomputers or electronic media was negligible.Currently, State and local law enforcement agenciesroutinely encounter evidence of electronic crimes,including online fraud, child pornography, embez-zlement, economic espionage, and cyberstalking.Law enforcement also encounters crimes classifiedas cyberterrorism. These incidents have includedattempts to penetrate electronic systems that controlcritical infrastructures. The task of investigating andprosecuting electronic crimes and cyberterrorism iscomplicated by the anonymity afforded perpetratorsthrough the Internet, by a “borderless” environment,and by the variables in State and foreign laws.

To address this growing problem, the NationalInstitute of Justice (NIJ), in conjunction with theNational Cybercrime Training Partnership—a high-technology training consortium led by the ComputerCrime and Intellectual Property Section of the U.S.Department of Justice—initiated a national study infall 1998 to assess the needs of State and local lawenforcement agencies to combat electronic crimeand cyberterrorism. Another objective of the studywas to develop a better understanding of the variousaspects of electronic crime, such as the most preva-lent targets, offenders, and motives behind this typeof crime.

NIJ established a project management team to over-see all aspects of the study. The team tasked thefour regional facilities and the Border Researchand Technology Center of NIJ’s National LawEnforcement and Corrections Technology Center(NLECTC) system to identify leading law enforce-ment representatives in the electronic crime field.Ultimately, 126 individuals representing 114 agen-cies participated in the study. Collectively, they rep-resented a variety of urban and rural jurisdictionsand a diverse selection of agencies that includedState police, city police, State bureaus of investiga-tion, sheriff’s departments, crime laboratories, andregulatory offices. The participants were asked to

consider six specific topic areas in providing theirinput about what is needed to combat electroniccrime:

● State and local perspectives on electronic crime.

● Profile of types of electronic crimes and investi-gation needs.

● System vulnerability, critical infrastructure, andcyberterrorism.

● Forensic evidence collection and analysis.

● Legal issues and prosecution.

● Training.

The project team analyzed the participants’ inputand documented the findings in a draft report. Theproject team assembled a group of subject matterexperts in the field of electronic crime to review and comment on the draft.

The Critical TenToday’s technological advancements occur withsuch frequency that keeping up to date on the latestelectronic-based systems and their associated tech-nologies (the new “weapons” of criminals) poses adaunting task for State and local law enforcementagencies with limited resources and personnel.Criminals operating in cyberspace continuouslyemploy new techniques and methods, thereby mak-ing it more difficult for law enforcement to keeppace. Notwithstanding state-of-the-art changes, thecritical State and local law enforcement needs men-tioned in this report are not likely to change in thenear future. Although the participants identifiedmore than 100 needs and issues that require atten-tion to keep pace with the rapid escalation of com-puter crime, the most frequently voiced concernsare grouped into the “Critical Ten” in this report(chapter 4). A brief synopsis of the Critical Tenneeds identified by the study’s participants follows.

x

Critical need 1: Public awareness

A solid information and awareness program is needed to educate the general public, elected andappointed officials, and the private sector about theincidence and impact of electronic crimes. Mostindividuals are unaware of the extent to which theirlives, financial status, businesses, families, or priva-cy might be affected by electronic crime. Nor arethey aware of how quickly the threat is growing.Unless the public is informed of the increase incrimes committed using the Internet, cybercriminalswill continue to steal people’s money, personal identities, and property.

Critical need 2: Data and reporting

More comprehensive data are needed to understandthe extent and impact of electronic crime. Withoutmore complete data on incidents, offenders, forensicproblems, and case outcomes, it will be difficult totrack regional or national trends in electronic crime.

Critical need 3: Uniform training and certification courses

Law enforcement officers and forensic scientistsneed specific levels of training and certification tocarry out their respective duties when investigatingelectronic crimes, collecting and examining evidence,and providing courtroom testimony. Participantswere adamant that this training should reflect Stateand local priorities. Prosecutors, judges, probationand parole officers, and defense attorneys needbasic training in electronic crime.

Critical need 4: Onsite management assistancefor electronic crime units and task forces

State and local law enforcement agencies needassistance in developing computer investigationunits, creating collaborative computer forensicscapabilities, organizing task forces, and establishingprograms with private industry. Law enforcementpersonnel are seeking assistance about best prac-tices and lessons learned from existing, successfulinvestigation units. Likewise, many of the agenciescalled for a county or regional task force approachto the technically challenging and time-consumingjob of investigating crimes involving electronic evi-dence.

Critical need 5: Updated laws

Effective, uniform laws and regulations that keeppace with electronic crime need to be applied on theFederal and State levels. New technology developedfor legitimate uses quickly can become a tool forthe commission of a crime. As a result, the criminaljustice system needs to stay abreast of state-of-the-art methods used to carry out these new types ofcrimes. Also, the disparity in penal codes amongStates impedes interstate pursuit of offenders,among other complications.

Critical need 6: Cooperation with thehigh-tech industry

Increased cooperation between industry and governmentprovides the best opportunity to control electroniccrime and protect the Nation’s critical infrastructure.Private industry can assist by reporting incidents ofelectronic crime committed against their systems,helping to sponsor training, joining task forces, andsharing equipment for examining electronic evi-dence. Crime solvers need industry’s full supportand cooperation to control electronic crime.

Critical need 7: Special research and publications

Investigators, forensic laboratory specialists, andprosecutors need a comprehensive directory oftraining and other resources to help them combatelectronic crime. State and local law enforcementagencies also are asking for a “Yellow Pages” ofnational and State experts and resources. A “who’swho” of electronic crime investigators, unit man-agers, prosecutors, laboratory technicians, equip-ment manufacturers, expert witnesses, and so forthwould be a well-received guidebook for many prac-titioners who frequently noted the need for informa-tion on how to contact their colleagues in othercommunities.

Critical need 8: Management awareness and support

Many participants and facilitators expressed concernthat senior managers do not fully understand theimpact of electronic crime and the level of expertiseand tools needed to investigate and prepare success-ful cases for prosecution. Of the police chiefs and

xi

managers who are willing to support an investiga-tive capability for electronic crime, they often mustdo so at the expense of other units or assign dualinvestigation responsibilities to personnel.

Critical need 9: Investigative and forensic tools

There is a significant and immediate need for up-to-date technological tools and equipment for Stateand local law enforcement agencies to conduct elec-tronic crime investigations. Most electronic crimecases cannot be thoroughly investigated and devel-oped without the benefit of higher end computertechnology, which is beyond the budgets of manylaw enforcement agencies.

Critical need 10: Structuring a computercrime unit

As communities begin to address electronic crime,they grapple with how best to structure a computer(or electronic) crime unit that will both investigatecrimes involving computers and analyze electronic

evidence. The experts are divided over whether andhow the duties of investigation and forensic analysisshould be divided. State and local law enforcementagencies suggested that new research be conductedto identify the key staffing requirement issues forcomputer crime units.

ConclusionWhether the need is high-end computer forensictraining or onsite task force development assistance,progress needs to be accomplished quickly and in acoordinated manner. The sophistication of technologyused by offenders is increasing at a pace that signif-icantly taxes the resources of the public sector at theState and local levels. This report, which identifiesthe needs of State and local law enforcement agen-cies to combat electronic crime, should serve as animpetus for creating timely initiatives that addressthese needs. Both immediate action and future studyare essential.

1

Introduction

BackgroundOn January 10, 1998, the National CybercrimeTraining Partnership (NCTP), formerly known asthe Infotech Training Working Group, issued a sum-mary report of focus group meetings with 31 chiefsof police held in San Francisco, California, andCharleston, South Carolina.1 The report was pre-pared under the direction of Wayne P. Williams, thenSenior Litigation Counsel for the U.S. Departmentof Justice, Criminal Division, Computer Crime andIntellectual Property Section.

The purpose of the NCTP focus group meetingswas to elicit from participants the status of computer and high-technology crime and identifywhat training and technical assistance would be ofgreatest value to State and local law enforcementagencies. The 31 representatives covered a trainingbase of 84,000 persons. The Bureau of JusticeAssistance, an agency of the U.S. Department ofJustice, sponsored these meetings.

The following key issues were raised during thesessions:

● Awareness of the computer and high-technologycrime problem among managers, the public, andpoliticians is low.

● All participants endorsed the NCTP goals ofcreating and maintaining a knowledge base ofcritical information, supporting research anddevelopment of cybertools for law enforcement,and providing training with “train the trainer”assistance.

● The demand for electronic crime-related trainingexceeds the availability of current courses.

● A strong demand exists for nontraditional trainingmodalities, which include mobile training teams,CD–ROM-based training, and distance learning.

● Due to tight budgets, the demand for cost-effective training has increased.

● Technical assistance is required in establishingcomputer crime units and task forces.

● There is a strong need for interconnectivityamong laboratories to coordinate the analysis ofcomputer evidence.

NCTP continues to play a leadership role in nationalcybercrime training initiatives and works at all lev-els of law enforcement to develop long-range strate-gies, raise public awareness of the problem, andfocus the momentum on numerous efforts.

In an effort to broaden the scope of information onelectronic crime needs, NIJ initiated a wider study,designed to augment the NCTP survey while bothexpanding the number of participants and the topicareas covered. NIJ wanted to hear from a range oflaw enforcement agencies about their experiences todate with electronic crime incidents and how theyare positioned to investigate, handle evidence from,and prosecute this type of crime. NIJ created a man-agement team (see “Project Management Team”) tooversee the project and prepare findings.

Project Management TeamNational Institute of JusticeSaralyn BorrowmanAmon Young

TriData CorporationHollis StambaughTeresa Copping

U.S. Department of JusticeWayne P. Williams (retired)

U.S. Department of StateDavid S. Beaupre

U.S. Navy Space and Naval Warfare SystemsCenter, Charleston, Security DepartmentWayne CassadayRichard Baker

U.S. Tennessee Valley Authority PoliceDavid J. Icove

2

This report presents the information about how thestudy was structured. It also documents what Stateand local law enforcement officials told the teamabout their experiences with electronic crime. Finally,the report comments on the implications of theresearch results and offers suggestions for futureendeavors.

Study ChallengesThe two early challenges for the research were howto define electronic crime and how to present cyber-terrorism in the context of State and local experience.There was consensus among the project team mem-bers that the issue of systems vulnerability, from thestandpoint of critical infrastructure protection, wouldbe included under cyberterrorism. Even thoughFederal law enforcement agencies have the leadingrole in a cyberterrorist incident, State and local lawenforcement agencies will need to be increasinglyvigilant and prepared to handle critical infrastructureprotection issues because they are the first responders.

The complexities involved in tracking a potentialcyberterrorist incident, discovering the point ofentry, and resolving cross-jurisdictional issues makeit difficult for many State and local law enforcementagencies to identify when a cyberterrorist incidenthas taken place. In most cases, it is not immediatelyclear whether an intrusion is being perpetrated by alocal recreational hacker impressing a friend withhis skills, a cyberterrorist trying to disrupt theNation’s air traffic control systems, or a foreignintelligence service accessing sensitive classifiedgovernment information. These scenarios can hap-pen, and law enforcement will have to be preparedto deal with them when they occur.

To ensure continuity throughout the assessment, defi-nitions of electronic crime were developed to providea baseline for the research. They also provided a pointof reference throughout the workshops. Becausecrimes committed against and with computers andinformation systems can be defined and categorizedin many ways, there currently exists no universallyaccepted definitions of electronic crime and cyberter-rorism. The definitions compiled for this study arederived from various sources and reflect widelyaccepted terminology at this time. The managementteam agreed on the following definitions:

● Electronic crime. Crimes including but not lim-ited to fraud, theft, forgery, child pornography orexploitation, stalking, traditional white-collarcrimes, privacy violations, illegal drug transac-tions, espionage, computer intrusions, or anyother offenses that occur in an electronic environ-ment for the express purpose of economic gain or with the intent to destroy or otherwise inflictharm on another person or institution. (This defi-nition was compiled from various sources.)

● Cyberterrorism (or information systems ter-rorism). The premeditated, politically motivatedattack against information systems, computerprograms, and data to deny service or acquireinformation with the intent to disrupt the politi-cal, social, or physical infrastructure of a target,resulting in violence against the public. Theattacks are perpetrated by subnational groups orclandestine agents who use information warfaretactics to achieve the traditional terrorist goalsand objectives of engendering public fear anddisorientation through disruption of services andrandom or massive destruction of life or property.2

Organization of the ReportThis report contains four major chapters: This chap-ter places into context the format and purpose ofthe report. Chapter 2 summarizes the methodologyemployed by the management team for the study.Chapter 3 outlines the study’s findings by the sixsubject areas along with an analysis of the results.Chapter 4 comments on the top 10 needs identifiedthrough the study and what the data may indicateare gaps in State and local resources; suggestionsare presented as to how those needs could be met.After a series of reviews by the management team,the facilitators, and the subject matter experts who reviewed the draft, several recurring themesemerged. Those themes form the basis for thereport’s conclusions. The report includes threeappendixes—a list of the participants by State, aglossary of terms and acronyms, and contact infor-mation for each of the report contributors.

The State and local participants were invited toexpress their views openly. A rule of nonattributionwas established and honored because the teamwanted participants to voice their opinions withoutconstraint. Many insightful statements were made

3

during the workshops. These quotes are included inchapter 3 to support the findings; however, they arepresented without reference to the particular speaker.

Notes1. Williams, W.P., T.A. Bresnick, and D.M. Buede,Summary Report of Focus Groups, Washington, DC: U.S.Department of Justice, Criminal Division, Computer

Crime and Intellectual Property Section, NationalCybercrime Training Partnership, 1998.

2. Pollitt, Mark M., 1997, “Cyberterrorism: Fact orFancy?” Proceedings of the 20th National InformationSystems Security Conference, Baltimore.

5

OverviewThis research initiative employed individual sessionsand workshop groups composed of State and locallaw enforcement officers and other criminal justiceofficials who are directly involved in handling elec-tronic crimes. The National Institute of Justice’s(NIJ’s) major instruction to the project team was toensure that the study covered a broad and represen-tative sample of participants, agencies, and geo-graphic regions. This was achieved by selectingparticipants from all 50 States who had experiencein dealing with electronic crimes and who represent-ed a broad base of agencies from urban to morerural jurisdictions.

The four regional facilities and the Border Researchand Technology Center of NIJ’s National LawEnforcement and Corrections Technology Center(NLECTC) system helped identify candidates forinclusion in the study. They also hosted the meet-ings where the research was conducted and identi-fied participants for consideration. The use of thecenters was logical because of their diverse geo-graphic representations for law enforcement, theirdirect relationship with NIJ, and their potential

future roles in the delivery of technical and trainingassistance. Moreover, the centers had been involvedin a previous inventory by NIJ that collected infor-mation on local and State technology needs to com-bat terrorism.1

Exhibit 1 shows the geographic distribution of theNLECTC system.

Validity, Reliability, and ExpertiseThe management team met in fall 1998 to developand implement the new study. The team outlined the tasks necessary to accomplish this work andestablished a project timeline. Early deliberationsrevolved around the means to ensure:

● Validity of the study results.

● Reliability of the data.

● Broad expert input into all phases of the project.

The team implemented several steps to addressvalidity and reliability measures. The team estab-lished criteria to identify State and local lawenforcement representatives with knowledge of and

Research Methodology

Office of Law Enforcement Technology CommercializationWheeling, WV

Office of Law Enforcement StandardsGaithersburg, MD

NLECTC–Southeast Charleston, SC

NLECTC–NortheastRome, NY

Border Research and Technology CenterSan Diego, CA

NLECTC–West El Segundo, CA

NLECTC–Rocky Mountain Denver, CO

NLECTC–NationalRockville, MD

National Center forForensic ScienceOrlando, FL

Exhibit 1. The NLECTC System

6

responsibility for electronic crime investigations andenforcement to be study participants. The criteriawas applied to screen referrals from NIJ’s NationalLaw Enforcement and Technology Center system,management team members, and leads obtainedthrough a literature review.

In addition to assigning specific criteria for State andlocal representatives, the team sought representationfrom all 50 States. The team was careful to accom-modate a reasonable balance among the typesand sizes of jurisdictions represented, although anabsolute representative sample was not attempted.Indeed, there are many more small towns and citiesthan there are metropolitan areas. However, theelectronic crime caseloads of a community with apopulation of 40,000 are generally not sufficient towarrant a special electronic crime unit, and the studyneeded information from law enforcement agencieswith some level of experience in investigating andprosecuting electronic crime. Thus, although smallerjurisdictions are critical to this report, to have hadthem represented proportionate to their numberswould have netted less data about incidents.

The team took additional steps to enhance the relia-bility and validity of study results. For example, aprofile listing the required experience and skills wasused to identify and select the facilitators—thoseindividuals assigned to conduct the workshops. Thefacilitators attended a daylong training session atTriData Corporation in Arlington, Virginia, to pre-pare for the field work. The training was intended tostrengthen interfacilitator reliability and establishuniform procedures for managing the workshops,

documenting the data, defining specific electroniccrime issues, and handling questions uniformly inthe process of collecting information.

The management team also sought the benefit ofmany experts in the field to guide both the designand the implementation of the study. Early in theprocess, the team established a national advisorypanel. The panel and the management team met atTriData to review the project’s goals and debatewhich issues and questions about electronic crimewere most appropriate for the field work with Stateand local law enforcement agency representatives.These deliberations resulted in a study protocol thatbecame the operational blueprint for the workshops.Advisory panel members included representativesfrom the NLECTC system, State and local policeagencies, the National White Collar Crime Center,private industry, and a county attorney’s office.

After the workshops were completed, TriDataprocessed and analyzed the information and wrote a preliminary draft report. From that report, a draftproject report was produced. The team assembleda group of experts on electronic crime to provideadvice and comments (see “Subject Matter Experts”).These subject matter experts met with the manage-ment team in Knoxville to dissect the findings,review the first draft of the report, and offer con-structive criticism.

Selection CriteriaAs previously mentioned, steps were taken to ensurethat selected agencies and their representatives

Subject Matter ExpertsFrank S. Cilluffo Center for Strategic and International Studies, Washington, D.C.

Al Evans Maryland State Police, Columbia, Maryland

James H. Fetzer III U.S. Tennessee Valley Authority Police, Knoxville, Tennessee

Mary R. Holt Alabama Department of Forensic Sciences, Birmingham, Alabama

Stephen D. McFall Federal Bureau of Investigation, Knoxville, Tennessee

Howard Schmidt Microsoft Corporation, Redmond, Washington

Raemarie Schmidt National White Collar Crime Center, Fairmont, West Virginia

William Tafoya Governors State University, University Park, Illinois

David Vanzant FBI Academy, Quantico, Virginia

Wayne P. Williams U.S. Department of Justice, Washington, D.C. (retired)

7

encompassed a range of jurisdiction types (cities,counties, and metropolitan areas) and law enforce-ment functions (investigators, unit commanders,State police, district attorneys, forensics examiners,etc.). All the participants have responsibility forelectronic crime in their respective agencies; mosthave served in the computer crime unit or forensiclaboratory as an investigator or manager.

A total of 126 individuals representing 114 agenciesparticipated in this effort. Exhibit 2 depicts thenumber of participants by NLECTC center location;a complete list of participants, grouped by State, isprovided in appendix A.

Participants also were selected based on their expe-rience, and a mix of investigators, chiefs, captains,sergeants, prosecutors, and others was achieved.Exhibit 3 profiles the participants by title.

FacilitatorsAt the beginning of the project, the managementteam developed a list of qualifications for selecting

the project’s facilitators, including expertise in elec-tronic crime issues and strong interpersonal skills.Facilitators also were required to commit at least 2weeks to the project. Based on the requirements, sev-eral highly qualified candidates were recommendedby members of the advisory panel, NLECTC repre-sentatives, and the management team. The manage-ment team met in Washington, D.C., to discuss thecandidates. After careful consideration, consensuswas reached, and seven facilitators were selectedfrom the pool of candidates. The facilitators, repre-senting various backgrounds in law enforcement,intelligence, and academia, were chosen based ontheir particular professional experience and proventrack record for facilitating meetings and focus groupsessions (see “Facilitators”).

Once selected, the candidates were hired as consult-ants to the project. They were sent backgroundmaterial and a letter informing them of their obliga-tion to attend a daylong training session at TriDataCorporation. A professional facilitator was hired byTriData to conduct the training. The training was

3231

28 28

7

0

5

10

15

20

25

30

35

NLECTC–Rocky Mountain

NLECTC–Northeast NLECTC–Southeast NLECTC–West

Nu

mb

er o

f p

arti

cip

ants

Center

Border Research andTechnology Center

Exhibit 2. Number of Participants, by NLECTC Center

1999; and Northeastern Region, March 23–25,1999). The facilitators were briefed on the projectobjectives, the operative definitions, and the designof the assessment protocol. They were also provid-ed with a common outline to capture informationin the field and were given the opportunity to prac-tice interviewing one another. This allowed themto become familiar with the assessment instrumentand comfortable with the interviewing technique.

Afterward, the facilitators participated in a mockworkshop in which they were subjected to inten-tional disruptions by the trainer that simulatedpotential field scenarios. The trainer gauged theirresponses and provided feedback on how theyshould handle each particular scenario. This por-tion of the training provided the facilitators with“lessons learned” and an opportunity to work withthe assessment instrument in a hands-on, live setting.

At least two facilitators attended each of the foursite visits. One facilitator led the group discussion;the other took detailed notes. In some cases, a thirdfacilitator assisted the notetaker or conducted inter-views. After each session, the facilitators comparednotes to ensure that the information they gatheredwas accurate. When the site visits were complete,the facilitators submitted a summary of their obser-vations and analysis of the information captured inthe field. These summaries assisted in the formula-tion of the report findings and the “Critical Ten”needs outlined in chapter 4. In addition, three facilitators met in Washington, D.C., to debrief the management team on the most salient pointsgathered in the field.

Structuring the Interviews and GroupDiscussions

Literature review

Work on this project began with an extensive litera-ture review. Journal articles, speeches and testimo-ny, seminar reports, and newspaper articles werecollected from Internet searches. Several advisorypanel members recommended books and papers onelectronic crime, cyberterrorism, and informationwarfare to review. Researchers kept abreast of topi-cal seminars and reports from those proceedings aswell. This research guided the development of theassessment instrument. Moreover, the literature

geared toward assuring that the assessment instru-ment—or protocol, which facilitators used to elicitinformation from participants—would be uniformlyadministered during the four site visits (SoutheasternRegion, March 2–4, 1999; Western Region/BorderResearch and Technology Center, March 9–11,1999; Rocky Mountain Region, March 23–25,

8

Investigator15%

Detective21%

Police consultant

1%

Regulatory2%

Other (e.g., technical service coordinator)

3%

Captain3% Chief

4%

Lieutenant7%

Manager/commander

6%

Officer/trooper6%

District attorney 8%

Special agent11%

Sergeant13%

FacilitatorsRoss AshleyISX Corporation

Kathleen BarchOhio Attorney General’s Office

James CannadyGeorgia Institute of Technology

Thomas KennedyCenter for Technology Commercialization

Barry LeeseMaryland State Police

Dan MaresMares and Company, LLC

G. Thomas SteeleMaryland State Police

Exhibit 3. Profile of Participants, by Title

Note: Values are rounded to the nearest number.

9

review provided insight into how the study shoulddefine the role of computers in electronic crime. Forthe purposes of this study, computer-related crimewas defined using three parameters:

● A computer can be used as a weapon—a meansfor perpetrating crimes. Computers can be usedto attack another computer to acquire storedinformation, deny service, or damage a system.Computers can also be used to manufacture cur-rency, certified checks, credit cards, and insur-ance cards and policies. They also can facilitatethe acquisition of new identity information suchas passports or birth certificates. Computers canbe used in support of terrorist trade craft; that is,by using the Internet as a means to disseminateterrorist propaganda, recruit others, or engage infundraising activities. Intelligence gathering oreconomic espionage conducted by foreign intelli-gence services, terrorist organizations, hategroups, and others also is a concern. Thesegroups can probe the Internet for open sourceinformation or employ hacking techniques to gainaccess to sensitive proprietary data from the pri-vate sector or classified government systems.

● A computer as a target involves the computer as the actual object of an offense. Informationcontained on a system can be manipulated,stolen, or compromised for fraudulent and othercriminal purposes. A hacker can gain unautho-rized access and remove, alter, or destroy infor-mation or engage in a denial-of-service attackagainst a system. For example, the target of anattack could be a 911 center or a computer-aideddispatch service in which the system is floodedwith calls, causing it to crash and be renderedinoperable. Infrastructure systems are vulnerableto attack because many rely on public switchtelecommunications and are interdependent. Inmany cases, a single-point failure from an attackresults in more than one system being victimized.

● A computer can be a corollary to an offense as astorage medium—an electronic filing cabinet—ofpotential evidentiary information. Individuals canuse a computer to store tools, information, orfiles. Child pornography, financial ledgers usedby drug dealers, potential terrorist target listsand attack plans, and other illicit activity can bestored on computers, thereby becoming recepta-cles of evidence.

Protocol development

The assessment instrument was developed over aperiod of several months by the project team mem-bers. It was based on the combined institutionalknowledge of law enforcement officers, prosecutors,researchers, and technologists. The advisory panel,which included academia, industry, and FederalGovernment representatives, also contributed. Theprotocol went through numerous critiques and sev-eral reviews before it was used in the field. In addi-tion to the advisory panel members, the protocolwas reviewed by State and local law enforcementrepresentatives knowledgeable in electronic crime tofurther enhance its substance and credibility withinthe State and local law enforcement community.

The protocol ensured that the discussions remainedstructured, in both individual and workshop settings.“Summary of Workshop Protocol Topics” outlinesthe six major topics and their purposes.

Workshop procedures

At the workshops, the facilitators introduced eachsection by clarifying the purpose of the topic. Forexample, the participants were told that the firstsection, State and local perspectives on electroniccrime, was intended to “provide background informa-tion on your understanding, responsibilities, involve-ment, training, and agency experience in dealing withelectronic crime.” The design of each discussionitem within the individual sections ensured that alogical progression of responses took place. Thefacilitators worked in pairs to direct the workshopsand individually for the one-on-one meetings.

Two types of sessions were held; the same issueswere discussed in both formats:

● Individual meetings, lasting approximately 11/2 hours.

● Workshops generally involving three to six participants from different agencies, lastingapproximately 3 hours.

Management of field work

Performance in the field was closely managed.One or more members of the management teamwas present to help conduct the workshops and

10

assist the facilitators. As questions concerning theproject arose, team members provided insight intothe rationale behind the questions under discussionand guided the workshops accordingly. In addition,a representative from each NLECTC facility alsowas available to handle other situations (e.g., logis-tics, setting up conference facilities). This allowed amember of the management team to closely monitoroperations, provide constant feedback at each site,

introduce the purpose and background of the projectat the beginning of each session, and ensure conti-nuity throughout the workshops.

Note1. National Institute of Justice, Inventory of State andLocal Law Enforcement Technology Needs to CombatTerrorism, Research in Brief, Washington, DC: U.S.Department of Justice, National Institute of Justice,January 1999, NCJ 173384.

Summary of Workshop Protocol TopicsState and local perspectives on electronic crime:Obtain background information on the understand-ing, responsibilities, involvement, training, andagency experience in dealing with electronic crime.

Profile of types of electronic crimes and investiga-tion needs: Document agency readiness to respondto these events and to obtain feedback on whatobstacles might hinder these investigations.

System vulnerability, critical infrastructure, andcyberterrorism: Determine the vulnerabilities oflocal public safety agencies’ systems and the inci-dence of attacks against critical infrastructures.

Forensic evidence collection and analysis:Determine agency preparedness for identificationand proper collection of forensic evidence.

Legal issues and prosecution: Assess agencyawareness concerning legal issues surroundingelectronic crime as well as what resources areneeded to handle electronic crime cases in court.

Training: Review the availability of electroniccrime-related training and specify the unmet training needs.

44

33

23

0

5

10

15

20

25

30

35

40

45

50

Low priority Medium priority High priority

Priority level

Per

cen

t

11

Findings

State and Local Perspectives onElectronic CrimeThe researchers sought information from participantsabout their experiences with electronic crime cases aswell as their individual responsibilities, training, andlevel of management support in handling computercrimes. Discussions focused on trends in electroniccrime caseloads, awareness and support from uppermanagement, and the priority level given to investi-gating and prosecuting electronic crime cases. A keydiscussion point in this section concerns profiling themost common targets and offenders.

Trends in caseload and priority status

More than 80 percent of the participants noted ameasurable increase in computer and electroniccrimes reported to and investigated by their agen-cies—in particular, traditional crimes such as fraudand theft committed using computers and unlawfulactivity committed via the Internet. The increasein reporting, they commented, is due to increasedawareness of computer-related crime and a higherincidence of these crimes. A small minority of Stateand local representatives stated there was no change,and a few did not know. According to the 1999Computer Security Institute/Federal Bureau ofInvestigation (CSI/FBI) survey of 521 security pro-fessionals in U.S. corporations, government agen-cies, financial institutions, and universities, thenumber of people reporting electronic crime to lawenforcement has dramatically increased. Thirty-twopercent of the CSI/FBI survey respondents reportedelectronic crimes to law enforcement, an increaseover the prior 3 years in which only 17 percentreported these crimes to law enforcement.1 Althoughthis increase is significant, corporations and citizensare generally reluctant to report these crimes to lawenforcement for a variety of reasons.

“There has been a definite noticeable shift in thepriority of [electronic] crime. It is far more mediasensitive than ever.”

The investigative priority for electronic crimes maynot be keeping pace with the growth in caseload,according to the assessment results. Ninety-five outof 123 participants who responded (77 percent) tothe survey discussed in this Research Report saidelectronic crime cases are assigned a low to mediumpriority within their agency. The one exception tothis rule is with cases related to child pornographyand child exploitation, which often are given highpriority. The low priority given to cases overall canbe explained, at least in part, by the problems asso-ciated with accurately depicting the crime (seeexhibit 4).

“They [management] are very aware that they areunaware. They know the problem [electroniccrime] exists but don’t know what to do about it.”

“Child pornography cases get a high priority, eventhough generally all electronic crime gets a medi-um to low priority in the agency.”

Exhibit 4. Investigative Priority of ElectronicCrime Cases

Note: 124 of 126 participants responded.

12

“This field needs to be validated to the same levelas homicide.”

Electronic crime units

Half of the agencies involved in the study (62 of124) have a formal electronic crime unit within theagency. The unit is responsible for all special elec-tronic crime investigations. In some communities,the “unit” consists of only one investigator. In oth-ers, several investigators work electronic crimecases and evidence and prepare the cases for prose-cution. Most jurisdictions without this type of unitbelieve it would be important to establish one in thenear future.

“We need to build a team that handles forensicevidence.”

“Electronic crime is handled as part of the specificcrime of which it is a part, e.g., fraud unit, viceunit, narcotics unit. The command officer in eachof these handles the electronic crime component.We need a unit dedicated to computer crime.”

“We don’t let a drug crime unit break down ahomicide site, why will we let them break down acomputer crime scene?”

Interagency electronic crime task forces

Only about one-third of the study participants report-ed that their agency is a member of a Federal, State,or local interagency electronic crime task force. Forpurposes of this study, the concept of a task force wasdefined in broad terms to include formal operationaltask forces in which two or more law enforcementagencies participate in a regional, State, or Federaltask force configuration. Policy and advisory taskforces were not included. Only those that included alaw enforcement entity were considered, and bothforensic and investigative task forces were covered.

“Regional task forces are the way to go. You haveto bring in experts and have them help out thesmaller jurisdictions.”

“You’re not going to make the average policedepartment capable of dealing with a cybercrime;it’s something that’s so technical and so fluid that

only regional or Federal task forces will be able todeal with electronic crime on an effective level.”

The study data show there is a significant regionaldifference in task force involvement. Electronic crimetask forces are far more common in the Western region(see exhibit 1, chapter 2) than in any other part of thecountry. More than half of the task forces identifiedthrough the assessment are located in Arizona, Cali-fornia, Nevada, Oregon, Texas, and Washington. Onepossible explanation for this high representation oftask forces is that many Silicon Valley companieshave a strong, vested interest in enhancing State andlocal investigations and forensic capabilities. Cooper-ation between the private and public sectors was morefrequently cited by participants from this geographicarea as well. Exhibit 5 shows the breakdown of taskforce participation by region.

Reporting electronic crime

The vast majority of respondents expressed con-cern about the underreporting of computer crimes,notably in the private sector. Although caseloads are increasing in all parts of the country, computercrime investigators believe that is only the tip of theiceberg. A common complaint is that there is a largenumber of unreported cases occurring in the private

West Northeast Rocky Mountain

Southeast

Per

cen

t

Region

67

29

21

11

0

10

20

30

40

50

60

70

Exhibit 5. Percentage of Participants Involved inTask Forces, by Region

13

sector, especially the major information technologyand banking industries. Indeed, although few private-sector cases are reported, the 1999 CSI/FBI surveyrevealed that 62 percent of respondents experiencedcomputer security breaches.2

“Underreporting of these types of crimes is a seri-ous problem, one that makes it almost impossibleto validate this crime as a major problem.”

Prosecution

When electronic crimes are reported to law enforce-ment agencies, the cases tend to be accepted foradjudication. Like other types of cases, an electron-ic crime case must meet basic criteria governing thealleged offender, the evidence chain of custody, andthe quality of the investigation. For cases that do notgo forward, the participants enumerated the reasonswhy. For example, 21 of the respondents said someof their cases get stalled because there is insufficientevidence to prove the crime was committed or theguilty party was responsible. Others (34) identifiedone or more of the following problems:

● Insufficient prosecutor knowledge and experience.

● Electronic crime cases not a priority.

● Lack of judicial interest in electronic crime cases.

● Lack of responding officer training.

● Lack of cooperation in extradition requests.

Many opinions were expressed about the status ofelectronic crime within the criminal justice system.A representative from the Southeast had encoun-tered the attitude, “There are so many other cases todeal with that are more important.” Several of theparticipants who met with project facilitators duringthe Western Region sessions commented about thelack of forensic expertise and expert witnesses, howagencies are overwhelmed by research requirementsand the lack of data mining, and how pursuing elec-tronic crime cases is costly. Concern also wasexpressed about incidents in which untrained offi-cers inadvertently had tampered with the evidence.

The Rocky Mountain Region’s series of meetingsalso drew several comments. Participants noted thatpoor computer crime laws stipulate that computercrimes can be processed only as a parallel crime toa charge that carries a greater penalty. According to

several individuals, the necessary manpower andresources are not available to prosecute electroniccrimes. “Prosecutors like traditional crimes, not datatrails,” mentioned another official.

During the Northeastern Region workshops, someprosecution roadblocks that were mentionedincluded:

● The complainant (victim) does not want to prosecute.

● The amount of time to prepare a case is too great.

● There is a lack of resources to track offenders.

● Cooperation among law enforcement, districtattorneys, and judges is poor.

Targets of electronic crime

There were excellent discussions at all the sites con-cerning the most frequent targets of electronic crime.The participants were asked to prioritize their choicesin terms of the three most frequent targets. In manyinstances, a particular target is the “victim”—the ulti-mate goal of the offender. However, several layers of“targets” between the first and the last entry and exitpoints are used as launch pads and intermediaries toattack yet a different target. The interdependency ofmost systems is linked directly to the complexities inclassifying victims of electronic attack.

A hypothetical example to illustrate this point is atelecommunications system that is attacked in Florida.A hacker or cyberterrorist breaks into and steals astudent’s account at the University of California anduses that account to conduct the hack into the tele-communications system in Florida. The hacker,however, is located in Sweden. Although the tele-communications system is the intended victim, thestudent’s computer in California was exploited andused as a launch pad to mask the intrusion in Florida,making it harder for authorities to trace where theattack originated.

For this assessment, participants were asked tostate the most frequent targets from their experi-ences in dealing with electronic crimes, regardlessof launch pad or exit and entry scenarios. Overall,participants ranked businesses, individuals, andfinancial institutions as the first, second, and thirdmost frequent targets, respectively. Exhibit 6 depictsthe overall results.

14

Electronic crime offenders

In addition to determining the most frequent targets,the researchers also were interested in determining,from State and local perspectives, who are the mostfrequent offenders with respect to electronic crime.Describing these offenders also posed a challenge.Exhibit 7 summarizes the information about whomState and local participants, based on their experi-ences, indicated are most frequently responsible forelectronic crime.

Overall, sex crime offenders—those involved inexploiting children and distributing child pornogra-phy through the Internet—were cited most frequent-ly (103 of the individuals prioritized it among thetop three). A distant second were employees orinsiders and criminal offenders. They received 69and 67 “votes,” respectively, for the top three choic-es. Hackers, mentioned 50 times, ranked fourth.

Two anomalies emerged from the groups’ responsesto the question of electronic crime offenders. Indi-viduals meeting in the Western Region selectedcriminal offenders twice as often as Rocky MountainRegion and Northeastern Region officials and sixtimes more frequently than the representativesmeeting in the Southeastern Region. The explana-tion for this is uncertain. Conversely, southern juris-dictions appear to experience more problems withdrug dealers pursuing their crime through electronicmeans than in any other region, but they have farfewer problems with criminal offenders.

One of the researchers’ goals for this section was toascertain the characteristics of the typical electronicoffender. From discussions with State and local lawenforcement officials and prosecutors, it is evidentthat there is no common description that can beapplied to these offenders. There are different typesof electronic crime offenders: employees, sex crimi-nals, drug dealers, and common criminals. The onecharacteristic they have in common is that they usenew electronic means to facilitate traditional crimes,such as theft, child pornography, and fraud. Severalrespondents suggested that the Federal Governmentmay eventually need to profile electronic criminalsin much the same way as the FBI currently does forserial killers and rapists.

This assessment was not intended to be an indepth,incident-based study of offenders who use comput-ers to commit crimes; however, it allowed theresearchers to derive a view of the socioeconomiccharacteristics of these criminals. In broad terms,electronic crime offenders tend to be males, rangingin age from the mid-teens to upper 50s, high schoolto college educated, middle to upper middle class,technically oriented, and skilled with a computer.This description does not vary significantly fromregion to region. Variances to the general descriptionare apparent, however, when respondents describehackers and criminal offenders. For example, hackerstend to be younger males and usually more skilledwith a computer than the other types of offenders.Criminal offenders can be either male or female.

The following subsections summarize the character-istics of the top five types of electronic crimeoffenders, followed by a paragraph describing theremaining types, as defined by the participants.

Sex crime offenders. Of all the descriptions, theone for sex crime offenders drew the greatest con-sensus among the project participants. All the respon-dents described sex crime offenders as males. Theage span is large: from 16 to 57, with the majorityusually in their mid- to upper 30s and 40s. Sex

Financial institution 16%

School13%

Government8%

Medical facility3%

Other2%

Armed forces1%

Business29%

Individual28%

Exhibit 6. Most Frequent Electronic Crime Targets

Note: Participant mentions totaled 360. Participants were asked to listtheir top three choices.

15

offenders operating through the Internet generallyhave at least a high school education; the majorityreceived their college degrees. They tend to havemoderate to high technical ability; have few, if any,prior arrests; and generally come from a middle-class background. Some are single while others aremarried; some have children. Many offenders fre-quently interact with young people or volunteer withlocal organizations and church groups.

Sex crime offenders also typically are described asloners or social outcasts who combine good organi-zational skills and recordkeeping abilities withmeticulous and methodical attention to their crimi-nality—specifically their efforts to lure children forsex—to lessen their chances of being targeted by theauthorities. They also possess high-end computerequipment with large amounts of memory space tostore thousands of pictures of high-quality resolu-tion. They often employ sophisticated encryptiontechnology, enabling them to secretly communicatewith others involved with the child pornographyunderworld. In addition, more than any other offense,the computer and its associated technologies haveenabled this crime to spread. The safe haven of the Internet and the privacy safeguards of societyembolden these criminals. The anonymity that is

afforded sex criminals has opened doors to manypeople who otherwise would have hesitated to per-petrate such activity.

Employees or insiders. As with the sex crimeoffender description, there are no discernibleregional differences with the employee or insiderdescription. Of all the types, however, this is themost complex—employees or insiders who commitelectronic crimes are of both genders, range in agefrom 20 to 45, come from all social and economicbackgrounds, and are of all marital statuses (single,married, or divorced).

According to the participants, the typical employeeor insider is in his or her mid-30s and harbors sig-nificant resentment toward his or her employer fora variety of reasons. The main motives are revengeand greed. These offenders are usually trustedemployees who have easy access to the company’scomputer systems. Some have prior convictions,but for the most part they are first-time offenders.They have good computer skills, knowledge of thesecurity features within the company, and an abili-ty to mask their intrusions. Some of these offend-ers manipulate company information or attemptto destroy the information outright to harm thecompany’s ability to conduct business.

The employees usually are longer term workers,work extra hours, and feel the company does notappreciate them or owes them something. Others,unlike their disgruntled counterparts, simply wantmore money than they are being paid, so theymanipulate the company’s payroll system out ofgreed. Some employees also engage in cargo theftof software, computers, or other electronic equip-ment from the company for monetary gain. Stateand local law enforcement officials cited numerouscases documenting the abovementioned examples.

Criminal offenders. The standard criminal offend-er, like that of the employee or insider, is of bothgenders. The age range generally is from the early20s to the mid-40s, and their economic status andincome tend to be low to middle class. Most crimi-nal offenders are described as possessing average toadvanced equipment and computer skills. The com-mon underlying theme among all of them is theirmotive—greed. More often than not, criminaloffenders have high rates of recidivism with prior

Stalker4%

Other5%

Organized criminal or unit

4%

Cyberterrorist1%

Internet gang1%

Sex crime offender 28%

Employee/insider 19%Criminal offender

18%

Hacker14%

Drug dealer 6%

Exhibit 7. Most Frequent Electronic Crime Offenders

Note: Participant mentions totaled 360. Participants were asked to listtheir top three choices.

16

convictions in forgery rings, credit card fraud, andstolen check-cashing schemes. These criminals usecomputers and other electronic means to enhancetheir ability to conduct these fraudulent activitiesand facilitate their operations.

Hackers. Of the five offenders described by therespondents, hackers comprise the youngest group.They tend to fall between the ages of 15 and 25 andalmost always are males. They usually are intelli-gent and are social outcasts or loners—not unlikesex crime offenders. There was a consensus amongthe participants that hackers are the most technicallysuperior of the offenders and usually are the mostchallenging for law enforcement to track. Theirsuperior skills in masking their activities, not tomention the highly sophisticated equipment theyuse, present obstacles for all but the most well-equipped and -trained computer forensic units.

Many hackers have had previous problems in schoolor lack positive outlets for their talents. Many arecollege students who engage in such activity torelieve boredom or impress their friends, not neces-sarily to damage the computer or institution thatthey attack. Others are highly skilled criminals whouse their expertise to unlawfully gain access to aninstitution’s computer systems to maliciously wreakhavoc or otherwise disrupt the flow of information.Their actions ultimately cause financial loss dueto the cost of repairing damaged systems and theamount of time required to fix computers and otherequipment that is rendered inoperable.

Drug dealers. Drug dealers are normally malesin their early 20s to mid-30s who supplement theirlow- to mid-range incomes through criminal activi-ty. The advent of new technology affords drugdealers more effective means with which to storetheir information as well as to conceal their commu-nications by encrypting electronic messages andtelephone conversations. They are not necessarilytechnically skilled; rather, they hire people to keeptrack of their transactions and handle the sophisti-cated communications equipment. They make useof high-end laptops, cellular phones, and otherequipment that is easy to conceal and transport fromone drug deal to the next.

Stalkers, organized criminals or units, cyberter-rorists, and Internet gangs. The final categorycombines five types of electronic crime offendersthat are not frequently encountered by State andlocal law enforcement. The information obtainedfrom the field is inadequate to describe each offend-er in detail. Generally speaking, some organizedcrime elements employ sophisticated and advancedtechniques as part of their modus operandi, such asencryption and hacking. They use these methods toconceal their activities, evade law enforcement,gather intelligence on others, or commit other crimesthat support their illegal activities. Cyberstalkersalso use advanced computers and equipment,enhancing their ability to mask their threatening,harassing, or criminal communications over theInternet. Internet gangs, including some hategroups, vary so significantly that a description ofthem would be almost impossible. Finally, cyberter-rorists are rarely encountered by State and local lawenforcement.

Support for electronic crime investigations

One of the most frequently heard complaints at theworkshops pertained to awareness and support fromupper level managers and policymakers. Althoughnot the case universally, individuals holding uppermanagement positions generally are older and usu-ally have worked with computers at a basic level.Many of the respondents believed this in partexplains why many senior officials do not fullyappreciate the seriousness of the rapidly growingproblem of electronic crime or what law enforce-ment needs to keep pace with these criminals. Of122 responses, 84 indicated that managers are eitherunaware or only somewhat aware of computercrime issues.

“Managers are at the embryonic stage of under-standing the importance of [electronic crime]because so many other crimes take precedence.This is viewed as victimless. You cannot take a picture of it or get your arms around it.”

“The city councils are not aware—they could careless about [this type] of crime.”

“In my case they [management] are very aware,but they can’t necessarily do much about it

17

because it’s a resource issue. There isn’t enoughfunding and manpower to address the problem.”

“Management awareness of electronic crime? . . .Can you say ‘ostrich’?”

The first quote points to a real problem that elec-tronic crime investigators confront. Working at the grassroots level, they have a good idea of theextent to which electronic intrusions and the crimi-nal use of computers is occurring and how difficultit is to conduct forensic examinations and track theperpetrators. How does one sufficiently communi-cate that to others without concrete numbers tovalidate the problem? Statistics on drug crimes and homicides, for example, are not hard to find,and those data are routinely used to enhance lawenforcement’s capacity to counter those crimes.But there is currently no standard in place to sys-tematically collect information about crimes com-mitted against electronic systems or facilitated bythese systems.

Significant underreporting of computer crimes

Most participants in the study believe that the vastmajority of computer-related crimes are not report-ed to authorities as a criminal matter. For example,companies may choose to write off a loss, handle it internally, or pursue the case as a civil matter,according to the view of many participants. Sincebudgetmakers and policymakers rely heavily onnumbers and on the priorities voiced by voters, thedearth of hard data and general awareness hurtsmost efforts to build stronger State and local crime control measures against electronic crime.Anecdotal information often is the only availableevidence that can be used to capture management’sattention. Many of those who participated in theassessment noted that if the actual losses and impactof computer-related crime could be studied and doc-umented, the public and, by extension, public offi-cials would begin to understand how serious thiscomponent of crime has become.

Profile of Types of Electronic Crimesand Investigation NeedsIt is important to have case procedures in place todetect, investigate, and prosecute electronic crimes.In this section of the assessment, the researchers

asked State and local law enforcement officials andprosecutors to describe how they investigate crimesin which computers are involved. The researchersalso wanted to know what tools and resources arebeing used and which ones are needed but currentlyunavailable either because of a lack of funds orbecause the agency has placed a low priority onpurchasing the required tools.

Although all law enforcement agencies follow normal search-and-seizure protocols for evidencehandling and investigations, many (though not amajority) rely on standard evidence collection pro-cedures rather than on procedures uniquely tailoredto electronic evidence. Because uniform electroniccrime guidelines do not exist (as with NIJ’s DeathInvestigation: A Guide for the Scene Investigator3),many agencies have adopted Federal guidelines.

Tools to detect and identify intrusion crimes

A large majority (75 percent) of the agenciesinvolved in the assessment do not possess the neces-sary equipment or tools to effectively detect andidentify computer or electronic intrusion crimes.There was a regional variance in this response. Ofthe 34 participants who answered this question inthe Western Region, 15 claimed they are adequatelyequipped to detect and identify computer or elec-tronic intrusion crimes. At each of the other threesites, few representatives believed they had suffi-cient resources. When queried about what tools theyneeded most, the answers covered everything fromtraining to both basic and advanced tools (see“Commonly Identified Needs”).

Profile of electronic crime

A major part of the effort in this section centeredaround which electronic crimes the agencies findmost prevalent in their jurisdictions as well as whichones are the most challenging for their agencies tohandle. To facilitate discussion, the types of crimeswere grouped according to five categories:

● Harmful content crimes—crimes that includechild pornography and child exploitation, stalk-ing, harassment, threatening communications,proliferation of bomb-making information, andso forth.

18

● Fraudulent activity—crimes that cover telemar-keting fraud, Internet fraud (e.g., online shoppingschemes), electronic funds transfer fraud, elec-tronic commerce fraud, and theft of identity.

● Technology- or instrumentality-basedcrimes—crimes, not including fraud, that employadvanced technology such as encryption to cloakcriminal activities, organized crime, drug traffick-ing, economic or industrial espionage, and thelike.

● Hacking—crimes that include malicious disrup-tion of electronic systems or recreational thrillseekers.

● National security threats4—crimes that are pri-marily electronic attacks against critical infra-structures or are classified as cyberterrorism.

Harmful content crimes, particularly child pornog-raphy cases, ranked as the most prevalent. Agencyrepresentatives from all the regions spoke at lengthabout the high incidence of this type of electroniccrime. A close second was fraudulent activity, whichis aided by the speed and connectivity of electronicsystems. Those crimes classified as technology- orinstrumentality-based ranked third, followed byhacking and national security threats. The last cate-gory understandably is not commonly encountered,nor is it the type of electronic-related crime thatmany non-Federal agencies would be expected tohandle. It was included in this assessment in theevent that a community may have been exposed tosome form of cyberterrorism, particularly in termsof infrastructure attack.

There is a direct, inverse relationship between therank order of the most prevalent and the most challenging electronic crimes. Most agency repre-sentatives believed that a threat to national securityperpetrated electronically would be the most diffi-cult to handle. Speaking from a base of experienceon the remaining four categories, participants rankedhacking as a substantial challenge and noted thatmost hackers are extremely computer literate andcompetent. Close behind hacking was technology- or instrumentality-based crime, which frequentlyinvolves encryption technology and savvy criminalsoperating at the higher end of computer systems.Fraud committed through computers is not easy tosolve, but it is less difficult than the higher rankedcategories. Finally, while having the highest inci-dence among the categories of electronic crime,harmful content crimes were judged to be the leastchallenging to solve. Investigation experience isgreater with this type of crime, and such experienceis being shared among computer crime investiga-tors. “Comparison of Electronic Crimes” presentsthe most prevalent and most challenging crimes.

Resources

Whether law enforcement agencies are pursuing a computer hacker or a child molester operatingthrough the Internet, by and large they are poorlyequipped and do not have adequate resources. Ofthe assessment participants, 112 told facilitatorsthey need more training, 121 need an adequatenumber of personnel, and 130 need equipment—their top three priorities. Another finding is that97 respondents evaluated their in-house ability toeffectively deal with encrypted data as either “low”or “doesn’t exist.” This included basic and high-enddecryption capabilities. The latter is rarely availableat State and local levels. Basic decryption capabilitiesare primarily stymied because many jurisdictionsdo not have the funds to purchase the necessarysoftware.

Forty-four of the representatives “frequently” or“always” use their own equipment to supplementthat supplied by their agency. Budget constraintsand lack of management awareness are the primaryhindrances to acquiring more resources, accordingto participants.

Commonly Identified Needs● Encryption-breaking technology

● Recovery equipment

● Forensic laboratory

● Courses on hacking

● Contacts for assistance

● Software to collect input and output data

● Office space

● Network intrusion detectors

19

“We have been waiting for money for a new photocopy machine for 3 months.”

“It’s hard to sell the boss on resources neededbecause it’s hard to justify without data.”

“Support from the community is lacking.”

“There is no champion for this area of crime.”

“There is way too much red tape within theagency.”

“The political climate is not supportive.”

“Management does not want to commit people full time to computer crimes.”

“Our funding comes from forfeitures in othercrimes—there needs to be direct funding for electronic crime units.”

Exhibits 8 and 9, respectively, highlight the agen-cies’ ability to handle encryption and the extent towhich participants use their personal equipment toinvestigate electronic crime.

System Vulnerability, CriticalInfrastructure, and CyberterrorismIn May 1998, President Clinton signed PresidentialDecision Directive 63 (PDD 63),5 which called for astrategic plan to defend the Nation against cyberat-tacks. PDD 63 builds on the recommendations ofthe President’s Commission on Critical InfrastructureProtection (PCCIP), chaired by Robert T. Marsh,which issued its report in October 1997.6 PDD 63 isthe culmination of an intense interagency effort toevaluate the recommendations from the Commissionand produce a workable and innovative frameworkfor critical infrastructure protection. The directive

calls for an investment of $1.46 billion in fiscalyear 2000 to defend the Nation’s critical infrastruc-tures. Critical infrastructures include power genera-tion systems, banking and financial institutions,transportation networks, emergency services, andtelecommunications. The directive also sets a goalof a reliable, interconnected, and secure informa-tion system infrastructure by 2003.

This section of the assessment was concerned withthree areas. First, the researchers wanted to deter-mine if any of the agencies represented had beenvictims of an electronic attack and, if so, whatactions had been taken to prevent future attacks.Second, the researchers wanted to ascertain whether

Comparison of Electronic CrimesMost Prevalent Crimes Most Challenging Crimes● Harmful content crimes ● National security threats● Fraudulent activity ● Hacking● Technology- or instrumentality-based crimes ● Technology- or instrumentality-based crimes● Hacking ● Fraudulent activity● National security threats ● Harmful content crimes

Per

cen

t

Doesn’t exist

Low Medium High Don’t know

Capability

22

58

11

4 5

0

10

20

30

40

50

60

Exhibit 8. Capability of Investigators to HandleEncrypted Evidence


20

answering specific questions about access controland redundant systems because again the responsi-bility for systems security falls to the informationtechnology (IT) department. Even within thesame jurisdiction, agencies with related missionsare not always communicating as well as theymight. As one agency representative from theRocky Mountain Region site noted, “No informa-tion is transferred or exchanged between us andthe IT department.”

System vulnerability

The widespread use of computers and the Internethas created the possibility for an individual to causedrastic harm to public health and safety by damag-ing or shutting down computers. Thirty-four partici-pants stated that their computer systems had beenaccessed without authorization. Half of them werefrom the agencies that met in the Western Region.By comparison, only five participants from theNortheastern Region, six from the SoutheasternRegion, and seven from the Rocky Mountain

electronic attacks had occurred at any of the criticalinfrastructures and if the agency participants wereaware of any response plans established with thecritical infrastructure providers in their jurisdictions.Finally, the researchers were interested in deter-mining how the participants perceived the level ofinteragency cooperation and intelligence sharingconcerning potential cyberterrorist incidents.

This section was difficult to address in the field. Assuggested earlier, most State and local law enforce-ment agencies do not have extensive experience indealing with cyberterrorism or issues pertaining tocritical infrastructure protection. Because a clear,delineated Federal response plan for cyberterrorismdoes not exist, there is a fundamental lack of under-standing at the State and local levels in addressingthis relatively recent threat. The uncertainty expressedby many of the participants when responding toquestions posed during this section highlights thelack of awareness regarding critical infrastructureprotection issues and cyberterrorism at the State andlocal levels. Many of the participants also had trouble

Exhibit 9. Extent to Which Personal Equipment Must Be Used

15

28

19

27

9

2

0

5

10

15

20

25

30

Never Rarely Sometimes Frequently Always Don’t know

Frequency of use

Per

cen

t


21

Region had experienced computer intrusions. Incomparison, 51 participants said they had not expe-rienced a computer intrusion, and 38 participantsindicated they were not sure whether their systemshad been accessed.

Regarding the means used to protect against a net-worked electronic intrusion, participants said theiragencies employ audit trails, sniffers, investigativesoftware, periodic inspections and monitoring,intrusion software, and other tools. Seventy-twopercent of the representatives indicated their securi-ty systems have features that audit access to or dis-seminate sensitive information.

Systems can suffer from both external and internalintrusions. Three-quarters of the participants agreedthat the threat of internal tampering is a concern andtheir agencies have taken actions to prevent this. “Weare much more concerned with internal rather thanexternal tampering of our agency’s systems,” one par-ticipant said. Indeed, at a June 1999 American Societyfor Industrial Security conference in Washington,D.C., Dr. Jerrold Post, a political psychology profes-sor at George Washington University and a terrorismexpert, noted that in industry, insiders continue tobe the biggest threat. According to Dr. Post, the “useof information technology by insiders will increas-ingly become mainstreamed, both operationally andtactically.”7 According to the 1999 CSI/FBI survey,unauthorized access by insiders increased for thethird straight year. In most cases, insiders are trust-ed employees and use that trust to gain access tosystems without being monitored. The CSI/FBI sur-vey revealed that 55 percent of respondents (out of521) reported intrusions by insiders, while only 30percent reported intrusions by perpetrators from theoutside. In addition, 97 percent reported insiderabuse of Internet access privileges.8 These percent-ages seem to substantiate the finding that manyagencies are vulnerable to insider abuse.

A number of individuals deferred to the IT staff foranswers about how they deter internal intrusions.A few believed that no actions have been taken toprevent tampering from within, although it is aconcern of their agencies. Background checks, pass-words, built-in audit trails, new employee orienta-tions, firewalls and protocols, keyword detection,and e-mail monitoring are some of the ways publicsafety agencies are protecting their electronic

systems from harm. One participant said he has“faith in the network people to keep the securitystrong at his agency.” Exhibit 10 shows the percent-age of agencies concerned with internal tamperingof their systems.

According to the participants, it is not commonpractice for their law enforcement agencies to conduct formal periodic risk assessments of vari-ous security functions to deter electronic crimes.However, when risk assessments are carried out on a regular basis, they generally are conducted forphysical security functions and communicationssecurity. Personnel and operations risk assessmentshappen less frequently. About half of the studyparticipants say their agencies have a plan in placein the event their network communications systemsare rendered inoperable, although 22 percent werenot certain.

Critical infrastructure and cyberterrorism

In October 1997, the President’s Commission onCritical Infrastructure Protection noted:

A satchel of dynamite and a truckload of fertilizer and diesel fuel are known terroristtools. Today, the right command sent over a

0

10

20

30

40

50

60

70

80

Yes No Don’t know

Response

Per

cen

t

76

20

4

Exhibit 10. Is Internal Tampering a Concern?


22

network to a power generation station’s con-trol computer could be just as devastating asa backpack full of explosives, and the perpe-trator would be more difficult to identify andapprehend.9

The difficulties encountered by law enforcementin identifying and apprehending perpetrators of acyberterrorist incident pale in comparison to largerobstacles such as multijurisdictional coordinationand cooperation and law enforcement operationsand mindsets that are sometimes steeped in anti-quated procedures.

Law enforcement has become accustomed to dealingwith threats in the physical world, but it will increas-ingly need to cope with emerging threats in thecyberworld. According to terrorism expert Dr. NeilLivingstone in an American Society for IndustrialSecurity speech given in Arlington, Virginia, in June1999, “The Carlos [the Jackal] of the future will besomeone with a laptop.” As one of the participantsin the survey discussed in this Research Reportnoted, “This arena [cyberterrorism] is unexploredat the State and local levels.” The tools and methodsthat have assisted law enforcement in combatingtraditional crime will no longer suffice in the yearsahead. Outdated methods and operations will even-tually need to give way to new ones geared towardcrime in the Information Age. The Commissionreport summarized this need for new thinking whenit stated:

Because it may be impossible to determinethe nature of a threat until after it has materi-alized, infrastructure owners and operators—most of whom are in the private sector—must focus on protecting themselves againstthe tools of disruption, while the governmenthelps by collecting and disseminating the lat-est information about those tools and theiremployment. This cooperation implies amore intimate level of mutual communica-tion, accommodation, and support than hascharacterized public-private sector relationsin the past.10

Indeed, the private sector and government will needto cooperate to defend our critical infrastructuresfrom attacks.

A national protection plan cannot be accomplishedwithout private and public partnerships becausemany of the key targets for cyberattacks—powerand telecommunications grids, financial flows,and transportation systems—are in private hands.Public involvement is not only a role for the FederalGovernment. State and local governments must beinvolved because they own and operate many of thecritical infrastructures and their agencies often arethe first responders to a crisis.

Forty-five of the participants were aware ofinstances in which the computer or electronic sys-tem of a local infrastructure was attacked. Targetshave included the telecommunications system,banks, emergency services, and government ser-vices. Intelligence sharing among law enforcementagencies is important to solving all types of crime.Study participants generally agreed that coopera-tion among law enforcement agencies in terms ofpotential cyberterrorist incidents or those involvingunauthorized access and malicious disruption ofnetwork computer systems is adequate. However,some clearly believe the intelligence-sharing appa-ratus currently in place requires considerableimprovement.

“The Feds should be saying, ‘Let us help you.’There needs to be a partnership between State andlocal law enforcement agencies and the Fedsregarding cyberterrorism.”11

“The more information and intelligence that isgiven to us ahead of time, the more prepared weare to make an effective decision and take appro-priate action.”

“National security threats are not necessarily chal-lenging to handle in terms of technical challenges,but more so because of the jurisdictional problemsthat occur.”

To ensure that all areas potentially related to cyber-terrorism were covered in the assessment, the partici-pants were asked an open question: What other areasrelated to cyberterrorism need to be addressed? Theyoffered excellent suggestions and insights on manyapproaches, but the most frequently mentioned needwas for stronger cooperation with industry to combatcyberterrorism.

23

“Some of the Internet service providers are notalways keeping the necessary records so that lawenforcement can track cyberterrorists.”

“A lot of people don’t realize the significance ofthis [cyberterrorism], especially when dealing withextremist groups.”

Forensic Evidence Collection andAnalysisProperly seizing and processing electronic evidenceis critical to making a good case that prosecutors canaccept for prosecution. The researchers were interest-ed in how State and local law enforcement agenciesare handling electronic evidence, from the crimescene to the laboratory. A majority of the agenciesrepresented follow special procedures for collectingelectronic evidence. As one participant noted, “It’sa crime scene within a crime scene” and, therefore,must be handled as such. For example, electronicevidence needs to be separately maintained in a con-trolled environment and requires unique tools andexpertise to analyze. The Computer Crime andIntellectual Property Section at the U.S. Departmentof Justice identifies four challenges.

Finding evidence in the information ocean.Advances in technology will soon provide allAmericans with access to a powerful, high-capacitynetwork that will transport all their communications(including voice and video), deliver entertainment,allow access to information, and permit storage oflarge quantities of information most anywhere. Insuch an environment, finding important evidencecan be nearly impossible. Separating valuable infor-mation from irrelevant information, for either communications or stored data, requires extraordi-nary technical efforts. Determining the locationwhere evidence is stored is also quite difficult;electronic surveillance is often necessary but ismade difficult by anonymity, the lack of traceability,and encryption.

Anonymity. Computer networks permit persons toeasily maintain anonymity, which prevents account-ability and thus tempts people to commit crimeswho would otherwise not break the law out of fearof being caught. The problem with the Internet isthat everyone knows everyone else’s “name” but notwho they really are. Much like the citizen band

radio craze of the 1980s, most Web surfers have a“handle,” a false name or identity. As a result, thetypes of crimes that are facilitated by anonymity,such as making threats and manipulating stocks, areexpected to increase as more people realize comput-ers allow them anonymity.

Traceability. Related to anonymity, traceabilityrefers to how difficult it is to establish the sourceand destination of communications on computersand communications networks, such as the Internet.Because everything on the Internet is based on com-munications, traceability is essential to determiningidentity in cases arising from it. However, traceabilityis becoming more difficult because of the prolifera-tion and easy availability of multiple communicationsproviders. Communications on the Internet, for exam-ple, can easily pass through 10 different providers(such as America Online and AT&T), each of whichmust provide information (often in real time) totrace a communication.

Encryption. Shortly, the vast majority of data andcommunications will be encrypted. This will assistin protecting data confidentiality of law-abidingpersons, but as criminals also increasingly adoptthis technology, law enforcement will be less able to obtain communications and stored data forinvestigations.

An official at the Western Region meetings remarkedthat a member of his electronic crime unit has to bepresent to collect the evidence. Another representa-tive mentioned that “evidence is treated like evi-dence, but electronic evidence is different becausethey only keep backups, not originals.” RockyMountain Region participants commented that digi-tal evidence differs from other physical evidencebecause it is easily altered or changed and thereforemust be handled more carefully, preferably by aspecially trained person. In general, it was acknowl-edged that every type of evidence has its own set ofprotocols that varies according to the type of evi-dence involved. Many agencies only now are in theprocess of drafting special procedures for electronicevidence handling.

A large majority (73 percent) of the individualsinvolved in the field meetings have received trainingon the collection of electronic evidence. Whenasked whether evidence analysis and reports could

24

be fast tracked on priority cases where an arrest orindictment is imminent, 65 percent said this couldbe done, 25 percent said no, and 10 percent did notknow. Thus, even if the laboratory turnaround timeis generally slow, when needed, the evidence resultscan be provided quickly more often than not.

Field personnel use various types of laboratories toprocess and examine seized computers and digitalevidence recovered at a crime scene, ranging fromlaboratories internal to the agencies to Federal andprivate industry laboratories.

A majority (57 percent) of participants believed thatlaboratories follow a standard operating procedureor protocol particular to the examination of elec-tronic evidence; however, 23 percent said they didnot believe this was true, and 20 percent were notsure. More participants (60 percent) than not com-mented that the laboratories they use do not havesufficient capability to process and analyze thecases submitted to them. Many complained that thelaboratories are understaffed, lack advanced equip-ment for “higher end” analysis, have insufficientspace, need better trained examiners for advancedanalysis, and require more tools for decryption.“We are literally running a shoestring operation,”

admitted one of the Rocky Mountain Region siteparticipants. In the Southeastern Region, one of theofficials present commented on his agency’s ownlimitations, “We don’t have the training to evenknow what to ask for.”

Encrypted evidence poses a special challenge.Sixty-two percent of the respondents told the facili-tators that their ability to work with encrypted evi-dence is weak or nonexistent, and 20 percent wereunsure of their laboratory’s capabilities. Exhibit 11shows how State and local participants evaluatedlaboratory capabilities vis-a-vis encrypted data.

This inability to handle encrypted evidence is espe-cially noteworthy in light of recent studies on the useof encryption for criminal purposes. The 1997 reportby Dorothy E. Denning and William E. Baugh, Jr.,Encryption and Evolving Technologies as Tools ofOrganized Crime and Terrorism, states that the totalnumber of criminal cases involving encryptionworldwide is increasing at an annual growth rate of50 to 100 percent.12 Encryption is an effective tool toprotect privacy when used lawfully. However, it canhinder law enforcement investigations and increasecosts because of the problems associated with crack-ing the encryption.

According to the Denning and Baugh study, encryp-tion also poses challenges in terms of terroristthreats. The study’s central claim is the following:

[T]he impact of encryption on crime and terror-ism is at its early stages. . . . Encryption policymust effectively satisfy a range of interests: infor-mation security, public safety, law and order,national security, the economic competitivenessof industry in a global market, technology leader-ship, and civil liberties.13

Law enforcement will need to increase its encryptedevidence capability if it expects to keep pace withcriminals. The participants discussed what wouldenhance their capabilities in working with electronicevidence. Some of the most widely shared requestsincluded:

● Nationally recognized standards for handling,collecting, and analyzing electronic evidence.

● Portable laboratories.

0

10

20

30

40

50

None Weak Average Highly efficient

Don’t know

Capability

Per

cen

t

48

14 13

6

20

Exhibit 11. Capability of Laboratories toDecipher Encrypted Evidence


25

For example, Missouri could have 20 victims whocomplain to their State attorney general about a“failure to render” Internet scam that took theirmoney, $250 each for a complete personal computersystem, a total loss of $5,000. The Web site theyordered from and sent money to is located in Florida.But the FBI in St. Louis does not want to pursuefraud cases unless they meet the prosecution guide-lines threshold of $25,000. The Missouri attorneygeneral issues a subpoena to the service provider inFlorida for basic account information (i.e., whopays for the Web site). How can this subpoena beenforced? The same question arises if bank recordsin another State are being sought.

Currently there is no formal legal mechanism toallow for the enforcement of State subpoenas inother States. Cooperation can be achieved when oneState attorney general’s office voluntarily assists asister State authority in either serving an out-of-State subpoena or seeking an in-State court order toenforce the out-of-State subpoena. However, thereliability and consistency of this procedure is notuniform, and the ability to secure enforcement of anout-of-State subpoena on a recalcitrant party isquestionable at best.

To enhance the authority of State and local lawenforcement to investigate cybercrimes that are toosmall to justify the investment of Federal resourcesbut nevertheless require interstate process, moreeffective tools are required for enforcing State sub-poenas in other jurisdictions. There are at least twopossible models for creating these tools. One modelis to develop an interstate compact that would estab-lish procedures for signatory States to follow inenforcing out-of-State subpoenas. The Uniform Actto Secure the Attendance of Witnesses from Withouta State in Criminal Proceedings is a comparablelegal regime that has been adopted in the 50 States,the District of Columbia, Puerto Rico, and the VirginIslands (e.g., D.C. Code 1981, §§ 23–1501–1504).

A second model involves a Federal statute empow-ering the Federal courts to issue “full faith andcredit” orders enforcing out-of-State criminal subpoenas. This alternative might avoid the com-plexities of developing and adopting an interstateagreement, but it could possibly raise federalismconcerns. Whichever type of approach is pursued,

● Technical support for investigations, including acentral repository of information for referenceand networking.

● Guidelines on what a laboratory should acquire.

● Nontraditional operating systems training.

● Technical assistance.

● Improved analytical software to speed up theexamination process.

● Joint training for investigators and attorneys.

● Legislative awareness to garner support forfunding laboratories to increase electronic evidence analysis capabilities.

● Training in evidence search and seizure.

● Wireless communication capability.

● Patrol officer training.

● Clearinghouse of electronic crime cases.

● Library of hardware and software.

● Dedicated resources for computer crimes.

Legal Issues and ProsecutionDuring the past decade, the use of computers andthe Internet has grown exponentially, and individu-als have increasingly become dependent on technol-ogy in their daily lives. Yet as computer use hasblossomed, so too have criminals increasinglyexploited computers to commit crimes and to threat-en the safety and security of others. Deterring andpunishing such wrongdoing requires a legal struc-ture that will support detection and successful pros-ecution of offenders. The laws defining computeroffenses and the legal tools needed to properlyinvestigate such crimes have lagged behind techno-logical and social changes.

State and local law enforcement entities will faceever-increasing challenges in investigating and pros-ecuting Internet and other high-tech crimes. This isbecause the Internet and high-tech telecommunica-tions have created an environment in which inter-personal and commercial relationships increasinglywill involve interstate and international transactions,but State and local authorities remain bound bymuch narrower jurisdictional limitations on theirinvestigative authority.

26

action is necessary in this area to ensure that vic-tims of Internet crime have an effective recourse towhich they can turn for protection and enforcement.

In addition, one Federal statute has hindered com-puter crime investigations for most Federal, State,and local investigators. The Privacy Protection Act(PPA) has shielded criminal activities from legitimatelaw enforcement investigations. This unintendedconsequence of PPA has resulted from the exponen-tial growth in computer use during the last decade.With the advent of the Internet and widespreadcomputer use, almost any computer can be used,in effect, to “publish” materials. Thus, althoughCongress intended to limit government searches of places such as newspaper offices when it passedPPA in 1980, currently the act potentially applies to almost every search of any computer. Moreover,because computers now commonly contain enor-mous data storage devices, wrongdoers can usethem to store material for publication—material thatPPA protects—while simultaneously storing childpornography, stolen classified documents, or othercontraband or evidence of crime.

Notwithstanding the best efforts of those involved incrafting the Electronic Communication Privacy Act(ECPA) in 1986, the statute no longer effectively bal-ances the competing interests of telecommunicationsusers, service providers, and the legitimate needs ofgovernment investigators. The problems principallystem from two factors: the explosive growth of theInternet and inconsistencies and gaps in ECPA itself.With the widespread use of computers and theInternet, the proportion of criminal activity occur-ring online or with telecommunications technolo-gies has increased enormously. E-mail, voice mail,user access logs, and remotely stored files play animportant—and in many cases, critical—role ininvestigating and prosecuting crimes ranging fromextortion and murder to large-scale consumer fraud.

This section of the research was designed to de-termine agency awareness about the legal issuesof electronic crime, prosecutor concerns aboutpreparing and presenting this type of case, andresource requirements for courtroom presentations.Indications from the participants show that thegreat majority (73 percent) have someone on staffwho is knowledgeable about the legal issues, proce-dures, and laws affecting electronic crime investiga-

tions and prosecutions. Although most jurisdictionsare operating with a good understanding of the lawsand rules of procedure on electronic crime, themajority (66 percent) find that the laws themselveshave not kept pace with the increasing complexitiesof electronic crime. Exhibit 12 depicts these results.

“I think it is impossible for the laws to keep pace . . . the technology is changing too rapidly.”

The overriding theme throughout the discussionswas that current laws do not encompass the newways that crimes are being committed. Moreover,a wide disparity exists among the States in whatis considered to be an electronic crime. What is afelony in one jurisdiction is a misdemeanor inanother, which complicates extradition requests and cooperation among law enforcement agencies.According to one participant, the lack of commit-ment to sustaining an electronic crime unit is drivensomewhat by the fact that the laws dealing withelectronic crime are not stringent enough. Somepeople within law enforcement, according to thisparticipant, have to deal with the following mindset:“I could put you in tennis shoes, and you could goout and get felony drug arrests. Why should I payfor computers and training to get misdemeanors?”

0

10

20

30

40

50

60

70

Yes No Don’t know

Response

Per

cen

t

21

66

13

Exhibit 12. Are Laws Keeping Pace WithElectronic Crimes?


27

All the groups offered suggestions for how the lawsand legal system could be improved so that crimi-nals can be held more accountable for their actions.The list of ideas covered many issues, such as theneed to change laws to allow for more wiretaps.

“Those drafting the laws should be close to thoseworking the crimes. . . . [T]hey do not understandthe technology they are writing laws about.”

“We still have legislatures dealing with 8-tracktape technology.”

“Computer crimes need to be upgraded from misdemeanors to felonies.”

“The issues surrounding electronic crime are specific and complex, and the laws are too broadto address the issues.”

“The legislative process needs to be speeded up to keep laws in pace with technology changes.”

“We need more laws dealing with the Internet.”

“Penalties need to be harsher.”

“The States should adopt some of the Federal lawsdealing with electronic crime.”

Investigators and prosecutors feel stymied, not onlyby inadequate laws but with the challenges involvedin presenting technical electronic evidence in thecourtroom. Here again, many participants expressedconcern that awareness, training, and resources arelacking on the prosecution side as well as on theinvestigation side. Generally, the participants believethat if a case is too complex, it will not be prosecut-ed. “Prosecutors are not comfortable with the topic”and “Prosecutors have a hard time explaining techni-cal terms to a jury” were commonly voiced opinions.Difficulties in presenting these cases occur not sim-ply because a prosecutor may be unfamiliar withelectronic terminology and systems but because jurymembers may be even less knowledgeable. A seriousconcern is the extent to which evidence can be sim-plified for the purposes of presentation without inad-vertently crossing the line to tampering.

“Presenting technical evidence to a nontechnicalaudience is the biggest problem. It takes too much

time and energy to present the evidence, and wedo not have enough funding to support it.”

Among the attorneys represented in the groups,several called for more sophisticated courtroompresentation equipment. “We have to be proactivein coming up with different models for presentingevidence in the court,” stated one district attorney.Another mentioned that a media presentation unitwithin the agency was needed to handle technicalpresentations. A special course on electronic crimeand case presentation concepts for prosecutors wasa well-received suggestion by prosecutors andinvestigators alike. Vertical prosecution for elec-tronic crime was proposed by one participant, anidea most applicable to larger jurisdictions withsizable caseloads.

Many ideas were circulated about how to further thesuccessful investigation and prosecution of electron-ic crime cases. Participants consistently supportedthe view that the Internet should eventually be regu-lated by Federal laws, particularly sex sites, “other-wise child exploitation crimes will continue to rise.”Echoing that opinion, another participant stated:“Nothing can prevent kids from accessing these[pornographic] sites. Federal law, therefore, mustregulate the Internet, or these problems will contin-ue to get worse.”

In the Southeastern Region, participants called fortechnical assistance and information on case studiesof successfully prosecuted cases and electronic pre-sentations in court, list servs, software libraries, andgeneral resource sharing among electronic crimeinvestigators and prosecutors nationwide. The repre-sentatives meeting in the Western Region concurredwith those ideas and also called for high-qualityexperts who can be called on for assistance andimmediate access to specific case findings forFederal and State case law and discovery findings.Other solutions forwarded from the Western Regionincluded standardizing the training offered in elec-tronic crime, establishing dedicated computer crimeunits, and clearly defining what constitutes a foren-sic expert. Better defense training also was suggest-ed as a way to avoid future appeals for incompetentor ineffective defense.

The meetings in the Northeastern Region drew sug-gestions for prosecutor training, computer forensics

28

laboratories, and better equipment to use in court. Inthe Rocky Mountain Region, a significant emphasiswas placed on increased cooperation and network-ing between organizations and States. Several par-ticipants want to see statewide teams with subjectmatter experts to answer questions and help solvecase problems.

“A rapid procurement policy for electronic crimecase resources [is needed].”

“Undercover capability to conduct proactive,online investigations [is necessary].”

TrainingThe availability of electronic crime training—at alllevels—was a concern heard consistently from par-ticipants throughout the country. In particular, moretraining at both the basic and advanced levels isneeded to ensure that electronic crime cases areadequately identified and brought to trial. A largemajority (75 percent) of the officials who participat-ed have received some electronic crime training.

Deficiencies appear to be for entry-level patrol offi-cers (e.g., preventing inadvertent harm, protectingthe electronic crime scene) and for upper levelcomputer forensics specialists. Awareness trainingfor prosecutors, politicians, and judges ranks highon the needs list as well. Only 37 percent of theagencies represented offer basic computer crimeawareness and evidence collection training to entry-level or front-line personnel. Exhibit 13 showswhether training in electronic crime has beenreceived, and if so, the topics that were covered.

“Basic electronic crime training for all officers is vital.”

“Technical assistance is needed for the front-lineofficers and street cops to deal with electroniccrimes that are occurring more frequently.”

One issue that can seriously affect training is thepotential for turnover within the unit as promotionsoccur. Often, a jurisdiction’s promotion policiesundermine the retention of uniquely trained andexperienced personnel. The loss is felt most keenly

Exhibit 13. Training Received, by Topic

67

57

67

27

55

30

61

29

0

10

20

30

40

50

60

70

Investigation Laboratoryforensics

Search and seizure

Offenderprofiling

Legal Casemanagement

Collecting andstoring evidence

Intrusionssecurity

Topic

Per

cen

t

Note: 75 percent of participants reported receiving electronic crime training.

29

in special operations units in which there has been aheavy investment in training. New personnel mustbe “trained up,” which is time consuming andexpensive. Nearly 80 percent of the participantsindicated that it would not or might not be possibleto advance in their careers while remaining in theelectronic crime field.

“Promotion means I go back to patrolling thestreets.”

“I lost two highly trained people to promotion.Now how do I replace that knowledge base?”

Retaining trained electronic investigators and labo-ratory personnel is a problem at all levels of govern-ment. Expertise is lost, not only to promotions andtransfers but to the private sector, where the appealof higher pay and, often, shorter hours attracts manyspecially qualified personnel.

Respondents identified more than two dozen spon-sors of the training they have received, includingthe Agora Group, American Society for IndustrialSecurity, Association of Certified Fraud Examiners,Computer Analysis Response Team, FBI, FederalComputer Investigation Committee, Federal Emer-gency Management Agency, Forensic Association ofComputer Technologists, High Technology CrimeInvestigation Association, International Associationof Chiefs of Police, International Association ofComputer Investigative Specialists, NationalAssociation of Attorneys General, National WhiteCollar Crime Center, NLECTC–Northeast, andState Departments of Justice.

Many agencies and associations are responding tothe growing need for electronic crime and evidencetraining by offering a plethora of seminars andtraining. A national certification program wouldestablish professional levels of skill and knowledgeand would serve as the basis for future coursedevelopment. State and local practitioners also wantinput into what the electronic crime training coursepriorities should be to ensure their needs are beingfulfilled. (See “Training Topics Suggested byParticipants.”)

The respondents believed that field courses offeredon site will have the highest value to them, followedclosely by courses at in-residence regional training

sites. Even though the quality of in-residence Federalcourses (e.g., at the FBI or the Bureau of Alcohol,Tobacco and Firearms) is ranked high, these coursesare not easily accessible for many jurisdictions noton the East Coast, and they place strict limitations onwho can attend. Airfare costs alone can place thesecourses out of reach. Training provided through satel-lite hookups and on CD-ROM are valuable as a sup-plement to other forms of training, according to theparticipants, and probably the only viable option inmore remote, less populated jurisdictions.

The topic about which there was the most signifi-cant consensus is that the gap in public- and private-sector information and resource sharing is wide.The participants noted that private industry can be a resource, insofar as identifying electronic crimeincidents and having the technology to help inves-tigate them. The vast majority of participantsexpressed concern that electronic crime units andindustry function as completely separate entities,with only occasional overlap, such as in the sam-pling of existing private-public task forces generallyfound in southern California. It is widely held thatbringing in the private sector is vital. Some partici-pants specifically noted how important it is for the

Training Topics Suggested byParticipants● Forensic tools

● Undercover (cyber) investigations training

● Hacks, cracks, and profiling

● Front-line officer training

● Politician and supervisor training

● Intrusions and security training

● Operating systems and network training

● Evidence collection and processing

● Network expertise

● Password and encryption training

● Prosecutor training

● Systems analysis training

● Search-and-seizure training

30

private sector to keep law enforcement in mindwhen developing cybertools.

Several participants offered examples of industry’sefforts to cooperate, including a special resource poolin Austin, Texas. Microsoft, for example, has a 24-hour, 7-day-per-week hotline to respond to all con-cerns about electronic crime relating to its products.

Notes1. Power, Richard, Computer Security Issues & Trends:1999 CSI/FBI Computer Crime and Security Survey 5 (1)(Winter 1999): 1.

2. Ibid., 3.

3. National Medicolegal Review Panel, DeathInvestigation: A Guide for the Scene Investigator,Research Report, Washington, DC: U.S. Departmentof Justice, National Institute of Justice, November1999, NCJ 167568.

4. As mentioned previously, Federal law enforcement hasthe lead role in a cyberterrorist incident or an attack thataffects the Nation’s critical infrastructures. State andlocal law enforcement agencies have minimal experiencewith this type of electronic crime.

5. The Clinton Administration’s Policy on CriticalInfrastructure Protection: Presidential Decision Directive63, White Paper, 1998. Retrieved October 4, 2000, fromthe World Wide Web: http://www.whitehouse.gov/WH/EOP/NSC/html/documents/NSCDoc3.html.

6. President’s Commission on Critical InfrastructureProtection, Critical Foundations: Protecting America’sInfrastructures, Washington, DC: President’s Commis-sion on Critical Infrastructure Protection, 1997.

7. Post, Jerrold, speech given at the American Society forIndustrial Security Conference, Washington, D.C., June1999.

8. Power, Computer Security Issues & Trends, 4.

9. President’s Commission on Critical InfrastructureProtection, Critical Foundations, x.

10. Ibid., x.

11. This is the same recommendation as that from NIJ’searlier assessment of State and local needs to combatterrorism of all types. See National Institute of Justice,Inventory of State and Local Law Enforcement Tech-nology Needs to Combat Terrorism, Research in Brief,Washington, DC: U.S. Department of Justice, NationalInstitute of Justice, January 1999, NCJ 173384.

12. Denning, Dorothy E., and William E. Baugh, Jr.,Encryption and Evolving Technologies as Tools ofOrganized Crime and Terrorism, Washington, DC:National Strategy Information Center, 1997.

13. Ibid.

31

Commentary and the Critical Ten

Electronic crimes and the ability of law enforcementin the United States to detect, investigate, and prose-cute these incidents are areas of increasing concern.It is generally held that the United States is at riskfrom domestic and international threats. State andlocal law enforcement participants who contributedto this assessment provided a firsthand perspectiveof the technology, policies, research, training, anddirect assistance they require to combat electroniccrime. The participants related their experiences withelectronic crime and their concerns for the future. Indoing so, they provided valuable insight and infor-mation about all aspects of the problem.

The Critical TenThe participants mentioned dozens of needs for allaspects of combating electronic crime, which weredocumented, categorized, and evaluated. Ten areasof concern dominated the discussions, and they areidentified as the “Critical Ten” (See “The CriticalTen”).

In addition to the top 10 needs, two overarchingissues emerged from this assessment. Whether theneed is high-end computer forensic training oronsite task force development assistance, progressneeds to be accomplished quickly and in a coordi-nated manner through a centralized gateway. Whythe sense of urgency and the focus on coordination?Simply put, the window of opportunity for lawenforcement to at least keep pace with electroniccrime (let alone get ahead of the problem) is quiteshort. Mostly, this is because the capacity of tech-nology being used in the commission of electroniccrimes is increasing exponentially and at a pace thatsignificantly challenges the resources of criminaljustice agencies. The emphasis on a coordinatedapproach is both practical and logical—there is littletime to accomplish a lot with limited resources.Therefore, time is of the essence in crafting andimplementing solutions.

The most important aspect of these unique chal-lenges is time sensitivity. Unless a national effort islaunched expeditiously, electronic crimes likely willoutpace the resources of most State and local lawenforcement agencies.

To maximize investments in new or expandedtools, training, onsite assistance, and research, theU.S. Department of Justice’s mission to assistcriminal justice agencies in supporting electroniccrime and counterterrorism initiatives should becarried out in full.

The Critical Ten needs are described below; theyare not prioritized.

Critical need 1: Public awareness

A solid information and awareness program isneeded to educate the general public, elected andappointed officials, and the private sector about theincidence and impact of electronic crime.

The Critical Ten1. Public awareness

2. Data and reporting

3. Uniform training and certification courses

4. Onsite management assistance for electroniccrime units and task forces

5. Updated laws

6. Cooperation with the high-tech industry

7. Special research and publications

8. Management awareness and support

9. Investigative and forensic tools

10. Structuring a computer crime unit

32

With many cases undetected or unreported and withthe dearth of hard data on electronic crime trends,most individuals are unaware of the extent to whichtheir lives, financial status, businesses, families,or privacy might be affected by electronic crime.Neither are most people aware of how quickly thethreat is growing. A multifaceted information andawareness campaign is needed to clearly documentand publicize how electronic crimes affect our soci-ety. Unless the public is made aware of the growinguse of technology to commit crimes, cybercriminalswill continue to steal people’s money, personalidentities, and property.

Critical need 2: Data and reporting

More comprehensive data are needed to establish aclearer picture of the extent and impact of electroniccrime and to monitor trends.

In response to the Computer Fraud and Abuse Act,the FBI amended its Uniform Crime Reporting(UCR) Program to address electronic crime. Itplaced a question in the National Incident-BasedReporting System (NIBRS) to document if a crimi-nal offender used a computer in the commission ofa crime. However, additional details about the useof computers in crime are needed to measure fullythe incidence of electronic crime.

Without more data, detailed analysis, or a crime vic-timization study, it is difficult to track regional ornational trends in electronic crime. Hard data areneeded to better understand this era of electroniccrime and to communicate it to budgetmakers andpolicymakers as well as to citizens.

Of interest is the extent to which “traditional”crimes (such as fraud, theft, forgery, and drug traf-ficking) involve the use of a computer. It also iscritical to document “new” crime vis-a-vis electron-ic systems; for example, a cyberattack. Debate isunder way about whether society should considerexpanding the current crime classifications—“crimes against persons” and “crimes against prop-erty”—to include a third, “crimes against suchintangibles as information, data, and communica-tions.” Currently, there is no method to classifythese offenses at the crime index level.

Critical need 3: Uniform training and certification courses

Law enforcement officers and forensic scientistsneed specific levels of training and certification tocorrectly carry out their respective roles when inves-tigating electronic crimes, collecting and examiningevidence, and providing courtroom testimony. Thistraining should reflect State and local priorities.Prosecutors, judges, probation and parole officers,and defense attorneys also need basic training inelectronic crime.

Both entry-level and advanced training are neededfor law enforcement officers and investigators, pros-ecutors and defense attorneys, probation and paroleofficers, and judges. First-line officers who securethe initial crime scene need training on basic foren-sic evidence recognition and collection techniques.National standards should be developed and appliedtoward a certification program that ensures uniformskill levels. Prosecutors and judges require aware-ness training and case histories on electronic crimeincidents.

State and local law enforcement representatives notedrepeatedly that advanced computer and forensics-related classes are difficult to find. Another concernwas that the level of sophistication of the equip-ment, software tools, and training needed farexceeds the budgets of most departments. This isespecially problematic for courses offered out ofState. Attendance is expensive in terms of both per-sonnel time and tuition, travel, and per diem costs.

Within the U.S. Department of Justice, threeresources support State and local law enforcementinformation training requirements. The NationalCybercrime Training Partnership (NCTP)—anorganization chaired by the Computer Crime andIntellectual Property Section of the Department ofJustice and involving partners from Federal, State,and local law enforcement agencies—has respondedby placing the development and delivery of prioritycourses dealing with electronic crime on the fasttrack. The National White Collar Crime Center(NW3C) located in Fairmont, West Virginia, servesas the operations center for NCTP. NW3C providesa full-time staff and consists of highly skilledinstructors, curriculum development specialists, and

33

researchers to support the training needs of Stateand local law enforcement agencies around thecountry. NIJ’s National Law Enforcement andCorrections Technology Center system providesclearinghouses for State and local electronic crimetraining. The centers are located throughout thecountry and are an important focal and outreachmechanism for the delivery of electronic crimetraining.

Another avenue of approach that State and localagencies can consider adopting is the Cyber Corpsconcept. Cyber Corps addresses the shortage ofhighly skilled computer science programmers in theFederal Government by enabling agencies to recruita cadre of experts to respond to attacks on computernetworks. As planned, individuals pursuing a com-puter security education would receive financial aidin return for a commitment to work after graduationfor the U.S. Government.

Critical need 4: Onsite management assistancefor electronic crime units and task forces

State and local law enforcement agencies needimmediate assistance in developing computer inves-tigation units, creating regional computer forensicscapabilities, organizing task forces, and establishingprograms with private industry.

A majority of the agencies represented in this studycalled for a county (or regional) investigative taskforce approach to the technically challenging andtime-consuming job of investigating crimes involv-ing computers. Agencies are seeking hands-onassistance from experts in electronic crime and incriminal task force development to enhance theirability to combat electronic crimes at all levels.Simply stated, investigative task forces are anextremely effective tool in fighting crime, as hasbeen proven with drug and arson task forces.

Direct assistance in forming electronic crime taskforces is urgently needed for several reasons.Specially trained examiners and dedicated, costlyequipment are needed to analyze the evidence con-tained in a computer’s hard drive and recover thedata elements pertinent to a criminal case.Electronic evidence is likely to implicate individualsfrom other, often distant, jurisdictions. Also, for

many prosecutors, presenting high-tech evidence in court is challenging in terms of both ferretingthrough highly technical terms and making it under-standable for the jury.

Combining forces among agencies makes it moreaffordable to acquire the high-tech tools used inanalyzing computer evidence and to coordinatestrategies and procedures to deal with electroniccrime. State and local agencies suggest that throughtask forces, investigators from neighboring jurisdic-tions can pool their knowledge, sponsor training,and collaborate on cases. They can adopt a standardinvestigation protocol and reporting format that inturn would make it easier for prosecutors to evalu-ate the merits of cases. Suggestions on how to begina dialogue with business and industry and to engen-der partnerships with them should be included inany technical assistance provided to criminal justiceagencies. The experience of interagency task forcesthat operate to solve other complex crimes, such asarson, offer strategies that could be applied to elec-tronic crime task forces.

Critical need 5: Updated laws

Effective, uniform laws and regulations that keeppace with electronic crime need to be promulgatedand applied at the Federal and State levels.

The pace of technology is so rapid that legislatorscannot keep abreast of the changes. No sooner is a new technology announced and introduced forlegitimate use then it becomes available for thecommission of a crime as well. As a result, lawsand regulations fall behind, and the criminal justicesystem must play catchup to deal with the newcrimes and state-of-the-art electronic methods usedby offenders. One solution suggested by partici-pants in this study would be for State and localgovernments to adopt the provisions stipulated inFederal laws and their amendments.

In many States, legislators meet only severalmonths per year. Thus, it is difficult for State lawsto keep pace with rapidly changing technology andthe criminal implications for society. Often, elec-tronic crimes outpace legislation, such as with thelatest trends in cyberstalking and hate e-mail. Modellegislation is needed for adoption on a national basis.

34

The disparity in penal codes among States impedesinterstate pursuit of offenders. This is a major issuewith electronic crime because it almost alwaysoperates outside discrete physical and jurisdictionalboundaries. For example, State investigators workingan electronic child pornography case in which thecrime is a felony will encounter roadblocks in gettingthe offender extradited if the offender lives in a Statethat defines child pornography as a misdemeanor.This type of situation is not an uncommon occurrence;investigators are routinely hampered in developinga case for prosecution by vastly different statutes.

Critical need 6: Cooperation with the high-tech industry

Perhaps more often than with most other crimes, theinvolvement of industry is essential to the success-ful containment of electronic crime. Crime solversneed full support and cooperation to control elec-tronic crime.

Private industry can assist by reporting incidents ofelectronic crime committed against them, helping tosponsor training, joining task forces, and sharingequipment and expertise for the examination ofelectronic evidence. Michael A. Vatis, Director ofthe National Infrastructure Protection Center, FBIheadquarters, Washington, D.C., observed:

This year’s CSI/FBI study confirms the needfor industry and government to work togetherto address the growing problem of computerintrusions and cybercrime generally. Only by sharing information about incidents, andthreats, and exploited vulnerabilities can webegin to stem the rising tide of illegal activityon networks and protect our Nation’s criticalinfrastructure from destructive cyberattacks.1

Many firms have their own information securityunits that detect and investigate electronic crime.For reasons involving public image, stock value,and so forth, these incidents frequently are notreported. This limits law enforcement’s ability totrack offenders’ modus operandi and document andprosecute them. Also significant is the lack ofexchange of technical information between lawenforcement and experts in private industry.Increased cooperation between industry and gov-ernment provides the best opportunity to control

electronic crime and protect the Nation’s criticalinfrastructures from electronic attack.

Some companies are creating innovative solutionsto meeting the needs of local crimefighting agen-cies. In Austin, Texas, a community-based supportgroup for law enforcement has been established.The foundation contributes money and physicalgoods to the police department to augment theirinformation technology budget. This has proven tobe especially beneficial in obtaining necessaryequipment and software on a priority basis. Whenitems are needed and can be justified, they are pur-chased immediately with cash made available fromthe fund. The foundation also accepts donations ofequipment from industry.

Critical need 7: Special research and publications

Investigators, forensic laboratory specialists, andprosecutors need a comprehensive directory of elec-tronic crime training. They also stipulated the needfor a directory of resources to help them combatelectronic crime.

The Federal Government, State governments, col-leges and universities, trade associations, and pri-vate industry are responding to the need for diversetraining in the field of electronic crime. It is criticalto publicize the availability of training and profes-sional seminars if these offerings are to be used totheir maximum advantage. A training directoryciting current sources of electronic crime training(produced in both hardcopy and electronic versions)would be extremely valuable. The directory shouldidentify the following information:

● Name and address of organization.

● Course profile.

● Level of difficulty.

● Location, dates, and times of course.

● Cost.

● Prerequisites for enrollment.

● Credit toward certification or degree.

State and local law enforcement agencies also areasking for a comprehensive directory of national

35

and State experts and resources. A “who’s who” ofelectronic crime investigators, unit managers, prose-cutors, and expert witnesses, as well as listings oflaboratories and equipment suppliers, would be awell-received guidebook for practitioners who frequently noted the need for information on how to contact their colleagues in other communities.Much can be learned about the nuances in investiga-tions and case preparation from others who havehandled similar crimes. Sometimes, the most valu-able information is what to avoid or has provedunsuccessful. This information can save lawenforcement personnel time and effort and lead tobetter case outcomes.

Many investigators and prosecutors are calling fora clearinghouse of information and technical guid-ance. One such successful nationwide law enforce-ment network is the FBI’s Law Enforcement Online(LEO). However, many law enforcement officersneed access to broader information than what iscontained on LEO, including access to private-sector specialists and technical data. It is believedthat a multilevel secure network would address thisneed. FBI Agent Steven McFall, one of the study’ssubject matter experts, suggests establishing a net-work of computer forensic examiners. This networkwould link all Federal and State computer forensiclaboratories and would promote the sharing of tech-nical expertise, training, and solutions to technicalproblems in the complex and fast-paced computerforensics field.

Critical need 8: Management awareness and support

Senior law enforcement managers and elected offi-cials need to be more aware of the growth of elec-tronic crime and its impact on their communities.

Many participants and facilitators expressed con-cern that senior managers do not fully understandthe impact of electronic crime and the level ofexpertise and tools needed to investigate and pre-pare successful cases for prosecution. It is often thecase that managers:

● Do not realize the impact of Internet and electronic crime in their jurisdiction or in society in general.

● Lack statistical data on electronic crime.

● Have insufficient funding and personnelresources to create electronic crime units.

● Are unconvinced that electronic crime deservesmuch attention.

Police chiefs and managers who are willing to sup-port an investigative capability for electronic crimeoften must do so at the expense of other units orassign dual investigation responsibilities to personnel.

Managers need data to justify new programs andpersonnel assignments. However, no reportingmechanism is in place to allow the collection andanalysis of electronic crime incidence data, otherthan the one question in NIBRS. The lack of viableinformation is a real problem, and better statisticsand case histories are urgently needed to capture thetrue nature of the problem. With numbers, cost fig-ures, and impact data in hand, management thenwould have the information needed to justify theallocation of personnel and resources.

Critical need 9: Investigative and forensic tools

There is a significant and immediate need for up-to-date technological tools and equipment for Stateand local law enforcement agencies to conduct elec-tronic crime investigations.

Most electronic crime cases cannot be thoroughlyinvestigated and developed without the benefit ofhigher end computer technology. Computer sys-tems, software, hardware, intrusion detection tools,decryption technology, and other forensic equip-ment are expensive and beyond the budgets of mostlocal law enforcement agencies. Even when specialequipment is available, it is frequently out of date orunusable in forensic investigations. Insufficient datastorage capacity to properly copy and analyze evi-dence also is a common problem.

For most agencies, a limited number of personnelare assigned to computer crime investigations.Unfortunately, these cases often require lengthyinvestigations, made even more difficult if the inves-tigator has only a 120-MHz system equipped with a2- or 4-GB drive, but is pursuing a case involving a450-MHz system with a 12-GB drive. Cumbersomeacquisition policies and procedures also hamperinvestigators and forensic specialists in their questfor better equipment. Lengthy specifications and bid

36

requirements can delay equipment purchases for 6 months or more. Physical space for a forensiclaboratory or computer workstation to conductinvestigations is a pressing need in many agenciesas well. For these reasons, regional computer foren-sic laboratories with private-sector support aregrowing in number.

Critical need 10: Structuring a computer crime unit

As communities begin to address electronic crime,they grapple with how best to structure a computer(or electronic) crime unit that will both investigatecrimes involving computers and analyze electronicevidence.

Where does the electronic crime unit belong? Whoshould be a part of the unit? How should the dutiesof investigation and the duties of forensic analysisbe separated, if at all? The experts are divided onthese questions, especially over the issue of whetherit is better to staff computer forensic laboratorieswith specially trained investigators or civilian sys-tems technicians.

On one side of the argument is the contention thatnonsworn information technology employees bringa greater depth of technical training and knowledgeto the table. Their backgrounds in the sciences,math algorithms, and formula-based problem solving are critical to the forensic examination ofelectronic evidence. Others note that expertise ininvestigating crime is the more important skill and

that good training can fill the gap on the evidenceanalysis side to cover most of the types of forensicslocal units can be expected to handle. They pointout that in any case, a State or local unit rarely willhave at its disposal someone who can crack high-end encryption, much less master various computerlanguages, because it is not feasible to hire oneperson for each language. According to FBI AgentMcFall:

The blurring of the line between the investigativeresponsibilities and the forensic analysis of evi-dence leads to many operational and trainingproblems by making the responsibilities of anemployee too broad.

State and local law enforcement agencies would beprovided a valuable service if research was under-taken on the issues that arise when police agenciesbegin to establish better electronic crime investiga-tion capabilities. The experience of successful,existing units should be thoroughly documentedalong with measures of impact related to differentstaffing configurations. Results of such researchshould be widely distributed and considered to be a necessary part of direct technical assistance that is provided to State and local agencies.

Note1. Computer Security Institute, “Cyber attacks rise fromoutside and inside corporations; Dramatic increase inreports to law enforcement,” March 5, 1999, pressrelease, retrieved December 5, 2000, from the WorldWide Web: http://gocsi.com/prelea990301.htm.

37

Appendix A: Participating State and Local Agencies

State City Organization Participant

AK Fairbanks University of Alaska, Fairbanks Police Department Mark Poeschel

AL Montgomery Alabama Bureau of Investigation, Criminal George IrelandInformation Center

AL Tuscumbia Colbert County Sheriff’s Office Jimmy Collier

AR Little Rock Little Rock Police Department Clement Papineau

AZ Phoenix Arizona Department of Public Safety David Arnett

AZ Phoenix Arizona Securities Division Phillip Hofling

AZ Tucson Pima County Sheriff’s Department Kathleen Brennan

CA Anaheim Anaheim Police Department Mel Vyborney

CA Anaheim California Department of Motor Vehicles Investigations Jack Somers

CA Irvine Irvine Police Department Ron Carr

CA Long Beach Long Beach Police Department Howard Williamson

CA Los Angeles Los Angeles Police Department Terry Willis

CA Sacramento Sacramento County Sheriff’s Department Jan Hoganson

CA San Bernardino San Bernardino County Sheriff’s Department Timothy Miller

CA San Diego California Highway Patrol, Investigative Services Unit Robert Petrackek

CA San Diego San Diego County District Attorney’s Office, David DeckerComputer Crimes Unit

CA San Diego San Diego Police Department, Fraud Task Force David Hendron

CA San Jose San Jose Police Department Steve Ronco

CA Stockton Stockton Police Department Tom Morris

CA Stockton Stockton Police Department Henry Freeman

CA Torrance Torrance Police Department Rick Louk

CO Arvada Arvada County Police Department Sandra Fliethman

CO Denver Colorado Attorney General’s Office Gary Clyman

CO Denver Colorado Attorney General’s Office Marlin Peterson

CO Denver Colorado Attorney General’s Office Don Quick

CO Denver Colorado Bureau of Investigation Charles Davis

CO Denver Denver District Attorney’s Office Henry Reeve

CO Englewood 18th Judicial District Attorney’s Office Jim Peters

CT Meriden Connecticut State Police Andy Russell

CT Rocky Hill Office of Chief State’s Attorney John Blawie

CT Rocky Hill Office of Chief State’s Attorney Vickramjit Sharma

38

DE Dover Delaware State Police, Special Intelligence Unit Dan Willey

DE Dover Delaware State Police, Special Intelligence Unit Robert Moses

FL Ft. Lauderdale State Attorney’s Office Teresa BeazleyWidmer

FL Miami Miami-Dade Police Department Laurrick Ingram

FL Tallahassee Florida Department of Law Enforcement Jeffery Herig

FL Tampa State Attorney’s Office Charles Korff

GA Atlanta Metropolitan Atlanta Rapid Transit Authority John Dankel

GA Decatur Georgia Bureau of Investigation Vickie Adams

GA Smyrna Smyrna Police Department Henry Cambron

HI Honolulu Honolulu Police Department Aaron Correia

IA Davenport Davenport Police Department Greg Glandon

IA Des Moines Iowa Department of Public Safety, Division of Jerry BrownCriminal Investigation

ID Boise Ada County Sheriff’s Office Lon Anderson

ID Boise Boise Police Department Mike Gibbons

IL Chicago Chicago Police Department Charles Padgurskis

IN Indianapolis Indiana State Police Michael Flynn

IN Indianapolis Indianapolis Police Department Joe Mason

KS Topeka Kansas Bureau of Investigation Kevan Pfeifer

KY Frankfort Kentucky State Police Rick Yetter

KY Lexington Lexington Police Department Harold Cottrell

LA Baton Rouge Louisiana Department of Justice Kathleen Petersen

MA Brockton Massachusetts Office of the State Auditor Paul Daley

MD Columbia Maryland State Police Al Evans

ME Augusta Maine State Police Robert Ducasse

MI Detroit U.S. Customs, Computer Forensics Unit (previously Paul Kellywas with the Detroit Police Department)

MN St. Paul Minnesota Department of Commerce John Edwards

MN St. Paul St. Paul Police Department Brook Schaug

MO St. Louis St. Louis Police Department John Wondracheck

MS University University Police Department Michael Bryant

MT Billings Billings Police Department Tim O’Connell

MT Billings Montana Department of Justice, Gambling Control Tom OberweiserInvestigations Bureau

MT Bozeman Montana Criminal Investigations Bureau Lee Johnson

NC Charlotte Charlotte Police Department Terry Sult

NC Raleigh North Carolina State Bureau of Investigation Michael Smith

ND Bismarck North Dakota Bureau of Criminal Investigation, Jeff WhiteCriminal Division

39

ND Fargo North Dakota Bureau of Criminal Investigation, John FuglebergCriminal Division

ND Mandan Morton County State’s Attorney’s Office Brian Grosinger

NE Lincoln Lincoln Police Department Ed Sexton

NE Omaha Omaha Police Department Tom Maille

NH Concord New Hampshire State Police, Department of Safety Nicholas HalaisDivision

NH Keene Keene Police Department James McLaughlin

NJ Mays Landing Atlantic County Prosecutor’s Office Edward K. Petrini

NJ Mays Landing Atlantic County Prosecutor’s Office Mark R. Gage

NJ Oakhurst Township of Ocean Police Department William E. Koch

NM Albuquerque Albuquerque Police Department, White Collar Carl HuguleyCrime Unit

NM Albuquerque Albuquerque Police Department, White Collar Tim ByrneCrime Unit

NM Albuquerque Bernalillo County District Attorney’s Office Ellen Wadley

NV Carson City Nevada Attorney General’s Office Jeanette Supera

NV Reno Reno Police Department Todd Shipley

NY New York New York City Police Department, Detective Bureau James Doyle

NY Oneida Nation Oneida Nation Police Department Ted Palmer

NY Utica Oneida County District Attorney’s Office Bill Webber

NY Utica Utica Police Department Michael Hauck

OH Cincinnati Hamilton County Sheriff’s Office Dave Ausdenmoore

OH London Ohio Bureau of Criminal Identification and Jim HawkeInvestigation

OK Oklahoma City Oklahoma City Police Department Greg Taylor

OK Oklahoma City Oklahoma City Police Department Rick Elder

OK Stillwater Oklahoma State Bureau of Investigation Mark McCoy

OR Hillsboro Hillsboro Police Department, High Tech Crime Team Tom Robinson

OR Portland Portland Police Bureau Steve Russelle

OR Salem Oregon State Police, District 2, Criminal Division Stephen Payne

PA Philadelphia Philadelphia Police Department, Edward K. MonaghanInternal Investigations

PA Philadelphia Philadelphia Police Department, Special Operations William Jeitner

PA West Hazleton Pennsylvania State Police Michael McTavish

RI North Scituate Rhode Island State Police James Lynch

SC Charleston Charleston Police Department David Boylston

SC Charleston Charleston Police Department Robert Flynn

SC Columbia South Carolina State Law Enforcement Division Mark Hugeley

SC Mt. Pleasant Mt. Pleasant Police Department David Geddings

40

SD Rapid City South Dakota Division of Criminal Investigation Chad Evans

SD Sioux Falls Sioux Falls Police Department Arden Georing

SD Sioux Falls Sioux Falls Police Department Robert Thompson

TN Nashville Tennessee Bureau of Investigation William Benson

TX Austin Austin Police Department Scott Ehlert

TX Austin Texas Department of Public Safety Rick Andrews

TX Austin Travis County District Attorney’s Office Randall Joines

TX Brownsville Brownsville Police Department Chris Ortiz

TX Dallas Dallas County District Attorney’s Office Brian Flood

TX Dallas The University of Texas Police Larry Coutorie

TX El Paso El Paso Police Department, White Collar Crime Unit David Norman

TX El Paso El Paso County Sheriff’s Department Larry Wilkins

UT Murray Utah Department of Public Safety, Criminal Daniel HooperInvestigations Bureau

UT Provo Utah County Sheriff’s Office Jeff Robinson

VA Richmond Virginia State Police Mike Monroe

VT Waterbury Vermont State Police, Commissioner of Crime Jim ColgenIntelligence Unit

WA Bellevue Bellevue Police Department Michael Cate

WA Kent King County Police Department, Fraud Unit Brian Palmer

WA Olympia Washington State Patrol, Computer Forensics Don WilbrechtLaboratory

WA Olympia Department of Corrections Donald Price

WA Tacoma Pierce County Prosecutor’s Office Franklin Clark

WI Madison Wisconsin Department of Justice, Division of Criminal Martin KochInvestigation

WI Milwaukee Milwaukee Police Department Richard Porubcan

WV Fairmont West Virginia State Police Chris Casto

WV Wheeling Wheeling Police Department Kevin Gessler

WY Cheyenne Wyoming Division of Criminal Investigation Tim Olsen

41

Glossary of TermsAttack. A debilitating action of malicious intentinflicted by one entity on another. An entity mightattack a critical infrastructure to destroy or incapaci-tate it.

Banking and finance. A critical infrastructure char-acterized by entities (e.g., investment institutions,exchange boards, trading houses, reserve systems)and associated operational organizations, govern-ment operations, and support activities that areinvolved in all manner of monetary transactions,including its storage for saving purposes, its invest-ment for income purposes, its exchange for paymentpurposes, and its disbursement in the form of loansand other financial instruments.

Critical infrastructure. An infrastructure that is sovital, its incapacitation or destruction would have adebilitating impact on defense or economic security.Presidential Decision Directive 63 designated eightcritical infrastructures: emergency services, electri-cal power systems, telecommunications, gas and oil,banking and finance, transportation, water supplysystems, and continuity of government services.

Cyberterrorism (information systems terrorism).The premeditated, politically motivated attackagainst information systems, computer programs,and data to deny service or acquire information withthe intent to disrupt the political, social, or physicalinfrastructure of a target resulting in violenceagainst noncombatants. The attacks are perpetratedby subnational groups or clandestine agents whouse information warfare tactics to achieve the tradi-tional terrorist goals and objectives of engenderingpublic fear and disorientation through disruption ofservices and random or massive destruction of lifeor property.

Cyber Corps. By order of Presidential DecisionDirective 63, this program is designed to encouragegovernment agencies to recruit expert-level computer

security workers to respond to future computer crises.This program will use existing scholarship and finan-cial assistance programs and examine new scholarshipprograms to retrain, retain, and recruit computer sci-ence students to work in the public sector.

Defense (or national security). The confidence thatAmerican lives and personal safety, both at homeand abroad, are protected and the United States’sovereignty, political freedom, and independence,with its values, institutions, and territory intact, aremaintained.

Electrical power system. A critical infrastructurecharacterized by generation stations and transmis-sion and distribution networks that create and supplyelectricity to end users so that end users achieve andmaintain nominal functionality, including the trans-portation and storage of fuel essential to that system.

Electronic crime. Crime that includes but is notlimited to fraud, theft, forgery, child pornography or exploitation, stalking, traditional white-collarcrimes, privacy violations, illegal drug transactions,espionage, computer intrusions, or other offensesthat occur in an electronic environment for theexpress purpose of economic gain or with the intentof destroying or otherwise inflicting harm on anoth-er person or institution.

Emergency services. A critical infrastructure characterized by medical, police, fire, and rescuesystems and personnel that are called on when anindividual or community is responding to emergen-cies. These services are typically provided at theState and local levels (county and metropolitanareas). In addition, State and Federal response plans define emergency support functions to assist in response and recovery.

Encryption. The act of encoding text into anunreadable form called ciphertext through a mathe-matical process. It can be read only by decoding thetext with a key that “unlocks” the encoded text.

Appendix B: Glossary of Terms and Acronyms

42

Entry point. The point of convergence at which aperson first accesses a computer system. For exam-ple, a hacker accesses a system and uses it as alaunch pad to attack another system, making itharder for authorities to trace where the attack firstoriginated. The first system accessed is consideredthe entry point.

Exit point. The point at which a trace is discovereddetailing that a person has stopped accessing onecomputer and enters another.

Facilitator. For this project, the contract personnelselected and trained to conduct the workshops andone-on-one discussions with the participants in thefield.

Gas and oil production, storage, and transporta-tion. A critical infrastructure characterized by theproduction and holding facilities for natural gas,crude and refined petroleum, and petroleum-derivedfuels; the refining and processing facilities for thesefuels; and the pipelines, ships, trucks, and rail sys-tems that transport these commodities from theirsources to systems that depend on gas and oil inone of their forms.

Information security (or cybersecurity). Actionstaken to decrease system risk, specifically in reduc-ing the probability that a threat will succeed inexploiting critical infrastructure vulnerabilitiesusing electronic, radio frequency, or computer-basedmeans.

Information warfare. Action taken to achieveinformation superiority by compromising adversaryinformation and information systems while leverag-ing and protecting one’s own information and infor-mation systems. Offensive information warfare (IW)may be carried out through physical attacks, the useof special technologies, computer intrusion andcomputer warfare, electronic warfare, psychologicaloperations, and the use of deceptions supported byintelligence collection and analysis. IW attacks gen-erally are carried out to disrupt operations or infra-structures with the intent to implement individual,terrorist, or national objectives.

Infotech Training Working Group. The name ofthe predecessor project to the National CybercrimeTraining Partnership. The informal network was

formed in 1996 under the auspices of the U.S.Department of Justice (DOJ) and was composed oflocal, State, and Federal agencies.

Infrastructure. The framework of interdependentnetworks and systems comprising identifiableindustries, institutions (including people and proce-dures), and distribution capabilities that provide areliable flow of products and services essential tothe defense and economic security of the UnitedStates, the stable functioning of governments at alllevels, and society as a whole.

Law Enforcement Online. Established by theFederal Bureau of Investigation (FBI) to providelaw enforcement agencies a secure network andclearinghouse of information available on theInternet.

National Cybercrime Training Partnership. Theorganization funded in 1998 by DOJ to provideguidance and assistance to local, State, and Federallaw enforcement agencies in an effort to ensure thatthe law enforcement community is properly trained,prepared, and equipped to address electronic andhigh-technology crime.

National Institute of Justice. A component of theOffice of Justice Programs, the National Institute ofJustice (NIJ) is the research agency of DOJ. Createdby the Omnibus Crime Control and Safe Streets Actof 1968, as amended, NIJ is authorized to supportresearch, evaluation, and demonstration programs;develop technology; and disseminate both nationaland international information for DOJ.

National Law Enforcement and CorrectionsTechnology Center. The National Law Enforce-ment and Corrections Technology Center (NLECTC)is a component of NIJ’s Office of Science and Tech-nology. NLECTC provides criminal justice (lawenforcement, corrections, and the courts) profes-sionals with information on technology, guidelinesand standards for these technologies, objective testingdata, and science and engineering advice and sup-port to implement these technologies. The NLECTCsystem is made up of the national center in Rockville,Maryland; four regional centers operating in Rome,New York (Northeastern Region), North Charleston,South Carolina (Southeastern Region), Denver, Col-orado (Rocky Mountain Region), and El Segundo,

43

California (Western Region); and four specialty cen-ters: the Office of Law Enforcement Standards inGaithersburg, Maryland, the Office of Law Enforce-ment Technology Commercialization in Wheeling,West Virginia, the National Center for Forensic Sci-ence in Orlando, Florida, and the Border Researchand Technology Center in San Diego, California.

Offender. In this report, anyone who commits anelectronic crime.

President’s Commission on Critical Infrastruc-ture Protection. Commission chaired by Robert T.Marsh and appointed by President Clinton in 1996to study the critical infrastructures that constitutethe support systems of the Nation, determine theirvulnerabilities, and propose a strategy for protectingthem into the future. The Commission’s report waspublished in October 1997.

Presidential Decision Directive 63. Announced by President Clinton in May 1998, PresidentialDecision Directive (PDD) 63 sets a goal of a reli-able, interconnected, and secure information systeminfrastructure by 2003 and a significant increase insecurity to government systems by 2000. It estab-lished the National Infrastructure Protection Centerat the FBI to warn of and prevent cyberattacksagainst the Nation’s infrastructures. The increase infunding proposed by PDD 63 calls for research anddevelopment to safeguard key computer systems,with a focus on developing tools that can identifypotential threatening activities within computernetworks.

Protocol. For this report, the assessment instrumentused to elicit information from participants in thefield.

Task force. For this report, formal operational taskforces that comprise two or more law enforcementagencies working together to investigate and solveelectronic crimes. Forensic and investigative taskforces are included in this definition.

Target. The intended victim of an attack.

Technology. Broadly defined, includes processes,systems, models and simulations, hardware, andsoftware.

Telecommunications. A critical infrastructure char-acterized by computing and telecommunicationsequipment, software, processes, and the people whosupport the processing, storage, and transmissionof data and information; the processes that—andpeople who—convert data into information andinformation into knowledge; and the data andinformation themselves.

Threat. A foreign or domestic entity possessingboth the capability to exploit a critical infrastruc-ture’s vulnerabilities and the malicious intent ofdebilitating defense or economic security.

Transportation. A critical infrastructure character-ized by the physical distribution system vital tosupporting the national security and economic well-being of the Nation, including the national airspacesystem, airlines and aircraft, and airports; roads andhighways, trucking, and personal vehicles; ports andwaterways and the vessels operating thereon; masstransit, both rail and bus; pipelines, including natu-ral gas, petroleum, and other hazardous materials;freight and long-haul passenger rail; and deliveryservices.

U.S. Department of Justice. The lead Federalagency enforcing U.S. laws and protecting U.S.citizens. DOJ also provides Federal leadership inpreventing and controlling crime, seeking just pun-ishment for those guilty of unlawful behavior,administering and enforcing the Nation’s immigra-tion laws fairly and effectively, and ensuring fairand impartial administration of justice for allAmericans.

Vulnerability. A characteristic of a critical infra-structure’s design, implementation, or operation thatrenders it susceptible to destruction or incapacitationby a threat.

Water supply system. A critical infrastructurecharacterized by the sources of water, reservoirsand holding facilities; aqueducts and other transportsystems; filtration, cleaning, and treatment systems;pipelines; cooling systems; and other delivery mech-anisms that provide for domestic and industrialapplications, including systems for dealing withwater runoff, wastewater, and firefighting.

44

Acronyms

ASIS American Society for Industrial Security

BJA Bureau of Justice Assistance (DOJ)

CART Computer Analysis Response Team

CCIPS Computer Crime and Intellectual Property Section (DOJ)

CSI Computer Security Institute

DOJ U.S. Department of Justice

FACT Forensic Association of Computer Technologists

FBI Federal Bureau of Investigation

FCIC Federal Computer Investigation Committee

FEMA Federal Emergency Management Agency

FLETC Federal Law Enforcement Training Center

HTCIA High Technology Crime Investigation Association

IACIS International Association of Computer Investigative Specialists

IACP International Association of Chiefs of Police

IT information technology

ITWG Infotech Training Working Group

IW information warfare

LEO Law Enforcement Online

NCTP National Cybercrime Training Partnership

NIBRS National Incident-Based Reporting System

NIJ National Institute of Justice

NIPC National Infrastructure Protection Center

NLECTC National Law Enforcement and Corrections Technology Center

NW3C National White Collar Crime Center (FBI)

OJP Office of Justice Programs

OSI Office of Special Investigations, Air Force

PCCIP President’s Commission on Critical Infrastructure Protection

PDD Presidential Decision Directive

RF radio frequency

SEARCH National Consortium for Justice Information and Statistics

SPAWAR Space and Naval Warfare Systems Command

TVA Tennessee Valley Authority

UCR Uniform Crime Reporting Program (FBI)

45

Appendix C: Contact Information

Ross AshleyDirectorLaw Enforcement TechnologyISX Corporation2000 North 15th Street, Suite 1000Arlington, VA 22201703–247–7852; 703–247–7895 (fax)[email protected]

Kathleen BarchDeputy DirectorOhio Attorney General’s Office1560 State Route 56 SWLondon, OH 43140740–845–[email protected]

Richard BakerElectrical and Computer EngineerU.S. NavySpace and Naval Warfare Systems Center,

CharlestonP.O. Box 190022North Charleston, SC 29419–9022843–974–4437; 843–974–5099 (fax)[email protected]

David S. BeaupreIntelligence AnalystBureau of Diplomatic SecurityU.S. Department of State515 22d Street NW (SA–2)Washington, DC 20037202–663–2205; 202–663–2485 (fax)[email protected]

James CannadyResearch Scientist IIGeorgia Tech Research InstituteGeorgia Institute of TechnologyAtlanta, GA 30332–0832404–894–9730; 404–664–8329 (PCS phone);404–894–9081 (fax)[email protected]

Wayne CassadayU.S. NavySpace and Naval Warfare Systems Center,

CharlestonP.O. Box 190022North Charleston, SC 29419–9022843–974–[email protected]

Frank S. Cilluffo DirectorTask Force on Information Operations and

Information AssuranceCenter for Strategic and International Studies1800 K Street N.W., Suite 400Washington, DC 20006202–775–[email protected]

James H. Fetzer IIISecurity SpecialistU.S. Tennessee Valley Authority Police400 West Summit Hill Drive (WT 3A–K)Knoxville, TN 37902–1499865–632–4010; 865–632–4063 (fax)[email protected]

46

Mary R. HoltDirectorAlabama Department of Forensic Sciences 1001 13th Street, SouthBirmingham, AL 35205205–933–6621; 205–933–8020 (fax)[email protected]

David J. Icove, Ph.D., P.E.InspectorOperations Support DivisionU.S. Tennessee Valley Authority Police400 West Summit Hill Drive (WT 3D–K)Knoxville, TN 37902–1401865–632–2527; 865–632–2473 (fax)[email protected]

Thomas KennedyExecutive DirectorPublic Safety Technology CenterCenter for Technology Commercialization1400 Computer DriveWestborough, MA 01581508–870–0042

Barry LeeseLieutenantComputer Crimes Unit Maryland State Police 7155 Columbia Gateway Drive, Suite CColumbia, MD 21046410–290–[email protected]

Dan MaresMares and Company, LLCP.O. Box 464429Lawrenceville, GA 30042–4429770–237–8870; 770–237–8815 (fax)[email protected]

Stephen D. McFallSpecial AgentFederal Bureau of Investigation710 Locust Street, Suite 600Knoxville, TN 37902423–544–0751; 423–544–3590 (fax)[email protected]

Howard SchmidtCorporate Security OfficerMicrosoft Corporation1 Microsoft WayRedmond, WA 98052425–936–[email protected]

Raemarie SchmidtSupervisor of Instructor DevelopmentComputer Crime SectionNational White Collar Crime Center1000 Technology Drive, Suite 2130Fairmont, WV 26554304–366–9094; 304–366–9095 (fax)[email protected]

Tommy SextonDirectorNLECTC–SE5300 International BoulevardNorth Charleston, SC 29418843–760–[email protected]

Hollis StambaughDirectorInvestigations and Public SafetyTriData Corporation1000 Wilson Boulevard, 30th FloorArlington, VA 22209–2211703–351–8300; 703–351–8383 (fax)[email protected]

G. Thomas SteeleChief Information and Communications OfficerMaryland State Police1201 Reisterstown RoadPikesville, MD 21208301–776–[email protected]

William Tafoya, Ph.D.University Professor of Criminal JusticeGovernors State UniversityUniversity Park, IL 60466–0975708–534–4022; 708–534–7895 (fax)[email protected][email protected]

47

David VanzantSupervisory Special AgentCART Resource Program ManagerFBI AcademyElectronic Research Facility, Room C207Quantico, VA 22135703–632–[email protected]

Wayne P. Williams6613 22nd PlaceHyattsville, MD 20782–1752301–422–[email protected]

Amon YoungProgram ManagerNational Institute of Justice810 Seventh Street N.W.Washington, DC 20531202–514–[email protected]

Electronic Crime Needs Assessment for State and Local Law ...

Documents

Transcript of Electronic Crime Needs Assessment for State and Local Law ...