NATIONAL CYBERCRIME TRAINING PARTNERSHIP

THE NATIONAL CYBERCRIME TRAINING PARTNERSHIP

By

Wayne P. Williams, Senior Litigation Counsel Computer Crime and Intellectual Property Section U.S. Department of Justice Washington, D.C.

Reprint of an article in the Police Chief Magazine

E

xplosive growth in the use of computers and electronic networks such as the Internet poses a difficult and rapidly expanding challenge for all levels of law enforcement.

Information technology is not an unqualified good. “Whether it benefits us or injures us depends almost entirely on the fingers on the keyboard. So while the Information Age holds great promise, it falls in part upon law enforcement to ensure that users of networks do not become victims of New Age crime,” Attorney General Janet Reno said recently.

Investigators in every agency and every jurisdiction are confronted daily with new investigative and evidentiary issues that demand a high order of technical knowledge and skill. The pace of change is relentless. Computer technology now overtakes itself with a new generation roughly once every three years. Like investigators, prosecutors are scrambling to effectively present cases in this rapidly changing technical world, while judges are confronted with the novel legal questions it presents. Meanwhile, increasingly sophisticated and computer-literate criminals ¾ free of the time-consuming procedures needed to justify public spending ¾ employ new technologies virtually as soon as they appear.

“How do we meet the 21st Century with a criminal justice structure that ensures that people control the technology and that the technology does not control the people?” asked Ms. Reno.

Working in partnership with state, local, federal and international law enforcement agencies, the U.S. Department of Justice has developed the National Cybercrime Training Partnership (NCTP) as an important element in the national answer to that question and to the problem of electronic crime in particular. The NCTP’s role is not to dictate, but to leverage and coordinate a wide spectrum of resources. NCTP will work with all levels of law enforcement to:

  • Develop and promote a sound long-range strategy for high-tech police work in the 21st Century, including interagency and inter-jurisdictional cooperation, information networking, and technical training.
  • Garner public and political understanding of the problem and generate support for solutions.
  • Serve as a pro-active force helping focus the momentum of the entire law enforcement community to ensure that proposed solutions are fully implemented.

The effects of electronic crime are ¾ at least so far ¾ not as apparent to most of the public as crimes of violence and traditional property crimes. As a result, many police agencies are under pressure to devote scarce resources to traditional crimes at the expense of initiatives to fight electronic crime. But these new age crimes present a significant, real, and immediate threat to public order and national security. Educating the public and key decision-makers about these crimes, their effects, and necessary responses has therefore become critical for the NCTP.

“If you have criminals that can buy and use technology, this organization has got to be proactive in making sure we have some of our best technical people and infrastructure,” said FBI assistant director Carolyn Morris. “I’ve got to be ahead of the criminals if I’m going to catch them.”

The task facing NCTP and law enforcement at all levels is urgent. The dollar cost of electronic crime ranges in some estimates to as high as ten billion dollars per year. The latest (1998) joint survey of 520 computer security practitioners by the FBI and the Computer Security Institute recorded financial losses from computer security breaches alone of $136.8 million, an increase of 36 percent over losses estimated in the 1997 survey. Telecom fraud has been estimated to cost half a billion dollars a year. Annual losses from counterfeiting paper and credit cards are enormous. A complete accounting of the true rate and annual cost of high-tech and computer crime is virtually impossible, however. For a variety of reasons, too many victims don’t report the crime and simply choose to absorb the loss.

But the costs of these crimes go beyond financial loss. Wholly aside from the corrosive effects of any crime on our society, a single high-tech crime can generate multiple ripples of traditional offenses. For example, the trade in high-value computer chips has inspired such crimes as violent factory invasions and truck hijackings to steal the chips, and stolen chips have become barter in criminal drug transactions.

Hate crimes are also seeping into the Internet and other networked systems. Erol’s Internet service was hit in 1997 when someone sent an obscene racist message to all of its then 140,000 subscribers. This is only one out of scores of similar examples that adversely impacts our society.

One of our gravest worries is that critical elements of the national infrastructure are at risk of catastrophic failure caused by terrorist or criminal intrusion. Such a failure in a major power or communications grid could take with it emergency management communications systems that law enforcement itself uses.

“It’s like any other crime,” said Jim Petroni of the California Specialized Training Institute in San Obispo. “It’s just a matter of time before someone puts together the mode, the opportunity and the motivation. Somebody will pull it all together.”

John Deutch, director of the Central Intelligence Agency, recently told Congress that computer-generated terrorism is “the ultimate precision-guided weapon.”

Hackers have already proven themselves capable under certain circumstances of locking up major parts of the Internet and phone systems, choke points through which virtually every net in the web of our national infrastructure increasingly passes, from water to electric power to phone service. For example, hackers tapped into Welcom, one of the nation’s largest world wide web service providers and wiped out more than 3,000 sites for 40 hours.

If you think high-tech crime is somebody else’s problem, imagine 40 hours of trying to run a police agency without electrical power, telephones, or radios during some sort of civil crisis, perhaps itself generated by a computer attack on infrastructure networks.

Computer Crime: Scope and Impact

A brief survey of a few increasingly common electronic crimes demonstrates their relevance to all law enforcement agencies and the kind of problems they present.

At one level, criminals are simply using highly technical means to commit traditional crimes. Stealing trade secrets is a good example. In the earlier day of paper files and locked doors, a business interested in stealing a competitor’s secrets had either to corrupt a rival employee or commit some form of physical intrusion, usually accompanied by carrying off a document or other tangible property. Today, most business records are kept on computers, and most businesses are linked to a public network like the Internet. Every such business is vulnerable to electronic intrusion and theft of its secrets, accomplished through the transmission of ephemeral electrons and elusive bits of data.

Cell phone fraud is another example. Instead of stealing a tangible thing, crooks snatch codes and passwords from the airwaves and create electronic “clones” to rack up enormous charges long before the victim is aware of the theft. The advent of inexpensive scanning devices to convert documents into digital information inside a computer and user-friendly desk-top publishing software has spawned an enormous growth in counterfeiting of all sorts of financial and other documents.

The list is seemingly endless. Child pornography can be generated (in some cases even digitally created by computer “morphing” techniques), stored electronically and transmitted instantly through computers and international networks. New forms of extortion have appeared, such as cases in which prominent figures like celebrities have been threatened with the public exposure of allegedly compromising but entirely fictional images, again “morphed” by computer.

But computers today are not only tools to commit crime. They are also important sources of evidence and investigative leads for crimes of all sorts. Many criminal enterprises are exactly that ¾ enterprises that have much the same information storing and handling needs that legitimate businesses have. An important difference from the past is that newer generations of criminals are computer-literate and comfortable with electronic record keeping and communications networking.

Thus, for example, the hard drives of drug traffickers may be packed with financial records and data about shipments and customers, bookmakers with records of bets and bettors, and prostitution rings with employees and their customers. In some cases, the crime and the record are virtually inseparable within the computer, such as highly sophisticated fraud operations. Detailed plans for the commission of a murder have been recovered from a perpetrator’s computer.

The more advanced criminal enterprises are turning from stand-alone PCs to networked systems, and several were found to be using a main frame computer. To complicate matters further, data may be easily erased, and widely available encryption software means that the data may be impossible to read without sophisticated decryption.

This means that execution of a warrant of almost any sort in today’s law enforcement environment may well turn into an immediate challenge involving both law and technology, as we attempt to secure and preserve electronic evidence and investigative leads. If the first responder, the cop-on-the-beat or detective, is not prepared to recognize and react appropriately to that challenge, the evidence may be effectively lost forever, if not physically then certainly in an evidentiary sense.

Finally, law enforcement agencies and officers themselves have become the victims of cyber-criminals. For example, police communications systems can be compromised by technical means, as in the case of the Northeastern police department that learned from an informant in the midst of a major drug investigation that the targets were intercepting the agency’s cellular phone communications. Harassment of investigators has become a significant concern throughout the country, as computer hackers have stolen credit information and run up credit charges, entered bogus liens, and caused other disruptions in the officers’ lives by affecting computer records.

In short, high-tech and computer crime affects the operations of law enforcement agencies of every sort, in one way or another, no matter where they are located. Yet this crime is difficult for any single agency to address in isolation. It crosses state and even international boundaries electronically. And the smoking gun – if it exists – is not in traditional forms of human or physical evidence, but rather electronic impulses and programming codes. As a result, virtually all law enforcement personnel and prosecutors will have to be computer literate at some level in the near future. Many will also have to able to translate that literacy into effective investigation and prosecution of electronic crimes of all sorts. Some will have to become experts in an ever-changing science.

Toward an Effective Law Enforcement Response

Yet law enforcement has fallen behind the curve. As difficult as an effective law enforcement response may be for large metropolitan jurisdictions, it is virtually impossible for many smaller jurisdictions, which may lack the resources to devote manpower and equipment to address electronic crime.

Surveys taken in 1997 and 1998 at focus group sessions sponsored by the Infotech Training Working Group, the NCTP’s predecessor, revealed that public awareness of the problem remains low. Most seriously of all, there is a greater demand for training than there is training available, especially for seizure, handling and processing of computer-based evidence, and even where there is training, there is often no clear career path to effectively utilize the trained officer’s skills. It is therefore clear that police chiefs and managers need to become actively involved in a national cooperative effort to understand the problem and educate each other and their staffs in effective responses.

It was to address this environment that the National Cybercrime Training Partnership came into being. NCTP’s prime mission is to train federal, state and local investigators and prosecutors, and it grew naturally out of the Justice Department’s developing role in responding to electronic crime.

Although the Internet came into being in 1969, it took some time for the law enforcement community to become aware of the burgeoning criminal activity related to it. But a string of dramatic cases beginning in the late 1980s caught the attention of federal authorities. The investigation by astronomer and systems administrator Clifford Stoll of a 75 cent discrepancy in accounting at Lawrence Berkeley Laboratory in 1986 led to the discovery of German hackers probing for defense information for the KGB. In 1988, Cornell University graduate student Robert T. Morris, Jr. unleashed the Morris “worm,” which attacked computers throughout the Internet, consumed their memories, and crippled over 6,000 computers at a cost of $98 million in about 48 hours. Finally, in 1990 a hacker group known as the Legion of Doom penetrated Bell South and gained the ability to alter and disrupt local telephone service, including the 911 emergency phone system.

In the wake of these and other events, the Justice Department established a Computer Crime Initiative in the Criminal Division. (The original Computer Crime Unit was upgraded to the current Computer Crime and Intellectual Property Section in 1996. For convenience, it will be referred to here as the Section). Among other things, the Section published in 1994 federal guidelines for searching and seizing computers.

It soon became clear, however, that training was a critical issue for law enforcement agencies at all levels. Accordingly, the Section organized the Infotech Training Working Group (ITWG). Meeting for the first time in October, 1996, the ITWG brought together representatives of a diverse group of state, local, federal and international criminal investigative and regulatory agencies to develop strategies, guidelines and methods to provide high-technology training for law enforcement at all levels. Subsequently, the ITWG inventoried available training courses, established its objectives and set up a structure of subcommittees, and, in conjunction with Bureau of Justice Assistance and National White Collar Crime Center, conducted focus group meetings that included groups such as the International Association of Chiefs of Police (IACP) and the National Sheriff’s Association (NSA).

In the meantime, Attorney General Janet Reno became personally interested in the work of the group. In addition to soliciting the active support of key federal executive agency heads to embrace the vision of collaboration and cooperation across all levels of law enforcement, she initiated efforts to fund the group. As the vision of the ITWG flourished, its ranks grew beyond that of a traditional working group. In April 1998, the charter working group members reached consensus to change the group’s name and formally adopted the new name of the National Cybercrime Training Partnership. They felt that the new name more accurately reflected the cooperative nature, the training focus, and expanding mission of the partnership.

Today the NCTP is open to any law enforcement organization whose mandate includes electronic crime investigation, prosecution, or training. In addition to local, state, federal and international law enforcement agencies, the partnership includes technology research institutions, regulatory agencies whose functions impact law enforcement personnel (such as securities fraud and telemarketing) and law enforcement professionals, training and research organizations.

Prioritizing Training Needs

The following are some principal action elements of the NCTP program.

The NCTP has developed a set of priority training courses, discussed in more detail below, and continues to address a number of other critical issues related to electronic crime. Our first priority is to lead the training community in developing a new paradigm for the training of law enforcement personnel in an electronic environment. This paradigm must feature multilevel, multi-tiered, decentralized, and continuous training. In other words, it must provide for multiple recognized levels of expertise. It should be available to multiple types of law enforcement personnel (e.g., investigators, prosecutors, and specialists). It should be decentralized to reach law enforcement personnel in all geographic regions and at all levels of government. And it must be continuous in order to remain current with the changing technology and associated threat.

Some immediate practical steps the NCTP is pursuing to reach this new paradigm are identifying existing training for investigators and facilitating their attendance, developing a national training curricula (see first menu of courses in more detail below), encouraging non-traditional training modalities (training that can “come to them,” such as mobile teams, CD-ROM based training, instructional videotapes, Internet-based training, and video-teleconferencing, etc.), and putting emphasis on training that trains the trainers.

In addition to these elements directly related to training, NCTP is pursuing a number of collateral objectives. These include creating and maintaining a clearinghouse (“knowledge base”) to provide points of contact to all law enforcement agencies for technical, legal and policy issues, and training; developing a secure communications network for the NCTP community that provides a common platform and protocol among law enforcement agencies to develop and deliver training; providing sources of expert guidance to investigators and trainers; and through partners of the NCTP, such as the National Institute of Justice (NIJ), to support research and development of cyber tools for law enforcement.

As noted above, the core of NCTP’s mission is developing training curricula, seeing that training is delivered and providing related technical assistance. Accordingly, an NCTP “fast track” sub-group is developing a set of six priority courses to be developed and offered to law enforcement at all levels and in accordance with the new paradigm described above. The Partners agreed that all courses designed by NCTP would be developed in accordance with the Instructional System design (ISD) which is a universally accepted model used by performance-based trainers and educators.

The first thing that must be taught at all levels is “do no harm.” Officers must be able to recognize and preserve evidence. Obviously, although more courses are needed, our six priority courses are:

  • The Electronic Crime Scene.
  • This is a basic course for “first responders” to an electronic crime scene. It will introduce them to the basic hardware, and teach them how to identify, obtain, and preserve evidence in the electronic environment. Legal issues and procedures touched on will include such essentials as how to draft affidavits for warrants and how to secure an electronic crime scene and secure a computer system as part of the execution of a search warrant. This course will provide the minimum baseline guidance and best practices for officers. It is designed to avoid non-uniform procedure, and bad case law stemming from such haphazard procedures.

  • Basic Data Recovery and Analysis
  • . This will be the basic course for computer crime investigators, teaching the “do’s” and “don’ts” of data recovery of digital evidence. It will include discussion of advanced hardware, the physical and logical architecture of computer drives, the boot process and operating system basics, imaging, media analysis and evidence recovery on a stand-alone personal computer (PC) in a DOC/Windows environment, and case documentation and presentation.

  • Intermediate Data Recovery and Analysis
  • . This will be a more advanced course, continuing from Basic Data Recovery.It will cover advanced operating systems, compressed drives, introduction to networking, introduction to the Internet, steganography (hiding data in other data, such as files in images) and public and private key encryption.

  • Networking
  • . This course will provides an in-depth overview of networking, including NOS protocols, hardware components, LANS, WANS, etc.

. The course will teach both conducting Internet investigations and using the Internet as an investigative tool. . Designed to train more trainers in high technology skills. A train-the-trainer process will be developed specifically for the type of subjects and learning environments required for technical training. This program will serve as a template for teaching the combination of (1) technical, (2) communications, and (3) facilitation skills required for the effective transfer of technical-investigative knowledge and skills.

Delivery Systems and Other Assistance

NCTP is vigorously pursuing multiple tracks for delivering training to all levels of law enforcement. Our state-of-the-art training facility will be established in Fairmont, West Virginia (the site of the NWCCC Computer Crime Section’s training headquarters). This facility will feature some 60 computer stations and a high technology courtroom. It will allow cross- training of investigators and prosecutors, so that each better understands the needs and problems of the other in cases involving the electronic environment. Mock trials, putting all of the participants and their respective skills together, will be held.

But because not every agency in the country can be accommodated at the facility, NCTP is exploring ways to leverage existing resources. For example, we will expand the use of our mobile training facilities and use interactive training networks to instruct a wide array of law enforcement personnel and bring the training to them. Finally, NCTP will develop distance learning aids, such as CD ROM and video presentations, including regular supplements with self-testing to keep course graduates up to date with the latest developments.

As already noted, the NCTP is also pursuing collateral technical assistance programs. A priority among them is creation of a high-tech training clearinghouse and points of contact database. We now have a special domain in the FBI’s LEO (law enforcement on-line) system, and are exploring other options, including interconnectivity of law enforcement via the Internet. This secure platform will ultimately provide the means to disseminate widely such technical assistance as how to create, staff, and fund a computer crime investigative unit. We will also be able to provide pointers to model legislation, laboratory assistance, and legal assistance. With the help of its partner agencies, particularly the NIJ, Office of Science and Technology, the NCTP is conducting a comprehensive assessment of the needs of state and local law enforcement in the electronic crime arena. NIJ will complete and deliver the assessment report in November 1999.

Finally, a word about our organization. NCTP has adopted a “free-form” organizational structure. This structure, intended to overcome the negative effects of traditional “line and box” bureaucratic structures, is particularly appropriate to a cooperative enterprise like the NCTP. It can be described as a set of overlapping ovals, contained within a larger oval representing the entire partnership.

Working within the larger oval, the Department of Justice, through the Computer Crime and Intellectual Property Section, chairs the organization and provides continuing guidance and leadership to carry out NCTP’s goals. The NWCCC provides a full-time, operational staff, including instructors, curriculum development specialists, researchers, etc. to support these goals. A Vision and Policy Committee is made up of representatives of partner agencies and chaired by CCIPS.

And, of course, there are the partners, who range from all the major federal law enforcement agencies, through national organizations like IACP, to state and local police agencies. Each is expected to actively participate in our meetings, share their expertise and training curricula and resources, respond to requests for comment and be seriously committed in general to our goal of developing and disseminating quality training to the law enforcement community.

There is, of course, much more to the story of electronic crime, its effect on the nation and its law enforcement agencies, and the role NCTP plays in fighting back. But there are three simple messages all of law enforcement must understand.

First, the problem is everybody’s problem. No agency, no matter where located, will escape its effects. Second, the very nature of electronic crime requires that we work cooperatively, putting away old jurisdictional boundaries and protective attitudes. Finally, training, training, and more training are key. We may be behind the technology curve today, but we can pull ahead through intense and cooperative efforts like the NCTP. We welcome your joining us. ***

If your organization is interested in participating as a Partner, contact the author, at 1001 G St., N.W., Washington, D.C. 20001, (202) 514-0823, or e-mail to wwilliams@cybercrime.org and/or wwilliams@leo.gov.