Archive for the ‘Legal & Policy Issues’ Category

A Cyber-Investigator’s Introduction to IPv6

Wednesday, July 13th, 2011

This article is a guest post from Jonathan Abolins, who will be leading the next webinar in our Online Investigations Series: “Internationalised Domain Names, Foreign Language Websites, & Investigations.” While the two topics are unrelated, they do have one thing in common: both present previously uncharted challenges for online investigators.

There’s no place like home.
There’s no place like 127.0.0.1. (IPv4 version)
There’s no place like ::1. (IPv6 version)

Introduction

The widely used Internet Protocol (Version 4) – IPv4 – was created approximately 30 years ago and it has served us well. But it’s also showing its age. Back in the early 1980s, it was almost impossible to anticipate the growth in the demand for IP addresses. Now we are running out of IPv4 addresses (“IPv4 address exhaustion”). There has also been a growing need for other improvements to the Internet Protocol.

To address these issues, Internet Protocol (Version 6) – IPv6 – was proposed in the mid-1990s. IPv6 is not yet in wide use but it would be a big mistake to assume that IPv6 cannot affect our networks.

Most operating systems, and many other systems, now include IPv6 support by default. There is also the ability to tunnel IPv6 via IPv4 with Teredo, 6to4, etc. For those whose ISPs don’t provide IPv6 connections, there are services, such as the Hurricane Electric Free IPv6 Tunnel Broker, which let a host tunnel over IPv4 to a broker that then provides it with IPv6 connectivity.

(Image: Example of IPv6 Support in Windows 7)

IPv6 is going to become a bigger part of our networking and investigations in the near future. Will our tools and methods be able to handle the changes?

IPv6 vs IPv4: A Few Key Points

Without going into much detail, here are some of the key differences between IPv6 and IPv4:

Number of bits and address space.

  • IPv4 has 32 bits, allowing just over 4 billion addresses. Not even enough to give a unique address to each human being on Earth.
  • IPv6 has 128 bits, allowing 340,282,366,920,938,000,000,000,000,000,000,000,000 unique addresses. This is roughly like giving 2^52 addresses for every star in the known universe. We are not likely to run out of IPv6 addresses.

Address notation.

  • IPv4 usually uses dotted decimal notation. E.g., 192.168.2.12.
  • IPv6 uses groups of 16-bit hexadecimal numbers separated by colons (“:”). E.g., 2001:04c0:0000:0000:0000:c5ef:0000:0231.
  • The IPv6 addresses can be compacted. So the above example becomes 2001:4c0::c5ef:0:0231.
  • In mixed IPv4/IPv6 notation, a 32-bit IPv4 address can be embedded in an IPv6 address. E.g., 2001:04c0::192.168.1.1 or ::126.143.54.107 (Note the switch from colon separators to dotted format for the last 32 bits.)

IP security (IPsec) is built into IPv6, providing the ability to cryptographically sign (authenticate) packets.

There are various IPv6 tools for defense (if we know how to use them).

This is barely scratching the surface. The Resources section (below) has IPv6 specifications and other documents for more in-depth information.

Security, Forensics & Investigations Issues for IPv6

As mentioned above, IPv6 has some security features. Also, some IPv6 features might be helpful in investigations. For example, an IPv6 address may in some cases reveal the source’s MAC address. But there are also security problems raised by IPv6 in current networking environments.

The gigantic IPv6 address space means that scanning IPv6 networks the IPv4 way, by trying each possible IP address, is not going to work. It’s possible to scan the entire IPv4 address space this way in several days. Scanning the entire IPv6 address space the same way would take billions of centuries. Even a single IPv6 subnet could take over 145,000 years. So we need IPv6-specific methods of finding systems at IPv6 addresses, such as neighbour discovery.

Tools designed for IPv4 environments might not properly process IPv6 information. Some log processing applications truncate IPv6 addresses, and many may not properly interpret IPv6 traits. Blacklisting tools may miss problem addresses because they cannot associate an IPv6 address with an IPv4 one, or recognise an IPv4 address embedded in IPv6 notation. It is likely that some analysis tools for linking data, such as IP addresses associated with crimes, will have problems once IPv6 addresses come into play. What else might IPv6 trip up?

Keep in mind too that there are many tools available that can be used for attacking IPv6 systems or for using IPv6 to bypass security. Firewalls set up for IPv4 may ignore IPv6 connections and, thus, fail to protect the internal networks. Detection software may ignore IPv6 traffic or tunnelled traffic altogether.

Even many commonly used network tools can fail unless we have the right versions of the tools and suitable network connections. For example, here’s a part of a sample SMTP e-mail header with a reference to the IPv6 address of 2001:470:0:64::2:

From ipv6@he.net Tue Nov 23 09:51:00 2010
Return-Path:
Received: from ipv6.he.net (ipv6.he.net [IPv6:2001:470:0:64::2])
by Duncan-Server.duncan (8.14.3/8.14.3/Debian-9ubuntu1) with
<…>

Try “ping 2001:470:0:64::2” and it will likely fail. If you have ping6, it might work, but not if your network connection doesn’t support IPv6. The same goes for traceroute and various other tools. Nslookup, dig, and whois work better. (Example of an IPv6 whois lookup via the ARIN Web site) But they are not enough for our security & forensics toolkit.
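As an added example (my code, not part of the original article), here is how an investigator’s own tooling can cope with the notation issues described above: it pulls the address literal out of the Received: header quoted earlier, produces the canonical compressed and fully expanded forms (full compaction also drops the leading zero of the last group in the earlier example, giving 2001:4c0::c5ef:0:231), recovers the IPv4 address embedded in IPv4-mapped, IPv4-compatible, 6to4 and Teredo addresses so that an IPv4 blacklist entry can still match, and recovers the MAC address from an EUI-64 derived interface identifier, which is the case in which an IPv6 address reveals the source’s MAC. It uses only Python’s standard ipaddress module; the Received: line, the blacklist and the link-local address are constructed sample inputs.

```python
"""Added example (not from the original article): normalise IPv6 addresses
found in logs and mail headers so that IPv4-era tooling can still match them,
and recover the MAC address hidden in an EUI-64 interface identifier.
Uses only the Python standard library 'ipaddress' module."""
import ipaddress
import re

# Constructed sample: the Received: line quoted in the article, with the
# mail server's address in the "[IPv6:...]" literal form.
SAMPLE_RECEIVED = "Received: from ipv6.he.net (ipv6.he.net [IPv6:2001:470:0:64::2])"

# Bracketed address literal in a Received: header: "[IPv6:2001:db8::1]"
# or, for IPv4, "[192.0.2.10]".
_ADDR_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def extract_received_addr(header_line):
    """Return the address literal from a Received: header line, or None."""
    match = _ADDR_LITERAL.search(header_line)
    return match.group(1) if match else None


def embedded_ipv4(ip):
    """Return (kind, ipv4_text) when an IPv6 address carries an IPv4 address
    (IPv4-mapped, IPv4-compatible, 6to4 or Teredo), otherwise None."""
    if ip.ipv4_mapped is not None:            # ::ffff:a.b.c.d
        return ("mapped", str(ip.ipv4_mapped))
    if ip.sixtofour is not None:              # 2002:AABB:CCDD::/48
        return ("6to4", str(ip.sixtofour))
    if ip.teredo is not None:                 # 2001:0::/32; client IPv4 is XOR-obfuscated
        return ("teredo", str(ip.teredo[1]))  # [1] is the client's public IPv4
    raw = ip.packed
    # Deprecated IPv4-compatible form ::a.b.c.d (but not :: or ::1)
    if raw[:12] == bytes(12) and int.from_bytes(raw[12:], "big") > 1:
        return ("compatible", str(ipaddress.IPv4Address(raw[12:])))
    return None


def mac_from_eui64(ip):
    """Return the MAC address a modified-EUI-64 interface identifier was built
    from (RFC 4291 App. A: ff:fe inserted in the middle, U/L bit flipped),
    or None if the identifier does not have that shape."""
    iid = ip.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first_octet = iid[0] ^ 0x02               # undo the universal/local flip
    mac = bytes([first_octet]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in mac)


def describe(addr_text):
    """Canonical forms of an address plus anything it reveals for correlation."""
    ip = ipaddress.ip_address(addr_text)
    info = {
        "version": ip.version,
        "compressed": ip.compressed,   # RFC 5952 form: key blacklists and logs on this
        "exploded": ip.exploded,       # full form: what a truncating tool would need
        "embedded_ipv4": None,
        "mac": None,
    }
    if ip.version == 6:
        info["embedded_ipv4"] = embedded_ipv4(ip)
        info["mac"] = mac_from_eui64(ip)
    return info


def matches_blacklist(addr_text, blacklist):
    """True if the address, or the IPv4 address embedded in it, falls inside
    any of the listed addresses/networks (IPv4 and IPv6 entries mixed freely)."""
    ip = ipaddress.ip_address(addr_text)
    candidates = [ip]
    inner = embedded_ipv4(ip) if ip.version == 6 else None
    if inner is not None:
        candidates.append(ipaddress.ip_address(inner[1]))
    nets = [ipaddress.ip_network(entry, strict=False) for entry in blacklist]
    # 'in' is False across address families, so no version guard is needed
    return any(cand in net for cand in candidates for net in nets)


if __name__ == "__main__":
    addr = extract_received_addr(SAMPLE_RECEIVED)
    print(addr, describe(addr))
    for text in ("2001:04c0:0000:0000:0000:c5ef:0000:0231", "::126.143.54.107",
                 "::ffff:192.0.2.10", "fe80::211:22ff:fe33:4455"):
        print(text, "->", describe(text))
    print(matches_blacklist("::ffff:192.0.2.10", ["192.0.2.0/24"]))
```

The blacklist check deliberately keys on the parsed address rather than the text, so “2001:04c0::192.168.1.1” and its hexadecimal spelling 2001:4c0::c0a8:101 match the same entry; a tool that compares strings would treat them as different hosts.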

The most critical security & investigatory challenge is getting up to speed with IPv6.

Conclusion

IPv6 has much to offer. It is also outpacing many of the tools and methods for securing IPv4 networks and investigating activities on the networks. Our tools, methods, and our understanding of IPv6 will need to adapt.

Resources

IETF, RFC 2460 – Internet Protocol, Version 6 (IPv6) Specification.
The Internet Society. Internet Issue – IPv6.
Klein, Joe. Collection of IPv6 Security presentations. These presentations are an excellent resource for understanding the security issues with IPv6. Joe Klein is a great resource in this field.
Leinweber, James. IPv6 and the future of network forensics. UW-Madison Information Security Team. June 6, 2011.
Nikkel, Bruce J. An introduction to investigating IPv6 networks. July 19, 2007 [Originally published by Elsevier in Digital Investigation: The International Journal of Digital Forensics and Incident Response, Vol. 4, No. 2 (10.1016/j.diin.2007.06.001)]

Wikipedia entries
IPv6
IPv4 address exhaustion
List of IPv6 tunnel brokers

Wireshark Wiki. Sample PCAP Captures – IPv6 and Tunneling.

Acknowledgements: Many thanks to Joe Klein, Joshua Marpet, and Jeremy Duncan for their insights and help.

Cell phones, the Internet and common evidence issues

Wednesday, July 6th, 2011

Our free webinar last week was on cell phones and the common apps used to connect them with the Internet. Mike Harrington of Teel Technologies talked about some of the items of evidence which those apps leave, both on the phones and on the Internet sites the apps lead to.

Todd has been talking for some time about how the normal crime scene has been changing over time and that investigators, both civil and criminal, need to be thinking of where their evidence is outside of the physical location they are at. The Internet, and the ability of most modern cell phones to connect to it, have greatly expanded the possible locations for evidence to be found – far beyond the physical crime scene. This increase of course means more work. But with the additional locations for evidence, investigators can obtain a clearer picture of what occurred.

This means that evidence will be located at a minimum in the following places:

  1. The cell phone itself (forensic data extraction)
  2. The social media site (accessed from the web and properly documented). Depending on the number of apps on the phone this could be numerous sites.

Because we don’t generally let the cell phone access the web during data extraction (to prevent syncing and therefore data change), what is on the cell phone will undoubtedly be different from what is on the social media site.

This is particularly true if the user accesses the sites from places other than his cell phone, or his friends make posts to his wall (as themselves or even posing as him). So, to corroborate what they find on the phone, investigators should also plan to collect additional items through legal service (civil or criminal subpoena or search warrant):

  1. Cell phone/tower records from the provider
  2. Social media site records from the social media site. Again, depending on the number of apps on the phone, this could be numerous sites.

Each of these records contains a piece of the puzzle. Compiling all of them can give the investigator a more accurate picture of what occurred and when, but it all needs to be documented properly.

The investigator must also be prepared to investigate further when the two are inconsistent, and if necessary, explain the inconsistencies in court. For example, if phone artifacts have date/time stamps and content that are different from those found on social networking sites, investigators must question why. Likewise when a cell service provider’s records differ from phone or Internet evidence.

In short: none of this evidence – data on the cell phone, the social networking site, or in the cell or Internet service provider’s records – should be considered “nice to have.” With courts paying more attention to the authenticity and verifiability of digital evidence, gathering as much information as possible from as many sources as possible is a requirement to ensuring that victims and suspects alike get the due process they deserve.

Data retention vs. criminal anonymizer use

Wednesday, February 2nd, 2011

This week, German authorities released data suggesting that Internet Service Provider (ISP) data retention policies – which the United States hopes to implement – could actually have a negative impact on online crime fighting.

Why? As the article puts it:

This is because users began to employ avoidance techniques, says AK Vorrat. A plethora of options are available to those who do not want their data recorded, including Internet cafés, wireless Internet access points, anonymization services, public telephones and unregistered mobile telephone cards.

The European Union is looking at policy changes that protect both privacy and public safety. In the meantime, however, we know that “hard core” criminals will continue to use anonymization technology, and it will take more than policy to address this.

That’s why we’re pleased to announce that the National Institute of Justice has awarded us funding under its Electronic Crime and Digital Evidence Recovery grant. The funding is for the development of forensic and investigative tools and techniques to investigate criminal use of Internet anonymizers – tools that law enforcement doesn’t currently have.

We’ll be working in conjunction with researchers at the University of Nevada’s Department of Computer Science and Engineering on the development, while investigators from the Washoe County Sheriff’s Department will test the software and offer their feedback. Meanwhile, we’d love to hear from you. What has your experience been trying to investigate online crime despite anonymizers?

Now available: 3 free model policies for social networking support

Wednesday, May 12th, 2010

Our 2-day on-site training devotes a fair amount of time to policy issues: investigative ethics applied online, undercover work, deconfliction, and employee stress management. However, while we talked about the need for policy, we didn’t have a model to offer.

Well, now we do! In the “White Papers” section of our Web site, you’ll now find three separate model policies: social networking investigations, official agency communication, and employee off-duty use.

Why 3 policies?

Law enforcement presence online isn’t just about gathering evidence. It’s also about ensuring that employees represent themselves and their agencies as professionals at all times (including not conducting investigations via their personal accounts). Also, just as agencies simultaneously conduct investigations and community relations in their communities, they should at least consider doing the same online.

The three policies complement each other, and as Todd is quoted in our press release, they’re meant to minimize the risk and maximize the reward of an online presence. They also fill a gap: while many policies are available from private companies, few are published by law enforcement agencies.

What the policies cover

The “Investigative Use of Social Networking” policy provides for:

  • Professional online conduct
  • Investigation preparation
  • Undercover work
  • Legal issues
  • Employee stress management

The “Agency Official Use of Social Networking” policy discusses:

  • Social media tools
  • Strategy for use
  • Communicating on the agency’s behalf
  • Restrictions on use
  • Handling requests from media and general public

The “Employee Off-Duty Use of Social Networking” policy includes:

  • Employee self-identification as a police officer
  • Confidential and sensitive information
  • Legal requirements
  • Disciplinary action

Because these are model policies, be sure to run them through administrators and department or other legal staff before you implement them, as state or jurisdictional laws may need to be specifically addressed.

Who will benefit?

We timed these policies’ release during the week of the ICAC Conference in Jacksonville, FL, where Todd is exhibiting. Now, we know ICAC investigators are well-versed in online investigation and thus policy – but we also know that their investigations can take them into jurisdictions where other detectives are not familiar with online work, undercover or otherwise.

So whether you’re an investigator whose agency needs social networking policies, or you know of investigators who do, please feel free to pass these along. You can refer others to the policy page using this address:

http://tinyurl.com/verepolicies

And if you have any questions, please let us know at info (at) veresoftware (dot) com !

DragNet? In what form?

Wednesday, May 5th, 2010

In February, CNet reported that police are looking for a “back door” to private data, in the form of “a national Web interface linking police computers with those of Internet and e-mail providers so requests can be sent and received electronically.”

This was followed up in April by a revelation that the Department of Justice had requested Yahoo emails without a warrant—because the emails were older than 180 days and stored on Yahoo servers rather than on a local machine.

Civil libertarians, of course, regard these stories as evidence of Big Brother manifesting all his totalitarian glory. But the original concept of a national network, says its originator, has been misrepresented.

More efficient, not more invasive

Sgt. Frank Kardasz is director of the Phoenix (Arizona) area Internet Crimes Against Children task force and, in a report to the Commerce Department’s Online Safety and Technology Working Group, wrote about the need for Internet service providers (ISPs) at least to maintain records for longer than the few weeks they currently do—up to a year or longer.

“The trouble with real life policing is that there are reporting delays from victims, overwhelming caseloads for detectives, forensics analysts and prosecutors, time delays or no response from Internet service providers and many other systemic issues that impede the rapid completion of our work,” he wrote in his report, “Internet Crimes Against Children and Internet Service Providers: Investigators Request Improved Data Retention and Response.”

Similar problems exist among government agencies, which is why Los Angeles County instituted the Electronic Suspected Child Abuse Report System. The Web-based system links public agencies together, replacing outdated forms of communication like faxes and postal mail, and reducing the likelihood that charges will be dropped or reduced due to missing evidence.

Because it is not a direct link from law enforcement to private records, it doesn’t carry quite the same implications for privacy. It does, however, solve very similar problems, and as the first of its kind in the country, could easily serve as a model for other efforts.

Logistical concerns

The need for a strong model is particularly important when it comes to security. Many companies have hesitated over moving to “the cloud,” fearful of what might happen if a malware-infected PC accessed cloud-based private information. (Many of these issues are discussed in our white paper, “Basic Digital Officer Safety.”)

However, the U.S. Army is now using “milBook”, a secure Facebook-like interface restricted to its own personnel. Connecting people with each other as well as with defense-related topics, milBook facilitates the sharing of a broad range of information. Fundamentally, it might be compared to the Regional Information Sharing System, though more socially oriented.

Whether this would be as easy to set up is debatable, however. The Army, after all, has the DoD to administer its private network. For the DOJ to set up and maintain a public-private information exchange would not, to put it lightly, sit well with groups like the Electronic Frontier Foundation.

More likely may be for the DOJ to require ISPs to set up their own networks. Some already do, as CNet pointed out. The networks would have to comply with certain requirements regarding data storage and speed of retrieval, but the companies would retain control of user information.

The need for better ISP support

Kardasz noted, based on a 2009 survey of 100 investigators:

  • 61% reported ISP delays and limited time periods for storage detrimentally affected their investigations.
  • 47% reported they had to end investigations because the ISP didn’t retain the data they needed to make a case.
  • 89% wanted to see a national network established to make legal process requests more efficient.

“Investigators recognize that the subject of data preservation is controversial,” Kardasz wrote. “I think investigators respect the Constitution, support the rights of Commerce and simultaneously want to protect citizens from cybercrime. They seem to be asking for a system that is more efficient, not more invasive, a system that favors the crime-fighters instead of the criminals.”

What law enforcement can do

In last month’s issue of Law Enforcement Technology, Vere president and CEO Todd Shipley was quoted as saying, “It’s not just a federal problem. It’s a state and local problem too because the victims are citizens of the local community.”

So while ISPs can improve their processes, so can law enforcement. Todd’s recommendations: Know how to take reports on cyber crimes. Collect information the cybercrime experts need. Know how to share information and with whom. These pieces, the building blocks of professional police response, must be in place so that whatever ISPs institute to help law enforcement, it will be supported rather than criticized.

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and digital forensics and can be reached at christa at christammiller dot com.

Cloud computing: Not just for geeks or feds

Monday, February 8th, 2010

Think online investigation is just for the high-tech crimes types, the computer forensics geeks or the feds? Not so, says Todd in his interview with Cyber Speak’s Podcast (hosted, ironically, by two former federal agents). The more people are online, the more they’re likely to use cloud services, the more important it is for local law enforcement to be there too.

Todd’s appearance on Cyber Speak came about because of his two-part article on cloud computing, which had appeared in December in DFI News. He and Ovie Carroll discuss:

Impact of cloud computing on first responders

Detectives performing searches can’t simply pull the plug on a running computer anymore (a fact which prosecutors are having to get used to). They need to be able to perform data triage and possibly even volatile data collection.

Why? Because knowing whether a suspect has an online presence is critical to whether an arrest is made—and what happens afterward. Whether users are actively storing files “in the cloud” or are simply members of social networking sites, law enforcement officers who don’t find evidence, and therefore do not make an arrest, risk that suspect going online and deleting all incriminating information.

Why is this a problem? Because the very nature of cloud storage means investigators may not be able to access a logical hard drive somewhere to recover the evidence. First, the sheer amounts of data stored on servers make this close to impossible. Second, there are jurisdictional issues.

Are you exceeding your authority?

Not only may information be stored outside your jurisdiction, but it may also be stored in another country altogether—one with different criminal and privacy laws. Accessing evidence of a crime in the United States may actually mean committing a crime in another country (Todd relates the story of two FBI agents for whom arrest warrants were issued in Russia).

This is a problem for local law enforcement, which Todd notes has been left largely to its own devices when it comes to online crime. Only Internet Crimes Against Children (ICAC) task forces have clear direction from the federal government on how to proceed.

Hence it’s easy for local police to kick Internet crimes up to regional, state or federal task forces. But as Todd points out, more people coming online means more crimes being committed against people in local jurisdictions both large and small. Law enforcement at every level needs to be able to respond.

Please listen to Todd and Ovie, and then come back and tell us what you think!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Legal Issues with Online Investigations: Some background

Friday, January 15th, 2010

As Executive Director and Senior Counsel of the National Law Center for Children and Families, Richard Whidden is most familiar with laws and precedents related to child pornography—but stresses that investigators of other crimes can take away important information, too. “Much of the case law on electronic evidence comes from child porn cases because those are what prosecutors take on,” Whidden says.

During his webinar, “Legal Issues with Online Investigation,” on Thursday, January 21, Whidden will be discussing a sampling of cases from 2009 that had to do with Internet and computer forensics. One of the primary cases, however, has to do not with child pornography but instead with steroids.

Specifically, U.S. v. Comprehensive Drug Testing, Inc. describes forensic procedures relative to search and seizure of electronically stored evidence. Although it applies to the 9th Circuit Court of Appeals’ jurisdiction, it’s likely that other courts will look to the decision when dealing with their own issues of electronic evidence.

The case also illustrates how the process of e-discovery has evolved over the past 10 years. Typically this is difficult to discuss. As Whidden says, “You could have entire symposiums on how the law has changed over the last 10 years, before you even break out the crystal ball on how it will change over the next 10.”

Notably, law changes according to the technology. “We’ve gone from pornographic images of children, to streaming video of abuse taking place,” says Whidden. “Modes of transmission change. Cell phone technology is much more prevalent now, and will continue to evolve.”

Whidden will cover other legal issues, such as the definition of “possession” of child pornography, procedures related to computer related evidence, search and seizure issues, and the difference between state and federal prosecutions. He will not discuss civil cases, only criminal cases because of the higher burden of proof.

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Cyber Vigilantism or Cyber Neighborhood Watch?

Saturday, March 28th, 2009

Governments across the globe have been trying to deal with Cybercrime and its impact on our communities. Some have done a better job than others in responding to those crimes. The rise in Internet users over the past decade and our dependence on it as a medium for communication has increased the number of concerned citizen users. The Internet is no longer just a tool to do our shopping from our home, or a tool to research a school paper. Through social networking the Internet is truly becoming a community. With those communities come problems, but also concerned citizens, ready to rise up and act in the best interests of their community.

Law enforcement is still grappling with its response to enforcing the law on the Internet. They continue to meet the challenges with mixed results. Because of this enforcement vacuum there recently has been a rise in what can only be described as citizen activists. The rise in social networking has brought together many diverse people. The commonality among them is their willingness to protect their piece of the Internet. As evidence of this are several examples of concerned netizens standing up and taking actions to protect their Internet.

Twitter, the recent social networking phenomenon, gave rise to an incident recently, as commented on by socialmedia.biz, where a “Twitterer” in Virginia found a threat posted on a Wikipedia page against a school in St. Louis. Enlisting others from the Twitter ranks, they tracked down information about the student posting the threat and made plans via Twitter about what to do with the information. The local police department was contacted and the threat relayed. However, the police complaint taker was less than cooperative according to reports and stated he “did not have access to the Web”. Another neighboring agency was contacted and appropriate actions were taken to resolve the issue.

And as far away as China, the Internet is changing the way people feel about things and the way they communicate. Locating people online has become almost a sport. When unpleasant comments were posted online after the earthquake deaths in Sichuan province, numerous Netizens researched and attacked the posters online. Even Chinese government officials are not immune from this response. With millions of people online, the Chinese government is finding it increasingly difficult to control its citizens’ response to overzealous government officials. Wearing a $25,000 watch in a picture you post on the Internet is probably not a good idea when your government salary is not enough to cover its cost. The official was later dismissed, partly, I am sure, due to the Netizens’ complaints. In China this growing trend of Cyber-vigilantism is called “renrou sousuo”, or “human-flesh searches”. It is done spontaneously by Netizens to ferret out perceived wrongdoers.

At the other extreme, in this country we have the Texas Border Watch program. This is a novel concept of recruiting Cyber border watchers. Individuals can watch streaming video over the Internet from cameras mounted at various locations on the southern U.S. border and report suspicious activity. According to a report by NPR, “43,000 pairs of eyes are watching the Texas-Mexico border”. Netizens’ observations of the border have led to arrests of wrongdoers.

Cyber Vigilantism is not necessarily new. A few years ago a Korean girl was publicly humiliated online after not picking up after her dog on a train. In the late 1990’s Cyber-vigilantism was thought to be a reasonable response to the emerging online crime problem because of law enforcement’s inability to respond to the problem. Even extremist groups have been tracked by vigilantes on the web. It’s a popular enough concept that Wikipedia has a page defining it.

The dark side of this argument has been groups such as Perverted Justice, whose regular work was chasing those who would prey on our children on the Internet. Their members’ antics have been regularly discredited as well as praised for their aggressive and persistent actions, which arguably may not be within the law. In the UK recently a law was passed to try and curtail the extreme amount of pornography found on the Internet. The “Extreme Porn” law has given rise to a group, the Enforcers of the Extreme Porn Law, who are dissatisfied with UK law enforcement’s position of not actively policing extreme porn.

How much has law enforcement’s response to Internet crime changed in the past decade? Certainly law enforcement has gotten better at dealing with the technology, and on many levels their response is better. Many law enforcement agencies are even using social networking sites to communicate with their citizens. But there is no real drive to recruit netizens to become the eyes and ears of law enforcement online. In a recent entry in his blog “Note from a City CIO”, Bill Schrier wrote an article, “Twitter, Facebook not ready for Government 2.0”. Ready or not, Government will have to address social networking and the netizens on it, more likely sooner than anticipated given its growth rate.

With these isolated examples of netizens’ reactions to criminals online, law enforcement may be missing an opportunity to recruit a neighborhood “Net-Watch” type of faithful following. Law enforcement could guide netizens and encourage their support. With the Internet’s ability to mobilize vast numbers in response to a crime on the Internet, an opportunity exists to deal a major blow to criminals everywhere. People now spend their waking hours, and some with web cameras, their sleeping ones too, online. It may be time for law enforcement to expand its online ranks with properly trained and recruited cyber watchers. It might also be a way of corralling the behavior of some of the Cyber vigilantes who have gone a little far in their attempts to hang online wrongdoers. Look out online criminals, your next door neighbor may soon be watching you.

Threat of Cyber Crime Continues to Increase

Friday, February 13th, 2009

Jim Kouri, formerly the Chief of Police of the New York City housing project in Washington Heights, wrote recently in MensNewsDaily.com about Cyber Crime and its increasing popularity as a criminal endeavor. He rightfully identified that there is a difference between critical infrastructure protection (Cyber security threats) and Cyber crimes (traditional crimes committed through the use of technology). This distinction is far too often overlooked at the national level, without appropriate consideration being given to each area. Threats to our critical infrastructure are not the same as Cyber criminals stealing from our citizens. However, from the initial look at a crime, say a “Phishing” scam against a bank, a law enforcement investigator does not know if this criminal act is a foreign state attacking our economic system by trying to make the bank fail, or a teenager from one of the old Eastern Bloc countries simply scamming unsuspecting customers out of their funds.

Law enforcement from the outset often ignores these crimes due to the investigative complexity of the crime and the lack of training and tools to effectively pursue the evidence. The current economic situation is making things even worse for those agencies that do attempt to address Internet-based crime. In California, High Tech Crime Task Forces are being shut down due to the budget crisis. The Northern California Computer Crime Task Force has shut down and the San Diego area CATCH Team will shut down on February 16th. Both of these task forces have made a significant impact on criminals using the Internet to commit crimes. Yet we are allowing them to close, and very little is being done to stop it.

The new administration is due to announce the appointment of its new Cyber Czar. I don’t have a hope for the near future with the President saying one thing before his inauguration:

“As president, I’ll make cyber security the top priority that it should be in the 21st century,” … “I’ll declare our cyber-infrastructure a strategic asset and appoint a National Cyber Adviser who will report directly to me.” (from a speech at Purdue University last July)

And doing another, which is by most accounts putting the new Cyber Czar post several layers down in the Department of Homeland Security. If it does end up in DHS it will be another function unable to deal with the national problem, because the appointee will have to facilitate conversations with the FBI and other organizations outside of DHS responsible for Cyber crime investigation. In addition the new Cyber Czar would have to fight for funding within his or her own organization.

As with the intelligence collection and review issues identified by the 9/11 Commission, Cyber crime is another area not coordinated nationally among the many different stakeholders in the arena. The better model would be to have the Cyber Czar in the White House with positive control over budgets and agency actions responding to the problem. The National Intelligence Director’s position is the best model for this issue. The problem is not for a single agency to try and solve, but it should be the responsibility of a single entity to coordinate the response nationally. Cyber crime is dealt with at all levels of law enforcement in this country, from the City police investigator looking into Vice crime on Craigslist to International Child Porn rings investigated by the FBI. Yet with all this crime occurring there is no coordination of cyber criminal intelligence or investigations from the bottom to the top.

Lastly, the person selected as Cyber Czar should have a concept of operational response to both the Infrastructure Protection space as well as the Cyber crime arena. They are two different animals and require different skill sets, but complementary responses. We will have to wait and see if the President’s pick is up to the challenge and given the proper authority and resources required to accomplish the mission.
