March 2002

Investigation of Cybercrime and Technology-related Crime

by Dan Koenig

Background

38 years - The radio reached 50 million users.
16 years - The computer reached 50 million users.
4 years - The Internet reached 50 million users.

One
need only walk through any American police station to witness first hand the technological
revolution occurring within our law enforcement community. Within the next five
years, a computer with full Internet connectivity will be as important to our
investigators as the telephone is today. The only "soft" aspect to that
prediction is that some would argue five years is too long, for without computer
connectivity and the ability to use it effectively, investigators will be unable
to interact effectively with their private sector counterparts; access local,
state and federal databases; exchange information on crimes and criminals; and,
access public information that is so critical in solving crimes and locating criminals.
Most law enforcement executives recognize the value of automation and embrace
it as the biggest technological revolution to hit law enforcement since radios
were put in patrol cars fifty years ago. We have seen a literal explosion of LANs,
WANs, and intranets, all of which were foreign terms a mere ten years ago. Finally,
many of our early visionaries are beginning to see the paperless systems they
envisioned so many decades ago. But, how well are we assimilating cybercrime into
the daily caseloads of our criminal investigators? This paper will discuss cybercrime
in order to assist executives in addressing this rapidly increasing demand for
law enforcement services.

Definition of Terms

Various terms
are used (and misused) to define cybercrime. For this paper, we define cybercrime
as, "A criminal offense that has been created or made possible by the advent
of computer technology, or a traditional crime which has been so transformed by
the use of a computer that law enforcement investigators need a basic understanding
of computers in order to investigate the crime." Within that broad definition
lie two distinct sub-categories: Computer Crime and Computer-related Crime.

Computer Crime involves the use of a computer as the primary instrument to facilitate the
crime and the target thereof. While state laws vary somewhat, these crimes usually
include the unauthorized:

- use, access or damage to a computer system;
- taking, copying, altering, deleting, or destroying computer data, software or programs;
- disrupting computer services or denying computer services to an authorized user;
- introducing a computer contaminant (viruses) into any computer or system; or,
- misuse of someone else's Internet domain name.

Computer-related Crime involves the use of a computer to commit
a crime and/or as a repository of evidence related to the crime. Generally, this
includes traditional crimes that have been transformed by computer technology
such as:

- computer-generated counterfeit documents;
- computer-generated threats;
- possession of computer-based child pornography images; or,
- any crime in which documents or evidence is stored in a computer such as records of narcotic distribution, gambling or embezzlement.

Computer-related crime can involve use of the Internet to facilitate crimes such as:

- Internet auction fraud (primarily thefts);
- criminal threats;
- stalking (cyberstalking);
- threatening or annoying electronic mail;
- distribution of child pornography;
- online gambling;
- fraudulent credit card transactions;
- fraudulent application for goods or services; or,
- identity theft.

The importance of recognizing these
two distinct categories is critical in that they require varying levels of investigative
skill. Specifically, computer crimes require a much higher degree of technical
knowledge than computer-related crimes. Throughout this paper, we will make specific
observations regarding these two categories of cybercrimes.

Investigation of Cybercrime

Many law enforcement agencies define cybercrime very narrowly
and think of it only in terms of complex, computer-specific issues like hacking
or crimes that require a forensic computer examination. This is a fatal flaw in
two respects. First, it oversimplifies what are in fact very complex crimes, and
secondly it inflates the investigative difficulty of relatively simple crimes.
On a national level, law enforcement must recognize that many forms of simple
theft and fraud are in fact cybercrimes if a computer is used to commit the crime.
What may appear to be a simple theft of small proportions--and may even go unreported
in many cases--may actually be a major crime with a huge loss. In fact, computer
thieves have recognized the almost infinite number of victims available to them
on an international scale and the MO of "taking a little bit from a lot of
places" to avoid the normal detection systems has become all too common.

Here we will discuss the most pressing problems in the area of cybercrimes.
These issues are divided into the areas of organizational structure, sharing of
information, resources, regulations and prevention. Obviously, these topics can
only be addressed in a limited manner in this paper. But, there is growing research
and information on this entire topic which clearly is the wave of the future for
local, state and federal law enforcement executives.

Organizational Structure

Investigative Responsibility. Often, there is confusion within an agency regarding investigative
responsibilities for cybercrimes. The investigation of Computer Crimes requires
highly specialized skills. However, Computer-related Crimes do not necessarily
require the same set of skills. As computers become more common in businesses
and households, it is inevitable that the information or evidence an investigator
seeks will be stored in those computers or will involve use of the Internet. While
experts must be developed to handle sophisticated computer crimes, traditional
crimes that are merely facilitated by technology generally should remain the investigative
responsibility of the units that traditionally investigate those crimes. Implicit
in that distinction is the necessity to ensure that every investigator is trained
to handle computer-based evidence in order to fulfill their investigative responsibilities.

Allocation of Resources. Many large police agencies have segmented their
overall approach to addressing cybercrimes. However, a unified approach is often
needed to be successful in this area and also to properly gauge the problem and
its impact. This includes the identification of talent, sharing of specialized
resources and equipment, and avoidance of duplication. In other words, while most
Computer-related Crimes should remain de-centralized, sophisticated Computer Crimes
and forensic investigations need to be centralized within a unit that has immediate
access to a computer lab environment.

Police/Private Sector Partnerships.
For decades, law enforcement agencies have formed effective partnerships with
the private sector to facilitate public safety. This is especially true with large
financial institutions that employ full-time, highly trained security staffs to
protect their institutions and customers. As cybercrime matures, these private
sector resources will become invaluable in the investigation and prosecution of
computer criminals. Therefore, it is imperative that law enforcement develops
and maintains strong working relationships with its private sector counterparts
in order to cooperatively investigate crimes of mutual interest.

Reporting Internet Crimes. Victims will usually report Internet crimes to their local police
agency, but some agencies refer the victim to the agency where the suspect is
believed to be. As logical as this may be to law enforcement, it can be extremely
frustrating to a victim and also presents several major problems to an agency
several states or a continent away. A better solution may be to establish a standardized
national reporting policy that requires the local agency to take the preliminary
crime report from the victim and forward that report to the agency of jurisdiction.
The victim will be better served and the remote agency will have some form of
verification as it relates to the victim's identity and claim.

International Jurisdiction. There is little regulation of the Internet and it has no boundaries
from one country to another. Determining jurisdictional authority is confused
by the fact that criminals can legally use anonymous e-mail technology with little
fear of detection while conducting illegal activities from the comfort of their
homes. In order to cope with this reality, protocols must be developed to identify
investigative responsibility for crimes that stretch internationally. This includes
the ability to exchange evidence (contraband) expediently in order to facilitate
the prosecution of suspects for state crimes, federal violations, or crimes committed
in other countries.

Information Sharing

Nationwide Central Repository. A nationwide repository for Computer Crime trends and perpetrator
information would enhance the investigation of these crimes. A centralized database
with a hacker's name, method of operation, email address, screen names, or other
pertinent data would serve as a national repository for these crimes and criminals.
This type of database should function similar to the Narcotic Information Network
(NIN) and should be very broad in its approach so that most financial crimes can
be tracked in the database. For example, financial crimes conducted on the Internet
are particularly difficult to solve, but investigations linked through a NIN-type
system could connect clues from various jurisdictions and connect the detectives
assigned to similar cases. Collaborating detectives could bring suspects, who
now operate with impunity, to justice. These linkages are occurring at the local
level in many parts of the country, but national standards for these efforts and,
most importantly, national linkages will finally allow us to deal with these crimes
effectively at a national level.

National Clearinghouse. A national clearinghouse
for the proactive investigation of Computer Crimes should be established and agencies
should be required to access that clearinghouse prior to initiating an investigation.
Many agencies have dedicated resources to proactive investigation of Internet
activity such as sexual exploitation of children, gambling, and prostitution.
A national or regional clearinghouse, similar to those used for narcotics investigations,
would eliminate multiple agencies conducting an investigation on the same suspect
at the same time. Additionally, it would eliminate agencies "working"
another agency and minimize the officer safety issues. Subsets of the clearinghouse
should be established to facilitate the exchange of information on specific types
of cases and to facilitate the exchange of information through monthly bulletins
or newsletters. As a pilot in this area, consideration should be given to asking
the National Center for Missing and Exploited Children to serve as the national
center for online child sexual exploitation cases. Their efforts could serve as
a model for other clearinghouses.

Computer Crime Task Forces. Consideration
should be given to a task force approach for investigating Computer Crimes and
providing the investigators with the forensic resources so critical to these investigations.
This is especially true for those agencies without sufficient crime loads to justify
staffing these units full time. The pooling of talent, resources and funding can
have a significant impact on these types of investigations. This does not necessarily
mean that the member agencies need to be housed in the same facility. The most
important aspect of the task force effort is that the agencies work together on
coordinated efforts. State and federal grants would certainly encourage development
of these task forces.

Resources

Access to Technology. As computer
hardware and software become more sophisticated, law enforcement agencies must
provide their Computer Crime investigators with the technology required to conduct
complex computer investigations. Similarly, virtually every detective assigned
to conduct criminal investigations should be assigned a computer with Internet
access. In both cases, continual training in the proper use of this equipment
is an absolute necessity.

Forensic Computer Support. The demand for forensic
computer support is growing logarithmically. The fact is that many computer crimes
leave "footprints" both on the computer as well as on the Internet.
The ability to extract that information and present it reliably in court is one
of the most rapidly increasing demands in the area of computer technology. This
must also be integrated with traditional forensic workups including the ability
to properly track the intake and release of computer-based evidence and to monitor
the overall computer forensic process. Computer crime-specific federal funding
and standards in this area would be invaluable in that the training of computer
forensic personnel is costly.

Specialized Investigative Personnel. Most
major cities have established specialized units to investigate computer crimes.
However, their effectiveness has been diluted to some extent as they have assumed
responsibility, mostly by default, for providing computer forensic analysis, assisting
their untrained peers with cybercrimes, and participating in a growing number
of regional, state and national computer crime working groups.

In addition
to those demands, a growing number of cases are being referred to local agencies
whether or not they are prepared to handle them. For example, federal law requires
that Internet Service Providers (ISP) report child pornography or child exploitation
to the National Center for Missing and Exploited Children. Failure to do so can
result in a $50,000 fine for the first offense and $100,000 for each additional
offense. These cases are then referred to local law enforcement agencies for investigation.
There has been a substantial increase in referrals over the past several years
placing an increasing burden on local agencies. Similarly, the National White
Collar Crime Center maintains the Internet Fraud Complaint Center, which allows
Internet fraud victims to report the crime on their website (www.ifccfbi.gov).
Those complaints are then forwarded to the local agency for investigation and
the Center, along with the FBI, maintains a database to track cases and trends.
While the duties of our Computer Crime investigators are expanding rapidly, their
staffing and supervision have not kept up with the demands for their skills. This
shortage is especially acute for those agencies that have not yet addressed the
issue of separating crimes into those requiring highly trained investigators from
those that are of a less complicated nature. Federal grants and/or incentives
to assist agencies in making these distinctions (modeling) and to develop their
computer crime-specific personnel would be valuable at the local and national
level.

Training. The investigation of even routine cybercrimes requires
skills and resources that exceed those of most line investigators. Crimes involving
the Internet will only become more popular as criminals learn the technology and
are taught by other Internet criminals. On the whole, law enforcement officers
are currently at a disadvantage in the detection, investigation, and prosecution
of this type of crime. This disadvantage is caused to a large extent by a lack
of formalized training. Precise levels of training will vary depending on each
agency's level of "computer literacy." However, training should begin
with recruits and continue throughout an agency's promotional and in-service schools.
It should include locating computer-based evidence, using the Internet as an investigative
tool, obtaining subscriber information from ISPs, obtaining search warrants for
Computer-related Crimes, and proper methods to seize and store computer-based
evidence. Developing the curriculum for these classes (modeling) and "Training
the Trainer" programs will be an integral part of making police agencies
proficient at investigating cybercrimes now and in the future.

Much the
same as their police or sheriff counterparts, most prosecutors also lack the training
and specialization to focus on the prosecution of criminals who use the Internet/computer
as a means of committing crimes. Prosecutors are often more comfortable with familiar
types of cases and tend to avoid going into unfamiliar ground. Prosecutors in
sufficient numbers must have a working knowledge of computer/Internet investigations
if they are to handle these crimes effectively.

Laws and Regulations

Maintenance of Transactional Records. There are no requirements that Internet Service Providers
maintain information that is standardized. Entities that provide Internet service
vary in how they maintain logs and records. Some anonymous e-mailing services
claim they never maintain logs. The lack of logs and other information is devastating
to any online investigation. Federal legislation should be written to establish
requirements for maintaining logs and other Internet transactional records.

Tracing the Origin of Communications. Legislation must be enacted allowing law enforcement
to trace the origin of communications involving criminal conduct. That should
include requiring ISPs to maintain tracking information on their customers' communications
for a substantial time period so law enforcement can conduct thorough investigations.
It must also prohibit an ISP from terminating an account or notifying a subscriber
of a law enforcement request for subscriber information. Some ISPs terminate service
to a customer immediately when law enforcement requests subscriber information
or a screen name. That drastically limits law enforcement's ability to conduct
these investigations, but does not inhibit the criminal who simply uses another
ISP or uses the same ISP under a different name.

Serving Legal Process on ISPs. Some states do not require ISPs to comply with court orders (search warrants
or subpoenas) issued by other states. Some methods to overcome these constraints
include soliciting the assistance of a police agency that is local to the holder
of the records or assistance from a federal agency--neither of which is always
effective. A better method would be to require ISPs doing business in a remote
state to have a registered agent in that state to accept legal process. In addition,
federal legislation should be written that supports local investigations. For
example, if it is determined that a suspect committed a crime in California and
that his/her Internet service provider is in another state, a valid California
search warrant or other court order could be provided to a federal entity for
review and service.

National Reporting Standards. National crime reporting
standards must be modified in order to accurately capture cybercrime. For example,
standard crime reports should be modified to determine if a crime is a Computer
or Computer-related Crime. This information should then be required reporting
under our national crime reporting standards.

Prevention Programs

We
must take steps to prevent Computer Crimes from occurring. Most Internet providers,
as well as the businesses that provide services via the Internet, are aggressively
pursuing ways to safely transact business on the net. However, efforts also must
be made to educate people on ways they can avoid becoming an Internet crime victim.
This is especially true for parents of the 45 million children who are expected
to be using the Internet by 2002. In most families, knowledge of the computer
and its ability to maneuver through various chat rooms and sites rests with children
whose computer abilities far exceed that of their parents. Most parents wouldn't
even consider letting children walk to the store unaccompanied or play in a park
without adult supervision. But, many parents are oblivious to the dangers that
lie within the computer or do not have sufficient knowledge to keep their families
and children safe from computer predators.

Law enforcement has always prided
itself on its outstanding array of prevention programs. Lady Beware, Victimization
of the Elderly, and Home Security programs are just a few examples of those offered
by just about every law enforcement agency in the nation. We must work together
to identify the patterns of computer predators and offer prevention programs on
Internet exploitation. In that endeavor, we should join with our natural partners,
such as the schools, who should be our partners in educating parents and their
children about Internet fraud, identity theft, sexual exploitation and pornography.
Parents should be offered short training sessions on basic Internet use and how
to set up parental controls to filter subject matter that could be harmful. Children
should be educated on the dangers of exchanging personal information, meeting
with people they meet online, and chat room dialogue that could compromise their
personal safety, morals and family values. Finally, when crimes do occur, both
the child and parent need to know how to recognize them, when they should report
an incident, and to whom.

Recommendations

- Crimes that have been transformed by technology or merely involve the use of a computer (Computer-related Crime) should remain the responsibility of investigators who traditionally investigate those crimes.
- More sophisticated crimes (Computer Crimes) should be centralized within an agency and those investigators should have immediate access to a computer lab environment in order to conduct forensic computer investigations.
- Sufficient investigators must be assigned to investigate crimes referred to local agencies from national clearinghouses and those agencies with insufficient workload to justify full-time staff should consider forming a regional task force.
- Computer Crime working groups, which have developed on an ad hoc basis, need to be supported and developed at the state and federal levels so they can become national and regional vehicles for sharing information.
- As cybercrime matures, it is imperative that law enforcement develops and maintains strong working relationships with its private sector counterparts to cooperatively investigate crimes of mutual interest.
- Law enforcement officers, investigators, and prosecutors must be trained to use the Internet and to handle computer-based evidence.
- An agency contacted by the victim of an Internet-related Crime should complete the preliminary investigation report rather than referring the victim to another agency.
- National crime reporting standards must be updated in order to capture cybercrime information.
- Protocols must be developed to identify responsibility for the investigation of crimes that stretch internationally.
- A national repository should be established for computer crimes as well as a national clearinghouse for proactive Internet investigations into crimes such as child sexual exploitation, bookmaking and prostitution.
- Legislation must be enacted that ensures ISPs maintain transactional records, improves law enforcement's ability to trace the origin of communications, and allows law enforcement to serve ISPs with legal processes.
- Law enforcement must take the lead in developing Computer Crime prevention materials for public education.

Dan Koenig, Commander, Los Angeles Police Department, Los Angeles, California

The National Executive Institute Associates Leadership Bulletin editor is Edward
J. Tully. He served with the FBI as a Special Agent from 1962 to 1993. He is presently
the Executive Director of the Major City Chiefs. You can reach him via e-mail
at tullye@aol.com or by writing to 308 Altoona
Drive, Fredericksburg, Virginia 22401.