Having spent many years studying, researching, investigating, and testifying in cases, we want to assure you that law enforcement is as frustrated about the lack of progress combating cyber crime as victims are. Every month the number of reported cases of identity theft, online sexual solicitation of children, credit card fraud, and cyber stalking and harassment rises. Some days it truly feels like we are swimming against the tide. And because we keep a close eye on national trends and maintain ties in the law-enforcement community with other specialized units, we know that cyber crime is not going away.
At a local level, it is especially frustrating. Municipal law-enforcement agencies struggle with budgets that are bare-boned to begin with, and certainly don’t allow new programs such as specialized cyber crime units to flourish. What used to be a budgetary boon to agencies—federal grant dollars—has largely been diverted to antiterrorist efforts to the detriment of departments across the nation that just want to be able to combat crime in their neighborhoods and on their streets.
Victims have a right to expect that justice will, if at all possible, be served. They do not want to hear “Contact your insurance company and file a claim” when someone has run up $1,000 on their credit cards. They do not want to hear “All we can do is file a report for you to take to your bank” when their identity is stolen or “If this man is bothering you, stay off the computer” when they feel their lives are in danger.
Unfortunately, that’s exactly what is still happening across the country due to law enforcement’s lack of resources, personnel, training, and funding. At some point, we hope that cyber crime is recognized as the pervasive, invasive crime that it is and resources are allocated for hiring and training, as well as education and prevention programs. That is what we hope to have accomplished with this book, but there’s a lot more work to be done.
It’s hard to fight what you can’t see. The Internet is like a large black hole for law enforcement that allows strangers to become perpetrators and victims. This is not the kind of crime law enforcement is used to investigating, and the fact that there are so many ways to stay anonymous on the Internet presents a unique challenge to law enforcement, who, traditionally, could drag suspects into the police station and either interview them or fingerprint them to get their real identity.
From the victim’s perspective, this same anonymity shakes at the very foundation of a person’s fear. If you were home alone and your neighbor was persistently staring at you from his window or the same car kept driving by your house, you would be well within your rights to notify the police about such “suspicious activity”.
In these two situations, you would at least be armed with tangible details to provide to the police for their report. When the stalking happens from an unknown person across the Internet who seems to know about you, it is that much more frightening because you have no idea where that person is or to what lengths he’ll go to reach you.
Let’s face it, police officers are generally used to investigating crime that has occurred within their city or town. Granted, sometimes a case crosses jurisdictional lines, but it tends to be regionalized. Enter the challenge of cyber crime, where crimes could be committed thousands of miles away in other states, and very likely in other countries. Does the foreign country have the same laws forbidding online solicitation of minors? Some don’t still. Does that police department 3,000 miles away have the manpower to track down the closed-circuit security video from the store in Kansas where your credit card was used to purchase a new television? Do the authorities in Africa have the incentive to try and locate who sent you the 419 letter that duped you out of $2,000?
Although most law-enforcement agencies work cooperatively to solve crime, the reality is that some agencies simply don’t have the manpower to do a whole lot of investigating on what they might consider to be a “minor” crime. Once the case slips beyond the boundaries of the local town or jurisdiction, which much of cyber crime does, it is generally up to the good will and cooperation of another agency to knock on that business’s door and ask for the video surveillance tape. If that agency is understaffed and doesn’t consider your type of crime a high priority, the case will come to a dead end.
Given our frustration in trying to deal with cyber crime, we put our collective blonde heads together to come up with this list of recommendations based on our personal knowledge, training, and experience. Please note that these ideas do not necessarily reflect the views of any law-enforcement agency. They are our personal recommendations only, but we would hope that law-enforcement agencies across the country would consider them carefully.
Excluding the predator who travels 3 hours in an attempt to have sex with who he thinks is a 13-year-old, the majority of cyber crime is perpetrated for financial gain. A new study has put a price tag of more than $7 billion on the financial suffering experienced by victims of Internet fraud and attacks (source: Consumer Reports’ 2007 State of the Net).
There really is no finite number on what the true cost of cyber crime is. It doesn’t matter. It’s huge, and it’s growing because it is a business—and a booming one at that. It’s time to start approaching cyber crime as a competitive business that needs to be shut down by looking at the overall model of cyber crime and using a multitiered approach through education and enforcement.
The trail of payments to kiddie porn sites, fraudulent auctions, and identity theft has to end somewhere. Although we are encouraged by recent collaborative efforts between law enforcement and financial institutions in following the money trail of cyber crime, it’s not enough. A greater effort has to be made to locate those who are profiting from the exploitation of children in particular, and follow the money trail back to the bad guys. This can only be done through cooperative efforts with major leading financial institutions. Although we understand that banks and credit cards companies have an obligation to protect their customers’ privacy, they also have a societal responsibility to protect our children. Tracking the monetary trail of those who pay by credit card to watch children perform sex acts online or who order videos such as “Baby Rape” is the key to putting a stop to these heinous crimes.
Traditional investigative techniques are predicated on investigating a crime perpetrated by a single person against another person. In the case of cyber crime, a highly organized and well-trained group or organization may perpetrate a crime using thousands of computers in 5 minutes, stealing credit card data, usernames, and passwords. This crime is not committed with a knife that can be dusted for fingerprints, but by malware programs and Trojan horses that execute commands and find the next thousand computers to penetrate. It takes a very different mindset and a very different set of skills to combat this type of crime. Law enforcement has to recognize that this requires people with a new skill set—those who are analytical, detailed, technical, and methodical.
Along these lines, law enforcement needs to acknowledge the overall impact of cyber crime on their community—from the text message that is sent to the teen at the high school telling her that she is ugly, to the spam mails that tie up the city’s mail server, to the senior citizen who is bilked out of his life savings by a spam email. Collectively, we would venture to bet that there is no other form of crime so prevalent when all is taken into account.
When law-enforcement agencies aren’t even sure where to report cyber crime, how can victims be expected to know? Right now, depending on the type of cyber crime that has been perpetrated, it may be appropriate to report it to any number of agencies, including your local police department, the FBI, the Secret Service, and the U.S. Postal Service. It’s no wonder that so many cyber crimes go unreported.
We need to create one single point of submission for reporting cyber crime. This is not meant to supersede your local police department, but it is meant to make it easier for victims to make complaints. For simplicity’s sake, we’ll call this the “Cyber Crime Agency”. Make cyber crime reporting of any kind a click away on a designated website or a toll-free phone number. That central reporting agency will then be responsible for disseminating the case to the appropriate agency for follow-up.
Some may say this already exists with IC3, the Internet Crime Complaint Center (www.ic3.gov), but IC3 is primarily for fraud complaints. We’re talking about a centralized agency for all types of complaints, including cyber harassment, cyber stalking, voyeurism, identity theft, sexual solicitation, and any other type of cyber crime, that could then be funneled to the appropriate agency for follow-up. Why burden the victims even further by making them fret over where to report their crime to? Keep it simple and create a single entry point. Maybe if everyone knew how and where to report cyber crime, we could, at the very least, get a better handle on just how serious this issue is, and perhaps the money that is being diverted to other federal programs could be channeled back to keeping our children safe from sexual predators.
It may shock the public to know that there really is no hard data that truly represents the magnitude of how pervasive cyber crime is. Many studies have been released, but these are largely funded by corporations that specialize in cyber security and therefore have to be taken with that subjective viewpoint in mind. The reality is that most forms of cyber crime still remain unreported. Think about it: How many phishing emails and spam emails do you receive in a given day? Do you report them to the authorities? Probably not, yet these are still crimes.
Here’s the reality of crime statistics: Some police departments report general crime statistics on a monthly basis to their states, which in turn report this information to the FBI for national collection, analysis, and dissemination. Contributing agencies tend to be medium- to large-sized police departments because for the average officer, trying to meet all the requirements for crime reporting is painful. Just mention the word “NIBRS” to any street cop and see what kind of reaction you get.
For the agencies that do comply with NIBRS submissions standards, the FBI then collects and analyzes this data to produce annual crime statistics. Unfortunately, the reporting elements are “generalized,” meaning one overall heading can account for many different types of crimes.
For example, many cyber crimes such as identity theft are reported under the category of “Impersonation,” which could also mean someone impersonating a police officer or impersonating someone else.
It’s hard to tackle a problem as big as cyber crime when no one really knows just how big the problem actually is. Add to this problem the fact that many of the reporting criteria are horribly outdated. Here’s an example taken right out of the NIBRS manual to demonstrate how outdated it is:
Example 4: A computer “hacker” used his personal computer and a telephone modem to gain access to a company’s computer and steal proprietary data. “C” = Computer Equipment should be entered.
“Telephone modem?” What about spam via cell phones? What about the child who is sexually exploited via an Xbox? Most of these crimes leave officers scratching their heads as to how to fill out the correct information required by NIBRS because the language is so outdated and the reporting is so cumbersome.
How would NIBRS categorize a man who has upskirted a woman with a mirror in a bookstore? Right now, voyeurism is categorized under NIBRS standards as “Peeping Tom,” which is considered a “Crime Against Society”. The actual definition is “… to secretly look through a window, doorway, keyhole, or other aperture for the purpose of voyeurism”. That’s not exactly upskirting, and it’s a crime against a person, not society, in our book.
Here’s the latest statistical data (as of the time of this writing) taken directly from the Justice Research and Statistics Association’s “IBR Resource Center” website about how much of the population is represented in NIBRS data (source: www.jrsa.org/ibrrc/index.html):
As of September 2007, 31 states have been certified to report NIBRS to the FBI, and four additional states and the District of Columbia have individual agencies submitting NIBRS data. Approximately 25% of the population is covered by NIBRS reporting….
Only 25% of the population is covered? How can anyone get a handle on cyber crime when only 25% of the population is represented? How can cyber crime trends be targeted when new technologies emerge every day and the collection elements don’t capture that? If officers on the street, who are the primary source of this data, are not trained in how to correctly code a case where thousands of victims are swindled in a phishing scam via their cell phones, how can law enforcement deploy their resources to go after the criminals?
It’s time for a total revamp in collecting crime data to focus on the problem of cyber crime. New technologies such as gaming systems and cell phones, and new crimes such as cyber stalking and phishing, need to be clearly spelled out for police departments to be able to report them. It’s hard to fix what we can’t collectively see.
Would you, as a parent, hand over your car keys to your 10-year-old and let her take it for a spin? We hope not! Yet that same frightening scenario happens every minute of the day as parents let their kids drive unsupervised down the “information superhighway,” where danger lurks on so many streets. It’s time for parents to acknowledge that the Internet is inherent with dangers. Hear us? It’s fraught with bad people who want to hurt your kids. Trust us. It is. And who is responsible for keeping kids safe? You are! We’re parents, too, so we’ll get in everyone’s face a bit about this. You are just as responsible for monitoring what your children do on the Internet as you are what they do anywhere else.
Want the easiest way to do this? Put the computer in a centralized location so you see exactly what your child is doing on it. And watch. Talk to your child and ask questions about who he is chatting with. Take control. That’s not only your right, it’s your responsibility!
We’ve made the statement that cyber crime is actually far more pervasive than any researcher has been able to prove and that it may, in fact, be the most prevalent form of crime our nation sees today. We base that on the collective knowledge that every day hundreds of millions of spam emails and phishing attempts are circulated around the Internet. These are, for the most part, “nuisance” crimes that most people have come to accept as the normal course of daily business, but they are petty crimes that often have catastrophic results for the small percentage of people who fall victim to them. A simple crime such as email spam also has a “trickle down” effect in lost time and the cost of trying to prevent them to begin with. The problem is, law enforcement hasn’t developed partnerships with all the industry leaders who could help thwart these types of nuisance crimes, or there is still a reluctance to work cooperatively with corporations to understand the source of these crimes.
There have been some successful partnerships, but at some point, trusts have to be better established between law enforcement and industry leaders to work cooperatively and collaboratively on putting a stop to cyber crime.
It may surprise people to know that even law-enforcement agencies sometimes have a tough time sharing information among themselves, so it’s no wonder there is reluctance to share information beyond the boundaries of the police world.
In addition, law-enforcement agencies are often reluctant to share information because they fear the data will be misused or inappropriately released, but at some point, this paradigm needs to shift for the greater good of protecting citizens and taking action against the criminals who prey on them.
In 2007, Indiana State Police Lt. Charles Cohen garnered a great deal of attention with his talks to law-enforcement officers around the country asking simple questions such as, “How many of you have heard of Second Life?” (in reference to the online game that has its own virtual community with millions of players). Lt. Cohen’s premise is that police departments often overlook cyberspace as an important investigatory tool. He mentioned the case of a New Jersey detective who tracked the alleged killers of three college students by mining MySpace pages maintained by the suspects and their friends.
Based on our own experiences in investigating cyber crime, we agree. Law enforcement has largely overlooked this new “patrol zone”. Too many departments rely on their “cyber crime” investigators—officers who are specially trained in computer forensic investigations—for everything computer related. The reality these days is that routine investigations often cross the cyber barrier, particularly if younger people are involved, so regular law enforcement cannot overlook this area as an important resource in investigations.
Every department should be training at least their general investigators or juvenile investigators on how to mine information from social networking sites such as MySpace and Facebook, how to collect and permanently catalog videos on YouTube, how to develop a presence on popular online game sites such as World of Warcraft and Second Life. Investigators whose specialty is computer forensic examinations are often so swamped these days that they don’t have the time to stay on top of all these social venues, but these social networking sites have become the cyber playground and hangout for many of our youth, and to overlook that is wrong.
Community policing has been a law-enforcement term for well over a decade. The main premise behind the concept of community policing is that police officers should maintain a proactive presence in the community rather than just showing up after a crime has been committed.
In our dream world, agencies would also practice “virtual policing” by maintaining a proactive presence online—a cyber patrol, if you will. We know from many studies that a police presence is a deterrent. It’s not enough anymore for police departments to say they maintain a cyber presence just because they have a website. Websites are a dime a dozen and for the most part are flat. There’s no real interaction with the community other than to typically provide a generic email address for sending questions or comments. That’s not a virtual presence.
We would go so far as to suggest that an officer be assigned cyberspace just like any other beat. It takes little time to develop a presence on social networking sites, but it does take time to view profiles and comments. We think this would be well worth it, especially because our experience is that many parents aren’t even aware of their children’s online presence. If a 14-year-old girl suddenly develops an online friendship with a 45-year-old man she does not know, or a young man comments on his website about “getting wasted at Tom’s party,” someone needs to intervene before these risky behaviors become disastrous.
We understand that officers are supposed to be out on patrol on the street in the community, but the paradigm of what the “community” is has to change to include the “virtual” community—to include school sites, individual home pages, social networks, and popular interactive gaming sites. Until law enforcement acknowledges the concept of “virtual policing,” it will continue to shut the door on an entire community where so much proactive policing could occur.
Our children live in a very different world from what we grew up in—a world in which technology pervades their lives. It is not enough to think that just because you raise good kids, they’ll be safe. Parents have a responsibility to understand the dangers the online world presents. We can find any number of online safety programs, but too often they are offered by individuals who have no real-world experience dealing with real cyber crime. In fact, many parents still don’t know that “ASL” means “age, sex, location”.
We’d like to see enhanced funding programs for parents to educate them about online dangers, including child exploitation, cyber stalking, and cyber bullying, by qualified professionals. Although many parents are aware, too many are not. How do you reach parents who are juggling work schedules, soccer games, piano lessons, and so on? Many corporations allow their employees to take a few hours out each month to volunteer in their community. Why not let employees take an hour to attend a presentation by qualified professionals who can teach them about these dangers they may not know about. Seriously, think about it: Did you know there were specialized websites dedicated to cannibalism or supporting suicide before reading this book? We don’t mean to frighten you, but this is the world we work in, and you owe it to yourself and your children to be educated about it.
Law enforcement is inherently territorial. Besides the issues with sharing information, agencies compete fiercely against each other for federal grant money to try and supplement their miniscule municipal budgets. At major crime scenes, disparate agencies fight over who has jurisdiction.
If we’re ever going to make a dent against cyber crime, this has to stop because so much of cyber crime crosses “territories”.
Different forms of cyber crime require technical expertise in many areas. One officer who may be highly trained in conducting computer forensic examinations is not necessarily going to be trained to investigate identity theft cases or know how to gauge whether a corporate network has been compromised in an embezzlement case.
Add to that the fact that technology is ever-changing, often overnight. It’s hard enough for anyone who knows anything about information technology (IT) to keep up with new products, new operating systems, and new devices. Police officers already have a plethora of duties, and few departments can afford to limit Detective Smith’s duties to just one task. Although she may be the “cyber crime wizard,” she may very well have to work extra shifts on patrol if manpower is short, or have to respond to a major crime that has nothing to do with cyber crime, or be tied up testifying in court.
We’re not suggesting that any investigations be “outsourced” beyond the walls of the department, though some agencies do use qualified and vetted experts at times. We are suggesting that more departments consider the use of civilians in assisting with cyber crime cases. The reasons are many fold:
• Civilians who are employed with law-enforcement agencies are usually governed by the same rules and regulations regarding confidentiality and often have to follow the same policies and procedures as sworn personnel.
• When hired, police civilians often undergo the same vigorous background checks as police officers to ensure they are of good character and are trustworthy.
• By allowing civilians to conduct some of the more technical aspects of these investigations, investigators would be freed up to follow leads on the case.
• Police officers are often promoted out of their positions to a higher rank. In our department, we’ve seen no less than three highly trained police officers who received years of specialized training in cyber crime, at a huge expense, get promoted out of their positions. This leaves a gap that takes a great deal of time, training, and money to fill. Civilians are less likely to be promoted out of their positions and can maintain the much-needed consistency that is necessary to develop expertise in the area of cyber crime.
• Civilians could also be assigned to monitoring and maintaining a virtual presence.
• Just like civilian dispatchers monitor phone lines and alert police officers whenever their response is needed, civilian employees could monitor cyberspace and alert police officers whenever their response is needed. It just makes sense.
Many larger agencies already use civilians, but unfortunately there are still too many agencies who feel that only police officers can do these jobs. We think that’s very wrong, especially when taxpayers are shelling out thousands of dollars for training, only to have that police officer leave that position after just a few years because she was promoted.
The penalty for a crime such as cyber stalking still varies widely from state to state, if it exists at all. Federal laws are still haphazard in addressing many cyber crime issues. Lawmakers are still woefully uneducated about cyber crime. We’re encouraged by some of the more recent federal laws being introduced, but remember that cyber crime is largely a multijurisdictional crime. It becomes a prosecutorial nightmare when laws are inconsistent and penalties are drastically different from one state to the next. It comes as no surprise that sexual predators are very well versed in what states are more lenient than others and that they tend to migrate toward those states in case they get caught. That’s pretty sad. Let’s shore up this loophole and make cyber crime laws consistent across all states so these miscreants don’t think they can find safe harbor in our neighborhoods.
When someone becomes a victim of identity theft, this person is usually required to fill out an affidavit, or a sworn statement indicating he was not the one who conducted the fraudulent transactions. The problem is that every institution seems to have its own forms and requirements; therefore, the victim ends up being revictimized every time by having to spend so much time and energy, both physical and emotional, filling them all out.
There is no reason banks, credit card companies, motor vehicle departments, and other organizations could not accept one standardized affidavit that would contain all the pertinent details of the alleged crime. We understand that different databases require different fields and in a different order, but let’s give the victim a break by adopting standardized forms like those found at the Federal Trade Commission (FTC) website (www.ftc.gov).
We don’t just mean specialized training for those that will become the cyber crime investigators, but to all police officers, especially first responders—the police officer who shows up at your door when you realize your bank account has been bled dry. Too often, valuable evidence is lost because first responders do not know the proper procedure when technology is potentially involved in the commission of a crime. Computers that were turned off get turned back on, thereby changing files that are needed as evidence. Peripherals such as digital cameras are unplugged without being catalogued, recorded, or photographed. Accounts are logged into without appropriate records being taken.
This all starts at the very basic level—the police academy. We’re happy to report that more and more police academies are incorporating basic cyber crime training in their curricula, but this needs to be broadened to include the 15-year-veteran cop as well. This training is critical to be able to prosecute cyber crime. A forensics expert can’t testify in court that a file is original and untainted if Officer Smith went on the computer at the scene to see if it had any illegal pictures on it.
One of the most difficult aspects of writing this book was deciding what not to include. Every single day we were barraged with more cases, new security alerts, new vulnerabilities and methods to exploit those vulnerabilities, and changes in laws state by state. It became more and more difficult to decide what to keep and what to exclude because the reality is that cyber crime changes almost on a weekly basis.
Just when we thought we’d seen and heard it all, we’d either be directly exposed to or learn about another method of exploiting children, your bank account, or your identity. It changes that quickly, and we’ve endeavored to give you the most recent and accurate information we could find so you would be well educated. However, all this will have changed yet again by the time you finish reading this book.
We’ve focused most of our efforts on talking about how cyber crime impacts people on an individual basis, but we would be remiss if we did not mention the concerns we have about cyber terrorist initiatives. It is well known and widely reported that highly skilled terrorist organizations are focusing more and more efforts on trying to penetrate vulnerable cyber infrastructures. This has prompted large-scale “cyber war” simulations in many countries in which governments try to gauge the impact of their critical infrastructures—power grids, financial markets, water supplies, nuclear strongholds, communication systems—being knocked out due to cyber threats. The weaker a country’s cyber infrastructure, the more susceptible it is to attack. This was highlighted in a recent quote from ZDNet Australia by David Vaile, Executive Director of the Cyberspace Law and Policy Centre at the University of New South Wales:
Why would you bother with flying a plane into a skyscraper when you could cause a crisis of confidence in the financial sector with an internet-based attack? You don’t even need to rob the banks, just cause a run on them. (“Is the World Ready to Fight Cyber Crime?” ZDNet Australia, July 10, 2008.)
Because the punishment for cyber crime varies so greatly from country to country and is largely inconsistent, cyber terrorists have hunkered down in countries that have weak laws, but their threat is no less serious. We occasionally receive “law-enforcement-sensitive” alerts and bulletins describing suspected cyber terrorism activities, but the information contained in these alerts is almost always already widely reported across the Internet.
The reality is that the damage someone can do from a computer with an Internet connection tucked away in a cyber café in a third-world country is no different than if they were sitting in a cyber café within the boundaries of the United States.
New technologies, new methods of exploitation, new vulnerabilities—staying on top of it all is truly a full-time task, but we hope this book has educated you so you and your loved ones can be better protected. That is our goal in writing this book.