NOWHERETOHIDE.ORG

Cyber-Crime – Cyber-Warfare…you say tomato, I still say tomato…but are we prepared?

War has been defined as “a state of organized, armed and often prolonged conflict carried on between states, nations, or other parties typified by extreme aggression, societal disruption, and usually high mortality.[Wikipedia]” Cyber Warfare has been defined as “politically motivated hacking to conduct sabotage and espionage. [DOD]”

While some of what we’ve recently can be construed as Cyber Warfare (including the recent hacktivism), the bulk of what’s really going (largely beneath the surface) is a) efforts by organized criminal elements using new technologies and capabilities to do what they have always done—steal money, or b) continued acts by nation states to steal military secrets (espionage) or corporate secrets (economic espionage).

While the latter (b) get the big press, I am worried that that the former (a) is actually the bigger problem of the two. I was personally hit by identity theft a few years ago when a group got access to my credit card details from a retailer I had done business with. This group proceeded to charge 250 rubles (about $9US) twice a month to one of my credit cards. While not a significant amount of money for me, I would guess that they had thousands of victims like me, and together, the monthly booty would add up quite quickly. Two hypotheses…

1. More of this type of cyber-crime  is occurring today than the stuff showing up on the front page of any newspaper; and
2. What we mean when we say “Cyber Warfare” is really just the 21st century version of crime; criminals using cyber means.

I’m also afraid that our law enforcement forces (internationally) are nowhere near being prepared to dealing with crime using cyber technologies—two points from a National Criminal Justice Association (NCJA) Forum I recently attended:

1. One of the sessions I participated in was entitled “Why Does the Crime Rate Continue to Decline?” The speaker (a well-respected professor) informed us that crime in America is actually down to the levels it was in 1964—this represents a significant drop. I asked the question “Did crime really drop or have criminals begun to use technology to steal rather than a pistol?” His response was “criminals aren’t smart enough to use computers.” I found this very hard to believe. Criminals have always adapted to stay a step ahead of law enforcement, and I fear that they now have a significant upper-hand, especially if law enforcement feels the way the speaker did and they fail to re-tool their ranks to detect, deter, and dismantle the new cyber-oriented criminal threats.
2. Another session I attended was entitled “A Clear and Present Threat: A Look at Cybercrime.” In this session, one of the speakers spoke of the growing problem of crime in virtual worlds—people with avatars in virtual worlds are stealing other peoples virtual property and assets, and real lawsuits are being tried in real courts by real people. If you don’t believe me, read this article – Virtual add-ons draw real-world lawsuits – that I found in researching this further. I would submit that today’s criminals are more tech/cyber-savvy and have realized that there are safer (cyber) ways to steal money and property without having to physically point a gun at someone’s face.

Now ask yourself, how many law enforcement officers are prepare to investigate this type of crime, let alone basic identity theft, software piracy, child pornography, and cyber-extortion? And what about their readiness to preserve digital evidence in computers, laptops, routers, firewalls, servers, and handheld devices?

Today these skill sets are confined to special divisions within a police department, segregated from the bulk of the force. I would like to offer that just like the weapon, handcuffs, and radio on their utility belt,it’s time to equip many more, if not all law enforcement officers with the training and tools to understand, detect, and investigate cyber-crime…we’ll never get fully ahead of the problem, but maybe we can catch-up a bit.

your comments and thoughts welcome…r/Chuck

Health Info Sharing Beating LE to the Punch

If you haven’t heard about the Department of Health and Human Services Federal Health Architecure and CONNECT project, I suggest you pop over to this website where documentation for version 2.0 of the software resides:

http://www.connectopensource.org/display/NHINR2/Release+2.0+Home

CONNECT is an open source software gateway that connects public and private health orgaizations to the National Health Information Network.  Think of it like a giant peer-to-peer N-DEx, but with an open source “front-porch” that drops into each agency and extracts the data from back-end systems.

I’ll be doing more investigation into the CONNECT project to see if we can adapt it for law enforcement information sharing use–the closest thing to this on the LEIS side is the FINDER project in orlando, FL.

as always, comments and thoughts welcomed.

r/Chuck

chuck@nowheretohide.org - www.nowheretohide.org

Information Sharing: When they say it's about the money, it's NOT about the money…

Some who read this may take it as a rant against agencies/providers who say we need more money for implementing law enforcement information sharing (LEIS), but in-fact, this post is really about understanding the landscape and influencing the choices and priorities of state and county policymakers and the affected law enforcement executives.

Let me first layout the agency landscape :

• There are about 14,000 state and local law enforcement agencies;
• In roughly 3,000 counties;
• That make up the 50 states of our great nation.

Now let’s layout the funding landscape:

• For 2008 the Department of Homeland Security (DHS) allocated $3,200,000,000 (billion) for state and local assistance grants;
• In that same year, the Department of Justice (DOJ) made another $2,000,000,000 available;
• For 2008 that’s a total of $4,200,000,000;
• For 2007 that number was $4,500,000,000;
• For 2009, we are hoping that number stays about the same or goes even higher.
• To all these numbers you must add funding from the Department of Defense, Department of Transportation, Department of Health and Human Services, or State funding sources for LEIS.

Finally, let me lay out the cost landscape for LEIS:

• In my eight or so years of experience of building and deploying LEIS, I’ve seen the costs associated with hooking up an agency to vary between $5,000 and $80,000 per record system connection;
• On average though, I feel the safer number is between about $20,000 and $40,000;
• For arguments sake, let’s use the high number of $40,000.

Now comes the fun part…let’s do some math…

• To be realistic, let’s say that 25% of the 14,000 agencies are already sharing information;
• That leaves about 10,000 agencies left to connect;
• At $40,000 an agency, we would need a total of $560,000,000 (Million);
• Divide that by the 3,000 counties, and we will need about $190,000 per county;
• If we do this over three years, that’s only $63,000 per county, per year for three years!

With (on average) every county getting about $1,400,000 every year for law enforcement and public safety (out of the $4.2 Billion allocated annualy), I would like to think that we (collectively) can see the benefits of LEIS enough to spare $63,000  a year for three years to get it done.

Here’s where the issue of choices and priorities comes in.  If we can agree that the money IS there, what we really need to work on are ways to convince the policymakers and law enforcement exectutives in those counties that investing a little in LEIS is a better investment than whatever it is their currently spending their part of the $4,200,000,000 on.  Do you agree?

I’d also like to know what role youthink the IACP, MCC and NSA would play here?

Thoughts and comments invited…and yes, I used a calculator…;-)

r/Chuck Georgo

What Gets Measured Gets Done…Using Evaluation to Drive Law Enforcmement Information Sharing

Tom Peters liked to say “what gets measured gets done.”  The Office of Management and Budget (OMB) took this advice to heart when they started the federal Performance Assessment Rating Tool (PART) (http://www.whitehouse.gov/omb/part/) to assess and improve federal program performance so that the Federal government can achieve better results. PART includes a set of criteria in the form of questions that helps an evaluator to identify a program’s strengths and weaknesses to inform funding and management decisions aimed at making the program more effective.

I think we can take a lesson from Tom and the OMB and begin using a formal framework for evaluating the level of implementation and real-world results of the many Law Enforcement Information Sharing projects around the nation.  Not for any punitive purposes, but as a proactive way to ensure that the energy, resources, and political will continues long enough to see these projects achieve what their architects originally envisioned. 

I would like to propose that the evaluation framework be based on six “Standards for Law Enforcement Information Sharing” that every LEIS project should strive to comply with; they include:

1. Active Executive Engagement in LEIS Governance and Decision-Making;

2. Robust Privacy and Security Policy and Active Compliance Oversight;

3. Public Safety Priorities Drive Utilization Through Full Integration into Daily Operations;

4. Access and Fusion of the Full Breadth and Depth of Regional Data (law enforcement related);

5. Wide Range of Technical Capabilities to Support Public Safety Business Processes; and

6. Stable Base of Sustainment Funding for Operational and Technical Infrastructure Support.

My next step is to develop scoring criteria for each of these standards; three to five per standard, something simple and easy for project managers and stakeholders to use as a tool to help get LEIS “done.”

I would like to what you think of these standards and if you would like to help me develop the evaluation tool itself…r/Chuck

Chuck Georgo
chuck@nowheretohide.org
www.nowheretohide.org