Working with Law Enforcement
Another issue that should be addressed up front is how the team will interact with the law enforcement community. Will the team work with law enforcement either directly or indirectly? In addressing this question, consider the following: The computer is like any other invention that has had a major impact on our daily lives in that it has both benefits and negative consequences. A good analogy is the automobile. When the car first came along, it enabled people to do things more quickly and effectively than they could prior to its invention. People were able to travel farther, travel together more efficiently, and travel in much more comfort, thereby doing more things in a day by covering more places. Cars also had negative effects—namely, automobile accidents and automobile theft. It took people some time to learn how to deal with these negative effects, design and implement safety and security features, and establish laws to address the problems and challenges of the new invention.
Similarly, the computer is an invention that has enabled people to do many more tasks in an increasingly efficient manner and has literally changed the way we live. In fact, even an auto mechanic cannot work on a car now without a computer to run diagnostic tests. Although the positive results have rapidly expanded the use of computers, some negative uses still need to be addressed—namely, computer crime. It will take us some time to catch up to the invention by developing and widely implementing security safeguards to help protect systems better and to establish case law. With this fact in mind, enabling an incident response team to work with law enforcement can have a very positive effect on the overall safeguards that are ultimately established. In fact, the best approach when investigating any incident that potentially involves a crime uses three experts: an attorney who is familiar with high-tech crime laws, the law enforcement agent, and the technical expert. Each has valuable knowledge and insight that can be vital when taking a case to trial.
One major advantage to working with a law enforcement agency is the benefit of extended networking. Specifically, many larger law enforcement agencies have developed relationships with other law enforcement groups that may provide an added advantage in tracking an external perpetrator who has broken into a system or successfully launched a denial-of-service attack. A team trying to track an attacker on its own without any law enforcement involvement will typically find this task much more difficult, especially when the incident crosses international boundaries. It is far better (and many times easier) to provide the information to law enforcement officials and let them work with their contacts and resources to help track an intruder.
Working with law enforcement may also have some disadvantages. Often, when an organization is asked why it did not bring in law enforcement, the organization states that it didn't want the company name in the newspaper. It didn't want the publicity of a “hacking case.” Although in most cases the media isn't interested in such things, this bad publicity is a real concern. There are ways to keep the company out of the news, such as using an attorney to keep the case as private as the laws will allow. Also, the organization may want to turn the case over to a prosecutor, who, working with local, state, or federal law enforcement agents, can pursue it as a crime against the state or federal government instead of naming the company in the proceedings.
An additional disadvantage of working with law enforcement may be the threat of losing control of the case. Inviting law enforcement to investigate a case may require that the case be fully investigated, even if your organization decides to stop its pursuit of the attacker. Although situations where a case cannot be stopped are very rare (all of the authors' dealings with law enforcement have been very cooperative), this outcome may be a possibility.
Even if your organization chooses to not include law enforcement as a regular part of its investigative team, it is a good idea to contact city, county, state, and federal (FBI especially) law enforcement agencies to introduce yourself and to get an idea of their services, contact information, capabilities, evidence requirements, and reporting procedures. It's always good to be prepared, even if you don't plan on using them.
Of course, legal considerations must also be addressed as they relate to privacy laws, company policies, and other issues that determine what information is shared with law enforcement. If the organization is considering the inclusion of law enforcement officials directly on the team, the first step would be to discuss the possibilities, concerns, and limitations with the appropriate legal organization as well as the management team.
If computer crime laws are to evolve so that they will better protect our information, they must be tried and tested in the criminal justice system. Organizations reporting to and working with law enforcement will facilitate this evolution. Even if an organization decides not to work directly with law enforcement, inevitably the team will encounter an incident where a law has been broken. Having contacts established up front with local, regional, state, and federal law enforcement agencies will help expedite the reporting process when this need arises. Groups such as InfraGard can help to establish these contacts.
Several groups have been formed in recent years to provide an avenue for networking and resource sharing between law enforcement officials and the technical community. One of these groups is InfraGard. “The National InfraGard Program began as a pilot project in 1996, when the Cleveland FBI Field Office asked local computer professionals to assist the FBI in determining how to better protect critical information systems in the public and private sectors. From this new partnership, the first InfraGard Chapter was formed to address both cyber and physical threats.”1 InfraGard's government component is staffed by the FBI and the Department of Homeland Security's National Information Protection Center (NIPC) and includes numerous chapters throughout the United States. In fact, all 56 FBI field offices have now opened local chapters with hundreds of members across the nation. InfraGard is seen as a cooperative effort between law enforcement and the private sector, with the participants being dedicated to increasing the security of critical infrastructures within the United States. From the beginning, the FBI has stated that it is not an FBI-run program, but rather a community program in which the FBI and many other government agencies participate. The InfraGard program is often likened to a “neighborhood watch” program, in which businesses and agencies with similar interests share information and experiences to help reduce the risks of a networked community.
InfraGard was formed as a national organization, with individually governed and managed chapters. Working together within and between chapters, the group members strive to better protect critical information assets by enabling the flow of information between the technical community, corporate policy makers, the owners of the critical infrastructure, law enforcement, and lawmakers. Becoming involved with a local chapter provides an excellent avenue for meeting law enforcement officials, legal experts, and other technical resources in the area that may be contacted when the need arises. More information may be obtained by contacting the closest FBI office or from the national InfraGard Web page (http://www.infragard.net).