Strategies for Cooperation Against Asset Loss Between Corporate and Law Enforcement Entities
The world of cyber security is ever evolving. As innovation and technical advancement continue, so must the infrastructure to guard against incursions that put these investments at risk, both in the private and public sector. The resources that have been devoted to the research and development of technology have not been matched by resources devoted to threat management and incident response that cross the barriers of private and public assets and enforcement organizations. In a series of interviews with leaders on both the corporate and the law enforcement side of security and protection of assets, it becomes clear that there must be more attention paid to proactive assessment and planning that protects the interest of all against cyber threats.
Advancing technology requires research and development that exists in an atmosphere of confidentiality agreements and executed non-compete clauses. Therefore, it is not surprising that there is an innate mistrust that exists when law enforcement organizations enter the corporate environment in the event of a breach. Corporations have spent millions to develop and secure their assets. The proprietary nature of the work product promotes a protectiveness that results in an unwillingness to share with complete transparency. Corporations set up safeguards even within their own walls and with their own employees. Why would they not expect to execute those same safeguards with whoever walks through their doors? This basic disconnect appears to be the foundation of the challenges that both the corporate and the law enforcement sector presented during these interviews.
Kevin Burns, CISO of Draper, a large private not-for-profit research and development company specializing in design, development and deployment of advanced technology, recommends a proactive approach to cyber threat.
Developing and executing protocols and procedures consistent with the organization’s policies and with the legal requirements of law enforcement will go a long way toward breaking down some of the barriers that currently exist. Regular meetings with key stakeholders can assist with developing relationships of trust and understanding. Creating underlying agreements for information flow supported through executed confidentiality agreements can add value. Much of this is new territory that must be explored as laws on cyber-attacks continue to evolve with the evolution of the technology itself. These agreements must be consistent with current law. If law enforcement cannot find a way to assist the corporate sector in securing their investment, then barriers to maximizing private and public resources in combatting these threats will continue.
Burns stated that he has made a point of meeting first individually with the local FBI, Massachusetts State Police, local law enforcement, etc. Burns mentioned that it is optimal to have a member of your corporation’s legal team present during the meetings. After meeting individually, Burns reported that he generally asks for a round table discussion with each law enforcement official present. This meeting helps to ensure that everyone who will be involved has a shared vision about how each issue will be handled in the event of a breach. During the meeting Burns requests that each organization execute a memorandum of understanding. Burns asserts that it is absolutely essential that law enforcement understand the desires of corporate when they are called in to help with an investigation if the investigation is to be successful.
Securing MOUs prior to an investigation is a positive and proactive step in this work. There are challenges that remain during the actual investigation. At what point does the need for detailed evidence of the crime outweigh the need for confidentiality of the contents or information contained in the evidence? This raises the question of chain of evidence and how law enforcement organizations secure evidence that may contain high level technology with extreme value both fiscally and from a national defense perspective.
Julie Fitton is Vice President of Digital Product Security for Stanley Black and Decker who develops and implements solutions for large-scale, at-risk businesses such as retailers, educational institutions, health care environments, financial institutions and airports. Fitton asserts that corporations and law enforcement need to be more transparent with one another. Information sharing has been very limited. Fitton believes that it would benefit both sides if the members of corporations who will be dealing with cybercrime become members of police computer crime organizations such as HTCIA. This would further enhance understanding and communication between the cooperating parties during an investigation of a cyber-breach.
Transparency would be the ultimate goal. Achieving this requires development of policies and procedures within each organization both in the corporate and public sector. There are a number of groups addressing these issues at present. Standardizing practices including vetting specific documents that can provide an assurance of some confidentiality while maintaining the integrity of the investigation on both sides would offer some level of comfort. Other business sectors have benefitted from national and state standards established to protect confidential information. Protecting technological property that can have a direct effect on national security requires that focus. For example, national HIPAA laws and state privacy laws have set specific standards for security and release of certain information. They have provided protection for information and for those who maintain that information. Perhaps a comprehensive review and documentation for securing information during investigation of cyber security threats on a national level is what may move this forward. Would a confidentiality agreement be possible between law enforcement and the private sector and how will the integrity of such an agreement play out against the evidentiary chain? Compartmentalizing information to secure confidentiality has been noted to negatively affect these investigations. More work needs to be done to increase trust between the sectors.
One thing that may help to move these cooperative efforts forward is the movement of personnel between the corporate and law enforcement sector. As investigative talent moves between the corporate and law enforcement worlds, greater understanding is developed and so is the chance for mutually agreed upon solutions. Increased training within both sectors is key to all of this. Law enforcement has historically seen its goal as prosecution. The corporate sector’s ultimate goal is to secure its research and development to maintain its property.
One example of the migration of staff from the corporate to the public sector is Mike Steinmetz, who was appointed as the first cybersecurity officer for the state of Rhode Island. Steinmetz, who came from the corporate sector, holds that it is helpful for corporations to learn how law enforcement organizations are organized and how they conduct their investigations. Law enforcement has many valuable investigative tools not available to corporations. Steinmetz acknowledges that it is important that law enforcement is tuned into the idea of securing information during an investigation. He suggests that law enforcement needs to come to understand that it is not always in the best interest of a corporation to prosecute.
Only through this shared understanding and a cooperative view toward a mutually agreed upon end goal can an investigation be successful. Underlying this success is the development of legal requirements within the law enforcement sector. Steinmetz suggests preparatory exercises between the parties. This feels suggestive of a disaster response model where mock scenarios pull all stakeholders together from the private and public sector and roles are established responding to each scenario. Through these exercises each participant gains a true understanding of what is needed to minimize casualties or, in this case, to secure assets.
A true understanding of the challenges to open communication is needed from top to bottom within the system in order for these investigations to be successful. Massachusetts may have an advantage in this new and changing territory, as Hans Olsen, the Assistant Undersecretary of Homeland Security-Senior Advisor Antiterrorism and Cyber Security for the Commonwealth of Massachusetts Executive Office of Public Safety and Security, has done work in both the private and public sectors, including at the federal level. Olsen’s role in guiding emergency preparedness and his focus on anti-terrorism and cyber threat provide an opportunity to move the state forward in addressing the challenges that have been reviewed. Olsen understands the need to secure information and supports the concept of Memoranda of Understanding between the private and public sector in investigations of cyber breach.
From my perspective as a current law enforcement officer, the challenges of merging these two perspectives seem insurmountable. I have experienced both sides during my current work and in my internship work in cyber security. There is legitimacy to the concerns of both sides as there is no current standardized approach to these situations for most law enforcement departments. Neither is there flexibility to change the normal flow of aiming toward prosecution rather than just securing assets in some cases. It will require a culture shift and a new area of training for line staff officers with regard to privacy, trademarks, securing proprietary information, understanding the limits of disclosure on the business side and a working understanding of developing individualized cross-purpose goals for each incident. Examining the possibility of building a module for training within the law enforcement academies where officers can learn about the business interests and coordinated opportunities, as well as understand the evolving field of cyber security, may benefit the system as a whole by providing a new source of workforce development that marries the two perspectives and capitalizes on the skills of both sides. This training would assist in bringing understanding on the law enforcement side while increasing trust in the standardized skill level of law enforcement to manage high risk, high security situations by the corporate side.
The underlying message from both the corporate and law enforcement side is clear. We must find ways to work together in an atmosphere of trust in which a shared vision of desired outcomes defines the goal on both sides. As those with expertise in law enforcement and in the corporate sector come to understand the advantages and the risks of each investigation and the pivotal role that security of information plays in asset loss and in many instances national security, investigative policy, procedures and law will evolve.
John Ellis holds a Bachelor’s Degree in history from Boston College in addition to being a graduate of The Boston Police Academy. He is currently pursuing a Master’s Degree in Cyber Security at Boston College with expected completion date of 2019. John has over 25 years’ experience in community policing and criminal investigations including computer forensics. He has served as an intern at The Advanced Cyber Security Center and with The Massachusetts State Police Computer Crime Division at The Fusion Center.
I would like to acknowledge Kevin Burns, CIO of Draper Laboratories; Julie Fitton, Vice President of Digital Product Security for Stanley Black and Decker; Mike Steinmetz, Cybersecurity Officer for the State of Rhode Island; and Hans Olsen, Assistant Undersecretary of Homeland Security-Senior Advisor Antiterrorism and Cyber Security for the Commonwealth of Massachusetts Executive Office of Public Safety and Security for their willingness to share their time and their expertise.