Have you ever suspected that your network at work or system at home had been compromised? Have you ever suspected that an authorized employee was doing something nefarious on your network? Did you tell someone? Who did you tell? At work you may have called the Help Desk (which can occasionally be the opposite of helpful). Did they inform the Chief Cybersecurity Officer? Or did they reboot your system and brush you off?
If you suspect your network has been compromised by an insider, or you suspect an intrusion, do you call the cops? If so, when?
In my role as a criminal investigator for the military, we struggled to get our own organizations to report suspected criminal activity to the cops. We created a CERT (Computer Emergency Response Team) to coordinate these cyber incidents and events. The techies most often tried to ‘play the cop’ and solve the problem without notifying the criminal investigators. Some did it for egotistical reasons, and others because they were afraid of losing control of the situation by notifying law enforcement.
There is a limit to what a systems administrator or cybersecurity officer is legally able to do. They can only conduct an investigation inside their own network, not someone else's. They can stop the bleeding internally (maybe), but they cannot reach out to identify and stop the intruder.
I had to assign a full-time cybercrime investigator to the CERT and actually force them to work as a team. Many do not realize that an intrusion or unauthorized access by an authorized user is in fact criminal activity.
The Computer Fraud and Abuse Act (18 USC 1030) makes each of the following a federal crime:
- Computer trespassing in a government computer
- Computer trespassing that results in access to financial systems
- Damaging a government computer, bank computer, or a computer in or affecting interstate or foreign commerce
- Committing fraud by computer
- Threatening damage to a government, bank, or a computer affecting interstate or foreign commerce
- Trafficking in passwords
- Accessing a computer to commit espionage
The key term is ‘trespass’, defined as access that is unauthorized or that exceeds the user's authorization (which covers insiders).
Federal jurisdiction applies to computers used in or affecting interstate or foreign commerce or communications, including a computer outside the country that affects US commerce. If a system is connected to the Internet or a telephone line, it is a covered system.
There are many other federal statutes that apply as well, such as:
- 18 USC 1029, Access Device Fraud (addresses trafficking in passwords)
- 18 USC 2511, Interception & Disclosure of Wire, Oral, or Electronic Communication (addresses wiretapping, sniffers, and protects information in transit)
- 18 USC 2701, Stored Wire & Electronic Communications (addresses unauthorized access to stored data)
Today, all states also have their own laws against unauthorized access to computers.
The bottom line is that intrusions and unauthorized access, including exceeding authorization level, are all state and federal crimes.
When to call the cops
As soon as possible. Evidence can be extremely volatile and temporary. You do not have to solve the case for them, although you should provide assistance, theories, possible suspects and motives, and estimated damage. Set the ground rules up front. You want to help catch the bad guys, but your systems must remain operational. Law enforcement will respect your wishes and appreciate your assistance.
The FBI certainly has more resources and expertise than state and local law enforcement, but they must prioritize the use of those resources to get the biggest bang for the taxpayers’ buck. They should be your first call, but if you have a limited intrusion that is small in scale, do not hesitate to call your state and local law enforcement.
Support and educate your state legislators in providing the necessary resources to increase the cybercrime and digital forensics capability of your state and local law enforcement. They desperately need your support.
Looking forward to hearing from you.
Jim Christy is VP of Investigations and Digital Forensics at Cymmetria. Jim retired from the U.S. government in 2013, ending a career investigating computer crimes and running digital forensics labs that began in 1986 at the Air Force Office of Special Investigations.
Jim can be reached by email at email@example.com.
Connect with Jim on Twitter: @jimchristyusdfc