“We didn’t need no new-fangled computers when I was workin’ the streets in the 1970s.” Sound familiar?
The reality: Today, there’s not a single official activity a cop does that doesn’t involve computer work. The extent to which police have become dependent on technology sometimes escapes us. From running a license plate to filling out the report about the guy whose mailbox has been dented by the neighbor’s kid, everything we do involves computers.
In 2011, there were major attacks on the computer networks of the Spanish Federal Police, the German Border Police, the Brazilian Federal Police, the Colombian Ministry of Justice and the Peruvian Aguilas Negras. In the U.S., the networks of the Arizona Department of Public Safety were attacked three times. Attacks were successfully mounted against more than 70 agencies in Alaska, Kansas, Louisiana, Missouri and Mississippi. The breach of the email accounts of 28 police chiefs in Texas in September was followed by the breach of the Texas Police Chiefs Association, the BART Police Officers Association and the International Association of Chiefs of Police (IACP). Most recently, California LEOs were attacked. So were the N.Y. Police Chiefs, where the residential addresses of more than 1,300 N.Y.-state police chiefs and law enforcement personnel were breached.
The reaction among most cops has been something like, “Well, it’s just our website,” or “There was no classified information in that data.” Even the FBI sounds this refrain. But you should care, and you must respond quickly if you find your department the victim of a cyber attack.
Why You Should Care
The first thing that officers should understand is that the attackers—in most cases affiliated with the hacking group Anonymous or with various affiliated splinters, including AntiSec and LulzSec—seek specifically to create personal safety issues for LEOs. They say as much. To this end, they’ve released the home addresses, phone and credit card numbers and other personal information about police officers and their families.
Additionally, looking deeper, we see that this “computer” problem actually creates pressing public safety problems. Data stolen in 2011 included rosters of officers, contracts, intelligence reports, tactical manuals, detailed plans and narratives of raids and arrests. There were lists of crime victims, tips, leads, names of informants, lists of suspects, plus catalogs of property, evidence transmittals and vehicle information. Carefully consider the impact upon your safety and those you’re sworn to protect if such information was free and publicly available.
It’s not just safety, it’s dignity. Just ask the scores of officers whose bra sizes were made public after a breach or the chief whose personal emails revealed his dating habits. The breaches also led to the discovery of some things that shouldn’t be tolerated by any agency—hate, racist speech and pornography. We shouldn’t protect those who abuse their power, their office or break the law. But the ramifications of a breach are more far-reaching than just “the stuff on our website.”
What to Do
Make no mistake: regardless of your security, everyone gets hacked. When the commercial intelligence firm STRATFOR was hacked on Christmas Eve, Nick’s personal information and credit card data were released—as were those of 80,000 others, including folks like Henry Kissinger, James Woolsey and entertainer Harry Shearer. Hacks happen.
What agencies must do is move immediately to understand the scope of the problem, communicate honestly with those who may be affected and, above all, take a hard look at the information that was breached to evaluate its potential impact. The FBI may want to investigate, and, of course, you should cooperate. But those investigations take ages. Foremost, you must do what you can to take care of your officers and those you’re sworn to protect.
Officers will need help with credit monitoring. In our opinion, an agency that loses an officer’s data should pay for at least one year of credit monitoring from a company like LifeLock or Identity Guard. City attorneys should consider the liability of the agency that was to protect information, such as that of crime victims or informants. Any information about civilians who get caught up in the breach should be examined, and the citizen must be informed and counseled.
Above all, the agency must not abdicate to federal law enforcement or anyone else the assessment of whether the breach was “serious.” Feds are concerned with classified information, but one should never conflate “classified” with “important.” I can tell you that my credit card numbers and home address were very important to my family and me, and they were absolutely not classified. Make your own assessment of the importance of the data that may have been exposed.
Before the Breach
Outsource responsibly: Too often, agencies go with what’s cheapest. Instead, speak with your outsourcer about security early. Get the answers you like. Consider that the webmaster of the Texas Police Chiefs Association was himself an activist, and said that he understood and supported the goals of the attackers. Consider hosting email and documents at vendors like USA.net, or even bringing in firms like Dell, Cisco or IBM small business managed services to provide security as well as hosting. It’s cheaper than you’d expect—and cheaper than doing it yourself.
Assess your technology: Most agencies are creaking by on old stuff. Have an external firm assess your situation and give you a realistic assessment of your network security. There are technology grants out there to upgrade, and many vendors who sell to LEOs can help you find information and walk through the grant process. But be hard-nosed about your assessment. Your computers hold more than ever. Leaving them insecure is like placing your file cabinets unlocked, on the street.
(Resources: Our site, PoliceLedIntelligence.com, has lots of resources and further information about this. Also, check with the IACP and GovernmentSecurity.org for resources.)
Bottom line: Information on computers is valuable. When it’s breached, it creates real officer safety issues. We urge officers and administrators to face this reality and to take concrete steps to become better prepared to deal with an attack against our computer systems.