This year, law enforcement organizations are likely to see continued ransomware attempts and will need to confront the growing risks as the adoption of digital tools and services expands attack surfaces, explained Christian Quinn, former commander of Fairfax County, Va.’s Cyber and Forensic Bureau and chair of the International Association of Chiefs of Police (IACP)’s Subcommittee on Cyber.
Many departments are also entering the year with the usual challenges experienced in public-sector IT — limited cybersecurity investments, lack of dedicated technology personnel and struggles to get issues treated seriously enough before attacks happen, Quinn said.
Laura Cooper, executive director of the Major Cities Chiefs Association (MCCA), a professional organization representing for police executives of large U.S. and Canadian cities, told GovTech that many agencies have let IT and software investments slide in past years.
In her view, the greatest challenge to improving cybersecurity is the price tag — and the difficulty getting across the value of the investment.
“If it’s a determination between beefing up cyber infrastructure or getting a vehicle that you’ve needed, probably, you’re going to go with the vehicle because you can see it and it’s tangible,” Cooper said.
But MCCA member agencies say the tide may be changing as attacks increase and leadership becomes more aware of the damage cyber incidents can deal.
Cooper and Quinn explained the challenges, and priorities, ahead.
RANSOMWARE HITS HARD
Traditional ransomware attacks lock down data and systems, and police departments cannot always build back everything, Cooper said. (She was unaware of any departments paying the ransom to regain access.)
Agencies that used software to track crime statistics or use-of-force incidents could see a decade’s worth of information wiped out, for example, and may struggle to recapture it from paper sources.
“A lot [of departments] are still reeling from things that happened even a couple years ago,” Cooper said. “Some of it you just can’t get back — it’s like [the data] never existed; it’s lost forever.”
Inability to access data is only a portion of the problem, although a significant one — the Dallas Police Department’s accidental deletion of case data interrupted at least one trial, for example. Another concern is that hackers might tamper with evidence and even “the mere presence of an attacker on the network could render [digital] evidence inadmissible,” per the IACP’s Police Chief Magazine.
Double extortion — in which bad actors threaten to leak information — can also put residents and officers at serious risk. For example, D.C. police fell to a ransomware attack last year in which perpetrators posted officers’ personal information and threatened to expose confidential informants’ identities.
“People’s lives are at stake,” Quinn said. “And at a time when public safety is really struggling to maintain public trust, police legitimacy and enhance collaboration with the communities, they just end up having egg on their face.”
Departments unable to protect sources or keep private information that victims may find sensitive or embarrassing are liable to quickly lose residents’ confidence, Quinn said.
Presque Isle, Maine’s police department had its own struggles last year, when cyber attackers published a domestic violence incident report — including personal information on the victim — and threatened to release other victim statements and confidential information.
FINE-TUNING DATA COLLECTION
While backup strategies can help restore systems, there’s no way to un-leak exposed data. Departments therefore need to both use strong defenses and think carefully about how they gather data.
Quinn said Fairfax County ran into such concerns when deciding how to adopt drones. Police might send a drone to record the scene of a car crash, but if the camera is on during the flight over, it could capture invasive and irrelevant footage that the department cannot quickly delete, he said.
“[If] they fly over someone’s house, and they’re in their backyard laid out topless or something like that, we’re kind of stuck with that [data],” Quinn said. The county ultimately decided drone cameras would stay off until pointed exclusively at the scene being investigated.
Departments may also need to take a long-term look at defense.
Per its manual on Unmanned Aircraft Systems, Virginia requires data related to traffic management and control be retained for a year. Other data is held longer — case files related to investigations of unresolved serious offenses must be held 100 years, for example, during which time many new forms of cyber threats could emerge.
CONFRONTING CHALLENGES
Police departments looking to boost their security will need to attend to their overall posture, not just focus on thwarting the cyber attacks currently getting the most attention, Quinn advised. That includes training personnel on good practices, preparing contingency plans and adopting strategies and tools for detecting and mitigating intrusions.
The challenges facing departments keep growing as more services go digital and officers equip more IoT devices, Quinn said. He was particularly concerned that attackers might gain entry points into police systems if officers download potentially insecure personal-use apps onto their work devices or link them with personal devices.
Even as some agencies up their digital usage, legacy systems remain a problem.
“The 911 systems that are currently out there are quite antiquated in a lot of areas. When a denial of service comes about, it really does have negative impact on the community,” Cooper said, saying adopting next-gen 911 would help.
Other hurdles facing police are familiar across the public sector: difficulty getting cybersecurity funding, hiring designated IT and cyber staff and getting cyber needs prioritized.
Still, there’s good news: federal grants could ease some strain, and Cooper said MCCA member agencies have been focusing on raising awareness about the importance of cybersecurity and seeing leadership outside the IT department paying more attention.