National Academies: Hard Cyber Problems in Law Enforcement
On September 26, 2024, the National Academy of Sciences ‘Hard Cyber Problems’ committee hosted a law enforcement session, and I was asked to present an overview for their consideration.
To build this presentation, I chatted with former colleagues and current friends, to ensure that I wasn’t missing anything. You can watch the open and public presentation here (the presentation starts at 04:20).
At a high level, the issues are:
Identity and Access management
- Who gets in, how do they get in?
- Related: What gets in?
Acceptable use
- What can we do within the networks?
- Who knows when this isn’t the case?
- Related: who manages your network?
Endpoint management
- What is an endpoint, how is it managed?
- Who owns the endpoint?
- Related: does your department understand the liability of personal devices?
That sounds like pretty much any other network, but the challenges to law enforcement networks are unique.
One observation I made during the presentation (at 26:17), is about how police departments are unable to use threat intelligence to prioritize their defenses against the most likely threats:
We are not capturing real cyber crime statistics about stuff that happens on law enforcement networks: acts that bring them down or corrupt data, or otherwise doing things that constitute unauthorized use of a law enforcement computer network – those are cyber crimes, and that data is not being captured.
The IC3 website is particularly unhelpful in this arena, and the data that is there is really not useful for prioritization, or for funding [to combat] the kinds of threats that are faced by law enforcement agencies.
With more than 17,000 law enforcement agencies, about twelve-and-a-half thousand purely local agencies, each of them is essentially its own island. There are no federal requirements to bubble up any of these data, and I know of no academic work that is being done to aggregate information about these on a meaningful national scale.
In the video I drill into things including:
- What is on these networks?
- How are these challenges unique?
- What are the demographics of law enforcement (and why is it that 93% of American police departments have fewer than 100 officers)?