informa
4 min read
article

Proposed Nonprofit Would Bridge Law Enforcement, Enterprise Security Worlds

Organization aimed at translating business' breach experience and what information law enforcement needs to prosecute a case
Organizations rarely report breaches to law enforcement, but a new grassroots effort exploring the creation of a nonprofit to bridge the gap between law enforcement and security professionals hopes to change that.

Alerting law enforcement that your organization has been "owned" just doesn't cut it because that will get lost in translation, says Nick Selby, managing director of Trident Risk Management, who is spearheading the formation of the nonprofit. "[But] If you say, 'My systems were breached' in a way that the penal code describes it, and that you suffered [X] dollars in damages, and customer records were exposed to potential identity theft, now you've given the cops something they can dig their teeth into," says Selby, who will discuss the latest on his concept for the nonprofit at next month's BSides conference in San Francisco.

Selby, a security consultant who was sworn in as a police officer last year, says the key is to give businesses and law enforcement the ability to better communicate and understand one another in the aftermath of an attack. That way, a breached company calling local law enforcement would provide up front the information investigators need, the proper forensic evidence, and leads that will help them prosecute the case, for example. "The private sector is great at investigative work. Law enforcement doesn't know what to ask for unless you've worked with them for a while," he says. "All we have to do is get what each other needs. Cybercrime is not diminishing."

Most organizations suffering breaches that don't require public disclosure don't call in law enforcement, mainly because they consider it an exposure risk, as well as an effort with little or no payback. And those that do have their own rules about reporting to law enforcement. Some require nondisclosure agreements, and that's something the FBI traditionally won't agree to. There's also the question of who to call -- local law enforcement, the FBI, or the Department of Homeland Security?

InfraGard, a partnership between the FBI and private industry to share information and intelligence, can help, but most small organizations aren't participants, Selby says. He says the idea is not to overlap with InfraGard and similar groups, but instead to complement them. "We need to help law enforcement and security pros communicate with one another better by translating [for them]," he says.

Budget-strapped law enforcement agencies, meanwhile, are becoming bombarded with more and more cybercrime cases. "The problem is there's a lack of knowledge of how to investigate and prosecute them," says David Henderson, a police sergeant in the Dallas-Forth Worth area who handles cybercrime cases. Henderson says he and his fellow law enforcement officials need specifics, such as what was stolen, how it occurred, and the value of the stolen information. "We need to know the value because there's a scale that determines what classification the offense is -- whether it's a misdemeanor or felony, and what grade," for example, he says.

"The most important thing is that we can confirm something happened and can articulate it so that a jury can understand what was taken, how it was taken, and by whom," Henderson says. Evidence such as forensics logs would get handed off to the department's forensics specialist for analysis, he says.

Among the main cybercrime cases his department sees: breaches, bank account fraud, and ATM skimming, he says. And the key is getting the victim organizations and law enforcement on the same page to tackle these crimes, he says. "It's our responsibility to get together and learn from one another," he says.

Selby says he has had several large organizations offering to help, but there has also been some pushback from both security pros and law enforcement who don't want anyone telling them how to do their jobs. "[Some] people hate this idea already," he says. But the proposed organization would not tell them how to do their jobs, but instead provide them a resource, he says.

"I've been really encouraged by the response I've gotten from the infosec community and a lot of people in law enforcement -- local, county, and state law enforcement have been really encouraging," Selby says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.