State and local law enforcement agencies need to act now to educate their officers about basic cybersecurity practices, according to a new report by a team of policing experts and cyber researchers.
The National Consortium for Advanced Policing and George Washington University’s Center for Cyber & Homeland Security released their “Cybersecurity Guide for State and Local Law Enforcement” Wednesday, containing steps police departments of all sizes can take to protect themselves against cyberthreats.
“Too often, cybersecurity is just thought of as a federal issue,” said Frank Cilluffo, the center’s director, at an event on the university’s campus to unveil the guide. “But it needs to be considered at the state and local level, since these departments have so much access to confidential data.”
Analysts for both groups surveyed federal, state and local cybersecurity experts to compile the report, identifying common problems law enforcement agencies face when it comes to preventing cyberattacks and laying out resources they can take advantage of to beef up their network defenses.
Usha Sutliff — a program manager for the Lafayette Group, a cyber consulting firm that helped the organizations research the report — said the report answers the key question of “What do cops need to know about cybersecurity?” and can help agencies chart a path forward for getting smarter about cyber.
“We found a real lack of awareness of what cyber even means among agencies,” Sutliff said. “For a long time, network security has been exclusively an IT issue or under the purview of investigators of cyber crimes, but now we’re all part of this.”
Accordingly, she noted that the guide calls for “all agency employees to be regularly trained in cyber practices,” like identifying potential phishing attacks.
Mike Sena — the director of the Northern California Regional Intelligence Center, a “fusion center” that brings together federal, state and local law enforcement personnel — agrees that “people are often the weakest link” in any agency. He often works with police departments in his area to run simulated phishing attacks, and he noted that “seven to 10 percent of people” will click on links they send out in emails to test their awareness about these issues.
“All it takes is one person clicking on a link to decimate an agency,” Sena said.
Michael Downing, the deputy chief of the Los Angeles Police Department’s Counterterrorism and Special Operations Bureau, thinks it will take a “cultural paradigm shift” to get more agencies truly engaging with the issue. Though his own department now operates its own “cyber intrusion command center,” he lamented that the agency only made a commitment to fighting cyberthreats after hackers succeeded in briefly gaining access to department databases.
“We need to shift from a mindset of being first responders to being first preventers,” Downing said.
But as that culture change happens, Sutliff added, the analysts also want to see cops coordinate better with their government IT departments to counteract that knowledge gap.
“The IT department has to be a critical part of this,” Sutliff said. “And workers there must be vetted as thoroughly as law enforcement officers because of their access to sensitive information here.”
Indeed, the guide frequently stresses the value of turning to the federal government for help as well, and Downing believes it’s “incumbent on state and local agencies to reach out” for assistance.
Yet Sena thinks that many departments don’t do that sort of outreach because they’re unsure who to call when they’re facing a major cyber incident.
“If I told you, ‘If someone is burglarizing your house, call one of these seven numbers,’ how would that work out for you?” Sena said. “We’ve got to have commonality and a more unified message in how this information is triaged. Because I can tell you how information on a physical threat is handled throughout the country, but it’s not the same for cyber.”
Rep. Dan Donovan, R-N.Y., said he empathizes with that frustration after seeing the “ad hoc” communication between the feds and local agencies as a prosecutor in Staten Island. But he pointed to three bills making their way through Congress that could help address that problem.
One introduced by Rep. Will Hurd, R-Texas, would direct the Department of Homeland Security’s National Cybersecurity and Communications Integration Center to coordinate more directly with state and local officials. Donovan added that he even introduced a bill last week to promote cyber information sharing among federal agencies and state and local agencies.
“Congress has made progress here, but we still have a long way to go,” Donovan said.
For all that progress, Sena worries that there’s “lots of talk” among lawmakers about cybersecurity but still not enough action.
“Cybersecurity isn’t sexy, it doesn’t get people’s attention until it affects them personally,” Sena said.
Contact the reporter at email@example.com, and follow him on Twitter @AlexKomaSNG.