The role of the Cybercrime Analyst Fellow is to incorporate a cyber-component into the Indiana Intelligence Fusion Center. The intelligence community was greatly improved in response to September 11, 2001 to safeguard the United States homeland. The IIFC was created to collect, analyze, and disseminate intelligence products relevant to territorial, local, state, and federal law enforcement. Key factors in the efficiency of the fusion center are the partnerships made, resources utilized, and policies enforced. To be a cybercrime analyst, the fellow must be adept in the inner workings of both cybersecurity and cybercrime. In the pursuit of a Master of Science in Criminal Justice and Public Safety, many previously taken graduate courses can be applied to the knowledge, skills, and abilities required of this position.
A History of Fusion Centers
The attacks that occurred on September 11, 2001 created a necessary change in the intelligence community of the United States. Before the 9/11 attacks, many wondered if the intelligence community properly collected, analyzed, and disseminated intelligence to adequately protect citizens of the United States (Best, 2003). A Joint Inquiry of the intelligence community was launched by Congress in 2002, and results were published in 2003. According to the Joint Inquiry, the intelligence community had warning of an Islamic terror attack headed by Osama Bin Laden. According to Best (2003), “For a number of Constitutional, statutory, and organization reasons, information collected by intelligence agencies has historically not been routinely used for law enforcement purposes.” Prior to the attack, many people had not taken the Federal Bureau of Investigation’s role as the lead counterterrorism investigator as seriously as they did after the attack. Weaknesses of the intelligence community and the law enforcement communities were outlined in the Joint Inquiry results as, “…an absence of emphasis on the counterterrorist mission, a decline in funding, limited use of information technology, poor inter-agency coordination, insufficient analytic focus and quality, and inadequate human intelligence” (Best, 2003). The underlying concept and resolution was the need for a federal strategy to collect information, analyze, and disseminate intelligence to stop or reduce terrorist activity against the Homeland. The Cabinet of the United States President gained a new member: the Director of National Intelligence. The new DNI would oversee the priorities of the intelligence community and approve its budget.
Additionally, the newly created Department of Homeland Security effectively became the first federal fusion center model by being, “… an effective all-source terrorism information fusion center that will dramatically improve the focus and quality of counterterrorism analysis and facilitate the timely dissemination of relevant intelligence information, both within and beyond the boundaries of the Intelligence Community” (Best, 2003). Under the George W. Bush administration, Fusion Centers were created with the direction and guidance of the Department of Homeland Security and National Fusion Center Association (NFCA). The mission of the NFCA is:
“To represent the interests of state and major urban area fusion centers, as well as associated interests of states, tribal nations, and units of local government, in order to promote the development and sustainment of fusion centers to enhance public safety; encourage effective, efficient, ethical, lawful, and professional intelligence and information sharing; and prevent and reduce the harmful effects of crime and terrorism on victims, individuals, and communities” (National Fusion Center Association, 2020).
Indiana Intelligence Fusion Center
The Indiana Intelligence Fusion Center (IIFC) is operated through the Indiana State Police. The vast majority of the IIFC is funded through federal and state grants. According to the State of Indiana (2020):
“The Mission of the Indiana State Police is to protect life and property within the State of Indiana from all threats, foreign and domestic, to investigate and deter crime, and to promote roadway safety by upholding the laws of the State of Indiana. By partnering with federal, state, and local agencies, the Indiana State Police will accomplish these efforts through effective patrols, investigations, intelligence gathering, innovative application of current technology, and all crimes policing efforts.”
The IIFC is comprised of two main types of analysts: criminal intelligence analysts and watch officers. Criminal intelligence analysts are trained in a diverse background of analytic techniques to utilize appropriate databases and tools. Responsibilities include taking in requests for information and criminal case assistance. Additionally, some of the analysts work on special products on behalf of certain agencies in the interest of enhancing law enforcement efficiency and public safety. Criminal intelligence analysts are civilians hired under the Indiana State Police. Watch officers are specialized analysts who are contracted between the IIFC and other agencies (i.e. local law enforcement departments, Department of Corrections, Indiana Gaming Commission, Indiana Office of Technology, High Intensity Drug Trafficking Area, Transportation Security Agency, Department of Homeland Security, etc.). The principle of including watch officers in the IIFC is that they promote the coordination and collaboration of multijurisdictional resources and expertise. Additionally, criminal intelligence analysts are able to utilize their resources to assist in agency-specific investigations.
“The mission of the MS-ISAC [Multi-State Information Sharing and Analysis Center] is to improve the overall cybersecurity posture of the nation’s state, local, tribal and territorial governments through focused cyber threat prevention, protection, response, and recovery” (Center for Internet Security, 2020). In this fellowship, the MS-ISAC’s automated newsletters, announcements, and advisories allow the incumbent to stay up-to-date on national cybersecurity issues.
The IN-ISAC (Indiana Information Sharing and Analysis Center) was created to serve the State of Indiana by mitigating cybersecurity risk across all state agencies. This is accomplished by, “… the sharing of threat information and collaboration on strategies. It provides real-time network monitoring, vulnerability identification and threat warnings” (State of Indiana, 2020). As the fellow, the incumbent reports directly to the Executive Director of the IN-ISAC. The roles and responsibilities of the incumbent are overseen and approved partially by the Executive Director. Under the umbrella of the Indiana Office of Technology, the IN-ISAC is the main source of cybersecurity information distribution to key personnel in the State of Indiana.
“The mission of the [IC3] Internet Crime Complaint Center is to provide the public with a reliable and convenient reporting mechanism to submit information to the Federal Bureau of Investigation concerning suspected Internet-facilitated criminal activity and to develop effective alliances with law enforcement and industry partners” (Federal Bureau of Investigation, 2020). The IC3 is an important resource for the incumbent because this would be used for any cybercrimes that need to be reported to a federal authority. The LECC also prioritizes the utilization of the IC3 in any cybercrime reporting inquiries. I had the opportunity to connect with an FBI Computer Scientist at the Indianapolis Field Office. Through our communications, he has provided me with key resources and tools he endorsed for different types of cyber-investigations and techniques.
CISA (Cyber and Infrastructure Security Agency) of the Department of Homeland Security is a federal risk advisor and defense agency against cyber and infrastructural threats. According to the Department of Homeland Security (2020), “CISA builds the national capacity to defend against cyber attacks and works with the federal government to provide cybersecurity tools, incident response services and assessment capabilities to safeguard the ‘.gov’ networks that support the essential operations of partner departments and agencies.” CISA’s first role of cybersecurity involves information sharing, tips and alerts, securing federal networks, protecting critical infrastructure, and directive and guidance. CISA’s second role of infrastructural security includes chemical security, hometown security, active shooter preparedness, risk assessments, and school safety and security. CISA’s third role of emergency communications involves national and statewide planning, priority services, partnerships, technical assistance, and regional coordination. Lastly, CISA’s fourth role of risk management includes cross sector risk management, national critical functions, pipeline cybersecurity initiative, ICT supply chain risk management, tri-sector executive working group, and election security. Much like the IC3, CISA also provides a reporting system so that incidents, phishing attempts, malware, and vulnerabilities can be analyzed and addressed appropriately.
The LECC (Law Enforcement Cyber Center) is funded by the Bureau of Justice Assistance, and is operated by partnerships between the NW3C, International Association of Chiefs of Police (IACP), and Police Executive Research Forum (PERF) (Lybarger, 2018). The LECC was created to be a “… one-stop-shop for law enforcement cybercrime information and resources” (Lybarger, 2018). The LECC provides over one hundred legal templates and model policies, provided by the Department of Justice Computer Crime and Intellectual Property Section, which include anything from search warrants for service providers, to wiretap orders, and so on. Additional resources include law enforcement portals, investigative resources, cyber threat bulletins, incident reporting (IC3), directory of cybercrime labs, mobile resources, video resources, printable resources, glossary of terms, cybercrime community resources (prepared PowerPoints and presentations), internet of things, and IACP model policies (International Association of Chiefs of Police, 2020).
“The NW3C [National White Collar Crime Center] provides a nationwide support system for law enforcement and regulatory agencies tasked with the prevention, investigation, and prosecution of economic and high-tech crime” (National White Collar Crime Center, 2020). In the role of the fellow, the NW3C became a resource for many on-demand and live webinars and online trainings to understand the landscape of this career field. Through the NW3C, the incumbent is able to remain up-to-date on the latest cybersecurity, cybercrime, open source intelligence, overall intelligence, and Dark Web policies and resources. All of the webinars, provided by the NW3C, are produced by experienced professionals actively in the field.
O-S-I-N-T Open Source Intelligence Training is dedicated to, “advanced online search techniques and strategies, search techniques of blogs and social networks, methods to obtain archived pages and hidden information, online privacy and counterintelligence techniques, and organize, analyze, summarize, and report your results” (Camelot Investigations, 2020). OSINT investigations often require a broader knowledge of internet use and manipulation. According to Camelot Investigations (2020), “Special databases and off-line sources are among the many rich veins of intelligence which go unknown and untapped by law enforcement, legal professionals, business researchers, security personnel, intelligence analysts, and terrorism, gang and financial researchers.”
Cybersecurity and Cybercrime
Through this fellowship, I have had the position of addressing the relationship of cybersecurity and cybercrime as having a causality effect. To summarize this relationship, when cybersecurity is compromised, threatened, breached, or attacked, the cybercrime investigation begins. Therefore, to understand the methodologies of cybercrimes, I must be knowledgeable of how a cybercriminal accomplishes their goal. The U.S. Department of Justice (DOJ) broadly defines computer crime as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution” (Kim, Newberger, & Shack, 2012). The DOJ also uses its definition of cybercrime to categorize the crimes further: (1) a computer is the “object” of a crime where the hardware or software is the target, (2) a computer is the “subject” of a crime where computer servers and services are targeted, and (3) a computer is the “instrument” of a crime where other types of crime are committed solely or mostly with a computer (e.g. identity theft, fraud, human and/or drug trafficking) (Kim, Newberger, & Shack, 2012). I received a Cybersecurity Technology Map that outlines key cybersecurity aspects as well as respected service providers from the Optiv/Con 2019 conference. The main contributions of cybersecurity include, but are not limited to, data protection, risk and compliance, identity management, application security, internet of things, cloud security, foundational security, and security operations. Security operations is the branch with the broadest scope, and is thus further delineated to capture the necessity of understanding the origin of cybercrime analysis: monitoring and operations, vulnerability assessment and management, change management, orchestration and automation, incident management and response, and threat detection and analysis.
To effectively analyze cybercrimes and provide assistance to my fellow criminal intelligence analysts in the IIFC, I determined that my position required a broad base of open source intelligence methodologies and tools. A great resource I found was the Open Source Intelligence Tools and Resources Handbook (Bielska et al., 2018). This handbook was essentially a list of available OSINT sites and tools to investigate cybercrimes using various categories: general searches, social media, people investigations, company research, real estate, online marketplaces, cryptocurrencies and financial information, terrorism, cybersecurity, stolen items, human trafficking, transportation, web intelligence, Dark Web, events, images, videos, audio, documents, data and statistics, news, foreign language content, web monitoring, data collection, browsers, geospatial, as well as privacy and security. From various webinars [Stibbards (2019), Duquette (2019), Bohn (2019)], I have also learned of other OSINT capabilities such as phone numbers, emails, secure browsers, alert systems, familial, IP addresses, registrations, Wi-Fi, virtual machines, and governmental public records.
While the internet facilitates cybercrime, the Dark Web operates in a way that makes it the perfect environment for nefarious purposes. The Dark Web is often outlined metaphorically as an iceberg. While the vast majority of everyday use of the internet is the top of the iceberg, the Dark Web is the bottom of the iceberg, unseen underwater and vastly more expansive. Originally created by the military, the Dark Web was eventually used by the public. There are several ways to access the Dark Web, including utilizing the Tor Browser. Tor stands for “The Onion Router” and is layered much like an onion. The user inputs a search, and the search is then passed through a circuit of Tor nodes, with layers of encryption wrapped around it. This method, exemplified by Figure 1, means the user and the ending search point never communicate directly or share metadata. The underlying purpose of the Dark Web is to ensure user anonymity. Cybercriminals thus have the ability to utilize the Dark Web to create criminal enterprises without their identity being discovered easily. Many illegal sites have been taken down to combat criminal activity. Tor Warehouse was a website created to deal in stolen and carded merchandise. When a credit card was stolen, this website allowed thieves to sell items bought with the stolen credit card. The buyer then could not be charged with possession of stolen items. Emperor Chemical’s Kingdom was created to deal in dangerous and illegal chemicals. In the wrong hands, these chemicals could have been used to create a chemical weapon of mass destruction. The most common types of crime committed using the Dark Web are trafficking offenses (human, organ, drug, and sexual). The currency of the Dark Web is cryptocurrency. The most common type of cryptocurrency is Bitcoin. This type of currency transaction is nearly untraceable, and the conversions of other currencies are anonymized.
Roles, Responsibilities, and Experiences
The underlying concept of a cybercrime analyst fellow was to create a cyber-component to the Indiana Intelligence Fusion Center. When I was first told this, I was not entirely sure what exactly my role and responsibilities would be. My task was to figure out how I was going to take on this unique opportunity and create my own program. It was clear I had plenty of knowledge and background of the criminal justice system and criminology to be able to acclimate and align myself with what the fusion center was created to do.
The first challenge I had to address was to build the knowledge, skills, and abilities (KSAs) relevant to the position. I have a fairly broad knowledge of the criminal justice system, ideologies, methods, and expectations of information through personal, educational, and professional experiences. However, none of those experiences involved cybercrime. Many of the crimes I have discussed or studied have been primarily Part 1 crimes (i.e. homicide, robbery, burglary, assault, arson, rape, larceny, narcotics, etc.). To address the lack of KSAs, I reserved the majority of my time for attending conferences, attending conference calls, watching webinars, and utilizing online trainings. The majority of these resources were found on the NW3C website. I categorized the conferences, webinars, and online trainings into 6 categories: Cybersecurity, Dark Web, Open Source Intelligence, Internet of Things, Intelligence, and Cybercrime. Due to budgetary constraints, I was only utilizing free conferences, webinars, and online trainings to enhance my KSAs.
The second challenge I addressed was the ability to keep informed of current threats and alerts from key partners. Over the period of the fellowship, I was able to accumulate and build connections between key partnerships relevant to my position as a cybercrime analyst. The LECC was a valuable resource in this capacity because of the available and up-to-date lists of cyber threat bulletins and directory of cybercrime labs throughout the nation. One of my personal favorite connections I made was from a seminar I attended, where the keynote speaker was a cybercrime investigator for the Federal Bureau of Investigation. Following the seminar, I reached out to him, and he was able to provide me with a list of useful tools and methodologies to investigate various cybercrimes.
Dissemination of intelligence is vital to the function and importance of a fusion center. Now that I have established continuous notifications from key partners, part of my responsibilities as a cybercrime analyst fellow is to submit pertinent cybercrime information and intelligence for the weekly IIFC bulletin. Submissions have included topics of interest such as cyberattacks in the holiday season, cybersecurity awareness month, and law enforcement only/for official use only intelligence relevant to national security.
During the beginning of the fellowship, I was tasked with utilizing a software tool that had the ability to scan Dark Web activity for chatter from targets of interest. The targets of interest included key infrastructures and personnel for the State of Indiana government. Shortly into the fellowship, the grant funding that provided me with this tool ran out, and I had to cease the continuation of this responsibility until funding became available. An additional responsibility I had was to scan critical infrastructure for cyber threats and vulnerabilities. Using the resource, I was able to actively participate in the intelligence process of collecting information, analyzing results, and disseminating intelligence products throughout the proper channels.
Towards the end of the spring semester of this internship, I had the unique opportunity to increase the scope of my position as a cybercrime analyst. In an effort to partner with the Indiana Department of Homeland Security, I became the Cyber Liaison for the Emergency Operations Center (EOC). Key members within the Indiana Office of Technology, Indiana Department of Homeland Security, Indiana National Guard, Indiana State Police, and the Indiana Executive Council on Cybersecurity facilitated a cybersecurity response annex and Indiana Cyber Advisory Group. The purpose of this multiagency coordination was to provide key members of the criminal justice and public safety field with incident detection, analysis, intelligence dissemination, and response plans for cyberattacks that would threaten people, infrastructure, and the state economy.
Previous Course Relevance
A major component of this fellowship is how I have been able to reference or contribute concepts learned in other graduate courses I have taken. The courses that stand out, in my own opinion, include Criminological Thought and Policy, Crime Analysis, Public Safety in the US, Research Methods in Criminal Justice and Public Safety, Risk Analysis for Public Safety, Mapping and Analysis for Public Safety, and National and Homeland Security in America. Criminological Thought and Policy provided me with the ability to conceptualize criminal justice theories to rationalize criminal activity and motives. Crime Analysis was particularly useful for this position because my role as a cybercrime analyst relies on the core principles of how to analyze crime. Public Safety in the US instilled the ability to conceptualize a “bigger-picture” of the certain types of crimes I would be analyzing. Instead of focusing solely on the crime, Public Safety in the US allowed me to analyze how cybercrimes are able to create a rippling effect of disorder in many aspects of governmental infrastructures. Research Methods in Criminal Justice and Public Safety showed me the importance of the proper research processes pertinent to this position: collection, analysis, and dissemination. Risk Analysis for Public Safety was another particularly important course for this fellowship because I had to conceptualize how to not only respond to crime, but to mitigate and evaluate the risks associated with vulnerabilities and potential threats associated with the crime. Mapping and Analysis for Public Safety built a knowledge of a useful software program relevant to crime analysis of multiple capacities. National and Homeland Security in America contributed to the knowledge of federal abilities and methodologies in the pursuit of protecting the United States from foreign and domestic threats.
Creating a cyber-component for a fusion center should become a common practice across the country. As technology, criminology, and law enforcement evolve, so should the methods that dictate the effectiveness of crime prevention, reduction, and prosecution. A foundational aspect of a fusion center is the collaboration and coordination of expertise and resources. Due to the nature of cybercrime analysis, a base of cybersecurity and information security is vitally important. I personally came into this position having a very basic foundation of cybersecurity, but an extensive background in criminal justice and public safety. With the resources available to me and to the best of my abilities, I believe I have adequately acclimated to the role of a cybercrime analyst serving the State of Indiana.