Most state and local governments have few options for fighting cybercrimes that extend beyond their jurisdictions or fail to meet the FBI’s threshold for getting involved.
Utah is an exception.
“[The FBI’s] resources were stretched, and the threshold for investigating cybercrime was so high that so many cases were going uninvestigated,” says Keith Squires, commissioner of Utah’s Department of Public Safety. “Our goal was to engage from the state level.”
The state is pioneering a new approach for addressing cybercrimes against residents and state networks that may not trigger an FBI takeover of the cases but that pose a security threat or have caused damages.
Last year, Utah’s cyberunit spent nearly 1,500 investigative hours on 30 cases between January and November. Funding from the state’s Legislature in 2013 provided three investigative positions and two analysts to conduct those investigations.
Today, Utah’s cyberunit is actively working on several cases involving Internet threats, computer intrusion, data theft and distributed denial of service (DDoS) attacks, says Brian Redd, director of Utah’s State Bureau of Investigation.
One of those active cases started with victims in Utah and was traced back, with the help of the FBI, to a lead in South Africa, Squires says. The Nigerian police found out that the Utah Department of Public Safety was working on the case and sent a command-level employee to Utah for several weeks to help with the case.
“These are the kinds of relationships being built in a cybercrimes investigation,” Squires says. “It opens the opportunity for being able to … share information better on who the suspects are. I was very impressed with that.”
After hearing about Utah’s cyberunit, some 30 states expressed interest in building cybersecurity expertise within their law enforcement agencies.
Prior to launching the state’s cyberunit, the Utah Department of Technology Services handled cyberattacks, but the agency’s focus was on mitigating the attacks, not monitoring for intelligence and potential criminal cases.
That responsibility now falls on the cyberunit. Utah’s analysts have full access in order to monitor the state’s network for threat intelligence that can be shared with state, local and federal governments.
In December, the unit conducted an exercise to ensure it could respond to incidents involving the state network or cases that fall below the FBI’s threshold. The exercise revealed that state officials need to create a response guide and protocol, develop strategies to properly triage cases or potential cases and strengthen abilities to collect evidence, Redd says. State crime lab personnel and an investigator from the cyberunit will be trained for forensic incident response.
In the future, Redd wants to simulate an attack to create a more hands-on experience.
“At some point, when [the] FBI can’t respond or have resources, we want to be able to respond,” he says.
In July 2013, the department joined forces with the FBI’s Salt Lake City field office; Utah’s state fusion center — the Statewide Information and Analysis Center; and the Internet Crime Complaint Center to create a platform for investigating state, local and national cybercrimes.
Called Operation Wellspring, the partnership recently moved out of the pilot phase and is now operational.
“Integrating UDPS personnel into the FBI task force has enhanced and increased resources to address cybercrimes at all levels and is having a positive impact on investigative activity and in building partnerships,” Squires wrote in a recent Police Chief Magazine article. “This effort has also increased coordination among agencies, reducing duplication and redundancy while enhancing productivity and expertise.”
Squires noted that the partnership gives cybercrime victims more opportunities for their cases to be investigated and increases the ability of law enforcement agencies to successfully prosecute criminals.
The Operation Wellspring model has spread to FBI offices in Dallas, Texas, and San Diego, Calif., according to Redd. In Utah, the goal is to strengthen cyberthreat information sharing with the private sector, too.