As local police departments turn more to digital systems to manage evidence and communicate with the public, they become increasingly vulnerable to cyberattacks, experts warn.
“U.S. law enforcement will be breached,” security firm PKWare said earlier this month in its list of digital security predictions for this year. “From body cameras to police databases, cyberattacks against law enforcement could become widespread in 2016.”
Hackers have targeted agencies involved in political controversies in recent years, with police departments and other local agencies in Baltimore, Cleveland, and Madison, Wisconsin, all seeing various forms of digital attacks by groups like political hacker collective Anonymous after controversial shootings by police.
“You can expect that if you have a questionable shooting that occurs, you’re gonna get hacked,” says Terry Sult, chief of police in Hampton, Virginia. Sult has written and spoken about cybersecurity for the International Association of Chiefs of Police (IACP).
Sophisticated attackers could access police systems to learn the identities of witnesses, tamper with evidence, or try to blackmail the targets of investigations, says Winnie Callahan, the director of the University of San Diego Center for Cyber Security Engineering and Technology. “It does require being extremely careful, and assuming that someone wants to get in, and that you’re very, very up to date on the cyberhacking techniques,” says Callahan, who’s worked on efforts to teach law enforcement officers about electronic crime. “The thing is that their records that they’re holding really do have tremendous impact on the people—the victims of crime and the criminals themselves.”
Once systems are hacked, police information can be leaked. An Arizona state police agency was hacked multiple times by political hacker groups in 2011, with information about officers leaked to the public, and multiple police departments in Maine paid hackers to restore files held for ransom by malware last year, according to the Portland Press Herald.
Those kinds of risks mean that it’s essential for officers who are interacting with digital systems to know the basics of digital evidence preservation—like not turning off a computer at a crime scene that could have encryption enabled—and security, like not putting thumb drives that could have malware on them into police computers, says Callahan.
Departments also need to make sure that digital tools they use are properly secure, which often means bringing in outside experts to evaluate vendors’ promises and audit police IT systems, she says.
“Get a third party that doesn’t have an axe to grind or a dog in the fight, so to speak, to take a look at what a vendor is selling, and be sure that you can verify that what they say a particular piece of equipment can do, does that, and nothing more,” she says. “Sometimes you can put things in, and they do a particular activity for you, but they do other things in their spare time, and that’s extremely dangerous, and that happens quite a bit.”
A security audit at a police department where Sult previously worked was an “eye opener,” he recalls, turning up vulnerabilities like former employees who still had active accounts on departmental systems.
“We found some surprising things, and I don’t think it’s unique to police departments,” he says. “We found out that what we thought we had, and what we actually had, were not the same thing.”
In other cases, police departments have apparently unintentionally left sensitive data accessible to the public at large. The Electronic Frontier Foundation (EFF) reported last year that more than 100 license plate recognition systems were misconfigured, making live footage and plate information available on publicly accessible websites. And the weekly newspaper DigBoston reported last fall that Boston authorities had made license plate information, including people’s addresses, available on another public server.
“Law enforcement agencies love to get new technological toys, but what they don’t necessarily keep in mind as they purchase this is that there’s an ongoing cost of upgrading, making sure it’s security tested—there’s a lot of upkeep that goes into it,” says Dave Maass, an investigative researcher at the EFF.
If systems aren’t patched and maintained, they can become vulnerable over time, and insecure systems can be more easily discovered, thanks to search engines like Shodan that index Internet-connected devices.
“It could be all sorts of stuff that are just out there and connected to the Internet and nobody thought to lock down, or at least when they installed it, there weren’t the kind of threats that there are now,” he says.
Ideally, Maass says, police departments think carefully about how to protect data before they collect or store it—including taking into account the risk of insiders abusing legitimate access rights—and lawmakers should make sure agencies budget for maintenance, not just the initial installation of new tools.
“You don’t approve it just based on the initial pilot program or initial expenditure—you need to make sure the police officers have a five- or 10-year [plan] for updating the system or maintaining the system, with all of those costs built in,” he says.
Police departments are themselves becoming more aware of the risks, says Sult, thanks in part to efforts by groups like the IACP, which maintains its own Law Enforcement Cyber Center, and agencies like the Federal Bureau of Investigation, which offers training and tools to state and local agencies through its Cyber Shield Alliance program.
“It’s individual—agency by agency,” he says. “Some agencies are more prepared than others.”