As online criminal activity evolves, we need to continue R&D
10 February, 2021
Secure networks are often used by law enforcement to protect their systems and safeguard the victims they’re working with. They are a necessary implementation that add security to sensitive networks – but they also introduce tangible barriers to the progress of intelligence gathering, sharing and analysis. In this blog we discuss how investigators use high side networks and the challenges of investigating under secure conditions.
The difference between a network that is labelled as secure, and one that isn’t, is the level of security or classification.
A secure network will have a higher level of security regulation than its more open side alternative. There will likely be digital and potentially physical security layers surrounding this network, such as strict authorisations and on-premise restrictions.
For example, a lower classification network could have direct access to any external, public or unsecured network. In comparison, a secure network (or air gap, or air gapped network) could be entirely disconnected from any external networks, including the internet.
These are two extreme examples. In reality, law enforcement agencies (LEAs) will employ a spectrum of security parameters in between and likely have various classification levels and access allowances for different users. Agencies may use networks with different levels of security for different purposes.
Other common features and restrictions:
Users can’t transfer binary data from a secure terminal within an air gap network to another, external network.
Users can’t access high side networks outside of permitted locations and without using certain system hardware. For example, investigators couldn’t use this network while working from home.
Certain data can be transferred or shared for pressing reasons, for example to be used as evidence in a court case, but this requires an extensive authorisation process and paper trail.
The internet and open-source platforms can be a valuable investigative resource for LEAs, but in many instances, being connected to external sources isn’t worth the associated risks.
Investigating crimes that involve illegal materials, such as child abuse and child sexual exploitation (CSE) cases where imagery has been shared online, must be approached with care and sensitivity. While these images are critical pieces of evidence that must be kept – for example to track perpetrators and identify repeat imagery – the security of these images is always prioritised over ease of access.
The amount of people with access to this material needs to be limited – to reduce the risk of the images being accidentally or purposefully leaked, as well as to protect the victims’ privacy and the mental health of the investigating officers.
And from a more general perspective, LEAs are susceptible to infiltration, cyber attacks, and vulnerabilities just like any other organisation. The difference is the data they’re holding is much more sensitive than a regular commercial enterprise, with serious repercussions if it gets leaked.
Some possible threats include:
Malicious attackers hoping to break in and steal imagery, hack systems, or corrupt data.
Viruses, malware and other malicious programs designed to infiltrate and potentially steal or corrupt files.
Natural security flaws and software vulnerabilities present in external networks, such as the Heartbleed bug.
Internal actors attempting to steal and share data externally.
Secure networks have fewer potential attack points and therefore offer a stronger defence against malicious actors, human error, and other risks. Often then the best form of defence is to use an air gapped network with no connections to the outside world. This way all your data is definitively locked down, unable to be shared, and externally inaccessible – removing any possibility of a leak or breach.
YOU MAY ALSO LIKE: How big tech players could help transform how we combat CSE
While secure networks are extremely necessary, they come with inherent challenges that can impact the course of an investigation. The most obvious being that investigators don’t have access to the wealth of information available on open-source platforms, such as social media, which are usually a very valuable resource for researching cases.
The reverse problem is that investigators can’t access potentially crucial information held in high-security networks unless they are in the office which, highlighted by the Covid-19 lockdowns, can be equally limiting.
There are also greater limitations to what they users can do with their available evidence. For example, no imagery stored on high side networks can be cross-referenced with an external database, a method which could reveal links in intelligence or help identify other connected illegal materials. Similarly, intelligence material can’t easily be shared with other agencies which can result in agents unknowingly investigating the same perpetrator.
The unfortunate reality is that there is a stark trade-off between security and productivity. The stricter the network regulations, the harder it can be for investigators to do their job and make investigative progress. In addition, tighter restrictions can often lead to people unwittingly circumnavigating important ‘obstacles’, or contrastingly, acting overly cautiously and therefore not acting at all.
As has been said, there’s a spectrum of regulations between two extremes. Finding the right balance between these that protects victims and secures illegal material, while at the same time facilitating investigators to do their job is extremely important. The question we need to ask is, at what point are security measures more preventative than beneficial, when does mitigating the risk of data leaks cause the increased risk of failing to act?
The same discussion is had around perpetrator privacy rights vs the rights of the law to detect and prosecute illegal behaviour. Unfortunately for both cases, there is no explicitly correct answer. It’s a judgement call to be made by each agency and each individual.
Whatever the decision, the common goal should always be to find, protect, and safeguard victims. To use the available resources as a tool for good, and to make a positive impact.
At CameraForensics, we do our best to build tools that will add value to users and to their cases. To find out more about what we do and how we build tools that overcome common user challenges, just get in touch.