National model for fighting cybercrime based on Utah method of investigation | Crain's Utah

The nationally recognized Utah Model for local police response to cybercrime was created out of necessity.

In 2009, cyber criminals impersonated a public university and electronically diverted $2.5 million from a Utah state account to a private account in Texas, according to the federal study “The Utah Model: A Path Forward for Investigating and Building Resilience to Cybercrime.”

State officials were able to freeze the account and reduce the loss, but were unable to recover about $300,000, said the study, prepared by the federal Bureau of Justice Assistance and the Police Executive Research Forum.

In 2012, hackers accessed personal information about Utah state Sen. Karen Mayne, temporarily shut down the Salt Lake City Police Department website and gained access to records of 780,000 people on the state’s Medicaid server, the study said.

After the attacks, Public Safety Commissioner Keith Squires determined his agency needed to enhance its cybercrime capabilities.

“Long story short, the commissioner of public safety realized they had no resources in the state to do those types of investigations,” said Sgt. Jeffrey Plank of the FBI Cyber Task Force in the Utah Department of Public Safety. “They started looking for opportunities to spool up resources.”

The DPS began working with the FBI in its pilot Operation Wellspring program, which grants state and local authorities access to internet crimes data, Plank said.

Within a few years, the Utah Model was born.

When the Bureau of Justice asked the Police Executive Research Forum to prepare the federal case study, the Utah Model was selected as a “robust program” of cybercrime investigations, cyber intelligence analysis and the study of the impact of cybercrimes.

The program, which operates as the FBI Cyber Task Force, is part of the State Bureau of Investigation in the Public Safety Department, but maintains offices in the FBI’s Salt Lake City field office.

The task force investigates cases fed to it by the FBI, the public, the Utah Department of Technology Services, and the Utah Statewide Information and Analysis Center, also known as the fusion center, Plank said.

“We have the ability to use analysts at the fusion center,” he said. “We work closely with them and the DTS. Together it’s an awesome model.”

That the program was dubbed the Utah Model is a “little flattering,” Plank said. A number of law enforcement agencies have reached out to the task force for assistance, he said.

“Some have been here for training and got to meet with us,” Plank said. “It has been pretty nice to share what we’ve learned, but there is a lot more we can learn.”

Squires said he is pleased to help other communities and states.

“This is a big compliment to the State of Utah,” he said in a prepared statement. “We saw a need for a multiple agency collaborative program and decided to launch the efforts to be proactive.”

FBI Special Agent in Charge Eric Barnhart praised Utah for its efforts.

“Due to the nature and sophistication of the cyber threat, law enforcement must take a holistic approach, such as the Utah Department of Public Safety and the FBI have under Operation Wellspring,” Barnhart said in a release. “The cyber threat impacts law enforcement at all levels and requires a shared consciousness and the ability to synchronize expertise and assets to effectively combat it.”

FBI Supervisory Special Agent James Lamadrid said the Utah Model successfully addresses the challenges law enforcement experiences in cybercrime and allows state and local agencies to benefit from the lessons learned in Utah’s partnership with the FBI.

“Understanding where we are as a nation and where we need to be in order to fight cyber-crime is the first step towards strengthening our cyber posture,” Lamadrid said in a release.

Despite the program’s success, it was initially challenging to get funding to dedicate the task force’s three full-time law enforcement officers to cyber investigations, Plank said.

“It’s not a typical crime,” he said. “There are not a lot of results of putting handcuffs on people. For agencies to give three bodies full time to a model, they want to see arrests being made. It’s not like that as much as it is gathering intelligence and sharing it. In our case, it’s gathering email addresses and IP addresses and sharing them with other people.”

The task force does make arrests, but measuring its success is a “completely different ball game when it comes to metrics,” Plank said.

“We might be successful disrupting a criminal organization,” he said. “For example, a purchase order fraud case. We might get packages returned to a business that lost them from a scam. Last year we were able to return $800,000 in packages. There were no arrests but it was definitely a service to those businesses.”

The metrics are more about intelligence gathering and “disruptions” that occur through the task force’s investigations, Plank said.

“When we first started combing through the data, we thought we would find victims and suspects,” he said. “We found a lot of bad guys are international. It’s hard to put your hands on those people.”

The most rewarding practice has been simply sharing information nationally and internationally, Plank said.

“Instead of investigating days, weeks, months, sending subpoenas, we can quickly find another investigation that is related,” he said. “We’ve been able to solve some cases basically by identifying that somebody else is working a related case. We share the information and somebody else does the work. It leaves us open to focus on other cases nobody else is working on.”

February 12, 2018 - 2:56pm