Police globally are increasingly partnering with security experts in the private sector to tackle cybercrime, but while more intimate collaboration can help close cases faster, public organizations must be prudent when it comes to data sharing, industry watchers cautioned.
Paul Ducklin, Sophos' head of technology for the Asia-Pacific region, said in an e-mail interview that most law enforcement agencies have been building up their expertise in cybercrime and intelligence. At the same time, these organizations are also developing partnerships with industry experts.
But such public-private sector ties are set to deepen. Earlier this month, the chief executive of the International Cyber Security Protection Alliance said law enforcers in the United Kingdom were looking to formalize partnerships with information security professionals, according to a V3.co.uk report.
John Lyons explained that the arrangement could be in the form of recruiting an expert as a special constable or having him or her seconded to an agency for three years. The scheme would address the shortage of skilled officers and the lengthy training required to be able to carry out the duties effectively, he added.
Rob McMillan, research director for security risk and privacy at Gartner, agreed that police forces in a number of countries would be considering such formal partnerships going forward. "We will probably see more of this over time."
However, the analyst pointed out that law enforcement organizations involved in these partnerships need to be prudent about the information they choose to share. Any electronic access given, he said, should be limited to only what is relevant.
McMillan added that it was likely background vetting of private sector staff would be conducted before access to law enforcement resources is granted.
Cathy Huang, industry analyst of Asia-Pacific ICT practice at Frost & Sullivan, also warned that agencies should be careful about "providing more information than required". They ought to be clear and decisive about the type of information they are prepared to share with third-party security companies or experts.
Stefan Tannase, senior security researcher at Kaspersky Lab's global research and analysis team for Eastern Europe, Middle East and Africa, likened the idea of seconding a security professional to an outsourcing partnership where the provider's employees work out of the client's premises.
When a company outsources security, it should first of all choose a player that is trustworthy, with a long history and good track record, he noted.
"More than that, talking [when it comes to] highly sensitive information which needs to be protected, a company [that] chooses to outsource security services needs to make sure their partner's services have been independently assessed by recognized third parties," said the researcher based in Romania.
Ducklin of Sophos said he was certain most government and public service departments have well-defined procedures for deciding whom to trust, and authorizing them to participate alongside police officers in a criminal case.
Other than security risks, there are challenges associated with formal partnerships between law enforcement agencies and security companies.
Frost & Sullivan's Huang said identifying the right partner was one issue faced by the police. "The current certification and accreditation system does not help to ascertain the expertise and integrity of the candidate or agency," she pointed out.
Law enforcement organizations may also end up neglecting to develop their own expertise. Huang explained: "A heavy reliance on the security experts [or] agencies for cybercrime may pose a potential risk of having low competency of the organization itself when it comes to unexpected [circumstances] where the security experts [or] agencies fail to deliver their services."
McMillan pointed out that security experts in the private sector may command salaries that exceed the budget of the public sector.
Collaboration is key
Risks and challenges aside, the idea of collaborating closely with security experts in the industry is not only necessary, but becoming essential.
Kaspersky's Tannase noted that in today's security landscape, no individual or entity would be able to fully "dissect all criminal cases" without help from other parties.
"Solving cybercrime cases is becoming more and more complex every day, and the only way to win the battle is to collaborate," he said.
Huang said with such arrangements, public sector organizations will be able to leverage the expertise and updated tools or information possessed by professionals in the security industry more cost-effectively.
McMillan concurred, noting also that governments can obtain quality data from a broader perspective when it comes to tracking cyberactivity targeted at organizations critical to the economic health and social fabric of the country.
At the same time, security firms gain greater insight into the issues that affect the public sector and a greater appreciation of the consequences public agencies face for taking a particular action when tackling cybersecurity.