Government Training of Social Media Warfare Intelligence and Investigative Professionals

There are several U.S. federal government initiatives and programs for training intelligence and investigative professionals on the use of social media warfare tactics to support their efforts. There are also several agencies involved in providing this training, each for different types of intelligence and investigative professionals.

The U.S. Department of Homeland Security manages the National Initiative for Cybersecurity Careers and Studies (NICCS). The vision of the NICCS is to provide the United States with the tools necessary to ensure citizens and the workforce have more dynamic cybersecurity skills. The NICCS directly focuses on enhancing awareness, expanding the pipeline, and evolving the field of study and practice of cybersecurity skills. NICCS is a national resource available to anyone from government, industry, academia, and the public who seeks to learn more about cybersecurity and opportunities in the field. NICCS is managed by the Cybersecurity Education and Awareness Branch (CEA) within the Department of Homeland Security Office of Cybersecurity and Communications [8]. The following paragraphs describe training programs provided through the MacAfee Institute.

Certified Cyber Intelligence Investigator (CCII)™ program contains 26 modules of self-study learning opportunities. Learning objectives include a cyber intelligence overview, e-crime investigation methodologies, advanced e-crime investigations, classified investigation methodologies, exploring the deep web, open source intelligence, and documenting social media evidence. A more advanced program in the same area is the Certified Cyber Intelligence Professional (CCIP)™.

Certified Cyber Investigations Expert’s (CCIE’s)™ program is designed to train elite cyber investigators in advanced and state-of-the-art methodologies to identify, investigate, and resolve the most complex cybercrimes. This is a 6-month online professional board certification focused on enhancing skill sets that takes a blended learning approach of self-study, live interactions, and instructor-led investigative exercises. The program contains over 500 video-based lectures resulting in hundreds of hours of online training, online prep review quizzes to prepare for a final exam, and the necessary study manuals. Learning objectives include conducting cyber investigations and intelligence gathering, cyber intelligence methodologies, e-crime investigations, social media investigations, deep web investigations, digital evidence collection, and setting up a cyber lab [9]. Other training courses in the curriculum include

• ? Certified Cyber Threat Analyst (CCTA)
• ? Certified Cyber Threat Forensic Investigator (CTFI)
• ? Certified eCommerce Fraud Investigator (CEFI)
• ? Certified Forensic HiTech Investigator (CFHI)
• ? Certified Human Trafficking Investigator (CHTI)
• ? Certified Organized Retail Crime Investigator (CORCI)
• ? Certified Social Media Intelligence Expert (CSMIE)

The U.S. Federal Law Enforcement Training Centers (FLETC) provide career- long training to law enforcement professionals to help them fulfill their responsibilities safely and proficiently. FLETC has grown into the nation’s largest provider of law enforcement training. Under a collaborative training model, FLETC’s federal partner organizations deliver training unique to their missions, while FLETC provides training in areas common to all law enforcement officers, such as firearms, driving, tactics, investigations, and legal training. Partner agencies realize quantitative and qualitative benefits from this model, including the efficiencies inherent in shared services, higher quality training, and improved interoperability. FLETC’s mission is to train all those who protect the homeland, and therefore, its training audience also includes state, local, and tribal departments throughout the United States [10].

FLETC provide the Internet Investigations Training Program which is designed to give investigators, analysts, and individuals serving as direct law enforcement support personnel the basic understanding they need to conduct Internet-based investigations. The program focuses on investigations and operations centered on the use of the Internet and its many communities that are being exploited for criminal activity on a day-to-day basis.

The program is delivered in two instructional modules: investigating Internet crimes and conducting online investigations. The Internet investigations module focuses on the examination of historical Internet data such as e-mails and website posting to identify the author or originator of the Internet activity by looking at system artifacts and attributes. The online investigations segment focuses on the live and active interrogation of online data, such as investigating websites and attempting to determine their physical location. Participants are instructed on how to properly configure their investigative computer and how to setup investigative profiles and personas and on the use of system archival and interrogation tools. Modules include federal court procedures, electronic law and evidence, conducting investigations online, investigating Internet crimes, and the Internet environment [11].

The National White Collar Crime Center (NW3C) supports state and local law enforcement efforts to prevent, investigate, and prosecute economic and high- tech crime. NW3C began its existence in 1978 as the Leviticus Project and was created to conduct a formally structured and centrally coordinated multi-state investigation of a variety of crimes affecting the coal industry in the United States. Funding was provided by the U.S. federal government through a central funding pool, the so-called multi-state projects, which are now known as the Regional Information Sharing System (RISS). In 1991, the project expanded its membership to include all traditional law enforcement agencies in all 50 states and it expanded mission scope. The project shifted its focus from facilitating information sharing to providing training, creating databases, and providing analytical services to assist the membership. In November 1992, the project’s name was changed to the National White Collar Crime Center (NW3C). NW3C links criminal justice agencies across jurisdictional borders and provides support for the prevention, investigation, and prosecution of economic and high-tech crime through a combination of research, training, and investigative support services. NW3C now has more than 4000 member agencies in the United States and its territories as well as 15 other countries throughout the world.

The cybercrime section offers free courses to law enforcement personnel that provide training for successful criminal prosecutions [12]. Course topics include the following:

• ? Advanced Wireless Network Investigations (AWNI)
• ? Apple® iDevice Forensics (iDF)
• ? Basic Computer Skills for Law Enforcement (BCS-WB)
• ? B asic Data Recovery and Acquisition (BDRA)
• ? Basic Network Intrusion Investigations (BNII)
• ? Cell Phone Mapping and Analysis (Formerly BCPI) (CPMA)
• ? Cell Phone Seizure and Acquisition (Formerly CPI) (CPSA)
• ? Encryption (ENC-WB)
• ? Fast Track Program (STOP, BDRA, and IDRA) (ICAC-FT - Basic)
• ? Fast Track Program Advanced (WinArt, INET, MTI, and iDevices) (ICAC-FT—Advanced)
• ? First Responders and Digital Evidence (LC1-WB)
• ? GPS Interrogation (GPSI-WB)
• ? Identifying and Seizing Electronic Evidence—Web Based (ISEE-WB)
• ? Identifying and Seizing Electronic Evidence (ISEE)
• ? Intermediate Data Recovery and Analysis (IDRA)
• ? Introduction to Cell Phone Investigations (ICPI-WB)

• ? Introduction to Computer Networks (ICN-WB)
• ? Linux Open Source Forensics (LOSF)
• ? Macintosh® Forensic Analysis (MFA)
• ? Macintosh® Triage and Imaging (MTI)
• ? Mobile Digital Devices and GPS (LC7-WB)
• ? Online Undercover (LC5-WB)
• ? Post-Seizure Evidentiary Concerns (LC6-WB)
• ? Search Warrants and Digital Evidence (LC2-WB)
• ? Searching Without a Warrant (LC3-WB)
• ? Secure Techniques for Onsite Previewing (STOP)
• ? Social Media and Technical Skills (ICAC-SMTS)
• ? Social Media and Technical Skills (SMTS)
• ? Social Media Basics (SMB-WB)
• ? The Stored Communications Act (LC4-WB)
• ? Windows Artifacts (WinArt)
• ? Windows Internet Trace Evidence (INET)

The U.S. Department of Defense (DOD) Cyber Crime Center (DC3) provides training for the military, is designated as a national cyber center and DoD center of excellence, and serves as the operational focal point for the Defense Industrial Base Cybersecurity Program. DC3 operates under the executive agency of the secretary of the Air Force. The DC3 mission is to deliver digital forensics and multimedia (D/ MM) lab services, cyber technical training, technical solutions development, and cyber analytics for DoD mission areas, including information assurance (IA) and critical infrastructure protection (CIP), law enforcement and counterintelligence (LE/CI), document and media exploitation (DOMEX), and counterterrorism (CT) [13]. Courses offered online or in residence by DC3 include the following:

• ? ICIT+ Introduction to Cyber Insider Threat
• ? CTTS+ Cyber Threats and Techniques Seminar
• ? DDP+ Digital Data Protection
• ? CITA+ Cyb er Insider Threat Analysis
• ? CAC+ Cyber Analyst Course
• ? OUT+ Online Undercover Techniques

In March 2016, the U.S. Department of Homeland Security (DHS) executed Cyber Storm V, the fifth iteration of Cyber Storm, DHS’s capstone national-level cyber exercise series. Mandated by Congress, these biennial exercises are part of DHS’s ongoing efforts to assess and strengthen cyber preparedness, examine incident response processes, and enhance information sharing among federal, state, international, and private sector partners. Each Cyber Storm event builds on lessons learned from previous exercises and real world incidents, ensuring that participants face more sophisticated and challenging exercises every 2 years.

Law Enforcement Response to Social Media Warfare ? 239

Cyber Storm exercises give the cyber incident response community a safe venue to coordinate and practice plans, response mechanisms and recovery tasks, and build and maintain relationships. Most importantly, the exercises provide the community with the opportunity to identify strengths and areas for improvement, incorporating those lessons into operations to help reduce cyber risks to the nation. Cyber Storm V focused on the main objectives that are shown in Table 13.2.

Cyber Storm V was a distributed exercise that allowed players around the world to participate from their normal work locations. The Exercise Control (EXCON) cell was located at a DHS facility in the Washington, D.C. metropolitan area. The scenario progressed as players received injects through e-mail, phone, in person, and via exercise websites from EXCON. Exercise play simulated adverse effects through which the participants executed their cyber crisis response systems, policies, and procedures.

The significance of the Cyber Storm exercise series has grown since its inception with Cyber Storm I. As cyber-based threats continue to increase, more government agencies, private sector companies, and critical infrastructure organizations have acknowledged the benefits of good cyber hygiene. Cyber Storm V communities include

• ? Federal partners
• ? Law enforcement/intelligence/Department of Defense
• ? State governments
• ? International
• ? Information technology (IT)/communications
• ? Commercial retail facilities
• ? Healthcare and public health
• ? Public affairs

Table 13.2 Cyber Storm V Main Objectives

The Cyber Storm V scenario introduced participants to multiple adversaries, some working together and others working independently. These adversaries distributed complex new malware that resulted in crippling effects throughout several critical infrastructure sectors. This challenging scenario gave partners the opportunity to practice and assess their policies and procedures for responding to cyber attacks, and required them to cooperate and share information about cyber threats [14].

Some state governments in the United States have also established training programs. The state of California, for example offers a course on Computer Crime Investigation of Internet Crimes. The 40-hour course is designed to provide investigators with the necessary training, skills, knowledge, and practical experience to conduct a variety of online crime investigations. Instruction is also provided on using the Internet as an investigative tool, including Internet protocols; LAN/ WAN/GAN operations; e-mail tracing; and using social networking sites as investigative resources. The course is designed for law enforcement personnel assigned to high-technology crime investigation units, white collar crime units, fraud or forgery units, sex and vice crimes units. Additionally, any law enforcement officers with an interest in Internet crime investigations may attend. Upon course completion, students will understand crimes committed on the Internet, use of the Internet as an investigative tool, be able to conduct reactive and proactive investigations on the Internet, and be able to use basic tools to gather evidence on the Internet. Additionally, students will learn state and federal laws applicable to Internet crimes and who to contact for additional resources to aid their investigations [15].

The National Computer Forensic Institute (NCFI) is a federally funded training center dedicated to instructing state and local officials in digital evidence and cybercrime investigations. The NCFI was opened in 2008 with a mandate to provide state and local law enforcement, legal and judicial professionals with a free, comprehensive education on current cybercrime trends, investigative methods, and prosecutorial and judicial challenges.

Run by the U.S. Secret Service’ s Criminal Investigative Division and the Alabama Office of Prosecution Services, the training model is based upon the Secret Service’s successful cyber investigative strategy, which relies on partnering with and sharing information between academia, private industry, and law enforcement/legal communities to combat the ever-evolving threat of cybercrime. Prior to 2008, training for state and local law enforcement in cybercrime was difficult to find. local departments could find occasional training slots in courses taught to federal agents or could acquire the skills and equipment at great cost to their respective agencies.

In 2007, the State of Alabama approached the Secret Service and DHS with a proposal. The State of Alabama agreed to provide the property and funds to construct a state-of-the-art facility if the federal government would fund the training and allow the Secret Service to operate it. An accord was struck, between the DHS, the State of Alabama, the U.S. Secret Service, the Alabama District Attorneys Association, and the City of Hoover. In March of 2007, U.S. Secretary of Homeland Security, Michael Chertoff went to Hoover to announce the foundation of the National Computer Forensics Institute.

The NCFI’s 32,000 square foot facility is located in Hoover, Alabama, a suburb of Birmingham. The NCFI boasts three multi-purpose classrooms, two network investigation classrooms, a mock courtroom, administrative work areas, and an operational forensics lab dedicated to the Birmingham Electronics Crimes Task Force. The style and technological features in the classrooms are distinct from any within the U.S. federal government.

The full-time staff of the NCFI includes a Secret Service member who serves as NCFI Director, a Special Agent from the Electronic Crimes Special Agent program (ECSAP), an Administrative Officer, an Alabama state prosecutor, and a course administrator. Instruction is provided by both Secret Service employees and contract instructors.

State and local agencies benefit from a tuition-free education. In addition, all travel costs, hotel, and per diem are covered by the NCFI. In some of the forensic courses and intrusion courses, students are issued with all the hardware, software, and licenses necessary to conduct these investigations. NCFI students receive the same equipment and software as the special agents trained by the Secret Service; a considerable benefit as it allows both the local officer and the federal agent to operate on common systems [16]. The following is a list of courses offered:

• ? Basic Mobile Device Investigations (BMDI)
• ? Basic Network Investigation Training (BNIT)
• ? Online Social Networking (OSN)
• ? Basic Computer Evidence Recovery Training (BCERT)
• ? Mobile Device Examiner (MDE)
• ? Network Intrusion Response Program (NITRO)
• ? Advanced Mobile Device Examiner (AMDE)
• ? Mac Forensics Training (MFT)
• ? Computer Forensics in Court—Judges (CFC-J)
• ? Computer Forensics in Court—Prosecutors (CFC-P)
• ? Mobile Devices in Court—Prosecutors (MDC-P) [16]

Other training opportunities are available from colleges and universities as well as state police academies. There are numerous programs geared toward particular states and large municipalities. The best way to find such programs is to review local education offerings.