In a world where social engineering may play a key part in debilitating a cybersecure structure, are online sting operations by law enforcement a legitimate use of social engineering?
More often than not in crime investigations, on direct interrogation the blame shifts from a suspect/subject swearing they knew absolutely nothing, known to cops as SODDI (Some Other Dude Did It), toward a more plausible shift in responsibility – somebody else told me to do it. With a bit of levity in mind, let's call this justification SODTMTDI – Some Other Dude Told Me To Do It. If that other dude happens to be a confidential informant, the entrapment scenario becomes more defined as a defensive strategy.
The entrapment defense arises when the subject of a sting points the finger right back at the investigators who documented the events and claims that nothing would have happened had the investigators not set up the situation.
Imagine trying to interpret an SMS text message between two gang members to any jury without reasonable doubt entering into the jury's minds about what exactly the brief message may have meant. Now imagine that the text message originated with a confidential informant. The question becomes more real: would the crime have been committed without the informant's actions?
It only takes one jury member to hang a jury, meaning a retrial or dismissal of the case entirely. Often, lines get crossed in the average American's mind about whether someone would have committed a crime without an opportunity being provided by the insider.
With smartphone forensics being used as evidence across cyber and physical crime, the job of criminal defense and prosecution becomes even more complex: Evidence may become more readily found, but the digital evidence is even harder for jury members to understand without a great deal of expert witness testimony.
When evaluating this evidence, we now have to layer technology on top of this already confusing topic of intent – resulting in most jury members wondering whether messages really mean what the prosecution says they mean.
And where does an undercover operation fit into all of this?
Is a sting merely legitimized social engineering?
While entrapment often dives into the expectation of privacy and Fourth Amendment protection from unreasonable searches, there is still some debate – particularly with terrorism and cyberwarfare.
Social engineering by law enforcement is often seen by some as a valid entrapment defense. Recently, Bruce Schneier, security guru, posted an open question regarding terrorism entrapment on his blog, bringing up research he had done on the subject in 2007:
The JFK Airport plotters seem to have been egged on by an informant, a twice-convicted drug dealer. An FBI informant almost certainly pushed the Fort Dix plotters to do things they wouldn't have ordinarily done.
The Miami gang's Sears Tower plot was suggested by an FBI undercover agent who infiltrated the group. And in 2003, it took an elaborate sting operation involving three countries to arrest an arms dealer for selling a surface-to-air missile to an ostensible Muslim extremist. Entrapment is a very real possibility in all of these cases.
Yet for the context of cyberwarfare or cyberterrorism, sting operations and confidential informants are a critical method of turning the insider threat right back at the antagonist. Earlier this year, I quantified terrorism in the realm of cyberwar:
In warfare theory and historical precedent, having a civilian team working inside another country's infrastructure has another name: Terrorism.
Geneva Conventions stipulate combatants need to be identified – uniforms, ID cards, etc. When they're not, it's little more than a street fight between heavily armed factions not unlike Somalia in the 1990s.
With fast results and hard-to-quantify threat vectors, attacks through cyberspace require a real-world assessment – how much information can be gained is often a result of how well integrated the public sector is with the assets in the private sector. The IT professional is becoming more and more involved.
So what makes the insider threat of a criminal's actions toward an organization different than law enforcement undercover operations?
Why cops don't have to tell you they're cops
While we've discussed the important place held by the strategy of warfare, known as destruction from within, there is an important distinction to understand for anyone who may be on a jury, or involved in any cybercrime case. The key is this: If a suspect is trending toward the bad behavior in question, entrapment will ultimately fail to be proven as a defense should the suspect be given enough space to provide intent to commit harm.
Susan Brenner, law professor and author of the blog CYB3RCRIM3, commented on entrapment and explains the purpose of sting operations in her blog post from a few years ago:
In setting up a sting, the government's whole purpose is to induce someone who ultimately becomes a defendant to commit (or attempt to commit, in some stings) the crime for which he is charged.
That is not a problem as long as the government can prove that he was predisposed to commit the crime. We see this in the 'To Catch a Predator' and other, similar online stings: The government merely creates the opportunity for someone to embark on the commission of a crime, such as traveling to have sex with what the person believes is a minor with whom he has corresponded online.
As long as the government's role is purely passive – as long as it is limited, basically, to creating the opportunity for someone to act on their own, evil impulses – the government will not be deemed to have entrapped the person into the commission of a crime.
Wikipedia defines what constitutes entrapment similarly:
"It is not entrapment for a government agent to pretend to be someone else and to offer, either directly or through an informer or other decoy, to engage in an unlawful transaction with the person."
"There is no entrapment where a person is ready and willing to break the law and the government agents merely provide what appears to be a favorable opportunity for the person to commit the crime."
Rock-paper-scissors: Entrapment versus social engineering versus inaction
Rock: (privacy) The overall goal in the public's best interest is to make our information systems harder to target while preserving a balance of privacy. As the criminal sphere shifts toward cybercrime and the nation-states jockey for position in cyberwarfare, expect to see an increase in cybersecurity and attribution. The harder part for both parties – prosecution and defense – will continue to be convincing a jury that reasonable doubt either does or does not exist.
Paper: (law enforcement officer) Providing an opportunity to demonstrate ill will without actually exposing the public to danger is the fine line which most law enforcement officers have to walk on a daily basis. Stings and confidential informants often provide the only credible method of documenting intent rather than risking actual exposure. The tactics of a sting or an insider may change slightly to accommodate technology, but the initial premise remains the same: If you're looking for something illegal to do in the first place, stings will give you enough rope to hang yourself.
Scissors: (defense) It is still the defense attorney's job to provide the entrapment defense as part of our legal system, which requires an adequate defense be provided to all defendants whether or not they can afford it. Providing a defense against tactics which may become over-reaching is the responsibility of the defense legal team.
For CIOs and IT managers caught in the crossfire of discovery motions, this often creates undue concern. Dealing with law enforcement can be a scary situation for anyone, let alone those who may often be more comfortable with ones and zeros than with personal confrontation.
My advice for anyone involved: First, relax. Law enforcement teams are often very quiet about their investigations and if they're asking for help it is because they truly want to help. Second, relax and realize that inevitably you as a security professional will be involved in some type of investigation. Third, relax and read up on the topic.
One way to counter undue anxiety may involve reading up on basic criminal procedure to fill in the blanks.
- I would first recommend Google Scholar searches, starting with the articles which Joel Brenner has published on applicable cyber laws.
- Byron Acohido and Jon Swartz have a great book called Zero Day Threat about internet security and financial targets.
- Reading Nolo's Deposition Handbook by Paul Bergman is helpful in most civil litigation, and has great witness tips that carry over into criminal matters.
- Lastly, check out the Cyber Crime Investigator's Field Guide, written by Bruce Middleton. While dated, it is a fast read and has excellent content.