The Computer Crime Investigative Unit - CCIU

Military Police, March, 2002 by Carl W. Hunt

Since computers were incorporated into the mainstream Army equipment inventory about 10 years ago, criminals have been finding ways to use them inappropriately. As computers have been networked to share information, criminals have evolved and the "hacker" emerged. Computers and networks are critical components of the Army information technology and knowledge management infrastructure that supports how we communicate. Its protection is key to Army success--in the garrison and the field. The Army has built a major program called information assurance (IA) that seeks to protect its systems from a variety of problems, including--

* System misconfiguration.

* Failure to install security patches.

* Operator-error issues.

* Criminal behavior.

The figure shows the growth of the Army's computer-intrusion crime problem and how hackers are increasingly successful in spite of innovative attempts to limit their access. The incidents shown include multiple port scans, attempted intrusions, and other events short of actual computer-integrity compromise, while the intrusions involve hackers actually taking control of computers in one form or another.

In March 2000, the U.S. Army Criminal Investigation Command (USACIDC) activated the CCIU. It is a component of the 701 st MP Group (CID) and is comprised of specially trained personnel who investigate hackers and their crimes, seeking to jail these criminals. CCIU is broken into several sections to include--

* Command and control (C2).

* Criminal intelligence (CI).

* Security.

* Legal.

* Intrusion and technical teams.

* Liaison office.

The CID and CCIU are critical players in the IA program as the principal enforcers of the law and regulations that protect this important area of potential vulnerability.

C2 Team

The CCIU's C2 team oversees all office operations conducted by the other sections. The team is based in Fort Belvoir, Virginia, and includes the commander, operations officer, and operations assistant. Some of its duties include ensuring that the office personnel are receiving appropriate training and have the tools they need to fulfill their duties in the most expeditious and accurate manner.

CI and Security Manager

The CI and security manager is responsible for the overall management of the automated CI system for the CCIU. He analyzes factual or suspected situations of criminal behavior in significant criminal violations, determines certain patterns and trends of these criminal activities, and prepares analytical reports. He makes independent decisions regarding areas of investigative jurisdiction and responsibility and recommends appropriate CI actions to the commander and operations officer. The manager also evaluates commercially available programs and databases for use by the CCIU.

The CI manager conducts official liaison with federal law enforcement and intelligence organizations-- such as the National Infrastructure Protection Center and Joint Task Force Computer Network Operations, and other national law enforcement and intelligence organizations. In addition, the CI manager is also the CCIU security manager, coordinating intelligence-related activities for CCIU personnel.

Legal Advisor

CCIU also has an in-house attorney, trained and experienced in the technical knowledge of the workings of computers, networks, and programs. She is also an expert in the constantly evolving area of cyberand high-tech crime and works in full-time support of the CCIU mission. She is the principal advisor to the USACIDC on computer crime issues and is a computer law consultant to the U.S. Army Office of the General Counsel. The CCIU legal advisor is instrumental in obtaining computer search warrants, subpoenas, and foreign sources of evidence through U.S. State Department and U.S. Department of Justice procedures.

Intrusion Team

The intrusion team is responsible for identifying and pursuing leads generated by the forensic evaluation of victims' and suspects' computers. Each team member must be familiar with the technical aspect of the investigations and be able to view technical data through the eyes of a criminal investigator. These investigators must be able to understand the gigabytes of data thrust at them on a daily basis and the implications of that data and how to react to it. Each member is well versed in the technical jargon used by system administrators; they must be equally well versed in the hacker slang used on what is known as the Undernet--the "dark side"--of the Internet. CCIU special agents receive approximately 6 months of preparatory technical training before undertaking independent intrusion investigations.

Beyond being technically proficient and skilled investigators, members of the intrusion team also have to be skilled diplomats. Since nearly every investigation crosses through multiple jurisdictions, CCIU agents are required to deal with several different investigative agencies in each case. Moreover, since many intrusion investigations involve suspects in other countries, intrusion team members must know how to obtain information from foreign governments as well. The agents assigned to work intrusion investigations must be technically well versed, savvy investigators with the ability to improvise in a changing legislative environment. They must be independent, flexible, and creative, but above all, relentless.