Recently, Guest Editor Tom Holt caught up with Special Agent Thomas Hyslip, the Resident Agent in Charge of the Department of Defense, Defense Criminal Investigative Service (DCIS), Cyber Field Office, Eastern Resident Agency. Agent Hyslip has specialized in cybercrime investigations and computer forensics and has testified as an expert witness on computer forensics and network intrusions at numerous federal, state, and local courts. Agent Hyslip graciously answered several of Tom’s questions and discussed highlights of his fascinating career.
TH: How did you start your career in law enforcement?
SATH: I started as a Special Agent with the Secret Service in 1998. After 5 years in the Army, I knew I wanted to work in law enforcement, but was limited to where I could apply because of my location. I was stationed at Rock Island Arsenal, IL, and all the state or local law enforcement jobs would have required me to travel to the location numerous times during the application process. So I concentrated on federal law enforcement, and thankfully the Secret Service was hiring. At that time I didn’t have any preference as to what agency I worked for, so I applied to the Secret Service, ATF, and DEA and took the first offer I received.
TH: What drew you to the field?
SATH: I thought law enforcement in general would be rewarding, yet challenging. My undergraduate degree is in engineering, so I have always enjoyed solving problems, and the thought of conducting investigations was intriguing. So my goal was to become a detective with a state or local agency or an agent with a federal agency.
TH: How long have you worked for DOD OIG?
SATH: Eight years in May 2015.
TH: And, what led you to work on cybercrime?
SATH: After I was hired by the Secret Service in 1998, cybercrime began to significantly increase. America Online was in its prime, and high speed Internet through the cable companies was spreading fast. Also at that time, the Secret Service was the lead federal agency for investigating cybercrime, other than national security investigations, and those were done by the FBI. I was assigned to the Pittsburgh field office, and the Secret Service was training at least one agent per office to investigate cybercrime and conduct computer forensics. When the Special Agent in Charge asked if anyone was interested in being trained, I volunteered. I was also interested in computers and thought the training would be fun. I had no idea at the time that it would lead to my entire career being in cybercrime.
TH: Can you explain the mission of your office/role?
SATH: The mission of the DOD IG is to fight fraud, waste, and abuse in the Department of Defense. The Defense Criminal Investigative Service (DCIS) is the criminal enforcement arm of the IG. Within the DCIS, there is the Cyber Field Office, and the mission is to investigate computer intrusions into the DoD and other cybercrimes that affect the DoD and its programs. So in addition to intrusions within the DoD, we also investigate intrusions into DoD contractors when DoD information is affected. We also provide computer forensics support to the entire DCIS for all the criminal investigations. We also provide support to other components of the IG such as admin investigations, whistleblower, hotline, etc. My role is the Resident Agent in Charge (RAC) of the Cyber Field Office, Eastern Resident Agency. So I supervise the cybercrime agents located in the eastern USA.
TH: Can you describe your educational background?
SATH: Certainly. I have a mix of postsecondary education and government/private industry training. Academically, I have a doctor of science degree in information assurance from Capitol College, a master of science degree in technology systems from East Carolina University, and a bachelor of science degree in mechanical engineering from Clarkson University.
TH: And, I would presume you have quite a bit of technical training.
SATH: I do. As part of my training with the Secret Service, I attended a 4-week class at the Federal Law Enforcement Training Center. The course was a mix of computer forensics, networking, and intrusion investigation and was put on by the Department of Treasury Enforcement Bureaus (Secret Service, IRS, ATF, and Customs). The forensic training was based on the FLETC Seized Computer Evidence Recovery Specialist (SCERS) training program, which some people may be familiar with.
SATH: And, later, I attended the basic and advanced data recovery classes at the National White Collar Crime Center, Guidance Software’s Encase training, and Access Data’s FTK boot camp. And, finally, I have attended a network security and intrusion course at the National Security Agency and the Certified Ethical Hacker boot camp and certification.
TH: Walk us through an average day. What do you do?
SATH: Because I am a supervisor, my day is pretty boring most of the time, at least when compared to my agents in the field. Typically I am on the phone, answering e-mail, and reading and approving reports all day. While I stay engaged with all my agents’ investigations, I am not actively conducting the investigations. Rather, I am providing guidance and assigning work to my agents. They, in turn, get to conduct the investigations through interviews, evidence collection, and forensic analysis.
TH: What is the most difficult case you’ve worked?
SATH: I was involved with the Mariposa/Butterfly botnet investigation. The FBI and foreign law enforcement were investigating the hackers who wrote and maintained the malware that operated the Mariposa botnet, and at the same time, I was actively investigating a hacker in the USA who was selling compromised computers (bots). It turned out my suspect was also operating a large Mariposa botnet, so we began to work together (the FBI and DCIS). It was difficult because during the course of the investigation I obtained control of the botnet from the suspect, and it consisted of over 50,000 compromised computers. Together we had to dismantle the botnet and also do our best to inform the owners of the victim computers.
TH: What is the most rewarding case?
SATH: There was a case where a hacker obtained access to numerous DoD and many other federal, state, and local government computers, and posted accounts and portions of SQL databases for sale. I was able to track the hacker back to an IP address in Kuwait, and working with Kuwaiti law enforcement, we were able to identify the hacker. The hacker was indicted for the crimes and is currently a fugitive. Although he hasn’t been captured yet, the case was rewarding because the system worked as it should. Through MLAT requests and a good working relationship with foreign law enforcement, the hacker is now a known fugitive and published by Interpol for capture and extradition to the United States if he is identified while traveling internationally.
TH: What is the most important thing you think is needed to improve the law enforcement response to cybercrime?
SATH: The laws need to be updated to reflect the fast and ever-changing nature of cybercrime. By that I mean the laws related to obtaining account information, IP logs, and evidence from third parties. For example, if there is an intrusion at the DoD and the logs show the intrusion was from the IP address 220.127.116.11, we will determine who the IP address 18.104.22.168 is registered to and then obtain a subpoena for the account holder’s information. The subpoena can take up to 30 days to receive the information. Once we receive the information, we then have to send an agent to interview whoever was assigned the IP address at the time of the intrusion. Usually the IP address was assigned to a home user from a large ISP, and she was a victim as well. The criminal hacked the home user’s computer, then used her computer to hack the DoD. Now we have to analyze the computer to determine where the hacker came from when he hacked the home user’s computer. This leads us to another IP address, and the cycle starts again. Smart criminals “hop” through numerous computers on their way to the end target, knowing we (law enforcement) will have to try and trace the hops back. The process can take many months waiting on subpoena responses, and often the IP address logs will be gone by the time we get there. So, requiring faster responses for subpoenas would definitely help.
TH: What else might help in the fight against cybercrime?
SATH: The prosecutors, both federal and state, need more resources to investigate cybercrime. There are only finite resources in every U.S. attorney’s office and district attorney’s office, so many cybercrimes do not get prosecuted. For example, intrusion attempts are rarely prosecuted. Only if the intrusion is successful is the crime investigated and prosecuted. This allows hackers to keep trying until they are successful. If the attempts were prosecuted, it could deter future hackers from trying. I liken the current situation to a criminal who takes a gun to the airport. Are you going to simply turn away a person who tries to take a gun through security at the airport or arrest him when he is caught trying? Obviously, you arrest him. Otherwise, he will keep coming back and trying to get the gun through security until he is successful. But with cybercrimes, we simply turn them away and let them try again another day. Eventually, they will be successful.
TH: In terms of international cases, what are some of the unique challenges that you have to deal with?
SATH: Take the challenge of a domestic case with subpoena response time and easily double or triple the time it takes to obtain records. With international cases, the U.S. government has to file a request under the Mutual Legal Assistance Treaty (MLAT) with the foreign government and request assistance to obtain the records, i.e., IP logs. The MLAT process is tedious, similar to obtaining a search warrant, and then you are dependent on the foreign government to obtain the records. Some will assist, but many will not, and even when they do provide assistance, it can take months to obtain a response. Criminals also know that certain countries will not cooperate with U.S. law enforcement, so they purposely try to hop through a hacked computer in one of those countries. Then when we track the hacker back to that country, our investigation is effectively done.
TH: How can research improve the response to cybercrime?
SATH: Since much of cybercrime is now automated through the use of malware and botnets, research can significantly improve the ability of law enforcement and network defenders to respond to cybercrime. Furthermore, the anonymity of the Internet allows criminals to hide through the use of TOR, I2P, and payment systems such as bitcoin. Research into identifying criminals using these systems would be very helpful to law enforcement.
TH: What would you tell students who want to enter this ﬁeld in terms of necessary experience, training, education, expectations?
SATH: Historically most students obtained a degree in criminal justice to work in law enforcement, and that is still a good path to follow. However, I recommend students who wish to work in cybercrime to obtain a degree in CJ with a minor in computer science, or vice versa. It is much easier to teach a police recruit how to investigate and enforce laws than it is to teach a police recruit computer hardware, software, and networking. So if you already have experience and a background in computer science, information assurance, networking, or administration, you will have a leg up on those who do not. If you look at the FBI website, they are currently seeking applicants with backgrounds and expertise in “IT network administrators, intrusions.” Therefore, consider taking your electives or a few extra courses in computers and information technology. The more experience you have with computers and networking, coupled with a background in criminal justice, the easier it will be to obtain a career in cybercrime.
TH: Some people may not think of cybercrimes as having a physical demand on the responding officers/agents as do physical or real-world crimes. Do you think cybercrimes have more of an emotional or psychological impact, and if so, how?
SATH: The majority of cybercrimes and “real world” crimes are very similar and have the same effect on a responding officer/agent, with the exception of crimes that involve bodily injury or death. However, I see two types of cybercrimes that may have more of an emotional or psychological impact on the officers. The first and most obvious are the crimes against children that are often classified as cybercrime. The emotional impact on officers involved in these types of cases can be severe and overwhelming at times. As anyone can imagine, having to investigate any crime involving children is difficult, but when the crime involves sexual acts against defenseless children, the emotional and psychological impact is severe. The second classification of cybercrime that has a psychological impact is hacking cases. When investigating top-tier hackers, especially groups such as Anonymous, agents are always concerned about retaliation. The possibility of hackers targeting agents is real and includes identity theft, credit damage, and even public smear campaigns online.
TH: In your opinion, from an investigative standpoint, what is it that makes a cybercrime case different from a traditional crime that occurs outside the virtual world?
SATH: Well, cybercrime cases are similar to traditional, large white collar fraud cases in that both investigations involve lots of paper, i.e., subpoenas, search warrants, and the subsequent review and analysis of the records or computer logs and account information. But what makes them different is the fast nature of the Internet and the quick destruction of potential evidence in cybercrimes. While investigators are waiting for subpoena or search warrant returns, there is a good possibility the digital evidence in another location may be getting overwritten or unknowingly destroyed. So you are always in a rush to get the evidence before it is gone.
TH: How can criminological/criminal justice research help improve our knowledge of cybercriminal behavior?
SATH: It is difficult for investigators to stay on top of the latest communication practices of cybercriminals, so up-to-date research on how cybercriminals communicate is very helpful. As we have seen in recent years, the mode of communications for hackers changes quickly. ICQ, AIM/MSN, PMs on forums, IRC chat rooms, TOR forums, online gaming forums— there are so many possible locations to communicate from, and it is easy to hide in plain sight, such as communicating via gaming systems, that investigators may not be aware of the newest mode of communications. If we were able to see the patterns of how and when different types of hackers (hacktivists, carders) work together, this would also be helpful from an investigative standpoint.