Poison Ivy Scenario: Law Enforcement Surveillance

Metro Police Department: Urban police force, 2,500 officers, investigating organized crime
APT • PoisonIvy
STAKES
Criminal investigation integrity + Officer safety + Evidence security + Public safety
HOOK
Metro Police is conducting a major organized crime investigation when detectives notice their case management systems showing signs of remote access - investigation files being viewed during off-hours, surveillance footage being accessed remotely, and confidential informant data showing unauthorized activity. Criminal organizations have been using remote access tools to monitor police investigations.
PRESSURE
Organized crime arrests scheduled Thursday - any intelligence leak threatens officer safety and case integrity
FRONT • 150 minutes • Expert
NPCs
  • Detective Captain Sarah Williams: Leading organized crime investigation with compromised case management systems
  • IT Security Officer Michael Rodriguez: Investigating remote access patterns affecting law enforcement networks
  • Detective Lisa Chen: Reporting suspicious computer behavior during confidential investigation meetings
  • FBI Liaison Agent David Park: Coordinating federal support for compromised law enforcement investigation
SECRETS
  • Police personnel clicked on fake legal document attachments during case preparation
  • Criminal organizations have remote surveillance of police investigation systems
  • Confidential informant identities and investigation strategies have been exposed

Planning Resources

Tip: 📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Poison Ivy Law Enforcement Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: 🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Poison Ivy Law Enforcement Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

Opening Presentation

“It’s Monday morning at Metro Police Department, and the organized crime unit is finalizing arrest operations scheduled for Thursday - representing months of investigation into criminal networks threatening public safety. But detectives notice troubling signs: case management systems showing remote access during off-hours, surveillance footage being viewed remotely, and confidential informant data displaying unauthorized activity. Investigation reveals criminal organizations have been using remote access tools to monitor police investigations.”

Initial Symptoms to Present:

Warning: 🚨 Initial User Reports
  • “Detective workstations showing signs of remote desktop control during confidential criminal investigation meetings”
  • “Case management files being accessed automatically without authorization during off-hours”
  • “Screen surveillance and informant database access detected on law enforcement systems”
  • “Network traffic indicating exfiltration of investigation intelligence to criminal organization infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal classic Poison Ivy remote access trojan with complete system control capabilities on police systems
  • Email analysis shows targeted fake legal documents during organized crime case preparation
  • Timeline analysis indicates weeks of undetected remote access to criminal investigation files and confidential informant data

Protector System Analysis:

  • Detective workstation monitoring reveals real-time screen surveillance and investigation intelligence theft
  • Case management security assessment shows unauthorized access to criminal investigation files and informant identities
  • Law enforcement network security analysis indicates coordinated criminal targeting of police investigation systems

Tracker Network Investigation:

  • Command and control traffic analysis reveals criminal surveillance infrastructure with centralized remote access management
  • Organized crime intelligence patterns suggest systematic targeting of police investigation data and operational planning
  • Law enforcement communication analysis indicates criminal organization coordination to compromise investigation integrity

Communicator Stakeholder Interviews:

  • Detective interviews reveal suspicious computer behavior during confidential organized crime investigation meetings
  • Informant safety assessment regarding potential exposure of confidential identities and cooperation agreements
  • FBI coordination regarding federal support for compromised law enforcement investigation and officer safety protection

Mid-Scenario Pressure Points:

  • Hour 1: FBI discovers potential exposure of confidential informant identities threatening witness safety and investigation integrity
  • Hour 2: Criminal intelligence analysis reveals organized crime counter-surveillance operations using stolen police intelligence
  • Hour 3: Investigation strategies found compromised affecting Thursday arrest operations and officer safety
  • Hour 4: Informant security assessment indicates potential witness intimidation requiring immediate protection coordination

Evolution Triggers:

  • If investigation reveals informant exposure, witness safety and criminal prosecution are compromised
  • If remote surveillance continues, criminal organizations maintain persistent access to police investigation intelligence
  • If arrest operation compromise is confirmed, officer safety and investigation integrity are severely threatened

Resolution Pathways:

Technical Success Indicators:

  • Complete remote access trojan removal from law enforcement systems with forensic preservation of criminal evidence
  • Investigation file and informant data security verified preventing further unauthorized criminal organization access
  • Criminal surveillance infrastructure analysis provides intelligence on organized crime targeting of police operations

Business Success Indicators:

  • Thursday arrest operations protected through secure evidence handling and FBI coordination
  • Investigation integrity maintained through professional incident response demonstrating commitment to officer safety
  • Public safety obligations met preventing criminal organization advantage through compromised police intelligence

Learning Success Indicators:

  • Team understands classic RAT capabilities and criminal organization surveillance of law enforcement operations
  • Participants recognize organized crime targeting and officer safety implications of investigation intelligence theft
  • Group demonstrates coordination between cybersecurity response and law enforcement operational security requirements

Common IM Facilitation Challenges:

If Remote Access Sophistication Is Underestimated:

“Your malware analysis is progressing, but Agent Park discovered that criminal organizations have been monitoring confidential investigation meetings in real-time for weeks. How does complete remote desktop access by criminals change your officer safety protection approach?”

If Informant Safety Implications Are Ignored:

“While you’re removing the RAT, Captain Williams needs to know: have confidential informant identities been exposed to criminal organizations? How do you coordinate cybersecurity response with witness protection and investigation integrity preservation?”

If Officer Safety Impact Is Overlooked:

“Detective Chen just learned that Thursday arrest operation strategies may be in criminal hands. How do you assess whether stolen investigation intelligence has been used for counter-surveillance or witness intimidation operations?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish law enforcement surveillance crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing criminal RAT capabilities and officer safety implications.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of criminal surveillance challenges. Use the full set of NPCs to create realistic arrest operation and witness protection pressures. The two rounds allow discovery of informant exposure and investigation compromise, raising stakes. Debrief can explore balance between cybersecurity response and officer safety coordination.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing arrest operations, informant protection, investigation integrity, and officer safety. The three rounds allow for full narrative arc including remote access discovery, witness safety impact assessment, and FBI coordination.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate law enforcement tools causing false positives). Make containment ambiguous, requiring players to justify witness protection decisions with incomplete forensic evidence about criminal targeting. Remove access to reference materials to test knowledge recall of RAT behavior and law enforcement security principles. Include deep coordination with FBI and potential organized crime counter-surveillance implications.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Digital forensics reveal classic Poison Ivy remote access trojan providing complete system control over Metro Police Department detective workstations. Security analysis shows criminal organizations maintaining real-time screen surveillance, keystroke logging, and investigation intelligence exfiltration. Detectives report workstations performing unauthorized actions during confidential organized crime investigation meetings affecting Thursday arrest operations.”

Clue 2 (Minute 10): “Timeline analysis indicates remote desktop access maintained for weeks through targeted fake legal documents during criminal case preparation. Command and control traffic analysis reveals organized crime surveillance infrastructure coordinating systematic police investigation intelligence theft. Case management security assessment shows unauthorized criminal access to investigation files and confidential informant identities affecting witness safety and operational security.”

Clue 3 (Minute 15): “FBI coordination discovers confidential informant data exposed to criminal organizations confirming witness safety compromise and investigation integrity breach. Detective safety assessment reveals arrest operation strategies compromised threatening officer safety during Thursday operations. Law enforcement security analysis indicates coordinated criminal targeting of police investigation requiring immediate witness protection and FBI support coordination.”


Pre-Defined Response Options

Option A: Emergency Investigation Isolation & FBI Coordination

  • Action: Immediately isolate compromised detective systems, coordinate comprehensive FBI investigation with witness protection assessment, conduct informant safety damage assessment, implement emergency security protocols for arrest operation protection and federal coordination.
  • Pros: Completely eliminates criminal remote surveillance preventing further investigation intelligence theft; demonstrates responsible law enforcement incident management; maintains officer safety through transparent FBI coordination and witness protection.
  • Cons: Investigation system isolation disrupts Thursday arrest operations affecting case timeline; FBI coordination requires extensive law enforcement cooperation; damage assessment may reveal significant informant exposure compromising witness safety.
  • Type Effectiveness: Super effective against APT malmon type; complete remote access removal prevents continued criminal surveillance and investigation intelligence theft.

Option B: Forensic Preservation & Targeted Remediation

  • Action: Preserve FBI investigation evidence while remediating confirmed compromised systems, conduct targeted informant safety assessment, coordinate selective federal notification, implement enhanced monitoring while maintaining arrest operations.
  • Pros: Balances arrest operation requirements with FBI investigation; protects critical law enforcement operations; enables focused witness protection response.
  • Cons: Risks continued criminal remote surveillance in undetected locations; selective remediation may miss coordinated targeting; forensic requirements may delay investigation protection and officer safety.
  • Type Effectiveness: Moderately effective against APT threats; reduces but doesn’t eliminate criminal remote access presence; delays complete investigation security restoration.

Option C: Operational Continuity & Phased Security Response

  • Action: Implement emergency secure investigation environment, phase remote access removal by case priority, establish enhanced law enforcement monitoring, coordinate gradual FBI notification while maintaining Thursday arrest operations.
  • Pros: Maintains critical arrest operation timeline protecting investigation integrity; enables continued law enforcement operations; supports controlled FBI coordination.
  • Cons: Phased approach extends criminal surveillance timeline; emergency operations may not prevent continued investigation intelligence theft; gradual notification delays may violate witness protection requirements and affect officer safety.
  • Type Effectiveness: Partially effective against APT malmon type; prioritizes arrest operations over complete criminal surveillance elimination; doesn’t guarantee informant protection or investigation integrity.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Criminal Investigation Compromise Discovery (35-40 min)

Investigation Clues (Time-stamped)

T+0 (Round Start): “It’s Monday morning at Metro Police Department. Your organized crime unit is finalizing arrest operations scheduled for Thursday - months of investigation into criminal networks. Detective Lisa Chen reports case management systems showing remote access during off-hours. IT Security Officer Michael Rodriguez detected unusual surveillance footage access patterns. Initial investigation suggests criminals may be monitoring police investigation intelligence.”

T+10 (Detective): “Lisa’s workstation forensics reveal classic Poison Ivy RAT with complete remote control - screen capture during confidential investigation briefings, keystroke logging capturing informant identities, file exfiltration of arrest operation plans. Email analysis shows fake legal documents targeting detectives during case preparation. Malware active for approximately 3 weeks during critical operation planning phase affecting Thursday organized crime arrests.”

T+15 (Protector): “Michael’s security analysis confirms multiple detective workstations compromised with real-time surveillance of criminal investigation activities. Case management logs show unauthorized access to confidential informant database and surveillance footage. Network monitoring reveals sustained command and control traffic to external criminal infrastructure indicating ongoing intelligence gathering about police operations.”

T+20 (Tracker): “Command and control infrastructure analysis reveals criminal organization counter-surveillance operation. Traffic patterns indicate systematic exfiltration of investigation strategies, informant identities, and arrest operation plans. Threat intelligence suggests organized crime groups have been targeting law enforcement systems to compromise criminal prosecutions - witness intimidation and counter-surveillance capabilities.”

T+25 (Communicator): “Detective interviews confirm suspicious computer behavior during confidential briefings - investigation files opening automatically, informant database accessed without input, surveillance footage displayed during private strategy sessions. Captain Williams extremely concerned about Thursday arrest operation security. FBI Liaison Agent Park requesting immediate briefing about potential compromise of federal case coordination.”

Response Options

Option A: Emergency Investigation Isolation

  • Action: Immediately disconnect compromised detective systems, secure informant identities offline, initiate comprehensive FBI breach investigation, reassess Thursday operation security
  • Pros: Stops active criminal surveillance immediately; protects officer safety and informant security
  • Cons: Disrupts Thursday arrest operation timeline; may alert criminals to police awareness
  • NPC Reactions:
    • Captain Williams: “This jeopardizes months of work, but officer safety comes first.”
    • FBI Agent Park: “Federal coordination requires immediate assessment of informant exposure.”

Option B: Monitored Containment

  • Action: Leave systems online while implementing enhanced monitoring, document ongoing criminal intelligence gathering, prepare for controlled remediation while observing criminal objectives
  • Pros: Maintains Thursday operation timeline; gathers evidence of criminal targeting
  • Cons: Continued informant exposure during observation; extreme risk to officer safety
  • NPC Reactions:
    • Michael: “We can learn their objectives, but every minute risks informant lives.”
    • FBI: “Each moment of delay could compromise witness protection obligations.”

Option C: Selective Remediation

  • Action: Isolate critical arrest operation systems only, phase removal by case sensitivity, maintain some investigation operations for Thursday
  • Pros: Balances officer safety with Thursday arrests; protects most critical operations
  • Cons: Partial approach may leave criminal surveillance gaps in related investigations
  • NPC Reactions:
    • Captain: “Acceptable compromise - Thursday operation gets priority protection.”
    • Informant Handler: “What about the witnesses not prioritized?”

Pressure Events

T+30: “PRESSURE EVENT - Confidential informant contacts handler in panic: ‘People I’ve never seen before are watching my house. Someone followed my kid to school today. Did the targets find out I’m cooperating?’ How do you respond when investigation compromise may have exposed informant identity?”

Round 1 Transition

Based on team response choice, reveal:

If Emergency Isolation: “Your rapid isolation prevented further criminal intelligence theft. Forensics confirms approximately 40% of investigation files accessed - including confidential informant identities and Thursday arrest operation plans. Criminal organizations had real-time surveillance of strategy meetings for 3 weeks. FBI needs immediate witness protection assessment.”

If Monitored Containment: “Your monitoring documented extensive criminal intelligence gathering. Attackers accessed 65% of investigation files and observed detailed arrest operation planning. Evidence suggests criminal organization counter-surveillance preparation - witness intimidation plans may be in development. FBI warns: continued exposure constitutes reckless endangerment.”

If Selective Remediation: “Thursday operation systems secured, but criminal surveillance continued on related investigations. Approximately 55% case file exposure including some informant identities. Thursday arrests feasible if criminals don’t know we detected their surveillance. FBI coordination required regardless of phased approach.”

Round 2: Officer Safety & Witness Protection (35-40 min)

Investigation Clues (Time-stamped)

T+35 (Round Start): “Investigation systems partially secured, but scope of criminal intelligence compromise now clear. Thursday arrest operations may be compromised - criminals potentially know operation plans and informant identities. Team must decide: proceed with arrests accepting criminal awareness risk, delay for complete security rebuild, or coordinate emergency FBI witness protection while redesigning operation strategy.”

T+45 (Detective): “Criminal intelligence exposure forensics complete. Attackers accessed: investigation strategies, informant identities and cooperation agreements, surveillance footage showing undercover operations, arrest operation timing and locations. Timeline shows systematic counter-surveillance gathering aligned with Thursday operation planning. Evidence shows criminal organization specifically targeted police systems to compromise prosecution.”

T+50 (Protector): “Case management security audit reveals deeper exposure than initially detected. Undercover officer identities may be compromised - surveillance footage accessed showing undercover operations. Security rebuild estimated at 2-3 weeks for comprehensive remediation. Emergency Thursday arrest operations possible with manual protocols if criminals aren’t aware we detected their surveillance.”

T+55 (Tracker): “Criminal organization analysis suggests this was deliberate counter-surveillance operation against organized crime investigation. Similar patterns detected affecting other law enforcement agencies investigating same criminal network. Evidence indicates criminal organization has coordinated intelligence gathering capabilities targeting multiple jurisdictions. FBI considering federal organized crime prosecution implications.”

T+60 (Communicator): “Captain facing intense pressure about Thursday arrest operations from department leadership. Several informants reporting surveillance and potential intimidation attempts. FBI preparing emergency witness protection protocols. District Attorney warning that compromised investigation may jeopardize prosecution even if arrests succeed.”

Response Options

Option A: Emergency Witness Protection & Operation Redesign

  • Action: Immediate FBI witness protection for exposed informants, delay Thursday arrests for operation redesign, coordinate comprehensive federal case security review
  • Pros: Prioritizes witness safety and officer protection; maintains prosecution integrity
  • Cons: Delays arrest operations allowing continued criminal activity; potential informant confidence impact
  • Victory Conditions:
    • Technical: Clean systems with verified officer safety protocols
    • Business: Investigation integrity maintained despite operational delay
    • Learning: Team understands law enforcement cybersecurity prioritizes lives over cases

Option B: Secure Thursday Operations with FBI Coordination

  • Action: Implement emergency secure protocols for Thursday arrests, enhance officer safety measures, coordinate real-time FBI support, accept increased operational risk
  • Pros: Maintains operation timeline protecting months of investigation work; demonstrates determination
  • Cons: Proceeds with potentially compromised operation; officer safety risk if criminals prepared
  • Victory Conditions:
    • Technical: Emergency protocols enable secure operation execution
    • Business: Arrests proceed with enhanced safety coordination
    • Learning: Team appreciates operational risk management during compromise

Option C: Targeted Arrests with Witness Protection

  • Action: Proceed with highest-priority arrests only, immediate witness protection for exposed informants, coordinate partial operation while rebuilding investigation security
  • Pros: Balances prosecution objectives with safety priorities; reduces scope to minimize risk
  • Cons: Partial arrests may alert remaining targets; complex coordination of simultaneous operations
  • Victory Conditions:
    • Technical: Priority targets secured with witness protection
    • Business: Partial prosecution success while maintaining safety
    • Learning: Team learns operational trade-offs during criminal targeting

Pressure Events

T+70: “PRESSURE EVENT - Organized crime intelligence: Criminal targets of Thursday arrests were observed meeting with unknown individuals reviewing documents that match your investigation strategy briefings. Criminals may know exact arrest timing and locations. How does this intelligence affect your Thursday operation decision?”

Facilitation Questions

  • “What obligations exist to protect informants when criminal organizations gain access to their identities?”
  • “How do you balance months of investigation work against potential officer safety compromise?”
  • “What prosecution implications exist when criminals have monitored investigation strategies?”
  • “How do you coordinate across local police, FBI, and witness protection during crisis?”

Victory Conditions

Technical Victory:

  • All Poison Ivy infections removed from law enforcement systems
  • Informant identities secured with FBI witness protection coordination
  • Investigation file access restricted and monitored

Business Victory:

  • Thursday operations proceed safely or delayed appropriately for security
  • Witness protection fulfills law enforcement obligations
  • Prosecution integrity maintained through appropriate FBI coordination

Learning Victory:

  • Team understands criminal organization targeting of law enforcement
  • Participants recognize officer safety and witness protection as paramount priorities
  • Group demonstrates coordination between cybersecurity and law enforcement operations

Debrief Topics

  1. Criminal Counter-Surveillance: How organized crime targets police investigations
  2. Witness Protection Obligations: Law enforcement duties to informant safety
  3. Officer Safety Priorities: When operational success cannot override safety
  4. FBI Coordination: Federal support during compromised local investigations
  5. Prosecution Integrity: How criminal intelligence gathering affects court cases

Full Game Materials (120-140 min, 3 rounds)

[Comprehensive materials similar to Corporate Espionage and Financial Advisory scenarios, adapted for law enforcement context with focus on:]

  • Round 1: Initial compromise discovery with detective workstation forensics
  • Round 2: Criminal counter-surveillance impact with informant safety assessment
  • Round 3: Operational security decisions balancing arrests, witness protection, and prosecution integrity
  • NPCs: Captain Williams, FBI Agent Park, Detective Chen, IT Officer Rodriguez
  • Pressure Events: Informant panic, criminal surveillance detection, undercover officer exposure
  • Strategic Decisions: Operation timing, witness protection scope, federal coordination, prosecution strategy

Advanced Challenge Materials (150-170 min, 3+ rounds)

Additional Complexity Layers

Red Herrings

  1. Legitimate Law Enforcement Tools:
    • Case management remote access for multi-agency coordination
    • FBI database queries generate unusual network patterns
    • Automated criminal database updates during off-hours
    • IM Challenge: Distinguish criminal surveillance from authorized law enforcement systems
  2. Detective Remote Work:
    • Detectives accessing case files from home during long-term surveillance operations
    • Multi-jurisdictional coordination requires unusual access patterns
    • Undercover officers accessing systems from external locations
    • IM Challenge: Separate authorized remote investigation work from criminal monitoring
  3. Criminal Investigation Complexity:
    • Organized crime targets conduct legitimate counter-surveillance (legal)
    • Criminal defense attorneys request discovery materials
    • Internal affairs investigations create overlapping access patterns
    • IM Challenge: Differentiate between legal activities and criminal system compromise

Knowledge Recall Testing

Teams must recall from training:

  1. Law Enforcement Cybersecurity:
    • What special obligations exist to protect informant identities?
    • When does criminal intelligence gathering require FBI notification?
    • What witness protection protocols apply during system compromise?
    • How does chain of custody apply to digital evidence?
  2. Officer Safety Principles:
    • When does operational success get subordinated to safety?
    • What risk assessments apply to compromised arrest operations?
    • How do you evaluate threat levels from criminal counter-surveillance?
    • What tactical considerations apply when criminals know operation plans?
  3. Prosecution Integrity:
    • How does criminal access to investigation strategies affect cases?
    • What discovery obligations exist for defense about compromise?
    • When does system compromise require case dismissal?
    • How do you maintain evidence integrity during security incidents?

Advanced Facilitation Challenges

Challenge 1: Officer Safety vs. Case Success

“Your investigation represents 18 months of work and could dismantle a major criminal organization. But proceeding with Thursday arrests risks officer safety if criminals know the plans. Do you prioritize the case or officer safety? What threshold of risk is acceptable?”

Challenge 2: Informant Protection Ethics

“Forensics shows some informant identities were definitely exposed, others uncertain. Full witness protection for all informants would compromise the investigation and waste resources. Do you protect everyone or accept risk for uncertain exposures? What duty exists to witnesses?”

Challenge 3: Criminal Intelligence Advantage

“Even if you remove the RAT, criminals already have your operation plans. Redesigning arrests takes weeks, allowing continued criminal activity. Do you proceed with compromised operations or delay while criminals continue crimes?”

Challenge 4: Prosecution Disclosure

“Defense attorneys may be entitled to know about system compromise affecting evidence integrity. Disclosure could lead to cases being dismissed. Do you fulfill discovery obligations or argue the compromise doesn’t affect prosecution? What are the ethical boundaries?”

Scenario Variations

Variation 1: Undercover Officer Identity Compromised

  • Surveillance footage accessed showing undercover officer operations
  • Criminal organization may have identified officer
  • Immediate extraction vs. mission completion trade-offs
  • Additional pressure: Officer safety overrides all other priorities

Variation 2: Criminal Organization Counterattack

  • After detecting investigation, criminals launch coordinated response
  • Multiple officers targeted with surveillance and intimidation
  • Escalation from intelligence gathering to direct threats
  • Additional pressure: Department-wide security crisis

Variation 3: Federal-Local Coordination Conflict

  • FBI wants immediate witness protection and operation delay
  • Local department leadership demands Thursday arrests proceed
  • Conflicting priorities about informant safety vs. case timing
  • Additional pressure: Inter-agency political dynamics during crisis

Modernization Discussion

Contemporary Parallels:

  • Russian cyberattacks against law enforcement investigating organized crime
  • Chinese state-sponsored targeting of FBI investigations
  • Ransomware attacks against police departments
  • Criminal use of encrypted communications and counter-surveillance

Evolution Questions:

  • How do modern encrypted criminal communications change law enforcement surveillance?
  • What role does AI play in criminal counter-surveillance detection?
  • How has cloud-based case management affected police cybersecurity?
  • What new threats exist from nation-state actors supporting organized crime?