Getting Governments & the Public to Take Cybercrime Seriously
Originally aired on June 15, 2020 @ 7:30 PM - 8:00 PM EDT
Best of: Internet Summit 2018
- Detective Superintendent Andrew Gould - National Cybercrime Programme Lead, National Police Chiefs’ Council
- Ollie Whitehouse - CTO, NCC Group
- Moderator: Alissa Starzak - Head of Policy, Cloudflare
English
Internet Summit
Transcript (Beta)
🎵Outro Music🎵 🎵Outro Music🎵 So, welcome back everyone.
I'm excited to be here today with Detective Superintendent Andrew Gould, who's the National Cybercrime Program Lead for the National Police Chiefs Council, and Olly Whitehouse, the Chief Technical Officer at NCC Group.
So, I want to start, the title of our panel is getting governments and the public to take cybercrime seriously.
And the thing I want to start with is actually, what is cybercrime?
Because this is where we started when we started having our discussions, and I don't think there's a common understanding.
So, let's talk about that.
Yeah, so, you know, I think sometimes people think of cybercrime and it's people hacking computers, and that's what cybercrime is, when in actual fact it's kind of more nuanced than that.
So, yes, that is a dimension of it, but then there is kind of traditional crimes which have been enabled by the advent of cyber.
And I think, you know, the biggest manifestation that we see of that today, traditional kind of fraud type activities, where cyber is merely the tool or the technique used to perpetrate a crime that's been around for arguably centuries.
So, on the reporting side of that, we were just talking about reporting of crime.
What do you see?
What type of cybercrime do you see reported? And what do people think of what cybercrime is?
Yeah, I mean, it's massively underreported because, well, for a number of different reasons.
Well, I think one of the reasons is because there's a real lack of confidence that policing will be able to, A, be interested and B, be able to do anything with it.
So, we've seen traditionally a real lack of interest across policing.
If I was being really honest, I think the response that business has had and members of the public have had for the last few years has been shocking.
It's been really, really bad. It's not been a priority for policing, so no one's really invested in it.
That's really changed in the last couple of years.
There's some fantastic relationships now at the national level with GCHQ, National Cyber Security Centre, National Crime Agency, and ourselves in policing.
To the extent we have national tasking, which is something you only get in counterterrorism.
We're very fragmented in policing. Generally, you've got 43 forces.
You can't tell, you know, one force can't tell another force how to manage something or deal with something.
So, you know, we're kind of stuck with some 19th century structures to deal with 21st century threats.
But in the cyber space, certainly in the cyber-dependent spaces, we would describe it.
So you're kind of, you know, you're computers on computers, as opposed to the wider cyber -enabled fraud side.
We're actually in a really good space. There's some really good regional and national capability.
We share work across the teams and across the NCA and with GCHQ.
And more and more with the private sector as well, which Ollie might be able to touch on in a moment.
So we've built a good capability and we're getting some really good operational results.
The big gap for us is at that local level.
So maybe the high-level organised crime groups and hostile state actors, we're starting to have quite a positive impact.
But if you're, you know, a member of the public living at 10 High Street, you're probably not going to get much of a response, certainly outside of London, which is really poor.
So there's a lot of money coming from government at the moment to build local force cyber-crime units and we'll be rolling those out over the next 12 months.
We're very much a primary focus on improving the victim experience, upskilling officers, not just within cyber-crime units, but across mainstream policing as well.
So there's an awful lot of good stuff going on and we hope that in the next 12 months, 18 months, that will start to filter through into kind of public consciousness, as it were.
So on all of those things that you just brought up, one of the things that kind of stood out to me is the question of the cyber-crime element.
Who commits cyber -crime?
And I think you brought up organised cyber-crime. So what percentage, or maybe percentage is the wrong term, but how much of it is organised and what does that look like?
So even on the more facilitated side, how much of that is organised criminal groups?
Yeah, I think when we see the incursions into a lot of private sector now, at least on the very sharp end, it is sometimes very difficult to differentiate between a hostile nation -state actor and organised crime.
So the larger breaches that we see, where they are acting in an indiscriminate manner just to see what they can secure access with, and then triage and basically then kind of convert that into something which is useful, is majoritatively what we do.
Because the low-end stuff is either going to be rent-to-malware or some kind of very poorly put together phishing campaign, which if you've only got a moderate degree of security, you're going to be able to rebuff with some success.
So does that change the law enforcement response?
If you know you have organised criminal groups, how do you think about responding?
And is that one of the reasons why the public's been so sceptical over the years?
Because it's a very hard thing to respond to.
Yeah, I think it's interesting to see how it's changing. In many ways, we're seeing at the top end things are getting more sophisticated, but we're becoming a lot more sophisticated and working a lot more closely with the agencies to get the response right.
We see, quite interestingly, more and more blurring between the hostile-state actors and the really top-end organised crime groups.
Is there a tasking relationship there?
Is there a kind of, we'll let you get on with what you're doing as long as you're not impacting on our country?
I'll leave those open to question.
Then you also see at the other end of the scale, as Ollie said, these sort of criminal services as a marketplace, lower barriers to entry.
There are really kind of easy-to-use tools, tutorials on YouTube showing you how to use them.
You don't have to be that technically skilled or sophisticated at the bottom end to do a lot of this stuff, as many of you will know.
So we're seeing a real kind of almost a democratisation of that criminal space in a way.
And by having criminal services as a marketplace, if you look at a traditional gang of bank robbers, they've got to know each other.
They've got to somehow come together. They'll have to be involved in some sort of planning.
Everyone will have different roles.
Someone's going to have to get the guns and bring them to the bank, and they'll all come together to then go and do the offence.
From a policing point of view, there are lots of different opportunities to attack that organised crime group through a number of different traditional policing methods.
Suddenly, it's a lot harder to do when it's an international group, many of whom may not have actually met each other, but are sharing services and whatever.
But that's not to say that all this is undoable.
We often find that a lot of these organised groups might be brilliant in some areas, but actually are quite poor in others.
I've never...
I mean, I've sort of got a background in investigating terrorism before I came across to this space.
I've never seen a terrorist group or an organised crime group that had brilliant operational security in every area, every day, in the online space, in the real -world space.
There are always vulnerabilities to exploit because they're human beings like us.
They're just as fallible as we are.
So there's always opportunities there. So it's easy to kind of make it all sound very scary and difficult to manage and do.
Personally, because I'm a bit sad, I find it quite fun, actually.
That challenge is brilliant.
And with a lot of the international working relationships we've got now, we can have much more effect overseas.
Ran a job about this time last year, actually, with the French, where we had a huge data...
kind of a hack and data exfiltration of a very large global financial services company.
They were then getting hit with an extortion demand.
The group then came in and said, right, for 500 grand's worth of Bitcoin, we'll give you all the stuff back.
For 700 grand's worth of Bitcoin, we'll tell you how we did it, which I thought was actually quite entrepreneurial, quite thoughtful.
200,000 pounds was a bargain, I thought. But anyway, obviously, the company didn't pay.
They got us involved and we took over that negotiation online, did some of the stuff that we could do with partners.
And we were able to identify and locate them in Paris.
So whilst we were doing what we were doing in London, I had officers from the Met over in Paris and the French National Cybercrime Unit had them under real-world physical surveillance for four or five days before we then decided to go and wrap them all up.
That's not rare. That's happening more and more.
That's exactly the space we want to be in. So we are starting to have quite a significant impact at that top end.
But as I said earlier, it's kind of closing that gap at the local end in terms of that volume of crime is the big challenge for us at the moment.
So Ali, on the private sector side of that, what role does the private sector play?
Is there a role for the private sector at all or is it entirely a law enforcement?
Yeah, no, it's very much a partnership these days.
So the reality is where kind of Andrew and their team will have various mechanisms and tools.
Private sector really, I guess, has different tools and techniques which we can use.
So we aren't bound necessarily by proportionality tests and these types of things.
So what we're able to do is we deal with the incidents actually in the institutions.
So we see, you know, hands -on the actual breach, the compromise.
You know, sometimes we get mature clients that will let the breach run for a period of time to gain a better understanding of what the attacker's motives were, what data they were after and what they were trying to exfiltrate, which can again kind of infer who they are and help with the attribution.
But similarly, I think on the e-crime side specifically, you know, there is a, as you will imagine, there is a product around that which large mature institutions want to buy in terms of understanding the threat.
And so without hacking back or any of the other illegal means, there are legal means in order to do crime group infiltration from the private sector perspective to understand those more readily.
And I think, you know, that is where we add basically capacity and understanding and a distillation of what the groups are doing.
We generally don't want those accesses that we have disrupted because we are commoditizing something off the back of it.
But we can at least inform, you know, is it a small campaign?
Is it a massive indiscriminate campaign? And actually then are there various subgroups that come in afterwards depending on the quality of the institution or the individual that's actually breached, which is often the perspective that we can, we give and do give.
So on that collaboration piece, does it flow both ways?
So do you get information back from the police as they're looking at things?
What does that look like actually? Yeah, so at least from our perspective, I guess, you know, we have various relationships in the UK and internationally depending on the countries in which we're operating.
And it may be that they give us a tipper.
So we get an IP address or a domain name that they're particularly interested in because they've seen it used in a campaign and they go, what do you know about it?
You know, and we'll tell them what we know about it. And then, you know, they may come back subsequent to an investigation and go, well, actually, and here's some bits of your puzzle that you were missing, which may help with kind of future understanding of that actor or that campaign.
So I guess that is the best way, best example of where there is a free flow of information with the private sector.
So I want to touch on the idea of individuals behind cybercrime because one of the things that's interesting to me is the notion that you potentially have individuals who are targeted.
Organized crime sounds like a vast thing, but when you actually come down to it, there are people involved.
So what does that look like from the law enforcement side?
How do you think about it?
How do you figure out who's somebody that you want to go after from a law enforcement perspective?
Who is someone who just got in and accidentally? What does that look like?
Yeah, that's a really good question. I guess it's variable. Different people have different motivations.
You know, you've got your politically motivated hacktivists.
You've got your kind of cyber terrorists that, you know, we would say that their capability is not particularly high at the moment.
Touch wood. I guess the Internet connection has not been too great in Raqqa for the last couple of years, but that will change.
That will change. I don't mean so much the Internet connection, but that could change very quickly being serious because at the moment they've got low capability.
You know, they only need two or three key people to significantly upgrade in their skills to cause us a little bit more of a problem.
But at the moment, that has to be quite a low threat. Your organized crime groups, as we've kind of discussed, it's a huge, amorphous blob.
You've got some quite unskilled UK-based groups, individuals.
You've got some very highly skilled homegrown individuals now as well as that global threat.
So it's quite disparate.
The stereotype of the kind of, you know, your kiddie scripter in the bedroom, I think we're probably moving away from that.
Do still get that, but with all the other threats out there and, you know, they generally look a bit lower skilled and easier to deal with.
So different people have different motivations, but mostly it's about making money with a minimum of fuss and a minimum of aggravation from law enforcement.
So, yeah. Like crime everywhere. Yeah, absolutely.
But we do find with some of the groups we've disrupted, I know I won't name the banks, but a couple of banks were having hundreds of offenses almost a week committed by one particular organized crime group.
And there is a view that you can't arrest your way out of this problem and I accept that to an extent.
But once we took that group out, we ended up arresting 22 of the group and they all got locked up for pretty decent sentences.
Those banks didn't have any successful attacks on their systems for more than a year.
So you can have an effect. Yes, there are significant numbers out there, but at the really high end, it'll be the same as any other crime type.
There'll be a small number of people, small number of groups driving most of the activity.
And I think one of the things that we are seeing increasingly though is kind of trade card transference.
So from the security research community talking about how to break into systems, their ability to consume that as security researchers do in the industry, in the ethical side, and actually then apply that in an aggressive fashion against targets is kind of increasingly becoming compressed.
And so if we had said domain fronting as a technique, which is to kind of almost masquerade who you're doing command and control with, that was talked about in the red team domain, what 18, 24 months ago.
And we are seeing those types of techniques for being readily pulled through into organized crime.
And so I mean, that's what's keeping everyone on their toes is their ability to understand, interpret, arguably weaponize, and then deploy into active campaigns is increasingly becoming shorter, which relies on a certain readiness within the defense community to stay abreast of what those new techniques and tactics are.
So how do you do that? So how do you stay abreast of the new tactics and techniques?
There's lots of stuff that's happening all the time.
What's, given the short timeframe between something being released?
Find people that it's a hobby, which is the best way, right? Because, joking aside, right?
If crime investigation, e-crime investigation, instant response, you know, blue team, all of that good stuff is your hobby, you are going to naturally want to stay at the forefront.
We find those individuals are generally better because the rapid pace of change.
Obviously, where we start to see thematics emerge, we try and communicate that out as quickly as possible, but it relies on kind of obsessive compulsive people generally being obsessive compulsive.
Which are probably a lot of people in this audience, for the record, right?
So don't insult them, we're good. Don't worry, I'm at the forefront of that. So actually looking out of the audience, you know, the idea of security researchers as a tool that can potentially be used, are there any challenges with that information flowing back to law enforcement?
So in the United States, we certainly have lots of challenges on information sharing, what that looks like.
What does that look like here?
Well, I guess we're always willing to take information.
I think the difficulty with it is traditionally policing. We're good at taking, but very poor at giving back.
We're sorted out now, thanks very much. That's not a very good way of building an effective working relationship.
But in terms of kind of individuals or particular companies coming forward with interesting snippets that we'd find useful, I think we're getting much better at saying, yeah, we like that, we want more of that.
Or that's not so relevant. What else have you got?
So I think we've got some pretty good trust-based relationships now. Information sharing is always difficult.
And, you know, that's just been made a little bit more challenging with GDPR.
Although from a policing point of view, we are massive supporters and fans of GDPR because it encourages people to start to get to grips with data and protect it better and take it more seriously than they have done in the past.
And that mandatory reporting requirement is good for us as well. But it's causing challenges for us the same as it's causing challenges for everybody else.
So GDPR, it had to come up at some point, right? So it's not just you that it's causing challenges for, obviously, the security researcher community.
Feeling keenly the pains of GDPR and who is at the moment, right?
So, you know, historically, what we would have done is used that and relied on what Andrew alluded to, poor OPSEC and being able to pivot away from that.
Because generally, you know, not all actors are really great at segregating their infrastructure.
And we'd usually uncover a map.
But any domains registered in the last, you know, 15 days or something, we're just slamming into kind of anonymized domains all over the place.
And it's causing a huge pain.
And yes, there are now policy steps underway to allow security researchers access to that.
But that's going to be a while down the road before we can.
So we're relying on basically domain tools and historic who is data, which is going to age off really quickly for legacy domains.
And then for new domains, you know, in certain GTLDs, we're going to be, yes, challenged.
But so I'm actually curious about the positive things about GDPR too, though.
So you mentioned that there are lots of good things that you support it, which I think you have to say.
But I'm curious, I mean, from a cybercrime perspective, what are the benefits of GDPR?
Are there, what do you see? How will it affect cybercrime and people's vision of, you know, what they can report and what it looks like on the back end?
Well, it sensitizes boards because they have a legal obligation to report, right?
Within 72 hours. And so that's going to wake a lot of organizations up.
As we discussed, you know, the private sector is nothing but cynical, as we all know.
And it has a risk of driving perverse incentives as well, which is, you know, if I don't have the logs, I can't tell you what happened.
And so there is the risk that GDPR and these types of regulations where people will minimize log storage or expunge it very quickly in order to reduce, you know, I guess the scale of what they would need to report on potentially.
Yeah, it's an interesting one.
I mean, I think by having that kind of, you know, 4% is a very big headline and a very scary figure.
And that's what's grabbed everyone's attention and concern.
And when you look at the breaches we've had over the last few years, and anybody in the kind of cyber security industry will just laugh at how easy a lot of very big organizations, some big tech organizations, have just allowed people free reign, because frankly, they just didn't take it seriously and probably shouldn't have been trusted with people's data in the first place.
That's going to concentrate a lot of minds, which is a real benefit.
So I think it will have a, people will, they'll work out finally what they've got, where they've got it and how it's protected and start to take reasonable steps to protect it.
That will, that's huge.
I mean, it sounds pretty simple. But, you know, time and again, when people do come to us and we go through and work out what's happened, you think, really?
This is really, really poor. And it's not because kind of, you know, the tech guys and girls within organizations don't know it and don't know what they're doing and aren't flagging it.
It's the wider business that's saying that's just not important for us.
It's important now. So that's a big bonus. And then for us, by driving that reporting, we get a better picture of what's going on out there.
And then it helps us in terms of demand for more resource to build up that better capability to start having more of an impact.
Because we know from what we see in terms of breaches, I think that people are probably nervous of putting figures on it, but 80 to 90% of this stuff is really easily organized out if people do the basics.
And we're still not generally across the board doing the basics.
And I think if we take that as an example there, like how many organizations suffered data breaches because of S3 buckets being misconfigured, right?
You know, that is a very basic facet of that platform, which a number of organizations managed to fat finger and expose large data sets as a result.
And so, you know, it is very, very basic hygiene factors that we sometimes get undone by.
So that makes sense for large organizations.
So what happens if you're a small business, you're now subject to GDPR, you don't have a lot of technical capability, you don't have an IT department.
What does that look like for them? And how do they figure out what they should be doing?
Even simple things, right? That should be obvious to anybody who's in the security community.
It's difficult for smaller organizations because the number of times I've heard, well, you know, our IT network providers handle that or manage that.
And we know from what we see that most of them, frankly, are a bunch of charlatans and couldn't care less about their clients' networks.
So I suppose in practical terms, the advice I always give to small businesses is actually go back and look at your contract.
If there's no commitment to patch, you're wide open.
If there's something in there not being able to pen test without the permission or agreement of the network provider, you've probably got a problem.
And if there's something in there will only compensate you for the amount of time you're offline, not for the impact of a data breach, then you need to change your managed service provider.
The industry's been poor. And I think wider, if we talk wider than just managed service providers, but the tech industry in general, there are some really good examples of companies really thinking about security at an early design stage and taking out those responsibilities quite seriously.
And there are quite a lot, probably more examples of when in the rush to market, understandably, but companies have thought, well, generally industry puts the responsibility for protecting the consumer on the consumer.
Well, the consumer hasn't got hope in hell of managing that because this stuff's too complicated.
If the people that are producing it can't be bothered or can't take that responsibility, then we have quite a significant problem.
But that's probably the downside of where we are.
More and more organisations are taking that seriously in terms of the products that they're starting to put out now.
We've seen a big change in the last year, 18 months of companies being more responsible and taking it more seriously.
And hopefully we'll continue to see that improve.
I'll just say two things on that. Cyber essentials, small companies should make sure that their suppliers or at least have that.
So cyber essentials is a UK scheme, design, as it implies, it's not a gold standard, it is essential.
And if your supplier hasn't got that, then why are you interacting with them?
And increasingly we're suggesting to SMEs to basically gain the benefit from the large multinationals.
So the Googles, the Amazons, et cetera, et cetera, Microsofts, if you use their cloud technology, their cloud platform, you gain a degree of innate protection because of the money that they're investing in those platforms.
So there are tools available is the sort of underlying piece of it.
And to some degree, it's making the public aware of them.
How do we go about doing that? I mean, is GDPR, is the enforcement function, the fact that the 4%, the potential hammer, is that enough?
Obviously that doesn't deal with individuals.
Prevention of cyber crime is in part a user responsibility. So how do you do it?
That's a lot of stick and no carrot. And so ultimately we have to be able to sell the benefit and make people care and actually give them practical steps.
Because I think sometimes we give people an array of information of various degrees of technologies and we have to kind of do the, does it pass a grandparent test?
And does it pass increasingly the toddler test? And if you can't cut through to those extreme of the demographic- They might be very different, by the way.
I don't know, I'm not a toddler.
I can sway one with a peppa pig and the other one, I don't know, is something else.
But that's the type of challenge that we have in terms of that spectrum.
So the advice has to be practical. We have to choose the fights that we do or choose the battles that we do indeed fight and realise it's going to be a generational, potentially multi-generational thing.
And also work on the basis that if we make the UK just a little bit harder to cause displacement, then I'll go somewhere else.
Yeah, I couldn't have put it better myself, really.
If I was being honest, I don't know the answer to that. That's something we kind of are, you know, wrestling with almost every day.
How do you, A, how do you industrialise the message so everybody gets it?
And at the same time, how do you do that in a way that actually changes behaviour?
Because it's easy to, you know, raise awareness, frankly, so what?
It's behaviour change that we want. And we collectively, not just policing, but government as well, put a lot of time and effort into researching what messages work, what messages don't work.
And even with that evidence-based knowledge, we kind of, we're really struggling with that.
So you're probably the most, people will think that the generation that's most vulnerable, or the group rather, that's most vulnerable is the older generation.
Well, they're not actually, because we see that generally they're operating online a lot less than everybody else.
So they're less targets to start with. It's the younger generation who think, frankly, they understand the tech in a good space and it's not going to happen to them.
And if it does, they're going to be reimbursed by their bank or the product's going to protect them.
It's that kind of, that overconfidence is probably what we need to tackle.
And security's boring. Who wants to listen to that?
So it's really hard to kind of find ways of kind of get people's attention before, you know, something bad happens.
If you've got any stunning insights or answers on that, I'd be really interested to hear them.
And if you do have any stunning insights there, National Cyber Security Center is looking for people to work in socio-technical fields, which is exactly this.
Well, and from what I've just heard, we're not going to have a generational shift either.
But I'm going to, I want to turn to the, it doesn't sound like our new generation is going to necessarily fix this all for us as they come in.
But I'd like to turn it over to the audience for questions.
Okay, do we have a mic? Let's go right in front.
Hi.
So we've heard some of the speakers today talk about engineered-in backdoors for access by law enforcement, nation states and so forth.
Then we've heard later in the day about WannaCry and how that was NSA technology that was weaponized and obviously was not intended to be used in the way that it was.
I'm interested in your opinions on engineered -in backdoors and whether you see that that has a potential to create a greater problem if it's ever exploited than actually the issue of not being able to get into particular people's devices and so forth to further prosecutions.
I'm glad I don't work for government because I can answer that.
I think it's a terrible idea. You know, let's be honest because of exactly that reason.
But let's also not kid ourselves. Even without the presence of them, the latent level of vulnerability in all the technology we use today is so shallow, you don't need it.
So don't attribute to malice what can be purely attributed to incompetence at the moment.
Yeah, it's a really tricky one. I can see the argument for both sides.
The problem that we have, you wouldn't accept as the public, and I don't think the public would accept it in the tech space either, actually.
But you wouldn't accept not being able to get into someone's house to enforce a warrant, to be able to rescue a child, or any of those kind of issues.
But we seem to be in a place where privacy has been fetishized above every other good.
And the civil liberties lobby have done a fantastic job in elevating it into that space.
So those are the terms of the debate. I think to have spaces where there's evidence of criminality or intelligence around terrorism that is completely dark and we can't access, it's just dangerous for everybody.
There has to be a way for us to lawfully get into people's devices.
Engineering backdoors that other people can then exploit.
Obviously, I'm uncomfortable with that, but at the higher end, the people that are going to probably be exploiting that are your nation state actors who have higher capability anyway.
If you've got a load of child molesters and robbers and all the rest of it, that all the evidence is there and we can't access it, that's having a huge impact on members of the public.
Look at the problems that police are having around disclosure and rape trials at the moment.
This is volume of crime impacting on people's lives day to day that we're losing the ability to prosecute.
Criminals getting free run isn't in anybody's interest.
What the answer is, I don't know because I think there are some really difficult challenges around backdoors, but the status quo is just untenable because it's getting worse and worse and people are becoming less and less safe.
The current solution to our mobile devices is technology like Cellbrite.
It's coming out of Israel that basically just exploits vulnerabilities in mobile handsets.
That gap is being fulfilled by the private sector with tools for law enforcement.
Which for the really high-end capabilities is really expensive.
Yes. And we can't afford to do that at scale.
So that again creates real ethical problems for us. So I think that's all we have time for, but that was a great way to end the question I didn't have to ask.
So thank you very much. It was great to have you both. Thank you.
Thank you.