Three years ago, Stephen Greenhalgh, London’s former deputy mayor for policing, described the Metropolitan Police’s handling of cyber-crime as a disgrace.
Detective chief inspector Andrew Gould, head of the Metropolitan Police Cyber Crime Unit, speaking at a breakfast briefing with Remora last week in London, agreed that at that time it was a fair comment.
However, he went on to point out that there has since been a sea-change in the Met’s approach, prioritisation and capabilities, with 300 new staff appointed to handle cyber-crime, including the setting up of the Falcon (Fraud and Linked Crime Online) unit.
Initially law enforcement wasn’t equipped to cope with the shift in crime online, but then found many of the tools and techniques are those used in terrorism, plus its experience of tackling organised crime helped bring down cyber-crime groups.
For a decade crime appeared to be falling, but it appears that it was simply shifting online, and today cyber represents 48 percent of all reported crime (ONS Crime Survey). Even then, 90 percent of cyber-crime is believed to go unreported – a legacy from the police’s previous inability to respond – so the true extent of cyber-criminality is much higher.
Nonetheless, victims increasingly report cyber-crime. At the top end, GCHQ and NCSC identify and tackle national threats, and amalgamate responses to both top and lower level crimes is underway.
Quantifying the threats, Gould put organised crime at the top, closely followed by state actors, observing that there is increasing collusion between the two, with state actors preferring not to use their most sophisticated tools (which could identify them) if criminal tactics or proxies could be used to confuse the situation. Third comes insider-threats – both disgruntled employee and the unwitting staffer. Then come hacktivists with ‘political’ motivations, followed by terrorists.
Terrorists are not currently seen as particularly sophisticated, but they are trying to increase their capabilities – plus most attackers online don’t need to be very tech savvy given that both the tools and tutorials to use them are freely available.
Tim Court, detective sergeant in the Metropolitan Police Crime Cyber Unit, urged faster reporting by companies, citing a recent example where an asset wealth management company CEO reported the loss of £100,000 and the police were able to quickly close the accounts being used to launder the money. They retrieved £45,000, arrested two and apprehended another five involved for a separate offence.
While cooperation between criminals allows them to subcontract elements of the crime – supported by an entire underground economy facilitated by various auction systems – the resulting tensions between those involved often proves to be a weakness that law enforcement can exploit.
However, Edward Cowen, CEO at Remora, noted the tendency of financial organisations which find themselves victims of cyber-crime is to cover up what has happened, both internally to other departments, and externally too. The message was that reporting quickly can prevent further loss, to yourself and others, and it increases the likelihood of the criminal being caught. But this needs to have senior management on board.
Protection of the company’s assets and interests and the gathering of evidence by authorities are not mutually exclusive, Cowen said, emphasising that the need to include both the police and any third-party IT protection company was compatible.
Recently police arrested a London-based Russian crime group targeting banks and high net worth individuals. It was a sophisticated racket and many Europe-wide networks were hit due to the extent of interconnectedness among them.
Another cyber-enabled crime gang had stolen at least £113 million from small companies. It was being run by brothers aged 24 and 25 from a ‘traditional’ crime family who had branched out into telephone spoofing.
As they cleared out accounts, they would put every £1 million into 10 accounts of £100,000, which would then be divided into a further 10 mule accounts and funnelled into a global network with regional managers who collected the money for transfers from London to Dubai and Pakistan.
Traditional surveillance activity resulted in the arrest of 22 people, with the heads getting 11 years in prison and potentially a further 10 years per million for the £66 million required to be reimbursed.
Court adds that there were 27,000 investigations in London last year, a quarter of which were solved, with some 2,500 people arrested in recent years.
Cyber-crime is what former robbers and burglars are doing now – and in general they’re not very sophisticated. But at the top end they can be very sophisticated, sitting on your system for months to learn all about you and your organisation by watching activity on your network and researching you and your staff on social media, waiting for the optimum time to strike.
Delegates were advised to be aware how their openness online might be used against them and minimise posting of potentially compromising data to social networks – not just in a business and a personal context, but also by the family. One case cited an executive’s kidnap insurance being invalidated because their children posted the name of the hotel where they were staying.
“Internet search engines are probably the biggest aider and abetter of criminality in history,” observed Gould, referring to their role in victim research by criminals.
Once again, the need to do the basics came up loud and clear, with patching seen as critical. Gould was scathing about the fact that most outsourced network providers offer no commitment to patch.
What’s needed, said Bob Wigley, chair of the newly amalgamated financial services trade association, is for companies to spend sufficiently on IT and software, while also ensuring they have the right policies in place, including HR, finance and compliance, plus the right people/training.
Unfortunately, he said, it’s rare that all come together at board level.
Of course, Cowen noted, “Once something happens people want to spend,” but until it does, cyber-security is fourth or fifth on the risk list.
Then the companies ask the tech industry what they should buy. “A lot of people are getting their prescription from the drug company,” observed Cowen.
Another problem is that the amount that can be transferred by banks without additional checks is as high as £250,000. “A simple phone call to someone known to you can prevent 95 percent of incidents,” said Cowen.
One questioner did ask, given the drive to frictionless transactions, would the demand for security not slow transactions?
The response by Cowen was that the new £250,000 limit was dangerous, and that slowing payments by adding eyeballs on payments, especially new payments, was a good thing. “Speed creates bigger problems – and the slow broadband in London has probably saved a lot of people a lot of money,” he added.
Bringing in the lawyers as first priority following a breach is probably a mistake, and deleting material to make it harder to follow and track an IP was also described as a wrong move. Having a plan on how you will respond to a breach is key. “You don’t want to be the CEO that’s thinking, ‘what do we do now?’” said Gould.
He added that the Met sees a lot of attacks where money has been wasted on tech solutions where the same money would have been better spent on pre-planning and execution of that plan.
He emphasised that the police were a free and independent service, and victims are advised to call the police even though they are currently under no regulatory requirement to do so.
However, with GDPR that will change and, Cowen noted, GDPR is very proscriptive. One client who went to the regulator with a problem got fined, so don’t expect it to be applied with a light touch.
Gould commented, “This [GDPR fines] is potentially the next PPI as it has an individual compensation element, so victims can go for compensation. If thousands are victims of one breach, law firms may want to take it on a ‘no-win, no-fee’ basis. Extrapolating from ICO fines to GDPR rules, an average fine of £11 million per breach would be imposed once the new regulations come into force next year.”
The supply chain will also be looked at by the ICO, but it should be noted that even if you subcontract, it’s still the data owner who is responsible for checking their policies and procedures and will ultimately carry the liability for any breaches.
One questioner asked if the GDPR would not encourage extortionist ransomers to threaten exposure – and thus fines – if they were not paid a sum less than the anticipated fine. Gould responded that this was a possibility as, “criminals will exploit whatever there is to exploit”.
So who do we contact? Action Fraud – 0300-1232040 is open 24/7 and will triage calls, and Falcon is also open 24/7 on 020-7230 8129. For threats to government and CPNI, there is the National Cyber Security Centre.
One questioner did ask what SLAs the police work to, eliciting the wry observation from Cowen that the organisations most demanding of the Met’s resources tend to be those that have done least to prepare themselves.
This article originally appeared on SC Media UK