UK law enforcement efforts to combat cyber crime are the “most joined-up bit of policing” in the country, but police forces cannot do it alone, according to Peter Goodman, deputy chief constable of Derbyshire Police and national lead for cyber crime.
Collaboration, engagement and partnership with industry are important because cyber crime is “right at the extreme” of the things that law enforcement cannot deal with alone, Goodman told a forum on cyber crime at Mansion House in London.
Opening the event, Andrew Parmley, Lord Mayor of London, said the police could not patrol the cyber defences alone. “We must all – as employers, employees and private individuals – become more cyber resilient,” he said. “Better defences and gaining information will also generate far greater rates of capture and prosecution.
In the past, criminals could expect to net about £25,000 from a bank heist, but that was relatively high-risk and low-yield compared with today’s cyber-enabled bank heists, which could net in the region of £1.3m, he said. In contrast, the risk is extremely low because it is a complex environment and law enforcement around the world is still behind the curve on this, he added. At the same time, cyber criminals are rapidly increasing the speed at which they can recover from law enforcement actions aimed at disrupting their operations.
Two years ago, said Goodman, it took cyber criminals about nine to 12 months to recover from an international law enforcement operation aimed at disrupting a specific malware campaign, but now the recovery time is down to two days for targeted malware to be updated, made impenetrable and relaunched on the underground market.
The biggest cyber crime threats are data theft, distributed denial of service (DDoS) attacks, phishing and ransomware, and the key enablers include poor cyber security, poor security awareness and training, lack of personal responsibility, insiders and criminal marketplaces, he said. The emergence of these criminal marketplaces mean that anyone with little or no cyber expertise can buy or rent everything they need to carry out a cyber attack, from easy-to-use tools and malware to cashing-out facilities, said Goodman.
This is underlined by a newly published report by the National Crime Agency (NCA) about how and why some young people become involved in cyber crime. The report notes that off-the-shelf tools such as DDoS-for-hire services and remote-access Trojans (RATs) are available with step-by-step tutorials at little to no cost to the user, making the skills barrier for entry into cyber crime lower than it has ever been.
In the face of these challenges, Goodman said UK police forces at a national and local level are working extremely closely with the security services, the NCA and the regional organised crime units (ROCUs). This collaboration means that, as national lead for cyber crime, Goodman can draw on a network of policing resources to focus them on the biggest risks across the UK. While this level of collaboration on any one crime type is unprecedented and represents “a massive step forward” for policing, Goodman said he recognises there is still a lot more work to be done.
In terms of collaboration with UK industry, the aim is to ensure that all stakeholders have a common picture, he said. “We need to know what the threats look like, and have a common picture of what [cyber criminal] infrastructure and the weaknesses in it look like, so we can all play a part in making sure the UK is as hostile as possible to cyber attack.”
A similar approach is being pursued by the National Cyber Security Centre (NCSC), which is seeking to increase engagement with UK industry about cyber threats and wants input to improve its cyber defence capabilities and services. Maria Vello, a director of the Cyber Defence Alliance (CDA), a London-based public-private partnership set up to turn threat information into actionable intelligence, also emphasised the importance of collaboration.
“Information is not power, but sharing information is you being powerful,” she told the forum. “Our adversaries are outpacing us in every way, and unless we work together and collaborate, we are not going to be effective against the global and systemic problem of cyber crime.” Vello described cyber crime as a “highly evolved” enterprise system that has greater business continuity and disaster recovery capabilities than legitimate business. “They share everything: how-to documents, where businesses are vulnerable, and how they are vulnerable,” she said. “They know more about us than we do.”
The alliance, currently comprising seven banks, aims to become “the epicentre of cyber threat intelligence” and works with law enforcement, academia and private industry, which Vello said is typically the source of the best information about cyber attack tactics, techniques and procedures.
The CDA is all about enabling trusted partners to work collaboratively to share information and turn that information in to actionable intelligence, she said, which is “the only way” to stop cyber crime. “Our ultimate goal is attribution to enable prosecution through our law enforcement partners,” said Vello. The Global Cyber Alliance (GCA) is another collaborative partnership of law enforcement and research organisations that is focused on combating cyber risk.
For example, the GCA is championing the use of the Dmarc (domain-based message authentication, reporting and conformance) protocol to help organisations protect themselves from email fraud. The Alliance has created a guide to help organisations implement Dmarc, which is being rolled out across UK government departments, led by the UK’s National Cyber Security Centre (NCSC).
The GCA is also working on a free DNS (domain name system) infrastructure project in partnership with Packet Clearing House (PCH) and a consortium of industry and non-profit contributors. The project is aimed at using multiple threat intelligence feeds to block malicious domains and is similar to a project by the NCSC in partnership with Nominet. “The GCA has attracted 150 member organisations in the first 18 months of its existence, and I have never before seen such willingness to contribute, get involved and talk to others,” said Scully.
John Grim, senior security specialist at Verizon, said there are several clear imperatives for collaboration beyond the need to match attackers’ ability to share information and support each other. “We also have to work together out of necessity because cyber insurance requires us to get to the bottom of this, as well as laws and regulations that require us to share information,” he said.
In the past, said Grim, only Verizon investigators and clients were involved in breach investigations, but now there are multiple stakeholders involved, such as human resources, public relations, card payment processors and even law enforcement. Another factor driving the need for collaboration and information sharing is the interconnected nature of attacks, said John Loveland, global head of cyber security strategy and marketing at Verizon.
“Organisations on the receiving end of attacks that are monitoring what is happing further upstream and participating in threat intelligence sharing will typically be in a better position to defend themselves,” he said. David Clark, national lead for fraud and commander at City of London Police, said collaboration and information sharing is vital because fighting cyber crime is often like trying to complete a jigsaw puzzle without knowing who has the next missing piece. “It has to be all of us doing something, either by informing others about what we know as well as ensuring that we know all we can,” he said. “We have never arrested a computer. The problem is never a computer. It is always a person, so it is only people who can help fix this problem by working together.”
Author – Warwick Ashford