Policing cyberspace

In an exclusive interview with Computer Weekly, Len Hynds, head of the UK's National High-Tech Crime Unit, talks to Mark Lewis about tackling the growing threat of cybercrime

What exactly do you mean when you use the term "high-tech crime"?

High-tech crime, e-crime and cybercrime are expressions that we are all familiar with, but in essence they all mean crime. Policymakers in government, law enforcement and industry need to take heed of this and incorporate the internet as a new territory into their core processes.

So we need to take this form of crime more seriously?

We must challenge the existing misguided perception that high-tech crime is somehow less serious than its mainstream equivalent. For example, why should somebody recoil from the thought of breaking into a house and stealing, but condone the equivalent act in cyberspace?

If we are to combat it, we must recognise high-tech crime as being every type of crime but with a component placing it in the digital environment. In doing so, it becomes an aggravated version of the original offence. It is able to operate instantaneously, remotely, and with disregard for sovereignty and geography. It also becomes easier for criminals to target many victims, to hide assets, and cover the trail of evidence.

Perhaps people take cybercrime less seriously because they understand so little about it?

Understanding the problem without overstating it is the dilemma that many have attempted to tackle in recent years. The empirical data with which to plot trends in high-tech crime is limited. Surveys conducted recently agree on two things: high-tech crime is increasing, and organised crime is now infiltrating the digital frontier.

The internet provides organised crime groups with lucrative opportunities in a relatively low-risk theatre of operations. And, with the uptake of the ubiquitous point-and-click interface, an increase in computer literacy, and a proliferation of websites carrying information on hacking techniques, the assessment is clear: the threat is increasing.

To what extent is high-tech crime increasing?

This question is being asked worldwide and there are many studies we could turn to for guidance. In December, the National High-Tech Crime Unit, in conjunction with [market research firm] NOP, conducted a survey of the business community. It found that 87% of respondents have suffered some kind of attack. The case at present is not so much "will you become a victim?" but rather "when will you know that you are a victim?" Couple this with the irrefutable intelligence we have gathered that shows organised crime groups' involvement in illicit activity and communications through the internet, and you are bound to conclude that the threat is significant.

What can we do to combat high-tech crime?

The fight has to be a team effort. There is nothing more important than forging an effective partnership between law enforcement and industry. Since its inception, the National High-Tech Crime Unit has promoted policies that focus on partnerships that benefit business, the consumer and the public.

I am convinced of the profit in partnership. It is often the synergy between two or more disparate pieces of information that gives rise to the understanding of a new or emerging threat. In the high-tech crime arena we are all able to contribute. In fact, I would argue that it is only through collaboration that the true picture is painted.

What part should industry play in the fight against cybercrime?

Industry spends vast sums of money on business intelligence. Whether engaged in expansion, downsizing, or investing in a new product, companies devote significant sums to ensure that they have the best possible information upon which to make decisions.

Risk assessment is about looking at the problem from every conceivable angle. IT security must therefore be an element in this process and cross-sector consultation will inevitably broaden the picture.

Where is the motivation for companies to confess publicly to security glitches or compromises?

The relationship built between law enforcement and industry must have mutual benefits. If business does pass intelligence to the National High-Tech Crime Unit, we undertake to analyse, aggregate and compare this information with that supplied from various business sectors and intelligence sources.

Trends will be plotted and considered in the light of environmental scanning and we then deliver a threat assessment. The real value to industry is that this kind of assessment provides risk managers with an entirely independent and alternative window on the world.

In a similar vein, we must share and promote good practice. The cybermarket continues to evolve at a formidable pace and law enforcement must play a part by providing a conduit through which learning can be shared. It is crucial that we understand the nature of high-tech crime in all its guises and I believe this to be achievable. A 3600 view of the threat is within our grasp, but only if we commit to working together.

Does the role of industry begin and end with merely passing on information?

The range of collaborative measures developed must, of course, stretch beyond quantifying the problem. We must also work together to build solutions.

The evolution of e-commerce and the growth of multinational companies have meant that e-business has developed security systems that, in the main, are privately policed. Intranet systems, for example, although guarded behind firewalls and intrusion detection technology, suffer continuous and unwelcome attention from hackers.

If organised crime employs a simple "risk verses reward" equation it will surely be drawn towards the assets of industry that are suspended in cyberspace. They can take advantage of the anonymity and security of this technology and, most importantly, they will exploit the industry's well-publicised desire to deal with security breaches in-house.

Of course, many in business do adopt an approach to security and cybercrime that is now inclusive of law enforcement, and it is heartening to see so many chief executives committing to a joined-up security policy, but the remainder who adhere to an insular style are extremely vulnerable.

What do you say to claims that calling in law enforcement agencies to investigate a crime will only succeed in further denting business continuity?

Law enforcement must take responsibility for building the framework that will enable industry to collaborate. The first step is to build trust - the active ingredient in any enduring partnership.

While damage to reputation and brand continue to be cited as a major barrier to collaborative working, our own experience indicates that concern about business continuity is the most prominent factor when developing outreach initiatives to combat cybercrime.

The popularised image of the detective freezing the crime scene with a ring of white tape and seizing everything contained therein as potential evidence is still pervasive. As a result, board members looking to protect shareholder interest are drawn to conclude that they have to operate in isolation.

Irrespective of the tactics deployed privately, if law enforcement is unsighted, the perpetrators will not be disrupted in a major way, nor will they be dissuaded from attempting further assaults. If anything they will find comfort in this action and may even translate it as an invitation to try again.

In other words, businesses should resist the temptation to keep high-tech security problems under wraps?

When business attempts to tackle high-tech crime alone, it is a short-term, high-risk strategy for both the company and the industry in general. What is more, it is founded on outdated stereotypes which bear no resemblance to the reality of policing in the 21st century. In just 20 months the National High-Tech Crime Unit developed and delivered a new brand for law enforcement. This service is tuned in to business, receptive to the needs of industry, and committed to a common aim in its desire to build a lawful marketplace in cyberspace.

Of course, in order to police the high-tech arena one has to have a presence in it, not just for the occasional pre-planned operation, but an everyday police presence which is accepted and welcomed in the same way that the public welcome a police presence on the streets.

Establishing such a presence has many facets but essentially it must include collaboration and co-operation with the e-industry whose marketplace it is.

Do you see your unit's role as being an after-the-fact investigator?

It should be remembered that for law enforcement, prosecution of offenders is an effective tactical option, but there are many more tools in its armoury.

Law enforcement has a duty to prevent and reduce crime as well as detect it. Naturally, the full spectrum of tactical options available to combat high-tech crime is only discovered through co-operation with industry on a case-by-case basis. A safe platform for early confidential discussions between law enforcement and industry is pivotal to the success of any joint strategy.

The formula for me is clear. If we work together we will succeed by creating an optimum environment in which to conduct e-business. If we work in isolation we will fail and leave the way open for organised crime in cyberspace.

Does industry need a change of attitude in order to confront cybercrime?

Security is not just about the height of the perimeter fence any more. We must share knowledge about vulnerabilities and trends in criminal exploits, and that means that industry must share intelligence with its competitors as well as its recognised partners.

The business world is connected in a way that it has never been before. Companies must address security concerns with business partners and suppliers.

We must nurture a doctrine that enables competitors to come together with genuine resolve. Companies should not only be concerned about how they will manage risk within their immediate power, but also how their clients, consultants and business partners do so.

That concern should transcend mere evaluation and grow into a sophisticated mutual support programme. This is crucial because you are only as strong as the weakest link in the IT security chain.

It is important to emphasise that when I talk about IT security, I am not just talking about software and hardware issues. IT security must encompass business processes and policy, human resources, physical security and lines of accountability.

Do you think technologists should be left to tackle high-tech crime?

I have alluded to the positive steps that some companies have taken to ensure that comprehensive risk management is a core governance issue. But the question remains, why is it that others do not focus on IT security?

It seems that for some, IT security continues to be seen as an IT issue and not a corporate concern. For some it represents a time-consuming and unproductive overhead, while others see it as simply too difficult.

Having invested in impressive security systems, one is immediately faced with the challenge of maintenance and review. When this happens, chief executives often entrust the company's most valuable assets to staff who are neither paid, nor equipped, to protect them.

My message is simple: high-tech crime is real crime. It represents an immediate and significant threat. The solution is just as real - we must work together.

CV: Len Hynds   

Detective chief superintendent Len Hynds is head of the National High-Tech Crime Unit. He has served at a tactical, strategic and policy level in more than 30 countries in partnership with foreign colleagues to prosecute and disrupt international criminal networks and to streamline investigation procedures. 

As head of the National High-Tech Crime Unit, Hynds has responsibility for the development and implementation of a national centre of excellence to combat high-tech crime and the delivery of benchmark standards for all local computer crime units within England and Wales.

He has advised the government on proposed legislation, attended the United Nations Commission on Narcotic Drugs as adviser to the UK delegation, and led European Union-funded workshops examining the harmonisation of law enforcement effort. 

Hynds was involved in the formation of the National Crime Squad and is acknowledged as the architect of the operational protocol between the National Crime Squad and HM Customs & Excise. He chairs the UK Internet Crime Forum and the Association of Chief Police Officers National High-Tech Crime Working Group.    

Hear Hynds speak    

Len Hynds will be leading the Policing the Digital Frontier keynote debate at Infosecurity Europe 2003, Europe's largest information security event.

Now in its eighth year, the show features a free education programme and more than 200 exhibitors at the Grand Hall at Olympia from 29 April-1 May. 

www.infosec.co.uk