Under-reporting is a huge problem when it comes to cyber crime, depriving law enforcement organisations of key insights and opportunities to connect criminal activity.
That was the view of a panel of law enforcement and private business representatives at Infosecurity Europe 2018 in London, discussing the importance of partnerships between the two in fighting cyber crime.
By gathering data about cyber crime, law enforcement organisations can get a better picture of the nature and scale of what is really happening, in order to allocate budget and resources appropriately and enable more arrests and effective disruptive action.
The panel said that by reporting cyber crime, organisations can, in turn, benefit from the expertise in law enforcement organisations on how to respond to, and mitigate, the various kinds of cyber attack.
“Information from CrimeStoppers is hugely important to the effectiveness of community policing, and so we need to marshal the same good citizenship in cyber space by encouraging organisations to report cyber crime, and law enforcement can help to demystify cyber crime and the methods and motives of those behind it,” said Victoria Baines, visiting associate at the Oxford Internet Institute and formerly of Europol’s European Cybercrime Centre and Facebook’s trust and safety department.
“Collaboration between US, European and other allies’ law enforcement organisations means they can be more agile in tracking cyber crime internationally by pooling information, and the more information available, the more effective that will be,” she said. “We are getting much quicker as a global community at collating and responding to cyber crime intelligence.”
The panel recognised that, historically, it has not been easy for businesses to report cyber crime and that many organisations may be afraid to do so, fearing how it will affect their business operations.
Ben Russell, head of threat response at the National Crime Agency’s (NCA) National Cyber Crime Unit, said: “In the UK, cyber crime reporting has certainly become a lot easier in the past 18 months, and the reality is typically very different from the perception of what will happen after a cyber crime is reported.
“Many businesses are concerned that we will come in and shut down business operations or that we will make the investigation public without their consent, but that is not at all what happens.”
Russell added that under section 7 of the Crime and Courts Act, organisations can share information confidentially without having to trigger a formal crime report.
It is always easier the second time after a trust relationship has been established, he said, but the NCA understands that the first time often requires “a leap of faith” by the business concerned.
“We can’t go out and talk to absolutely everyone, so where there is no existing relationship, businesses will have to take a leap of faith, which is difficult, but there are benefits to reporting cyber crime and working with law enforcement,” said Russell.
In view of the fact that the first step is often the most difficult, Russell said the NCA is working to find ways to make it easier to understand when and how to report a cyber crime and what businesses can expect to happen as a result. “If we can get the first 24 hours in our engagement right, it tends to flow quite positively from then on,” he said.
While private enterprise and law enforcement organisations exist for very different reasons, there is also a lot of common ground, said Eric Welling, deputy assistant director of the FBI’s cyber division. “We all agree on things like defending networks and preventing cyber crime that we can focus on and have conversations about,” he said.
The FBI sees the same challenges, said Welling. “Transparency is extremely important. When we work with companies, we need to ensure that they understand why the FBI is asking for certain things and what the agency will do with that information,” he said.
“Another challenge we are working to overcome is engaging with company boards. While you may have a good relationship with a CISO, it is key to have the same conversations with the boards and the general counsels to reach an agreement on what action to take.”
A good example of collaboration around fighting cyber crime is the UK’s National Cyber Security Centre (NCSC), said Paul Midian, CISO of Dixons Carphone.
“The one key reason it is successful is that it has unshackled GCHQ and enabled its experts to go into the public domain and give organisations very sensible advice,” he said.
Cyber security guidance
The NCSC is also publishing good, simple cyber security guidance for organisations on its website, as well as hosting the Cybersecurity Information Sharing Partnership (CISP), which enables industry and government to exchange cyber threat information in real time.
Baines pointed out No More Ransom as an example of successful collaboration between international law enforcement agencies and private industry.
“This has been of great benefit not only to the parties involved, but to individuals and businesses hit by ransomware through the provision of a repository of keys and applications that can decrypt data locked by different types of ransomware,” she said.
“This is a good place to start because it is a task-based problem-solving initiative, and off the back of something like that, you can build a more sophisticated relationship.”
Welling said that in the US, there are a number of initiatives on collaboration between law enforcement and industry, particularly the tech sector.
“The National Cyber Forensics and Training Academy, for example, enables representatives of the public and private sector to work together on finding solutions to problems each side is seeing,” he said.
Collaboration between the public and private sectors “is the way forward”, said Welling. “Fighting cyber crime has got to be a team sport. We all have to come at it as partners, nationally and internationally, and we have found that the private sector is definitely interested in getting involved.”
In the US, various industries have also set up information sharing and analysis centres (Isacs), which are non-profit organisations that gather information on cyber threats and provide two-way sharing of information between the private and public sector.
Welling added: “Various critical industry sectors, such as banking, aviation, health and water, each have their own Isac, which is a good model that works well and could be replicated elsewhere around the world.”
GDPR and insurance companies
Looking to the future, the panel said the EU’s General Data Protection Regulation (GDPR) and insurance companies are likely to play a key role in encouraging more reporting of cyber crime.
The GDPR introduces a mandatory requirement to report serious breaches of EU citizens’ personal data, which is expected to increase the number of cyber crime incidents reported. Midian said the legislation will also help to drive consistency in the common understanding of cyber risk and threats.
Insurers are also expected to drive better cyber security practices by insured organisations, including increased cyber crime reporting. “Often, organisations reporting cyber incidents admit they were advised to do so by their insurance company,” said Russell.
According to Baines, law enforcement bodies should ensure they always give feedback to organisations about how the information shared by them is used and what was achieved as a result.
“It is important to report back the return on investment by private enterprise in human resources in providing that information, so it is necessary to tell organisations when the information they provide has led to an arrest or has helped eliminate a particular threat,” she said.