Businesses must report cyber crime, panel urges

Under-reporting is a huge problem when it comes to cyber crime, depriving law enforcement organisations of key insights and opportunities to connect criminal activity.

That was the view of a panel of law enforcement and private business representatives at Infosecurity Europe 2018 in London, discussing the importance of partnerships between the two in fighting cyber crime.

By gathering data about cyber crime, law enforcement organisations can get a better picture of the nature and scale of what is really happening, in order to allocate budget and resources appropriately and enable more arrests and effective disruptive action.

The panel said that by reporting cyber crime, organisations can, in turn, benefit from the expertise in law enforcement organisations on how to respond to, and mitigate, the various kinds of cyber attack.

“Information from CrimeStoppers is hugely important to the effectiveness of community policing, and so we need to marshal the same good citizenship in cyber space by encouraging organisations to report cyber crime, and law enforcement can help to demystify cyber crime and the methods and motives of those behind it,” said Victoria Baines, visiting associate at the Oxford Internet Institute and formerly of Europol’s European Cybercrime Centre and Facebook’s trust and safety department.

“Collaboration between US, European and other allies’ law enforcement organisations means they can be more agile in tracking cyber crime internationally by pooling information, and the more information available, the more effective that will be,” she said. “We are getting much quicker as a global community at collating and responding to cyber crime intelligence.”

The panel recognised that, historically, it has not been easy for businesses to report cyber crime and that many organisations may be afraid to do so, fearing how it will affect their business operations.

Ben Russell, head of threat response at the National Crime Agency’s (NCA) National Cyber Crime Unit, said: “In the UK, cyber crime reporting has certainly become a lot easier in the past 18 months, and the reality is typically very different from the perception of what will happen after a cyber crime is reported.

“Many businesses are concerned that we will come in and shut down business operations or that we will make the investigation public without their consent, but that is not at all what happens.”

Russell added that under section 7 under the Crime & Courts Act, organisations can share information confidentially without having to trigger a formal crime report.

It is always easier the second time after a trust relationship has been established, he said, but the NCA understands that the first time often requires “a leap of faith” by the business concerned.

“We can’t go out and talk to absolutely everyone, so where there is no existing relationship, businesses will have to take a leap of faith, which is difficult, but there are benefits to reporting cyber crime and working with law enforcement,” said Russell.

In view of the fact that the first step is often the most difficult, Russell said the NCA is working to find ways to make it easier to understand when and how to report a cyber crime and what businesses can expect to happen as a result. “If we can get the first 24 hours in our engagement right, it tends to flow quite positively from then on,” he said.

While private enterprise and law enforcement organisations exist for very different reasons, there is also a lot of common ground, said Eric Welling, deputy assistant director of the FBI’s cyber division. “We all agree on things like defending networks and preventing cyber crime that we can focus on and have conversations about,” he said.

The FBI sees the same challenges, said Welling. “Transparency is extremely important. When we work with companies, we need to ensure that they understand why the FBI is asking for certain things and what the agency will do with that information,” he said.

“Another challenge we are working to overcome is engaging with company boards. While you may have a good relationship with a CISO, it is key to have the same conversations with the boards and the general counsels to reach an agreement on what action to take.”

A good example of collaboration around fighting cyber crime is the UK’s National Cyber Security Centre (NCSC), said Paul Midian, CISO of Dixons Carphone.

“The one key reason it is successful is that it has unshackled GCHQ and enabled its experts to go into the public domain and give organisations very sensible advice,” he said.