chalabala - Fotolia
“We’ve got to do that at greater pace and at greater scale,” Goodall told Computer Weekly in an exclusive interview.
First, the NCCU is allocating more resources, which means training more people to engage with businesses to share information, best practice and expertise in combating cyber crime.
Second, Goodall is encouraging an approach in which members of the NCCU do not make assumptions about the concerns of their partners in industry, or about what partner companies consider the “best fix” in any cyber crime situation.
“I want our partners to feel confident in the law enforcement cyber community, so they know how to protect themselves, they can discuss their concerns and cyber attacks in confidence and they can contribute to collective learning on how to tackle cyber crime,” she said.
Read more about the NCA and NCCU
- A joint investigation by the NCA and information security firm Trend Micro has led to two arrests in connection with a crypting website.
- Hackers target global financial institutions and payment systems with Dridex malware, with UK losses estimated at £20m, warns the National Crime agency (NCA).
- UK police have arrested 57 cyber crime suspects in 25 separate operations co-ordinated by the National Crime Agency.
- UK law enforcement officers work with public and private sector partners to help businesses and consumers guard against cyber crime.
In late January 2016, for example, the NCCU ran an exercise with several UK banks and Financial Fraud Action UK to look at ways of identifying "money muling" activity – a form of money laundering used by cyber criminals.
“The exercise tapped into skills we lack internally to yield loads of tangible lines of enquiry to enrich our intelligence packages and demonstrated the interest and commitment of experts in this sector to make a contribution,” said Goodall.
In the past six months, the NCCU has set up a virtual taskforce with cyber security firm Trend Micro, which has already seen a forensics and malware expert seconded to an NCCU investigation team and contributing to an operational outcome.
A third goal Goodall set for the NCCU is to improve the value to industry of its annual strategic assessment of the cyber threat.
“I have made no secret of my fascination with cyber crime in its scale, effect on victims and diversity of offender types – all of which demands a new approach to investigations”
Sarah Goodall, deputy director, NCCU
By involving industry in the process, she said industry partners have already seen improvement in the quality of information provided to them directly and to a broader cross-section of industry, through the government’s cyber security information sharing partnership (Cisp) hosted by the UK national computer emergency response team (Cert-UK).
“Going forward, we will focus on how to become even better at drawing out themes that provide value such as ransomware, distributed denial of service (DDoS) attacks and bullet-proof hosting services, and setting up initiatives to tackle the most pressing of these issues together with industry,” said Goodall.
A key element of the NCCU’s collaboration with industry is the NCA’s “specials” programme, which Goodall helped to set up, that draws in volunteers from across industry who want to offer specialist skills to help investigators.
“This is an excellent scheme that provides a direct and growing link with industry and, across the NCA, the NCCU in particular has picked up the ball and run with it,” said Goodall, with a group of around 20 “specials” joining the NCCU in March 2016.
“Within the NCCU, I am seeing some amazing technical work being done by specials helping with particular problems,” she said, adding that the NCCU is always on the lookout for more specialist volunteer through recruitment programmes and applications.
Goodall – a former regional head of investigations at the Serious Organised Crime Agency (Soca) that was rolled into the NCA along with the Police Central e-Crime Unit (PCeU) in 2013 – has been involved in investigations since joining Warwickshire police in 1989.
Fascination with cyber crime
But she admits that her current role, of leading and delivering the UK’s law enforcement response to cyber crime, has been a longstanding ambition.
“I have made no secret of my fascination with cyber crime in terms of it scale, effect on victims and diversity of offender types – all of which demands a new approach to investigations,” said Goodall.
With traditional crime policing – such as murder investigations, for example – there are centuries of best practice and standards to draw on.
“But with cyber crime the threat is changing continually, and the best way of reducing that threat is yet to be understood fully. We are still a long way from attaining the equivalent practised doctrines in cyber crime investigations, which is what attracted me,” she said.
Goodall is driven by the challenge of “turning the investigative model on its head” to discover better way of investigating crime, which she recognises is global in nature and likely to relyt on industry, rather than law enforcement holding all the knowledge and the power, as it has in the past.
“I like a challenge and, although there is still much to be done because of the scale of cyber crime, I can see we have come a long way in a relatively short period of time – when I look at the journey undertaken by my predecessor Andy Archibald and how far law enforcement in general has progressed in this area, which is impressive,” she said.
Exuding enthusiasm, Goodall said she loves working in the NCA’s NCCU, and has been “blown away” by the competence, enthusiasm and dedication of her colleagues.
Looking to the year ahead, she said industry partners can expect to see more value coming out of the NCCU’s virtual taskforce and more contact, advice and intelligence from law enforcement through the regional organised crime units (ROCUs).
The NCCU is in daily contact with Cert-UK, and to enable greater agility and a more dynamic exchange of useful information from 2016, the NCCU now has three officers in Cert-UK.
“This will enable us to get the information out faster to our business partners, as well as improve our understanding of their needs by having member of our staff embedded in what is effectively a ‘front door’ to industry,” said Goodall.
In 2016, there will also be a continued focus on finding ways of collaborating and ensuring there is one cohesive response to cyber crime across UK law enforcement.
“We also aim to use that process to draw information faster from industry about what they see as threats, and ensure we are always seeing the bigger picture as threats emerge and do not miss forensic opportunities to getter better understanding of these threats,” said Goodall.
Another focus for the NCCU in 2016 is defining what “excellent performance” looks like. “Performance is a hot topical theme because, for anyone to have pride in their work, it is important to feel that progress is being made,” said Goodall.
“You can’t define excellent performance exclusively in terms of the number of arrests, for example, because that is not solving the problem.
“It is difficult to get a handle on and, in terms of terms of industry effort, we are not quite there yet in finding a meaningful definition. But, for me, success is something like achieving mitigation at scale through applying things like automation, good industry knowledge and robust doctrine, rather than relying solely on pure resources,” she said.
While unwilling to discuss specific areas of focus to avoid tipping off the criminal community, Goodall said one of the main goals for 2016 is using the channels of communication already established with industry to derive tangible value.
“We want it to be easy for the public and industry to engage with law enforcement, and for the benefits of doing so to be obvious.”