Interview: Partnering to Bring Cyber-criminals to Justice

Kevin Brown, managing director for security, BT
Doug Witschi, assistant director for cybercrime threat response & operations, Interpol

Most of the discussion in infosecurity understandably centers on how to defend against and respond to cyber-attacks. Alongside a focus on defense, however, the industry must focus on helping bring perpetrators of these crimes to justice. After all, free from consequence, cyber-criminals can act with impunity, making for a more dangerous world for all.

Finding and prosecuting cyber-attackers who operate anonymously and from any location globally is an onerous task and generally more complex than for other types of criminal activities. Encouragingly, there have been several vital breakthroughs for law enforcement in this area this year. For example, Ukraine arrested members of the CIO ransomware gang in June. Nevertheless, this remains a particularly challenging area for law enforcement.

Discovering the identities of those responsible for attacks usually requires vast amounts of data and intelligence gathering, necessitating significant collaboration between organizations across numerous jurisdictions. It is therefore essential that all organizations, big or small, play their part in helping law enforcement disrupt and prosecute cyber-threat actors by actively sharing any insights on cyber-threats that they have.

Companies operating in the technology sector can be instrumental allies in this respect, given the vast levels of threat intelligence data they often hold. This point is highlighted by a mutual data sharing agreement between telecoms firm BT and the international police force Interpol, signed in 2017. As part of this arrangement, BT threat intelligence experts provide data and knowledge to help Interpol uncover cybercrime gangs and individuals operating throughout the world.

Infosecurity recently caught up with two individuals extensively involved in the process: Kevin Brown, managing director for security at BT, and Doug Witschi, assistant director for cybercrime threat response & operations at Interpol. The two individuals discuss how the partnership works, how it assists in bringing cyber-criminals to justice and other effective methods of disrupting the activities of threat actors.

Data Sharing Agreement

Before joining BT, Brown spent 20 years working in law enforcement, and he therefore knows a thing or two about investigating criminal activity. He combined this knowledge with his experience working in threat intelligence and cybersecurity at BT before being appointed managing director of BT security in 2018.

While working in threat intelligence at BT, Brown felt that “cybercrime was moving at such a pace it was obvious that legislation was never going to keep up.” He believed that as a global company, BT was duty-bound to assist international law enforcement agencies in disrupting these activities across borders, which “as we know is still plagued with challenges.”

Doing so is clearly to the benefit of BT, as it will make itself and its customers more secure in the long-term, but Brown also noted the company “takes responsibility for playing a part in delivering a safer connected world.”

This led to the data-sharing agreement with Interpol, which affects all the countries where BT operates. “It is a very good opportunity for us to share emerging trends, known threats, and when some of the threats do land, and we see an attack in a certain country, very quickly having people on the ground to work with Interpol to understand: is this a regionalized matter, is it a nation-state, is it something that as a globe we need to be worried about?” explained Brown.

From a law enforcement perspective, partnerships such as the one with BT are “absolutely critical,” according to Interpol’s Witschi. “Cybercrime is an issue for all stakeholders connected to the virtual environment, so, ideally, we should all be trying to stamp out the challenges we’ve been identifying and seeing,” he added.

Witschi noted that the key to ensuring such partnerships are effective is to make them ‘collegiate’ rather than ‘transactional’. In essence this means making it beneficial to both parties. “We have our partners as part of our threat discussions on a fortnightly basis,” he explained. “We’re looking at a range of threats that impact and provide opportunities for different partners at different times.”

Witschi, who was previously a detective superintendent at the Australian Federal Police, said that agreements of this nature are crucial for cyber-threats emanating from Interpol member countries that lack cybersecurity resources and expertise at a government level. “What we’ve found with private-public partnerships like the relationship with BT is that we can call on specialist capabilities and certain capacities within those agencies to share a problem and help us to find a solution or strategy,” he said. “It might not necessarily be a law enforcement strategy, it might be a prevention operation, it might be some other activity, but at least we’re starting to have those discussions at a level I don’t think we’ve had previously in the law enforcement realm.”

Building More Public-Private Partnerships

Creating more of these private-public partnerships is essential for Interpol’s strategy to combat cybercrime. Witschi acknowledged, though, that there are several challenges in getting the necessary buy-in from many companies. First is the trust regarding the information shared: “People have to trust the people they’re working with, and there are processes around ensuring the information shared is used in the manner it’s intended, and that there’s not going to be any further repercussions in relation to that,” he stated. Another issue is that “over the last 12 months, we’ve seen organizations that have been attacked become quite insular.” In short, many organizations sadly wish to stay as quiet as possible about the attacks they face.

Such attitudes need to change, and fast. Witschi cited research that predicts global cybercrime costs will reach $6 trn in 2021, which makes it “the most significant crime type of our lifetime.” He added, “When is enough going to be enough? We’ve got a global problem here, and we’ve got to come together as a global community to find a solution to it.”


This is a view echoed by Brown, who said “BT has been very proactive and public around our support for public-private partnerships because there are some countries and organizations that are a little skeptical about what it means.” He emphasized that there is no personal data shared in this process, just that of threats. “It’s around threat data — the trend, the metadata, it’s not about the attribution of is it to this country or that country, it’s more about the threats itself. There’s a clear differentiation there,” he commented.

There are also safeguards concerning personal data being shared in BT’s partnership with Interpol and other agencies. He said, “The important thing is that in the agreements we have with Europol, Interpol and the NCSC, we’re very explicit about what we will or won’t share, and where there’s a need for legislation to be followed if it’s about attribution — it’s around making sure the right sort of guard rails and legislation are appropriately used.”

Witschi was keen to point out that maintaining individual privacy is something Interpol takes very seriously as well. “Interpol works under a very strict regime around the rules dealing with the processing of data, so we’re not immune to the fact we’ve got obligations and processes that we have to comply with,” he said. “These activities also go through a process of auditing, both internally and independently.”

While a law enforcement agency like Interpol naturally has to deal with personal data to identify and disrupt cyber-criminal networks, Witschi said, “we have a strict regime about how we can share that information and who we can share that information.”

In time, Brown expects that there will be a lot more companies willing to engage in such relationships with law enforcement agencies like Interpol. He cited survey data from earlier this year showing that cybersecurity is becoming an increasingly important consideration for consumers. “I’d like to think we’ll get to a point where Doug’s door is inundated with requests from the industry to be part of collegiate ways of working. We’ve still got a long way to go, but public perception has really shifted, and I think the pandemic has helped drive that,” he stated.

Witschi already sees significant movement in this direction since the start of COVID-19. “We’re seeing a lot more organizations wanting to come into the gateway arrangement with us than we have done in the past,” he outlined, adding that “Interpol’s quite unique in that we’re a neutral organization, we’re not here for the politics and we don’t look at state actors; what we try to do is facilitate outcomes from a cyber-criminal perspective.”

Disrupting Cyber-criminals

The conversation turned to other ways activities of cyber-criminals can be disrupted. This includes preventative measures, and Witschi gave an example of an operation in which Interpol, in collaboration with partners, analyzed the risks and vulnerabilities around the health sector inside its 194 member countries. “We don’t want another episode like in Dusseldorf, Germany, where a ransomware attack on a hospital resulted in the death of an individual. It’s quite feasible that’s going to happen again, whether it’s in a hospital or some other environment,” he explained.

Witschi added that the prosecution side of the work takes several forms. Much involves gaining intelligence on the relevant malicious actor/s. For example, for those attacks undertaken by a range of actors, “we’ve got to think about how these people are structured, how they meet, how they build trust because a lot of the issues we’re dealing with on our side, they’re dealing with on the dark side as well.” Gaining this kind of information can then provide opportunities to “interdict, disrupt and discredit those types of activities.”

He revealed that Interpol is also undertaking a lot of work in areas such as blockchain and cryptocurrencies, which are “facilitators of a lot of illicit money movement.”

Nevertheless, Witschi emphasized that there is a wide variety of cyber-attackers working in very different ways, meaning every operation “presents its own unique challenges.” Interpol therefore collaborates with relevant member countries, and with private sector partners, to overcome such challenges. He said such initiatives had been undertaken on several occasions in Africa. “We come together, talk about the issues, work up a clear set of objectives of what we’re trying to achieve and then put a plan together about how we can actually do that.”

Brown outlined proactive steps BT is taking to protect against rising cyber-attacks. He mentioned the company’s active cyber-defense strategy, which blocks around 135 million malicious communication attempts per day. Working in conjunction with other industry players is key to making such an approach most effective. “You multiply that by getting more telcos and ISPs on board, so you’re taking some of the noise out before it hits the end consumer.”

Bringing cyber-criminals to justice for their heinous acts should be looked upon as just as much a part of cybersecurity as defensive and preventive measures. Identifying those responsible is a particularly significant challenge, and companies with substantial insights on cyber-threats must help law enforcement as much as possible in their investigations. Bringing more cyber-criminals to justice is clearly in everyone’s best interests, as it will help stem the flow of attacks.
