In cybercrime, there is no classic victim – and no common attacker

Source: PSE June/July 2018

When it comes to cyber security, we are only as strong as our weakest link. PSE’s Jack Donnelly explores how safety in the digital age has drastically changed the landscape of crime, and looks at what the public, private and academic sectors can do to protect themselves.

On a busy Friday afternoon on 12 May, 2017, David Willis was away from the office. Instead, he was supporting his labouring wife in the maternity care unit at his local hospital, anticipating the birth of his child.

With a passion for technology – particularly clinical computers installed in hospitals – he took an interest in a newly installed online workstation that had all the bells and whistles on it: touchscreen, fingerprint scanners, faster data logging times. After all, when you are head of information governance at Wrightington, Wigan and Leigh NHS Foundation Trust, knowing about the tech used is part of the job. Yet whilst he was admiring the beauty of the system, the program ‘blue screened’: a fatal error, where the operating system can no longer operate safely and requires a password to restore the system back to normal service.

“I thought that was too much of a coincidence. I knew something wasn’t right there,” Willis told the audience at the Public Sector Cyber Security Conference last month. Only then did someone stick their head around the door and tell staff to disconnect all online machines.

Although he didn’t know it yet, Willis was witnessing a savage cyber-attack launched on the systems of the NHS, the UK’s online servers, and ultimately systems across the globe. What happened in his local hospital, and in 46 other NHS organisations around the country, was a ransomware attack known as WannaCry. It attacked Microsoft Windows operating systems by encrypting highly sensitive software information – essentially converting data into a code and preventing access by unauthorised parties – and demanding a ransom in return. The cyber-offensive was estimated to have affected more than 200,000 computers across the USA, South America, Russia, and Europe, causing hundreds of millions of pounds in damage – with the Public Accounts Committee still assessing the impact of the attack nationally.

The hack was also incredibly simple in the way it wormed its way into the public’s online system. WannaCry made use of the Server Message Block (SMB) protocol and relied only on users clicking on an email link to spread to other users’ inboxes and infiltrate public systems: it required no human intervention whatsoever once it was in the system. “The majority of problems organisations had was due to just clicking on an e-mail,” Willis said.

But WannaCry sits at the grand-scale end of online crime. The vast majority of digital threats target any user, meaning there is no explicit target for cyber-criminals, and they come from attackers who could be from a variety of backgrounds, with an array of motives for committing criminal acts online.

DC Paul Taylor of Greater Manchester Police’s (GMP’s) cybercrime team deals with individual cases on a daily basis. He said: “You can never really profile a cyber-criminal – you just arrest hackers. They could be people who range from ex-partners and ex-employees to ‘script kiddies’ – young kids who go on the computer, watch a few YouTube videos and think they’re a cyber-criminal.

“The UK law enforcement picture has to respond and enforce on multiple levels to a cyber-crime threat because the threat itself is on multiple levels,” he continued. “They pose a threat to the financial sector or the manufacturing centre: you may have a factory completely shut down because all of their files are encrypted that their machines depend on. We still have a threat from organised crime groups, and then, increasingly, a threat from nation-state actors.”

A growing – and evolving – challenge

Since Taylor joined the cybercrime team in 2014, their cases have skyrocketed. More than 400 reports of cybercrime were made to the GMP between March 2016 and October 2017. Over £250,000 has been lost by cyber security victims due to ransomware in that time. In the United States, the FBI says victims’ losses exceeded $1.4bn in 2017 due to internet crime.

“Last year was rife for ransomware,” Taylor said. “Every force tends to have a digital forensic unit, and in general they tend to be overworked; the volume of material coming in now is colossal. The demand on them is greater than ever, so we’re clearly facing quite a few challenges with digital crime.”

Earlier last month, Taylor worked on a case convicting university student Joshua Probert of cybercrime offences. Probert obtained personal information from young girls’ social media pages and blackmailed them, threatening to distribute the information unless he received increasingly sexual content – videos and photos from girls, some of them children – in what was dubbed ‘sextortion’: a criminal online attack committed in return for sexual favours. Probert’s case is one of many where any cyber-criminal able to use basic online skills can export multiple victims’ data and extort valuable information in return for whatever they demand.

“Often, when you deal with fraud and cybercrime it can feel a bit futile when you’re in the police, because you can look one way and there’s a million other issues to deal with,” said Taylor. “You can arrest as many people as possible, but you’ll be going on forever.”

Sharing responsibility

With online attacks continuing to soar, policing cybercrime becomes more difficult. Additionally, as most of the nation’s police forces are suffering cuts in funding, some of them with a 30% smaller workforce than before, the onus is on the public services to evolve to detect online crime and prevent it before widespread attacks such as WannaCry appear and severely damage the UK’s public services. David Willis said that contingency plans need to be put into place to prevent major public and cyber attacks from occurring at the same time, such as last year’s Manchester Arena terrorist bombing alongside a potential cyber-attack on the nation’s emergency services.

Adapted policing is one solution to achieving that, said Taylor: “I don’t think you can treat cyber as anything special anymore; I think it should be part of regular policing.” He labelled cybercrime as in the ‘mainstream’: it affects almost all crime types, from murders to harassment, and the cybercrime team cannot be as effective just working as the police service alone anymore. “It’s all about engaging with the public, private and academic sectors,” said the GMP investigator.

Employees in the public and private sectors have a responsibility in safeguarding valuable files of information. “Any data breach can have a significant impact,” said Mike Pannell, CTO of cyber and secure systems for majors and public sector at BT.

“Staff are key to prevention of lost data. Many have access to HR, payroll and sensitive data. When they have multiple roles, it’s difficult to keep all of that information separate and keep your business secure,” explained Pannell. With 85-95% of all cyber security failures being caused by human error, the general public should be expected to become cyber-savvy by making minor changes that could prevent them from becoming victims in the future.

“When you come across cybercrime victims, nothing clever or magical happened; it’s simply things they could have changed to protect themselves,” said DC Taylor. Willis echoed this: “There are 233 separate NHS organisations across the UK. A chain is only as strong as its weakest link.”

The stories of Willis and others falling victim to cybercrime in a public hospital show the damage online crime can create in the public sector. Moreover, the ease with which Joshua Probert was able to exploit young girls using basic online skills represents the ever-increasing task facing public sector workers like DC Taylor in nullifying crime inflicted by faceless actors on unsuspecting victims who may not know the best method to protect themselves from cybercrime. With 1.8 million incidents of fraud being cyber-related in 2017, the responsibility will be on users to protect their own data and protect themselves from becoming victims in the future.

