Crime Reduction

25.06.18

In cybercrime, there is no classic victim – and no common attacker

Source: PSE June/July 2018

When it comes to cyber security, we are only as strong as our weakest link. PSE’s Jack Donnelly explores how safety in the digital age has drastically changed the landscape of crime, and looks at what the public, private and academic sectors can do to protect themselves.

On a busy Friday afternoon on 12 May, 2017, David Willis was away from the office. Instead, he was supporting his labouring wife in the maternity care unit at his local hospital, anticipating the birth of his child.

With a passion in technology – particularly in clinical computers installed in hospitals – he took interest in a newly-installed online workstation that had all the bells and whistles on it: touchscreen, fingerprint scanners, faster data logging times. After all, when you are head of information governance at Wrightington, Wigan and Leigh NHS Foundation Trust, knowing about the tech used is part of the job. Yet whilst admiring the beauty of the system, the program ‘blue screened’: a fatal error, where the operating system can no longer operate safely and requires a password to restore the system back to normal service.

“I thought that was too much of a coincidence. I knew something wasn’t right there,” Willis told the audience at the Public Sector Cyber Security Conference last month. Only then did someone stick their head around the door and tell staff to disconnect all online machines.

Although he didn’t know it yet, Willis was witnessing a savage cyber-attack launched on the systems of the NHS, the UK’s online servers, and ultimately systems across the globe. What happened in his local hospital, and in 46 other NHS organisations around the country, was a ransomware attack known as WannaCry. This was an assault on Microsoft Windows operating systems by encrypting – essentially converting data into a code, and preventing access from unauthorised parties – highly sensitive software information and demanding a ransom in return. The cyber-offensive was estimated to have affected more than 200,000 computers across the USA, South America, Russia, and Europe, causing hundreds of millions of pounds in damage – with the Public Accounts Committee still assessing the impact of the attack nationally.

The hack was incredibly simple in worming its way into the public’s online system as well. WannaCry made use of the server messaging-block and only relied on users clicking on an email link to spread to other users’ inboxes and infiltrate public systems: it had no human intervention whatsoever once it was in the system. “The majority of problems organisations had was due to just clicking on an e-mail,” Willis said.

But WannaCry is on the grand-scale of online crime. The vast majority of digital threats target any user – meaning there is no explicit target for cyber-criminals – from attackers who could be from a variety of backgrounds with an array of motives for committing criminal acts online.

DC Paul Taylor of Greater Manchester Police’s (GMP’s) cybercrime team deals with individual cases on a daily basis. He said: “You can never really profile a cyber-criminal – you just arrest hackers. They could be people who range from ex-partners and ex-employees to ‘script kiddies’ – young kids who go on the computer, watch a few YouTube videos and think they’re a cyber-criminal.

“The UK law enforcement picture has to respond and enforce on multiple levels to a cyber-crime threat because the threat itself is on multiple levels,” he continued. “They pose a threat to the financial sector or the manufacturing centre: you may have a factory completely shut down because all of their files are encrypted that their machines depend on. We still have a threat from organised crime groups, and then, increasingly, a threat from nation-state actors.”

A growing – and evolving – challenge

Since Taylor joined the cybercrime team in 2014, their cases have skyrocketed. More than 400 reports of cybercrime were made to the GMP between March 2016 and October 2017. Over £250,000 has been lost by cyber security victims due to ransomware in that time. In the United States, the FBI says victims’ losses exceeded $1.4bn in 2017 due to internet crime.

“Last year was rife for ransomware,” Taylor said. “Every force tends to have a digital forensic unit, and in general they tend to be overworked; the volume of material coming in now is colossal. The demand on them is greater than ever, so we’re clearly facing quite a few challenges with digital crime.”

Earlier last month, Taylor worked on a case convicting university student Joshua Probert for cybercrime offences. Probert obtained personal information from young girls’ social media pages and blackmailed them, threatening to distribute the information in return for increasingly sexual content – videos and photos from girls, some of them children, in what was dubbed as ‘sextortion’ by committing a criminal online attack for sexual favours in return. Probert’s case is one of many where any cyber-criminal able to use basic online skills can export multiple victims’ data and extort valuable information in return for whatever they demand.

“Often, when you deal with fraud and cybercrime it can feel a bit futile when you’re in the police, because you can look one way and there’s a million other issues to deal with,” said Taylor. “You can arrest as many people as possible, but you’ll be going on forever.”

Sharing responsibility

With online attacks continuing to soar, policing cybercrime becomes more difficult. Additionally, as most of the nation’s police forces are suffering cuts in funding, some of them with a 30% smaller workforce than before, the onus is on the public services to evolve into detecting online crime and preventing it before widespread attacks such as WannaCry appear and severely damage the UK’s public services. David Willis said that contingency plans need to be put into place to prevent major public and cyber attacks from occurring at the same time, such as last year’s Manchester Arena terrorist bombing alongside a potential cyber-attack on the nation’s emergency services.

Adapted policing is one solution to achieving that, said Taylor: “I don’t think you can treat cyber as anything special anymore; I think it should be part of regular policing.” He labelled cybercrime as in the ‘mainstream’: it affects almost all crime types, from murders to harassment, and the cybercrime team cannot be as effective just working as the police service alone anymore. “It’s all about engaging with the public, private and academic sectors,” said the GMP investigator.

Employees in the public and private sectors have a responsibility in safeguarding valuable files of information. “Any data breach can have a significant impact,” said Mike Pannell, CTO of cyber and secure systems for majors and public sector at BT.

“Staff are key to prevention of lost data. Many have access to HR, payroll and sensitive data. When they have multiple roles, it’s difficult to keep all of that information separate and keep your business secure,” explained Pannell. With 85-95% of all cyber security failures being caused by human error, the general public should be expected to become cyber-savvy by making minor changes that could prevent themselves from becoming a victim in the future.

“When you come across cybercrime victims, nothing clever or magical happened; it’s simply things they could have changed to protect themselves,” said DC Taylor. Willis echoed this: “There are 233 separate NHS organisations across the UK. A chain is only as strong as its weakest link.”

The stories of Willis and others falling victim to cybercrime in a public hospital shows the damage online crime can create in the public sector. Moreover, the ease with which Joshua Probert was able to exploit young girls using basic online skills represent the ever-increasing task facing public sector workers like DC Taylor in nullifying crime created by faceless actors unto unsuspecting victims who may not know the best method to protect themselves from cybercrime. With 1.8 million incidents of fraud being cyber-related in 2017, the responsibility will be on the user to protect their own data and protect themselves from becoming a victim in the future.

Comments

There are no comments. Why not be the first?

Add your comment

 

public sector executive tv

more videos >

latest public sector news

Council to spend £4m investigating senior officers who gave themselves 20% wage rise during pay freeze

14/12/2018Council to spend £4m investigating senior officers who gave themselves 20% wage rise during pay freeze

A council has agreed to allocate nearly an extra £250,000 to an investigation looking into alleged pay rises given to senior officers. ... more >
Government commissioner allows Wakefield Council to retain full control of services

14/12/2018Government commissioner allows Wakefield Council to retain full control of services

Almost four months after Ofsted inspectors identified “serious and widespread failures” across Wakefield’s children’s ser... more >
Fife Council scraps controversial P1 assessments despite harsh government opposition

14/12/2018Fife Council scraps controversial P1 assessments despite harsh government opposition

Fife Council has announced that it will be scrapping the controversial standardised P1 assessments at the end of the current academic year. ... more >

editor's comment

25/10/2017Take a moment to celebrate

Devolution, restructuring and widespread service reform: from a journalist’s perspective, it’s never been a more exciting time to report on the public sector. That’s why I could not be more thrilled to be taking over the reins at PSE at this key juncture. There could not be a feature that more perfectly encapsulates this feeling of imminent change than the article James Palmer, mayor of Cambridgeshire and Peterborough,... read more >

last word

The importance of openness after Grenfell

The importance of openness after Grenfell

Following the recent Grenfell Tower tragedy, Lord Porter, chairman of the LGA, argues that if the public are going to have faith in the safety testing process then everything must be out in the open — and this needs to happen as soon as possible. The fire at Grenfell Tower has been an unimaginable tragedy and it continues to be a hu... more > more last word articles >
Council to spend £4m investigating senior officers who gave themselves 20% wage rise during pay freeze

14/12/2018Council to spend £4m investigating senior officers who gave themselves 20% wage rise during pay freeze

A council has agreed to allocate nearly an extra £250,000 to an investigation looking into alleged pay rises given to senior officers. Labour, Plaid Cymru, and Independent members at C... more >
Government commissioner allows Wakefield Council to retain full control of services

14/12/2018Government commissioner allows Wakefield Council to retain full control of services

Almost four months after Ofsted inspectors identified “serious and widespread failures” across Wakefield’s children’s services, it has today been announced that the counci... more >

the raven's daily blog

Blog: 5 minutes with Gary Wallis-Clarke, member of the Northern Powerhouse Education and Skills Group

12/12/2018Blog: 5 minutes with Gary Wallis-Clarke, member of the Northern Powerhouse Education and Skills Group

Ahead of the upcoming networking extravaganza EvoNorth, we caught up with Gary Wallis-Clarke, a member of the Northern Powerhouse Education and Skills group, executive headteacher at West Jesmond Primary school, and its national leader of education. In our interview, Gary reveals what the Northern Powerhouse means to him and explains... more >
read more blog posts from 'the raven' >

comment

The digital buying community is live

12/11/2018The digital buying community is live

Many of the requirements from buyers posted on the Digital Marketplace were either non-compliant or poorly worded, which resulted in challenges f... more >
A force to be reckoned with

12/11/2018A force to be reckoned with

The South Bank plan, which refers to a number of investments and proposed activities across a massive plot of land south of the River Aire, is on... more >
Less for less: the risk of 'core offers'

12/11/2018Less for less: the risk of 'core offers'

As councils across England struggle with their finances in the face of massive cuts from central government, Simon Edwards, director of the Count... more >
A two-speed England

05/11/2018A two-speed England

Central government needs to change its approach to local transport planning and investment, including by consolidating funding and maximising dev... more >

interviews

New Dorset Councils CEO on the creation of a new unitary: ‘This is going to be the right decision for Dorset’

05/11/2018New Dorset Councils CEO on the creation of a new unitary: ‘This is going to be the right decision for Dorset’

The new chief executive of one of the new unitary authorities in Dorset has outlined his approach to culture and work with employees, arguing tha... more >
Keeping the momentum of the Northern Powerhouse

15/10/2018Keeping the momentum of the Northern Powerhouse

On 6 September, the biggest decision-makers of the north joined forces to celebrate and debate how to drive innovation and improvement through th... more >
Cllr Cutts on dealing with children’s services pressures: ‘I can’t magic money out of the air’

26/09/2018Cllr Cutts on dealing with children’s services pressures: ‘I can’t magic money out of the air’

The leader of Nottinghamshire County Council has outlined her priorities for dealing with soaring demand of children’s services and social ... more >
Nottinghamshire considers unitary shake-up proposals in a bid to balance books

05/09/2018Nottinghamshire considers unitary shake-up proposals in a bid to balance books

Nottinghamshire County Council is considering proposals to scrap its current two-tier structure for a new unitary system in order to save on... more >

public sector focus

View all News