Crime Reduction

25.06.18

In cybercrime, there is no classic victim – and no common attacker

Source: PSE June/July 2018

When it comes to cyber security, we are only as strong as our weakest link. PSE’s Jack Donnelly explores how safety in the digital age has drastically changed the landscape of crime, and looks at what the public, private and academic sectors can do to protect themselves.

On a busy Friday afternoon on 12 May, 2017, David Willis was away from the office. Instead, he was supporting his labouring wife in the maternity care unit at his local hospital, anticipating the birth of his child.

With a passion in technology – particularly in clinical computers installed in hospitals – he took interest in a newly-installed online workstation that had all the bells and whistles on it: touchscreen, fingerprint scanners, faster data logging times. After all, when you are head of information governance at Wrightington, Wigan and Leigh NHS Foundation Trust, knowing about the tech used is part of the job. Yet whilst admiring the beauty of the system, the program ‘blue screened’: a fatal error, where the operating system can no longer operate safely and requires a password to restore the system back to normal service.

“I thought that was too much of a coincidence. I knew something wasn’t right there,” Willis told the audience at the Public Sector Cyber Security Conference last month. Only then did someone stick their head around the door and tell staff to disconnect all online machines.

Although he didn’t know it yet, Willis was witnessing a savage cyber-attack launched on the systems of the NHS, the UK’s online servers, and ultimately systems across the globe. What happened in his local hospital, and in 46 other NHS organisations around the country, was a ransomware attack known as WannaCry. This was an assault on Microsoft Windows operating systems by encrypting – essentially converting data into a code, and preventing access from unauthorised parties – highly sensitive software information and demanding a ransom in return. The cyber-offensive was estimated to have affected more than 200,000 computers across the USA, South America, Russia, and Europe, causing hundreds of millions of pounds in damage – with the Public Accounts Committee still assessing the impact of the attack nationally.

The hack was incredibly simple in worming its way into the public’s online system as well. WannaCry made use of the server messaging-block and only relied on users clicking on an email link to spread to other users’ inboxes and infiltrate public systems: it had no human intervention whatsoever once it was in the system. “The majority of problems organisations had was due to just clicking on an e-mail,” Willis said.

But WannaCry is on the grand-scale of online crime. The vast majority of digital threats target any user – meaning there is no explicit target for cyber-criminals – from attackers who could be from a variety of backgrounds with an array of motives for committing criminal acts online.

DC Paul Taylor of Greater Manchester Police’s (GMP’s) cybercrime team deals with individual cases on a daily basis. He said: “You can never really profile a cyber-criminal – you just arrest hackers. They could be people who range from ex-partners and ex-employees to ‘script kiddies’ – young kids who go on the computer, watch a few YouTube videos and think they’re a cyber-criminal.

“The UK law enforcement picture has to respond and enforce on multiple levels to a cyber-crime threat because the threat itself is on multiple levels,” he continued. “They pose a threat to the financial sector or the manufacturing centre: you may have a factory completely shut down because all of their files are encrypted that their machines depend on. We still have a threat from organised crime groups, and then, increasingly, a threat from nation-state actors.”

A growing – and evolving – challenge

Since Taylor joined the cybercrime team in 2014, their cases have skyrocketed. More than 400 reports of cybercrime were made to the GMP between March 2016 and October 2017. Over £250,000 has been lost by cyber security victims due to ransomware in that time. In the United States, the FBI says victims’ losses exceeded $1.4bn in 2017 due to internet crime.

“Last year was rife for ransomware,” Taylor said. “Every force tends to have a digital forensic unit, and in general they tend to be overworked; the volume of material coming in now is colossal. The demand on them is greater than ever, so we’re clearly facing quite a few challenges with digital crime.”

Earlier last month, Taylor worked on a case convicting university student Joshua Probert for cybercrime offences. Probert obtained personal information from young girls’ social media pages and blackmailed them, threatening to distribute the information in return for increasingly sexual content – videos and photos from girls, some of them children, in what was dubbed as ‘sextortion’ by committing a criminal online attack for sexual favours in return. Probert’s case is one of many where any cyber-criminal able to use basic online skills can export multiple victims’ data and extort valuable information in return for whatever they demand.

“Often, when you deal with fraud and cybercrime it can feel a bit futile when you’re in the police, because you can look one way and there’s a million other issues to deal with,” said Taylor. “You can arrest as many people as possible, but you’ll be going on forever.”

Sharing responsibility

With online attacks continuing to soar, policing cybercrime becomes more difficult. Additionally, as most of the nation’s police forces are suffering cuts in funding, some of them with a 30% smaller workforce than before, the onus is on the public services to evolve into detecting online crime and preventing it before widespread attacks such as WannaCry appear and severely damage the UK’s public services. David Willis said that contingency plans need to be put into place to prevent major public and cyber attacks from occurring at the same time, such as last year’s Manchester Arena terrorist bombing alongside a potential cyber-attack on the nation’s emergency services.

Adapted policing is one solution to achieving that, said Taylor: “I don’t think you can treat cyber as anything special anymore; I think it should be part of regular policing.” He labelled cybercrime as in the ‘mainstream’: it affects almost all crime types, from murders to harassment, and the cybercrime team cannot be as effective just working as the police service alone anymore. “It’s all about engaging with the public, private and academic sectors,” said the GMP investigator.

Employees in the public and private sectors have a responsibility in safeguarding valuable files of information. “Any data breach can have a significant impact,” said Mike Pannell, CTO of cyber and secure systems for majors and public sector at BT.

“Staff are key to prevention of lost data. Many have access to HR, payroll and sensitive data. When they have multiple roles, it’s difficult to keep all of that information separate and keep your business secure,” explained Pannell. With 85-95% of all cyber security failures being caused by human error, the general public should be expected to become cyber-savvy by making minor changes that could prevent themselves from becoming a victim in the future.

“When you come across cybercrime victims, nothing clever or magical happened; it’s simply things they could have changed to protect themselves,” said DC Taylor. Willis echoed this: “There are 233 separate NHS organisations across the UK. A chain is only as strong as its weakest link.”

The stories of Willis and others falling victim to cybercrime in a public hospital shows the damage online crime can create in the public sector. Moreover, the ease with which Joshua Probert was able to exploit young girls using basic online skills represent the ever-increasing task facing public sector workers like DC Taylor in nullifying crime created by faceless actors unto unsuspecting victims who may not know the best method to protect themselves from cybercrime. With 1.8 million incidents of fraud being cyber-related in 2017, the responsibility will be on the user to protect their own data and protect themselves from becoming a victim in the future.

Comments

There are no comments. Why not be the first?

Add your comment

 

public sector executive tv

more videos >

latest public sector news

Council controversially begins first monthly bin collection in England and Wales

25/09/2018Council controversially begins first monthly bin collection in England and Wales

Monthly bin collections have been introduced for the first time in England and Wales by Conwy County Council, despite major complaints from resid... more >
Nottinghamshire leader hits back: ‘We’re the most transparent and open council there is’

25/09/2018Nottinghamshire leader hits back: ‘We’re the most transparent and open council there is’

The leader of Nottinghamshire County Council has hit back against claims that the authority lacks transparency, claiming that the council is &ldq... more >
Exclusive: Notts leader rejects calls for council merger referendum, public decision due in May

25/09/2018Exclusive: Notts leader rejects calls for council merger referendum, public decision due in May

The leader of Nottinghamshire County Council has rejected calls from opposing councillors to put potential merger plans to a referendum, arguing ... more >

editor's comment

25/10/2017Take a moment to celebrate

Devolution, restructuring and widespread service reform: from a journalist’s perspective, it’s never been a more exciting time to report on the public sector. That’s why I could not be more thrilled to be taking over the reins at PSE at this key juncture. There could not be a feature that more perfectly encapsulates this feeling of imminent change than the article James Palmer, mayor of Cambridgeshire and Peterborough,... read more >

last word

The importance of openness after Grenfell

The importance of openness after Grenfell

Following the recent Grenfell Tower tragedy, Lord Porter, chairman of the LGA, argues that if the public are going to have faith in the safety testing process then everything must be out in the open — and this needs to happen as soon as possible. The fire at Grenfell Tower has been an unimaginable tragedy and it continues to be a hu... more > more last word articles >
Council controversially begins first monthly bin collection in England and Wales

25/09/2018Council controversially begins first monthly bin collection in England and Wales

Monthly bin collections have been introduced for the first time in England and Wales by Conwy County Council, despite major complaints from residents over piles of waste, rats and fly-tipping. ... more >
Nottinghamshire leader hits back: ‘We’re the most transparent and open council there is’

25/09/2018Nottinghamshire leader hits back: ‘We’re the most transparent and open council there is’

The leader of Nottinghamshire County Council has hit back against claims that the authority lacks transparency, claiming that the council is “the most open and transparent council there is.... more >

the raven's daily blog

Social value: what is it and why?

14/09/2018Social value: what is it and why?

Ben Carpenter, chief executive of Social Value UK, discusses the worth of social value, and argues that, before we start measuring social value, we should ask clearly: what is it, and why? Social value is so much more than a value for money exercise. If you see social value as simply a new catchphrase for ‘efficiency savings’... more >
read more blog posts from 'the raven' >

comment

Crown Commercial Service: Travel solutions on track

10/09/2018Crown Commercial Service: Travel solutions on track

Katrina Williams, head of travel at the Crown Commercial Service (CCS), explains how they are helping government organisations to get the best de... more >
LEPs need to do more for England's countryside

10/09/2018LEPs need to do more for England's countryside

Paul Miner, head of strategic plans and devolution at the Campaign to Protect Rural England (CPRE), highlights the findings of a recent survey wh... more >
What about social care?

10/09/2018What about social care?

Cllr Izzi Seccombe, chairman of the LGA’s Community Wellbeing Board, looks at the exclusion of social care from the government’s rece... more >
Re-evaluating public service reforms

10/09/2018Re-evaluating public service reforms

Chris Painter, professor emeritus at Birmingham City University, explores the paradox of reform principles persisting despite mounting evidence a... more >

interviews

Michael King: Time for Ombudsman reform

06/08/2018Michael King: Time for Ombudsman reform

Michael King first joined the Local Government Ombudsman service back in 2004 as deputy ombudsman. At the start of 2017, he was appointed as the ... more >
Helping a city understand itself

06/08/2018Helping a city understand itself

SPONSORED INTERVIEW The urban landscape is changing. How can local authorities keep up with citizen behaviour? Stephen Leece, managing directo... more >
Modern policing: the future is bright

06/08/2018Modern policing: the future is bright

SPONSORED INTERVIEW The public sector, and policing in particular, has often been criticised as being slow to adapt to change. But now, says L... more >
Data at the heart of digital transformation

03/04/2018Data at the heart of digital transformation

SPONSORED INTERVIEW Grant Caley, UK & Ireland chief technologist at NetApp, speaks to PSE’s Luana Salles about the benefits of movin... more >

public sector focus

View all News