25.06.18

In cybercrime, there is no classic victim – and no common attacker

Source: PSE June/July 2018

When it comes to cyber security, we are only as strong as our weakest link. PSE’s Jack Donnelly explores how safety in the digital age has drastically changed the landscape of crime, and looks at what the public, private and academic sectors can do to protect themselves.

On a busy Friday afternoon on 12 May, 2017, David Willis was away from the office. Instead, he was supporting his labouring wife in the maternity care unit at his local hospital, anticipating the birth of his child.

With a passion for technology – particularly in clinical computers installed in hospitals – he took interest in a newly-installed online workstation that had all the bells and whistles on it: touchscreen, fingerprint scanners, faster data logging times. After all, when you are head of information governance at Wrightington, Wigan and Leigh NHS Foundation Trust, knowing about the tech used is part of the job. Yet whilst admiring the beauty of the system, the program ‘blue screened’: a fatal error, where the operating system can no longer operate safely and requires a password to restore the system back to normal service.

“I thought that was too much of a coincidence. I knew something wasn’t right there,” Willis told the audience at the Public Sector Cyber Security Conference last month. Only then did someone stick their head around the door and tell staff to disconnect all online machines.

Although he didn’t know it yet, Willis was witnessing a savage cyber-attack launched on the systems of the NHS, the UK’s online servers, and ultimately systems across the globe. What happened in his local hospital, and in 46 other NHS organisations around the country, was a ransomware attack known as WannaCry. This was an assault on Microsoft Windows operating systems that encrypted highly sensitive software information – essentially converting data into a code, and preventing access from unauthorised parties – and demanded a ransom in return. The cyber-offensive was estimated to have affected more than 200,000 computers across the USA, South America, Russia, and Europe, causing hundreds of millions of pounds in damage – with the Public Accounts Committee still assessing the impact of the attack nationally.

The hack was also incredibly simple in the way it wormed its way into the public’s online systems. WannaCry made use of the Server Message Block (SMB) protocol and only relied on users clicking on an email link to spread to other users’ inboxes and infiltrate public systems: it needed no human intervention whatsoever once it was in the system. “The majority of problems organisations had was due to just clicking on an e-mail,” Willis said.

But WannaCry sits at the grand-scale end of online crime. The vast majority of digital threats target any user – meaning there is no explicit target for cyber-criminals – and come from attackers of varied backgrounds with an array of motives for committing criminal acts online.

DC Paul Taylor of Greater Manchester Police’s (GMP’s) cybercrime team deals with individual cases on a daily basis. He said: “You can never really profile a cyber-criminal – you just arrest hackers. They could be people who range from ex-partners and ex-employees to ‘script kiddies’ – young kids who go on the computer, watch a few YouTube videos and think they’re a cyber-criminal.

“The UK law enforcement picture has to respond and enforce on multiple levels to a cyber-crime threat because the threat itself is on multiple levels,” he continued. “They pose a threat to the financial sector or the manufacturing centre: you may have a factory completely shut down because all of their files are encrypted that their machines depend on. We still have a threat from organised crime groups, and then, increasingly, a threat from nation-state actors.”

A growing – and evolving – challenge

Since Taylor joined the cybercrime team in 2014, their cases have skyrocketed. More than 400 reports of cybercrime were made to the GMP between March 2016 and October 2017. Over £250,000 has been lost by cyber security victims due to ransomware in that time. In the United States, the FBI says victims’ losses exceeded $1.4bn in 2017 due to internet crime.

“Last year was rife for ransomware,” Taylor said. “Every force tends to have a digital forensic unit, and in general they tend to be overworked; the volume of material coming in now is colossal. The demand on them is greater than ever, so we’re clearly facing quite a few challenges with digital crime.”

Earlier last month, Taylor worked on a case convicting university student Joshua Probert for cybercrime offences. Probert obtained personal information from young girls’ social media pages and blackmailed them, threatening to distribute the information unless they sent increasingly sexual content – videos and photos from girls, some of them children – in what was dubbed ‘sextortion’: committing a criminal online attack in return for sexual favours. Probert’s case is one of many where any cyber-criminal able to use basic online skills can export multiple victims’ data and extort valuable information in return for whatever they demand.

“Often, when you deal with fraud and cybercrime it can feel a bit futile when you’re in the police, because you can look one way and there’s a million other issues to deal with,” said Taylor. “You can arrest as many people as possible, but you’ll be going on forever.”

Sharing responsibility

With online attacks continuing to soar, policing cybercrime becomes more difficult. Additionally, as most of the nation’s police forces are suffering cuts in funding, some of them with a 30% smaller workforce than before, the onus is on the public services to evolve into detecting online crime and preventing it before widespread attacks such as WannaCry appear and severely damage the UK’s public services. David Willis said that contingency plans need to be put into place to prevent major public and cyber attacks from occurring at the same time, such as last year’s Manchester Arena terrorist bombing alongside a potential cyber-attack on the nation’s emergency services.

Adapted policing is one solution to achieving that, said Taylor: “I don’t think you can treat cyber as anything special anymore; I think it should be part of regular policing.” He labelled cybercrime as in the ‘mainstream’: it affects almost all crime types, from murders to harassment, and the cybercrime team cannot be as effective just working as the police service alone anymore. “It’s all about engaging with the public, private and academic sectors,” said the GMP investigator.

Employees in the public and private sectors have a responsibility in safeguarding valuable files of information. “Any data breach can have a significant impact,” said Mike Pannell, CTO of cyber and secure systems for majors and public sector at BT.

“Staff are key to prevention of lost data. Many have access to HR, payroll and sensitive data. When they have multiple roles, it’s difficult to keep all of that information separate and keep your business secure,” explained Pannell. With 85-95% of all cyber security failures being caused by human error, the general public should be expected to become cyber-savvy by making minor changes that could prevent them from becoming victims in the future.

“When you come across cybercrime victims, nothing clever or magical happened; it’s simply things they could have changed to protect themselves,” said DC Taylor. Willis echoed this: “There are 233 separate NHS organisations across the UK. A chain is only as strong as its weakest link.”

The stories of Willis and others falling victim to cybercrime in a public hospital show the damage online crime can create in the public sector. Moreover, the ease with which Joshua Probert was able to exploit young girls using basic online skills represents the ever-increasing task facing public sector workers like DC Taylor in nullifying crime committed by faceless actors against unsuspecting victims who may not know the best method to protect themselves from cybercrime. With 1.8 million incidents of fraud being cyber-related in 2017, the responsibility will be on the user to protect their own data and protect themselves from becoming a victim in the future.
