Scotland’s fortnightly political & current affairs magazine

Subscribe

Subscribe to Holyrood
by
22 December 2014
Detect and disrupt


‘Page not found! It’s not you. It’s the internet’s fault,’ stated the online message on Sony’s PlayStation store earlier this month. And this, just a few weeks after its Hollywood film studios’ corporate network was targeted, resulting in 47,000 employees’ personal information being leaked, as well as several still-to-be-released films. However, the tech giant’s double whammy is just symptomatic of the ever-increasing threat of cybercrime, one that Troels Oerting, head of Europol’s European Cybercrime Centre (EC3) at The Hague, is all too aware of.

EC3 became operational almost two years ago, its remit to act as a focal point in the EU’s fight against online fraud, child sexual exploitation and other forms of online criminality, primarily those involving serious organised crime. Technical, analytical and forensic expertise has been pooled to support investigations within and across EU states, while EC3 also brokers cooperation outside the union, often with some tricky customers. Recently, for example, a joint operation between 16 European countries, led by EC3 and US authorities, resulted in 17 arrests and the removal of 400-plus services on the ‘dark net’ believed to be linked to the sale of illegal items such as weapons and drugs.

Today, though, the headlines are critical. ‘Business as usual on “dark web” one week after sting,’ says The Times, amid reports that illicit marketplaces untouched by the six-month-long investigation had simply swollen in size after Silk Road 2.0 and another 26 sites were shut down. 

Asked whether law enforcement is winning the fight against online crime, the head of EC3 says, matter-of-factly: “Yes, I am convinced about this.” That said, Oerting, who rose through the ranks of the Danish police to become director of their Serious Organised Crime Agency as well as director of operations in the Security Intelligence Service, is frank that his colleagues’ mindsets must change if they’re to continue to do so.

Traditional crimes, such as the sale of drugs, weapons or stolen goods, are being “industrialised” online, with the likes of Bitcoin offering a heightened degree of anonymity for both buyer and seller. “We see a mushrooming of these hidden services, predominantly on the Tor server, where they sell drugs, they can sell weapons, they sell stolen identities, stolen credit cards, stolen goods, anything you want,” says Oerting. “Then you pay, typically with virtual currency, and get it sent with the mailman.” 

Unmanned drones could well be the next delivery method, he suggests, given their ability to transport larger quantities of drugs anonymously. Traditional smuggling methods, meanwhile, are not immune to innovative tactics. In June last year, for instance, police in Belgium and the Netherlands dismantled a drug-smuggling ring that had been using hackers to tamper with systems controlling the movement of shipping containers to ensure their product slipped through unnoticed. 

Drugs, of course, are just one commodity. European Central Bank data earlier this year revealed that bank card fraud within the Single Euro Payments Area rose for the first time in four years, driven by higher internet fraud that stems from what EC3 calls the “cyber workhouse of the digital underground” – banking malware. This has been compounded by the emergence of a ‘service-based criminal industry’, warned their latest Internet Organised Crime Threat Assessment published in September. In essence, expert programmers are developing products and services to be used by other less capable criminals.

“This is the whole problem about cybercrime; you don’t have to sit in a basement and have a PhD in rocket science to do this work because you simply buy them off the shelf and utilise that which is already on the market,” says Oerting.

He also insists that police forces and governments must realise that “we cannot use the normal way of police thinking in policing us out of this”, primarily because jurisdictional boundaries don’t apply, meaning that individuals are “out of our reach from the very beginning”. Attacks originate mainly from outside the EU and as such, EC3 demands quick connections to be established, often with less accommodating countries, to ensure evidence is sealed or investigations commenced. 


“For this, our normal legal system, which is based on the Mutual Legal Assistance Treaty, is, in my view, outdated: it’s too slow, too cumbersome, it requires too many steps,” says Oerting. “We need to industrialise the way that we work with evidence obtaining in this world and then we probably need to have better international cooperation between the EU and outside.” 

Partnership work within the EU, spearheaded through joint investigation teams that consist of judicial and police authorities from at least two member states, is “excellent”, claims the EC3 director. In 2012, Europol supported almost 35 such teams. “But we have to work with all other kinds of countries and that can pose a problem because sometimes they don’t even want to extradite their criminals, so we have to hand over the case to them or do it jointly, which sometimes can be difficult. In the future, I think that you will see that some of these criminals will really enjoy trying to exploit this by operating from countries far away or from Africa and from other areas where there is a weak infrastructure and, by that, also rather limited opportunities for cooperation in a swift way. It’s a bigger problem than just legislation.”

An added problem is corporate players’ general unwillingness to report data breaches to law enforcement. A study published in June by the Centre for Strategic and International Studies and McAfee produced two separate estimates for the global cost of cybercrime that were some $200bn apart. The divergence, the authors said, was down to a lack of reporting and poor data collection. The report cites a 2010 case which saw Google hacked and 34 other Fortune 500 companies also affected; only one, besides Google, admitted to the crime. 

The draft Network and Information Security Directive, adopted by the European Parliament this March, represents the EU’s effort to establish a consistent set of cyber security standards across the union. Among its requirements, organisations in critical infrastructure industries, such as energy, transport and finance, will be compelled to report significant breaches to regulators. The EC’s desire to broaden this out to ‘information enablers’, such as e-commerce and cloud platforms, has been controversial, as the EC, European Parliament and member states sought to finalise the agreement this month.    

“There is a general unwillingness to report cybercrime because companies think that it will hamper their branding, image, reputation and standing; we need to work on this,” says Oerting. “We will not point fingers at a bank if there is a bank robbery. Why should we do it if there has been a robbery in the cyber world? The only thing we have to make sure is [that] they have done everything they can; there is no absolute security. If they have been sloppy, of course they should be criticised and maybe even punished. But there is a need for everybody to report more. Otherwise, we will never be able to get a correct figure on where we should prioritise our scarce resources to reduce crime [based on] where it is most needed.”

Despite recent criticism of US tech companies by new GCHQ head Robert Hannigan, Oerting says EC3’s outreach work with the private sector is very good. A UK-led Joint Cybercrime Action Taskforce was set up in September as a six-month pilot to co-ordinate international cybercrime investigations. It brings together cyber liaison officers from EC3 and EU states as well as external law enforcement partners, such as the FBI and authorities in Australia and Colombia, among others. It has been working on an encryption system designed to encourage exchange of data with private companies. In effect, only if matches between data sets are found would official requests be lodged by law enforcement to use it. “That way, we have limited the data transfer and it’s more proportionate than without having this system,” says Oerting.

However, he claims investigations are being hampered in the wake of the Snowden leaks. “If you look generally at this, what the tendency seems to be after the Snowden affair, there seems to be, by some of these companies, the wish to encrypt everything with an irreversible encryption so we cannot go to the companies and say, ‘what is on this account?’, ‘what has happened here?’ because they won’t have it,” he adds.

“This might be a wrong approach for private companies because if law enforcement is prevented from intercepting anything in a legal way where it is justified and where there is suspicion and we have a court order, it’s targeted, it’s proportionate, then I think it will be difficult to obtain evidence against cyber criminals as intelligence-led policing. And if we haven’t got that ability then we have to have other compensations to do our job, otherwise it will be the wild west and it will completely be free of any risk to commit crime.”

Oerting thinks this stems from an ill-founded belief that privacy and anonymity online are one and the same. “It seems that in the physical world, we have a footprint with our government and societies; we have full privacy and everybody tries to protect our privacy. But if you break the law, we take away your privacy if the police can get permission to search your house, to bug your phone, to do surveillance because there is a founded suspicion that you are a criminal. This should be the same online. I think there is this misconception that online anonymity and privacy is the same and I don’t think they are. You still have privacy, and I still think you have the right to privacy, but if you break the law, there must be somebody who does then have the possibility to penetrate your privacy in order to justify, in front of a judge, that you are the person who has conducted some kind of crime.  

“This is a discussion that we need to have in the future. That if we accept complete anonymity in the online world then it will also be without any possibilities for law enforcement to do any kind of crime fighting and then it will become the wild west. Who will then protect the four billion people who are online and not technical experts, just like in the physical world? This is a discussion that we need to have in a democratic society [on] where is the trade-off between freedom and security, and there will always be trade-offs. You cannot have full freedom and full security; it will always have to be a balance and we have to strike the right balance.” 
