Moving target

Two-thirds of the work undertaken by Police Scotland’s specialist cybercrime unit is focused on indecent images of children. Detective Superintendent Stevie Wilson, cybercrime lead for the single force, does not see that proportion diminishing anytime soon. However, economic and “pure cyber-crimes” – as opposed to older crimes enhanced by the internet – are on the rise not just in Scotland but across Europe. “It’s advancing so quickly I don’t think that law enforcement can ever expect to be right on the curve – you’re always going to be reacting to a certain extent to some of the innovations that are coming,” admits Wilson. 

A little over a year ago, Police Scotland became the first force in the UK to receive university training on how to tackle cybercrime. In return, officers are now lecturing in some universities on what is being witnessed at the front end. The single force is also one of a number of law enforcement agencies across Europe working with Napier University as part of an EU-funded project to develop an advanced training platform for all levels of the police family, whether it be new officers or those in specialist areas.

Acknowledging that small and medium-size enterprises are often more vulnerable and as such, offer a route into the supply chain, the Scottish Business Resilience Centre has this year taken on interns from universities to help test firms’ defences. Police Scotland itself is currently scoping the potential for internships running between six and nine months to give those who are university-trained a solid grounding in forensic investigation. “The idea of law enforcement tackling this alone is a complete fallacy,” says Wilson, describing the academic sector as Scotland’s “jewel in the crown”.

Legislation remains a thorny issue, though. “If you take it from the UK perspective, in many respects, we’re applying 19th and 20th century legal principles to 21st-century technology,” he says. “The idea of jurisdiction is something that’s quite a difficult concept when you start looking at the internet.” A fiscal within the Crown Office has been given overall responsibility in relation to cybercrime, while police are now in regular discussion with sheriffs to communicate the legal complexities they’re facing. “I think the legislation we have just now, the Computer Misuse Act, is fit for purpose for what we’re trying to achieve,” adds Wilson. “It’s more the application of it that we need to look at. If the crime type evolves, that’s where we need to be able to say the legislation needs to be able to evolve to actually tackle the crime type.” Attribution remains one of the tallest hurdles, with identification of IP addresses informing police where data is going but not necessarily who is perpetrating the act.

Unlike real world cases, evidence – in other words, data – is volatile, capable of being wiped in an instant. “We may well need to try new things to recover that material that we might actually need to go ahead of the legislation,” says Wilson. “That would need to be tested in court to say, ‘how have we actually been able to recover that material?’, to say, ‘is that legal?’, ‘is it something that could be applied in the future?’ [With] the concept of a conventional search, if you are acting to recover something that otherwise will be destroyed, i.e. say there is a weapon from a murder inquiry, you would be entitled to force that door without a warrant. You might need to look at the situation of how do we act to recover that material in cyberspace knowing that it might be destroyed immediately.”

Police Scotland, along with the Metropolitan Police, are the only two UK forces to have their own liaison officer at The Hague-based Europol. Launched last year, Europol’s European Cybercrime Centre (EC3) offers support to multinational operations as well as helping spread relevant intelligence. Attacks, however, originate primarily from jurisdictions outside of the EU. That requires swift connections with countries further afield to ensure evidence is either sealed or investigations started. 

“For this, our normal legal system, which is based on the Mutual Legal Assistance Treaty, is, in my point of view, outdated – it’s too slow, too cumbersome, it requires too many steps,” says EC3 director, Troels Oerting. “We need to industrialise the way that we work with evidence obtaining in this world and then we probably need to have better international cooperation between the EU and outside.” Especially since this area is becoming increasingly commercialised as skilled malware coders produce products and services for use by anyone on the ‘deep web’, a sprawling anonymous area of the internet.

Amidst recent criticism of US tech companies by new GCHQ head Robert Hannigan, Oerting says EC3’s outreach work with the private sector is very good. However, he is less enthusiastic about what he sees as a “misconception” that privacy and anonymity online are one and the same. A number of private companies are now intent on irreversible encryption of data, he claims, frustrating police attempts to obtain evidence when granted permission. “If we haven’t got that ability then we have to have other compensations to do our job, otherwise it will be the Wild West and it will be completely free of any risk to commit crime,” he tells Holyrood.    

Even then, investigations require skilled individuals to lead them. “There are not enough security professionals to work in security companies like ours,” says Rashmi Knowles, chief security architect at RSA. “Then you think about companies, there just isn’t a pool of people to recruit from, so companies are struggling with getting the right people. Government organisations suffer even more because they can’t attract the good security people and if they take them on, they’ll leave within six months to a year because they have been poached by industry.” 

A few steps further back, changes in the curriculum to encourage ‘cyber hygiene’ are needed, underlines Wilson. “The key to me for this is we start at primary school,” he says. Police Scotland has jointly led a 12-week pilot on cyber security with all first years at one secondary school in south Ayrshire, seeing pupils carry out cyber security assessments of their parents and grandparents’ digital devices as homework. The joint venture concludes next week and, subject to evaluation, could be set for wider rollout.

One of the growing problems seen in Scotland of late has been phishing attacks – a method used to access personal details – with the agricultural sector and elderly targeted in particular. Knowles believes theft of corporate intellectual property remains vastly under reported given companies fear the reputational damage that might follow. Scotland’s expertise in areas such as energy and life sciences makes it “potentially more attractive” in this regard, acknowledges Wilson.   

Europe-wide, more than two-thirds of law enforcement has encountered some form of ransomware, whereby users are effectively locked out of their data. As part of a shift towards the so-called ‘Internet of Things’ – in which previously dumb objects come to life through in-built sensors and web connections – Knowles warns the crime is likely to evolve even further. 

“I think you’ll see a crime economy coming out of that as well, which is really around threatening either people who wear pacemakers, for example, which have wireless capability; [also] diabetics’ insulin pumps, a lot of those have wireless capability. If you can tamper into one of those, you can hold people to ransom… a lot of the analysts are saying there is going to be a huge rise in that.”