Celebrated instances of botnet takedowns and cyber crime indictments often rely on major cybersecurity vendors for intelligence and expertise. But can the government bring cyber criminals to justice without the backing of the private sector? Dan Raywood investigates.
Earlier this year, Assured Intelligence considered global law enforcement’s response efforts to ransomware. We questioned whether there is an adequate response to stop ransomware groups from operating and succeeding in their attacks. For the answer to that question, check out the article.
One of the commentators in that discussion claimed a legacy issue “where many governments underinvested in fighting cyber crime, leaving law enforcement agencies with little or no choice but to cooperate with private sector firms to gain intelligence about those behind the various cyber crimes and attacks.” The commentator in question was Brian Honan, CEO of BH Consulting, and we circled back with him to further unpick his comments. Is there a shortage of investment in fighting cyber crime at the public sector level?
Honan points to the history of private companies’ involvement in disruption and takedown activities. The likes of Microsoft, for example, can identify IP addresses and get a court to file an injunction against the associated ISPs and data centres. Law enforcement agencies, by contrast, can only pursue those who break criminal law and can only go to court based on criminal law breaches.
Honan ponders: “If private sector companies take on a direct fight against cyber crime, then where do we, as a society, stand on law and order? We need our governments to provide proper funding to enable law enforcement to have technical and other resources to fight cyber crime.”
What should or could this capability to fight cyber crime look like? And is the public sector hampered by a lack of ability to gather actionable threat intelligence?
The 2022 Cyber Security Strategy was backed by £37.8 million of government funding to boost cyber resilience in local authorities and focused on building a solid foundation of organisational cybersecurity resilience, allowing the government to harness the value of sharing data, expertise and capabilities. This strategy is less conducive to creating honeypots of intelligence data and metrics and more helpful to ensure overall security.
However, this highlights the need for increased capability to carry out a cyber investigation without relying on private sector assistance. On one side, you’ve got a (public) sector that can carry out arrests and legally do attribution, while on the other, you’ve got a (private) sector with the knowledge and facts, but also with shareholders, customers and products to sell. So where is the balance between the two?
Stay in your lane
Assured Intelligence spoke to two former public sector cyber crime experts about this conundrum, both responding with the message: It would be impossible for the public sector to catch up with the private sector regarding threat intelligence.
Mark Tibbs, a former team leader for cyber intelligence at SOCA and senior officer for cyber intelligence at the National Crime Agency (NCA), says there is no way that law enforcement can investigate cyber crime thoroughly due to cost and capability factors. Charlie McMurdie, former head of the Police National Cyber Crime Unit, agrees.
Tibbs says threat intelligence gathering carries a high cost and concedes that law enforcement “is not going to put their resources into that sort of investment”. That was certainly his observation during his time at NCA. He does suspect, however, that there’s still a focus on pursuing attribution and arrest. “That is the unique thing they can do well,” he says.
Organisations that collect telemetry are a vast collection point for intelligence that the government does not have, Tibbs says. It’s therefore critical that these organisations work with law enforcement, including the National Cyber Security Centre (NCSC).
“I don’t think the [public sector] are over-reliant on the [private sector],” considers Tibbs. “I think they have to rely on them. They don’t have any choice. The focus of law enforcement will never be to do that level of [data/intelligence] collection.”
Relying on companies with greater telemetry and threat intelligence capabilities is a significant challenge for the public sector when fighting cyber crime. McMurdie says there needs to be a “tripartite approach” of industry, government and academia that can benefit from working together. McMurdie and Tibbs believe that working together benefits both the public and private sectors – it’s a two-way street.
A case of underinvestment?
Is it fair to say there has been underinvestment in fighting cyber crime? Assured Intelligence asked this question directly, and a Government spokesperson said: “Strengthening the UK’s cyber resilience is vital for maintaining our position as a leading cyber power, and it requires a collaborative effort from across government, industry and academia to tackle the online threats we face.
“The Government is investing £2.6bn in cyber and legacy IT until 2024-25, with a particular emphasis on improving the government’s cybersecurity, as part of our commitment to building up our capabilities and defences. The UK’s thriving cyber sector has an important part to play in helping us bolster the UK’s online security as part of a wider whole-of-society approach to cyber, as set out by the National Cyber Strategy.”
Whether or not you consider the Government investment in cybersecurity adequate, what is undisputed is that law enforcement and government agencies rely on industry partners to provide them with the necessary intelligence.
The right people for the job
The UK government needs to focus on building capabilities and defences, but it can’t forget the importance of having adequately skilled staff to do the job. Attracting the best cyber experts into the civil service, not to mention keeping them there, is a challenge. Tibbs admits that he is an example of the lure that pulls civil servants into the private sector. He now works as cyber intelligence director for MDR Cyber.
During Tibbs’ tenure in government, he received much training and obtained great experience before ultimately leaving to work in the private sector. McMurdie adds that while working in roles in law enforcement, people develop skills “to address and deal with the intelligence.” Once those skills have been acquired and fine-tuned, the private sector will look to poach those staff with proven capabilities and skillsets.
“I put a load of my staff on masters degrees and sent them off to do training. It’s really expensive to train them up and get them fit for purpose. Then when they are, that’s when they get poached by industry,” she says. She goes on to cite examples of staff members who loved their job and “loved getting hold of the bad guys”, but ultimately, she concedes, when there is a company who could offer three or four times their salary, how could the public sector compete with that?
In a recent keynote address at the CyberUK conference in Belfast, Oliver Dowden MP, Chancellor of the Duchy of Lancaster, talked of government and industry building a solid partnership. However, he also contended that government needs to do more to attract the best talent. “If a cyber specialist knows they can earn five to seven times more for the same role in the private sector” than in government, “the government needs to break through its glass ceiling.”
The solution here is still being determined. Tibbs says if the public sector turned around tomorrow and said it would invest a lot of money in collecting all this data, then that would categorically be the wrong action. Instead, he advises, “They should focus on their purpose and abilities.”
There are obvious strengths in the sharing of intelligence. While the public sector may have been underfunded to deal with cyber crime, it appears it is doing its best. Reliance on the private sector is an essential part of this effort, given that’s where the expertise and the intelligence data are. Ultimately, the close partnership between the private and public sectors is beneficial for all involved and the protection of UK citizens.