The Mishcon Academy Digital Sessions.
Joe Hancock, Partner and Head of MDR Cyber
Mishcon de Reya
Hello everyone and welcome to our last MDR Cyber Digital Session of 2020. I’m Joe Hancock. I’m a Partner and Head of MDR Cyber which is the cyber security and digital investigations practice here at law firm, Mishcon de Reya.
Today we are launching our State of Cyber Crime Report, looking at sort of the key themes in cybercrime for 2020 and also taking a look forward to the future. So, I am joined by three great speakers today. So, first of all, Louise who is the Head of Cyber Operations and Intelligence at Jacobs. Until February ’19 Louise headed up the UK’s largest cyber crime unit as a Senior Detective in the Metropolitan Police. We are also joined by Ben who is a Partner in our White Collar Crime Investigations Group here at Mishcon de Reya. He is highly experienced in cyber crime investigations and fraud and has covered everything from Abu Hamza to Julian Assange. And finally, last but very much not least, it’s Mark who is the Head of Cyber Intelligence within MDR Cyber here. Mark previously worked in the threat intelligence field and then spent a large amount of his career at the National Crime Agency focussing on cyber crime issues. Mark is going to talk through the report today, give you some of the headlines and then we are going to have a Q&A with Ben, Louise and Mark where we’ll talk a bit about the report in detail. So, with all of that, over to Mark.
Mark Tibbs, Head of Cyber Intelligence
Mishcon de Reya
Thanks Joe. Thanks everyone for joining us today. So what are the key themes that have punctuated 2020? Well, firstly we saw the Coronavirus pandemic unfolded, we saw the immediate and rapid shift of cyber criminals to use phishing lures which followed these events and they exploited Coronavirus themes to get victims to interact with their emails. Lines blurred between criminals and states, State sponsored crime in particular. The US accused North Korea of acquisitive cybercrime, particularly against cryptocurrency exchanges. We also saw the increased use of anti-money laundering laws against cryptocurrencies, estimates range up $2.8 billion of criminal money that was moved in cryptocurrency in the year. Cyber enabled fraud jumped, certainly in the UK, we saw statistics which showed big and sustained increases between May and July it rose about 45% but probably the biggest issue of the year for most businesses was the threat of big game or targeted ransomware attacks. These attacks now are not just the work of individual groups, this is a maturing marketplace where you find services being offered by various different groups so you might find one group offering initial access to a network and then selling it to another but I suppose the good news around this is that the vast majority of these attacks use known weaknesses, at least to get into networks, and for those doing security right, they should be able to mitigate the impact. So, what’s driving this? Well, this is facilitated, has been facilitated somewhat for the last few years by anonymous payments or pseudo anonymous payments, through cryptocurrencies but also a willingness of businesses, in some cases unavoidably, to pay the ransoms and in the year we heard speculation, I’d say it wasn’t confirmed, of ransoms being paid of $10 million by Garmin in August and $2.3 million by Travelex in January. This has all made Governments sit up and start taking notice. We’ve seen in the year the EU introduced sanctions against cyber attackers and the US who have been sanctioning cyber criminals for some time reiterated their intention to enforce sanctions in October they released an advisory stating that they would enforce sanctions against those that pay sanction ransomware groups. So, in a kind of development of 2020, I think one of the newer developments that we’ve seen, again it didn’t quite start in 2020 but it’s the development in 2020 was the mass adoption of dual ransoms where attackers would not only request ransoms for decrypting files but they would also steal your files and request another fee not to leak them publicly. In another good news story, there are opportunities if victims move fast to recover their money so we’ve worked with our lawyers this year to repatriate several million pounds of stolen funds, helped by Court Orders which allowed us to identify wrongdoers and freeze assets, ultimately returning millions of pounds worth of stolen funds. So that’s kind of the whirlwind tour of 2020 but what does all this mean for the future? So the report that we are publishing next week, takes a forward look at possible futures as well by using the established process of scenario planning and that led us to hypothesise four potential scenarios and they’re not, these scenarios are not meant to perfectly predict the future but they do describe possible characteristics of the future so, in reality we are likely to see elements of each future in different contexts and you may look at these and decide that actually we are in one of these four different scenarios already, or we’re more in one than the other. If we think about where we are and where we are heading, my personal opinion is I think we’re going from the top right there, survival of the fittest, where we have a smaller group of elite cyber criminals towards a more chaotic landscape where both sophisticated and low skilled attackers exist, co-exist, and that would be largely due to the economic global, the global economic turndown. And with that, I’ll hand you over to Joe and the panel to ask some questions.
Joe Hancock, Partner and Head of MDR Cyber
Mishcon de Reya
Well, thank you very much Mark. It was a fascinating canter through. I guess the kind of opening question for everyone really, what really has kind of surprised you about cyber crime in 2020? Is there anything you’ve seen this year that you didn’t expect?
Ben Brandon, Partner, White Collar Crime Investigations Group
Mishcon de Reya
I’m not surprised that we’ve seen so much cyber crime in 2020 but from a criminal justice perspective, I’m afraid I remain surprised that so little is being done to combat it.
Joe Hancock, Partner and Head of MDR Cyber
Mishcon de Reya
Fair enough. Louise, any thoughts on that?
Louise Shea, Head of Cyber Operations and Intelligence
Jacobs
Yeah, I would echo what Ben is saying and I think what we have found most surprising about cyber crime this year has just been that absolute professionalisation I think of ransomware.
Joe Hancock, Partner and Head of MDR Cyber
Mishcon de Reya
Do you think sanctions are an effective way of regulating the kind of cyber crime and particularly ransomware markets or do we see a lot of a… and also James asked a question around, you know, OFAC and the speed of resolution here in the chat and if, Ben, if you could perhaps give us some comments on this.
Ben Brandon, Partner, White Collar Crime Investigations Group
Mishcon de Reya
The short answer and the uncontroversial answer is probably that I’m not sure we really know because the empirical data is not there yet on the effectiveness of the sanctions regime, as you will know. To me, the issue is, how does… how do we see sanctions working, particularly sanctions directed against individuals outside the cyber crime arena and what we do know is that where the targets of designated persons are outside the UK, outside the EU, and in the case of those individuals names in the EU sanctions are Russia and in China that sanctions really have a pretty limited effect and, in my view, that the reason for that is that individual sanctions only really work if the target has legitimate interests or does business overseas, in other words business outside Russia or business outside China. It could be said that the sanctions regime at the moment certainly, is largely symbolic where the targets remain well beyond the reach of this jurisdiction or indeed any other jurisdiction. I think the more interesting question, and I’ll try and deal with this briefly, is of course a very recent announcement from the US Treasury, from OFAC. What the OFAC guidance says, for those who’ve not come across it, is companies that facilitate ransomware payments for cyberactors on behaver of victims, including financial institutions, cyber insurance firms and companies involved in digital forensics and instant response, not only encouraged future ransomware payments demands but may also risk violating OFAC regulations but it’s a pretty clear shot across the bow so, if you are involved for example as an insurance company in facilitating a ransomware payment that you may fall foul of the OFAC sanction regime.
Joe Hancock, Partner and Head of MDR Cyber
Mishcon de Reya
If we’re going to accept that people can’t pay or don’t pay and therefore there are going to be consequences, effectively does the State have some obligation then to jump in and support businesses? Interesting point and I’ll open that up to the panel if they have any views.
Louise Shea, Head of Cyber Operations and Intelligence
Jacobs
Yeah, that’s certainly a point that I would have made as well. You know, what level of Government interference into very important, complex, strategic business decisions is appropriate? And what is the compensation package for these businesses that would ultimately fold? And I think there’s also another issue around enforcement, how would enforcement be implemented? You know, we talk about the OFAC list. How is business supposed to know exactly who is on it and who they are even negotiating with because quite often, you don’t know.
Mark Tibbs, Head of Cyber Intelligence
Mishcon de Reya
That’s certainly a problem because, yeah, you know these groups are not necessarily going to tell you who they are, right? And attribution is hard and in the case of Garmin, that was the point in question, it’s like is this WastedLocker, is it linked to Evil Corp or not? But I think actually it probably, and Ben you may be able to tell me, would OFAC care? If you paid a sanction group even if you didn’t know, I don’t think they’d care.
Ben Brandon, Partner, White Collar Crime Investigations Group
Mishcon de Reya
No.
Mark Tibbs, Head of Cyber Intelligence
Mishcon de Reya
I think they’d say that’s too bad.
Ben Brandon, Partner, White Collar Crime Investigations Group
Mishcon de Reya
It’s not an offence to say I didn’t know they’re on the list but there may be an issue about whether they’re on the list and that’s where, you know, you start to look at complex, you know, factual, fact sensitive issue of is this group a… genuinely a new group or new entity or new collection of individuals that are conducting this attack who have previously not been sanctioned and therefore presumably, you know, I might not myself be the subject of, you know, civil crimes and recovery if I pay them or are they in fact connected to another group and they are just calling themselves something different?
Joe Hancock, Partner and Head of MDR Cyber
Mishcon de Reya
Again, for the, for the kind of the whole panel but I’m happy for anyone to take a view, what do you think the main issues are around the law enforcement actions or enforcing actions against cyber crime in the UK at the moment? What’s perhaps preventing this happening?
Ben Brandon, Partner, White Collar Crime Investigations Group
Mishcon de Reya
Resources.
Joe Hancock, Partner and Head of MDR Cyber
Mishcon de Reya
Okay.
Mark Tibbs, Head of Cyber Intelligence
Mishcon de Reya
I’d say the most damaging groups it’s probably international cooperation and protection and corruption. So, if you look at that Evil Corp group, you know, the group, the individuals behind them are well known and with high confidence but they’re not being arrested and they’re not being extradited and, you know, you can only really think there’s a couple of reasons for that and I think protection of those individuals is probably local corruption issues.
Louise Shea, Head of Cyber Operations and Intelligence
Jacobs
Yeah, I would absolutely echo that, I was directly involved in an investigation for several years specifically against Evil Corp and I know Maksim Yukabets is on the OFAC list and for very good reason. These people, they don’t leave their own jurisdiction and they certainly don’t travel to a country where there’s any risk of them being extradited. In terms of collaboration, there is extensive collaboration that goes on currently between UK law enforcement and across Europol and with the Five Eyes community but, you know, in my experience there’s still an awful lot more that can be done and there is a huge difference in different countries across Europe with, you know, resourcing even though appetite in dealing or tackling cyber criminality, it absolutely varies from country to country.
Joe Hancock, Partner and Head of MDR Cyber
Mishcon de Reya
Just picking up on items and some of the difficulties. Ben, perhaps if you just spend just a couple of minutes before we wrap up just commenting on whether you think the legislation in this area is fit for purpose. Do we actually have the right tools in place in the UK to deal with cybercrime?
Ben Brandon, Partner, White Collar Crime Investigations Group
Mishcon de Reya
I think from a perspective of do we have the tools to prosecute, you know, exercise the right prosecute I think we do but I also think that there is some force in the argument that the act ought to be looked at very carefully to ensure that the private sector which is engaged in improving security is not at risk of penalisation.
Joe Hancock, Partner and Head of MDR Cyber
Mishcon de Reya
One perhaps last quick question for everybody with a short answer if don’t mind. Do you think there’s any kind of green shoots at the moment? Is there any… are there any kind of positives we can take away looking forward for the next year?
Mark Tibbs, Head of Cyber Intelligence
Mishcon de Reya
I think the positives are that the cyber security industry, given the right resourcing, is able to tackle to some extent, you know, the attacks that they see against… I don’t think you’ll necessarily avoid it but there are lots of good things that companies can do to prevent and also to recover from cybercrimes so, they’re my green shoots.
Louise Shea, Head of Cyber Operations and Intelligence
Jacobs
Given that the sort of the doom and gloom of this year, actually the green shoots may be and I think should be that this could be a ripe opportunity for private industry and law enforcement to form much closer collaborations and start sharing in a much more meaningful way to help both, you know, law enforcement and industry tackle some of these issues.
Ben Brandon, Partner, White Collar Crime Investigations Group
Mishcon de Reya
For me, the green shoots are, I suppose I just there’s just a much greater awareness and knowledge, not only across the industry but in the general public of the threat that’s posed by cybercrime and I think the greater that people are aware of it and know about it and understand it, the more likely that there is going to be a response from law enforcement or a response from Governments as Louise suggested, hopefully in very close collaboration in the private sector.
Joe Hancock, Partner and Head of MDR Cyber
Mishcon de Reya
Thanks Ben and I think that brings us to the end of our session. I’d just like to give a final massive thank you to our panellists, it has been fantastic to hear your views and I look forward to catching up with all of you soon. Take care.