“Securing the internet is a societal task. Just like the air and the water that we share, we don’t allow anyone to pollute that, and we can’t allow the internet to be polluted. We rely on it.”
That’s the assessment of Troels Oerting, head of the European Cybercrime Centre (EC3) at Europol, discussing the challenges that law enforcement faces as the cyber landscape continues to evolve.
Speaking in Barcelona this week at the Check Point conference, Oerting set the scene by outlining the sheer magnitude of the target surface: There are 2.7 billion people online today, with 4 billion expected by 2017. In tandem, there are 8 billion devices online, a number that is expected to at least triple to 24 billion in the same timeline.
That’s when we get to the internet of things (IoT) era, he explained, "when we will all be online always. Processing power will double, bandwidth consumption will quadruple, and we will go from downloading content and applications to streaming everything all the time. And that, in turn, increases cyber-criminal capabilities almost exponentially."
We used to define the threat area as being one of sea and land, air and space, he said, "but now we must add the fifth dimension of cyberspace - the only one that is manmade”, said Oerting. “In cyberspace, criminals are able to attack anyone at anytime and anywhere. This is the biggest intellectual change in my 34 years as a police officer.”
In fighting organized crime, and in investigating murders, rapes, robberies and the smuggling of drugs and illegal immigrants and the like, there is always a connection between the criminal and the crime scene, explained Oerting. "This is not the case in cyberspace. Cyber-thieves can launch a simultaneous attack on millions."
Oerting suggested that cybercriminals won't necessarily strike from the countries that Europol cooperates with. "They will not do it from inside the European Union. These are organized groups taking advantage of failed states, [and you don’t know where they are].”
As a result, he continued, attribution and making the link between IP addresses and perpetrators, and the perpetrators and the correct jurisdiction, becomes very challenging for law enforcement.
The Dark Net
Many criminals operate in the “Dark Net”, Oerting told the audience. “Normally we seize things - a server, computer, laptop - as evidence,” Oerting said. “But soon, no criminal will distribute anything from surfaces that we can seize. They will distribute their wares from bulletproof host services, and use Bitcoin to hide their profit. So ‘follow the money’ may be easy to say, but it’s much more difficult to actually do that.”
He added that there are two distinct camps of cybercrime: pure cybercrime, where all transactions are virtual; and “cyber-assisted” crime, which are more traditional transgressions that have been enabled by hacking.
Aa an example of the latter, Oerting referenced the case of a Colombian gang shipping containers that have 1.2 to 1.3 tons of cocaine into the EU. "To ease their efforts, the gang hacked into the shipping company’s computer, and put in a keylogger to gather passwords that were used to access the combined web page for customs and for shipping companies. From there, they were able to check off the box that says that the parcel containing the coke had already been inspected by customs."
Similarly, he explained, a group operating from the Dominican Republic was able to order five debit cards from a European bank, each with $100 on it. They then cloned the debit cards to multiply them into 60, hacked the bank’s Indian cloud operator, and was able to change a simple tick box from “debit card” to “credit card with unlimited withdrawal. Using those 60 cards, in 1 hour 52 minutes they stole $45 million US dollars,” Oerting said.
The Rise of State-Sponsored Activity
Aside from financially motivated efforts, state-sponsored activity is on the rise, he said. "Threat actors here are questing to better prepare in the event of a war, and also to steal information and intellectual property". There are also violent extremists looking to communicate with, recruit and radicalize followers to their causes, he said.
“The best hackers by the way are the state-sponsored ones,” he noted. “The tools that they use tend to take the organized crime contingent two or more years to prepare.”
Oerting admits that the capabilities of cybercriminals are very, very high. He said that in Europol’s latest research, it trapped 71 new malware in sandboxes that were unprotected by the slew of anti-virus offerings in the market. Also, it found that vicious software spent 229 days on average lurking on networks before organizations detected it; and, those organizations discovered it by themselves in only a third of instances.
"To help combat the mounting difficulties and criminal capabilities, Europol’s goal is to create a much stronger infrastructure than exists today". It needs, he concluded, to be “an infrastructure that can match the bad guys,” with governance that gives law enforcement a path to appropriate “bookkeeping” to tie cybercriminals to crimes, he added.
“Do you think this is easy in these post-Snowden times? No, it isn’t,” he said. “But if we can’t identify [the criminals], then we won’t have anyone prosecuted.”
This, combined with cooperation and information-sharing with security firms and organizations, and end-user education about how to act, react and interact online, create a better approach to protection and prevention going forward, he said.