Fighting cybercrime is an international endeavour, a fact no better illustrated than this week’s takedown of the Russia-linked ransomware gang Lockbit.
Eleven nations including supranational law enforcement agencies took part in Operation Cronos – a joint effort to seize the dark web sites of the world’s most prolific hacking gang.
It was all the more significant from a UK context, with the operation being led by the National Crime Agency.
Although not directly involved in the Lockbit seizure, Police Scotland is the second largest force in the UK and has worked with the NCA on a number of successful cyber-focused operations; and it is part of an ever-expanding global network of agencies working to combat the rising tide of cybercrime.
With Cyber Scotland Week taking place next week, that cooperation will be on show with US agencies the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) taking part in various activities, including Futurescot’s Cyber Security 2024 conference. There will also be a delegation from the Australian Federal Police.
Chief Superintendent Conrad Trickett, who oversees the force’s Policing in a Digital World programme, explains: “We’re hosting some international law enforcement partners during Cyber Scotland Week just to talk about how we further develop those links, and how we share best practice to take those relationships and collaborations a further step forward.”
Trickett, left, adds: “Because we recognise that we absolutely have to collaborate with the private sector, with the public sector, with UK law enforcement and now as part of this international cyber law enforcement ecosystem, and to understand the role that we can play there.”
Over the last several years, Police Scotland has adjusted its policing model, in line with the way society has moved increasingly online. It published a cyber strategy in 2020 and a new digital strategy last year, in which it emphasised the need to move from ‘doing digital’ to ‘being digital’. Across the UK and in Scotland, cyber is the fastest-growing crime type, either enhancing existing crimes such as fraud (which has moved mostly online, or with an online element), or creating new and evolving ones. Ransomware and business email compromise are examples of an evolving threat environment that scarcely existed a decade ago – but are now impacting organisations on an industrial scale.
The seizure of the domain servers used by the Lockbit ransomware gang this week are evidence of a growing fightback by law enforcement against a pernicious threat that has claimed high-profile victims in Scotland, including the likes of the Scottish Environment Protection Agency, Arnold Clark, Western Isles Council and the Weir Group, to name a few.
Police Scotland splits the type of online crime into ‘cyber-dependent’ and ‘cyber-enabled’. CS Trickett explains that the former category is largely reserved for cybercrime – the likes of ransomware and web-based targeting, usually for monetary gain, but sometimes there can also be a nation state or industrial espionage element to contend with. Cyber-enabled, on the other hand, is anything that can be a conventional crime but has a digital element, for example online child sexual exploitation.
The distinction can be a difficult one but the reason we now have a Cyber Scotland Partnership, a national cyber resilience strategy supported by government, and agencies like the Cyber & Fraud Centre – Scotland, is because there is a need not only to investigate a crime, but to provide support to victims, to coordinate efforts nationally when a major hacking or ransomware incident occurs, and to try and offer as much training, education and resourcing as possible to avoid getting hit in the first place.
CS Trickett says: “So, when a cyber-dependent crime happens, it falls heavily to our specialist cybercrime investigations team. But aside from these international collaborations, we also work closely with the likes of the Cyber Scotland Partnership and the Scottish Government as part of a much wider response, which includes the SC3 Centre. Essentially we have to have a Team Cyber approach for Scotland, the UK and internationally, as the borderless nature of the crimes means we cannot operate in isolation.”
He gives the example of Police Scotland’s strategic approach to cyber, and to organised crime more generally: pursue, protect, prepare and prevent are the ‘four Ps’ that define how not only Trickett’s force but how the UK in general seeks to tackle cybercrime and serious and organised crime. Law enforcement is just one aspect of that through pursuing cybercriminals, which Trickett says will ‘usually resolve’ to a specific geography. He’s talking about the victims in that sense, but implicitly there is also a recognition that the pursuit requires some capabilities to go after the criminals, who will be based in places like Russia, North Korea or Iran. In the capabilities sense, the requirement for investment in technology was outlined in the force’s digital strategy last year, which has become an “operational imperative”.
Trickett says: “In terms of pursuit, if you can follow that cyber trail, you can usually get to a location somewhere else – perhaps with some exceptions – but you will usually get to a geographic area. And so it’s then about then law enforcement in that geographic area, being able to take the appropriate action. That can also require effective partnerships, be they regional – in the UK we have the ROCU (Regional Organised Crime Unit Network) structure – or international. The other elements – prevent, protect and prepare – are what we do externally, really. And it’s that work with the likes of Scottish Government, the cyber resilience unit and the cybersecurity providers where we’re straight into this sort of private-public partnership. And police have a role to play in that.”
The challenges on the force to fulfil that role, however, require expanding their existing resources and capabilities. As last year’s strategy highlights, cybercrime reports rose from 7,240 to 14,890 in the years 2019 to 2023, with a significant uplift experienced through the Covid pandemic as people moved their lives online. At the same time the force has had to grapple with the fact that the cost of technology solutions have increased by around 10 per cent due to inflation. Police Scotland’s budget was uplifted by 6.3 per cent last year, to £1.45 billion, an increase of £80 million, “supporting investment in police assets – estate, fleet, specialist equipment and ICT”.
The aspirations in the digital strategy were laid out in an outline business case – approved by the Scottish Police Authority in August last year – against the financials required to deliver on its five-year aims. The £398.7 million cost to deliver on the strategy – spread across five years – was contingent on the “availability and sources of funding”; at the point of publication only £183.8 million had been committed, described as “pre-approved funding for existing and in-flight projects”.
Trickett is cautious around the budgetary discussion and says only that the year-on-year settlements are a “hard stop” and that longer-term financial planning to make such strategic investments would allow the force to more easily realise its aims around the digital strategy. But he adds: “If we can get to a position where technology is helping us to automate as much as we can, and to deliver on some of the technical requirements, and in operational redesign, then I think we can reap the rewards off of that in terms of efficiencies.”
Aside from the operational and technical aspects of the force’s development, there has also been a shift towards becoming a more victim-focused organisation. Police Scotland was recently credited with the way it supported an Orkney charity worker, who fell victim to an online business scam. At recent awards ceremonies, Police Scotland has also been singled out for praise in the way it goes about not only its investigations, but also in what Trickett describes as a “trauma-informed” approach, making sure victims are listened to, and helping organisations and individuals to recover from what might be a faceless crime, but can still have a considerable personal and professional impact.
He adds: “What’s important from the cyber criminality point of view, and particularly some of these types of cyber defendant crime, is that the victim either doesn’t report or is nervous about reporting because they don’t necessarily see themselves as a victim of crime to begin with. They think they’ve made a mistake and therefore they’re almost embarrassed – especially if you think about romance fraud – they’re embarrassed to come forward. So, we are absolutely victim-focused. And the message would be that you are a victim of crime. And that’s why we can’t detach cyber criminality from policing more generally.”
Chief Superintendent Conrad Trickett will speak next week at Futurescot’s Cyber Security 2024 conference in Glasgow.