Ian Todd: Hello and welcome to the second episode of the New Realities of Cyber Security podcast. My name is Ian Todd, I am a data protection and cyber security consultant here at PwC. In today’s episode I am joined by Charlie McMurdie to discuss the future of cyber security law. Charlie has spent the better part of three decades at the Met Police, working from a detective to the head of Law Enforcement National Cyber Capability at the Police Central e-Crime Unit.
Well good morning, thank you for joining us Charlie. I think this is again a really topical area and we are trying to cover off all the different areas of the cyber universe I guess, and I think cyber-crime is a really fitting area of that right now. It’s becoming more and more prevalent, people are understanding it more and more, so I guess what we would like to try and find out is a little bit about your background, I think it’s quite a unique background, before you came to PwC and a little bit about what you do now at PwC as well.
Charlie McMurdie: OK. I’m glad I’m not covering the cyber universe. So my background started in law enforcement back in Life on Mars days, 1981, when I joined the Metropolitan Police. I spent 32 years within law enforcement dealing with all sorts of different issues, primarily in specialist crime dealing with murders; robberies; a bit of terrorist covert policing; running covert units.
Latterly I moved to take over the Scotland Yard Fraud Squad. So back probably about 10 years ago when I was managing the Fraud unit and a few other sort of international engagement units and specialist crime departments, cyber wasn’t even really a word, even you know only as far back as 10 years but working in fraud and working with the banks it was pretty obvious that technology was playing a substantial part in large scale crime and the old fashioned way of dealing with fraud would be you know very slow and four year investigation and production orders; follow the money trail; gather the evidence – whereas talking to the banks you know they were talking about ‘well we lost 10 million’ you know ‘yesterday morning’ and then the other bank would say ‘oh we had that last week’ and another bank would chip in and say ‘yeah we are seeing the same sort of issues and fast-time money movement’ using the internet to facilitate these big transactions.
So at that time we had a limited forensics team at Scotland Yard, mainly dealing with seized material, dead-box forensics if you like, but we put together a bit of a proof of concept operation with the banks, looking at how we could try and address common issues, common problems that the banks were facing, cyber-crime attacks. So we got the banks together to actually look at working in a fast-time tactical dynamic way with law enforcement. Initial proof of concept operations; common issues; common problems; attacking the banks or using banks infrastructure to facilitate cybercrime money movement primarily, clearly showed there was an opportunity to do more in the cyber, the high-tech crime space.
So we started to take on a few cases, proof of concept, showing that we could actually condense an old fashioned style of investigation from you know six months, eight months, slow-time investigation – if we actually changed our way of working to throw everything at that investigation and use the technology opportunities, we could condense that investigation into you know six weeks or eight weeks.
So mitigating harm. But that meant actually using the skillset that existed primarily within the financial sector with our law enforcement investigators, and that led to those proof of concepts showing a substantial return on investment, cutting the timespan that that criminality was taking place over. And then, this is a very condensed version, but a lot of lobbying, a lot of evidence, trying to actually paint a picture of how much of a part technology was actually playing in committing crime.
There was no intelligence picture at the time. Cyber-crime wasn’t being reported because of reputational issues.
If it was reported, law enforcement didn’t actually capture it particularly well; it was normally captured as a fraud or, you know, in old-fashioned terminology. So there was no threat assessment, there was no picture of how much was happening, but we managed to put the evidence together to secure £30 million treasury funding out of the spending review.
That money was used to build a central operational team housed at Scotland Yard, the Police Central e-Crime Unit, that would deal with national impact, national harm-type cyber-crimes. But as well as building the central capability, you know, only a relatively small number of police officers were involved in that operational team, but the realisation was there that there were several thousand, tens of thousands of police officers around the country that ultimately needed to increase their knowledge and understanding, so that if somebody in, you know, the Midlands or the South West goes into a police station and says that they have been a victim of cyber-crime, you know, denial of service or ransomware or whatever the crime may have been involving technology, those police officers needed to have an understanding … and a certain, you know, different levels of capability. So in a nutshell it was really about building a central operational capability, housed at Scotland Yard, and upskilling and embedding that cyber awareness into all law enforcement training.
Ian: Is it all across the UK – this goes?
Charlie: The training roadmap.
Charlie: And putting together some regional hubs - that came later on, realising that you know by having, building a central body of law enforcement capability, the strength and the power of that unit wasn’t just in, the cops that sat in the unit, it was in the relationships that they could form and capitalise with their industry partners. So working with the banks or working with aerospace or working with academia, the universities that could come on board and work with them and very early on you know my cyber-crime team formed really good relationships not just with other law enforcement bodies, around the world; Interpol; Europol, every investigation involved some international connotation to it either with victims outside of the UK; suspects outside of the UK or infrastructure outside of the UK. So we formed these relationships with as I say, primarily industry academia, other law enforcement bodies but a big, a big success factor certainly early on was to get the, the banks working with law enforcement in this time critical data sharing, but tactical partnership and we set up a virtual financial task force.
So when we saw a common issue, common problem, cyber-crime occurring that was affecting loads of different banks, and quite often I say affecting the banks, quite often it would be data stolen, financial credentials stolen elsewhere and being utilised, you know, muling the money, passing that financial transaction through UK banks.
Ian: Right I see, yeah.
Charlie: So lots of operations, still early days, a lot of cyber-crime was going, unreported. Perhaps a bonus, some may see it in other ways, but it was at the time of the, the WikiLeaks and Julian Assange and a lot of hacktivist attacks taking place with the likes of Anonymous and certainly some of those attacks knocking over you know global payment systems and big companies that they, they took, took offence to and turned their attentions to and attacked them, certainly raised the profile of cyber in the media and raised the awareness of the need for capability within law enforcement.
But I think it, it was also a bit of a wakeup call to business and industry that you know they were susceptible, the internet could be used to cause substantial harm relatively easily.
Ian: And that, I mean, to the flavour I got from, from what you said there was it had started around financial institutions I guess and the financial sector and then once you started to focus on that and provide solutions to the problems they have, you quite quickly see it branching out everywhere else and it affects national infrastructure or the retail sector and like you say the complexity of all this is someone may steal something through a retail store and then use that as a fraudulent transaction to go through the banks and so it becomes a very big web of deceit I guess.
Charlie: Definitely and you know the web just keeps expanding throughout the investigation, so as you say data can be stolen in one sector or numerous… quite often it will be data stolen in numerous different sectors.
Data stolen through numerous different tactics used by the cyber criminals, you know either the old fashioned you know the usual sort of data breach, just you know ram-raid if you like into a company and steal that data or putting up hacked websites to entice people to provide their data the old fashioned deceptions but online.
Ian: Yeah … and I think that’s what's really funny, I mean people think about these really sophisticated technology methods but in actuality it is just a replication of what’s happened historically through crime I guess isn’t it? It’s the same idea, it’s just a different application.
Charlie: That’s right, it’s using technology, but it is the old-fashioned type of crime, and most of the people arrested and prosecuted were charged with old-fashioned offences, certainly early on, rather than Computer Misuse Act offences.
The problem is with technology as we know it, it speeds up that interaction, you can interact with, instead of face-to-face one person, you can interact with thousands or tens of thousands at any one time. So the old fashioned fraudster that would have to you know physically be in one location and deceive one individual, is now happening at a click of a button or you know across the internet, it’s affecting thousands and the money can be moved so fast out of our jurisdiction and the cyber criminals know, you know where the opportunities are within law enforcement, where the hard to reach places are so they exploit that as well.
Ian: Yeah. So I mean that gives us a really, really good foundation for this. How, how do you feel organisations today are prepared for this? Do you think, I mean are you seeing a really robust industry out there or are there still big vulnerabilities and weaknesses?
Charlie: Unfortunately it’s the latter I think …there’s still lots of vulnerabilities and weaknesses, I mean we see these attacks day-in, day-out in the media. The volume of data, the big data that companies are now holding that can be compromised, quite often relatively easy, presents substantial opportunities for cyber criminals. I think you know the lightbulb has gone on with a lot of companies, they understand that you know cyber is happening, there is still to a large degree that sort of you know ‘well it’s happening to somebody else’ – ‘it hasn’t happened to me yet’. I think big companies are obviously gearing up because of regulations changing, liability issues that we are now seeing come into play, the reputational harm that can be caused by a lot of these breaches that take place.
I think the same perhaps isn’t as true with the smaller companies that haven’t got the resources, that haven’t got that awareness as to where their vulnerabilities exist and what they could and should be doing about them. But certainly we are now seeing sort of a force of companies almost running to uplift their cyber defences so that they are appropriate to the threats that they are now facing.
Ian: Yeah I think some of the things that I’ve seen within this industry which is still quite worrying as well, is that people are kind of securing the perimeters and they are building big walls but if somebody managed to get over that wall, they have got no idea where they are once they get inside and it’s, that’s another problem I guess from the crime perspective, if you know a breach has happened as a law enforcement you are going to say ‘what’s happened’ and ‘how bad is the damage’ and ‘where are the criminals now’ and I’m not sure how many organisations right now can actually answer those questions, I mean is that something you have seen as well?
Charlie: Yeah, and that has a real impact on that company’s reputation when that breach does then go public and they don’t know when it happened; how it happened; what harm has potentially been caused. You know, it’s that post-breach response that can be almost as damaging as the breach itself.
And that thing that you know, when we speak to a lot of companies and when you look at you know, historic breaches, and I’m talking historic going back 2 years, but also in the last few weeks. A lot of the breaches now, cyber criminals, you know, they are far more sophisticated when you look at who’s responsible for the attacks, the crime that’s taking place, they’re not the old-fashioned ram raiders. They will have teams dedicated to researching that company, to look at you know, staff profiles online, to do their open source research, they will send teams out to physically recce the premises.
One of the last cases I was involved in before leaving law enforcement was committed by an individual who established teams working to him, and they were tasked with specific aspects of that cyber-crime business, such as researching online who the suppliers were, you know, what the staff passes might look like, so that he could actually, in this particular case, social engineer individuals into branches of our UK banks.
Ian: And by social engineering you mean manipulating the people around them so he can or she can get what they want?
Charlie: Yeah, walk and talk your way into that branch. You are a cyber-criminal, but you’re going in, you know the right name of the person to ask for, you know that they’re not in the branch on that particular day because you’ve seen they’ve posted they’re off on holiday in the Bahamas somewhere. You know that, you know one of their utility suppliers might be whoever, so you look the part, you act the part, you talk the part, you can talk your way into some of these organisations, so that’s bringing the physical aspect into the attack and it ties in with a lot of our findings about you know insider, the part that insiders play in cyber-crime now, in quite a unique way, but then once you’ve managed to work your way into that organisation, then you can exploit the technology and in that particular case, it was deploying keyboard monitors onto the back of the banking terminals, then capturing all the data for all the transactions that were taking place so you’ve then got all that nice financial identities that you can then, you know, data, step-change the data and obtain your own, you know, the credit cards when you can then go and spend on those cards or do the money transactions, but the insider aspect comes up time and time again as a particular vulnerability that cyber criminals exploit and by insider, you know, we see all sorts of parts and roles that insiders play, either through lack of awareness and training, the old, typical phishing email that somebody doesn’t appreciate and you know, they click on the link and that causes a vulnerability and exploit into the organisation or they’re posting something inappropriate, completely unaware that, that is useful to cyber criminals who are watching and monitoring, who’ve perhaps befriended them on LinkedIn or Facebook, or just you know insiders not following guidance policy or applying appropriate security measures that should have been applied. 
All the way up to insiders specifically gaining employment with fake legends, fake CVs, purely to gain access to that company to facilitate passing data back to the criminal gang that’s behind them.
Ian: And that’s always a worry isn’t it. I think when I talk to clients they say ‘oh we do great background screening, we do all these different things, we know the people we’ve got in here are really nice, good people’, but that doesn’t mean that they won’t slip up themselves at some point. I mean the simplest security thing of someone tailgating through the front door: they use their pass, they hold the door, ‘oh let’s be polite, I’ll open the door for you’, and you’ve let some random person into the building. So like I say, the insider threat can be a really non-malicious thing but it can be hugely, hugely detrimental to the organisation’s security.
Charlie: Yeah, I think you know one of the changes that we are starting to see now is, traditionally cyber has been and cyber security has been in that sort of silo. That it’s the IT guys that are responsible for the cyber-security of that organisation. Now as you say, there is that realisation that you need to bring together the cyber, the technology side, the information side, the physical side, because that’s what the cyber criminals will look at and they will look at all those different aspects, how they can actually utilise those different vulnerabilities to gain access into the organisation. These attacks are far more sophisticated than just you know, crashing into the organisation.
They will use all the different opportunities. Coming in through the supply chain is one that we talk about more often than not, and we see that time and time again, and that supply chain could be, to compromise, you know, one of your suppliers or one of your contractors who’s coming onto the network for a short period of time, but it’s a softer touch, rather than trying to get through the fortress walls of the organisation that you’re targeting.
Ian: I’m sure somebody will correct me for this but, Target I believe were, when their big breach occurred, it happened through their supply chain. I believe it was the air-duct engineers somewhere through that supply chain, it’s a very public case, and that was the weak link in their chain and they exploited that and that’s how the huge breach occurred. So like I say, it may not be the obvious area, but somewhere there’ll be a little break in the chain and someone will exploit that.
Charlie: Yeah, and that isn’t unusual. You know, we always say to companies, you know, where does your network start and finish, all the endpoints, who’s on the network, making sure that if somebody comes in for a period of time that the appropriate security measures are in place and that person follows the security policies and procedures, but when that piece of work has finished, making sure that they no longer have access to the network.
Ian: So in terms of PwC, what are we doing as an organisation, so what is your role now, and how are we tying all of this together?
Charlie: So I think we’re still doing an awful lot of awareness raising around the nature of the threat, how these exploits occur, with different departments, more so now. We’ve done lots of work with, you know, board level and C-Suite members of organisations, but also, you know, last week I was talking to heads of HR teams that, you know, perhaps present a real opportunity for cyber-criminals. People in HR, we say, you know, all the security advice about ‘don’t click on that link’, but in HR everything comes into them with CVs attached on that link, and how do you actually assess, who’s trained to know whether that individual is legitimate and that, you know, emailed passport is legitimate etc.? So, PwC, we’re doing an awful lot still around awareness raising within our clients and companies, and we’re doing an awful lot once that awareness has been raised to support companies in identifying where they could improve their cyber-security defences, and that’s around, you know, not just the IT aspect and shoring up the firewalls, it’s around the people, it’s around the policies, it’s around implementing security measures. Perhaps the wrong thing to say, but an awful lot of the cyber-crime and the exploits that we see happen could be prevented with just better housekeeping, if you like, being put in place.
You know, making sure that you haven’t got, you know vulnerabilities on the network, understanding where your network starts and finishes, looking at your supply chain, looking at training and awareness and making sure you haven’t got loads of historic data still lying around. If you’re sharing data externally, how do you actually manage the security of that data that goes out of your infrastructure, your organisation?
Obviously, loads of work going on around data protection regulations coming in, making companies aware of what they need to be doing. The other part that we actually provide is with our Breach Aid services, so when unfortunately breaches do occur it’s scrambling all the requisite capability to support clients, particularly in those critical first few days and that’s not just the IT team going in to assist to identify when and how that breach occurred and what has been taken, but it’s also you know, working with clients as to what they should do to try and mitigate the harm, their engagement with the Information Commissioner’s Office and I’m normally called in when it comes to, ‘well do we need to report this to law enforcement? What will law enforcement do if we report it to them? How could law enforcement potentially assist in this breach?’ and unfortunately for clients the law enforcement picture is still quite a confusing one with the National Crime Agency and local policing.
In the Metropolitan area, within London we have FALCON, which encompasses the cyber capability for victims in London. Then you’ve got regional cyber-crime teams and you know potentially calling on the high-end capability within GCHQ, so you know when a major breach occurs, all these different parts need to be aligned and companies need to know how they can engage appropriately. Who do they report to in the first instance? And if it is a substantial breach then you know UK reporting, most cyber-crime reports, we push or try and encourage victims to report to Action Fraud, but you know if you’ve had a major breach such as you know, the Target breach that you mentioned or any of the high profile breaches that we’ve seen recently, companies don’t want to go online and fill in that form, they want to speak to somebody, they want to you know, have somebody on board who can actually get involved with them and support them in that investigation.
Ian: Yeah, I think that I am biased but I think Breach Aid is such a valuable option for clients. I think like I said earlier, people try and build their big walls, but people can still jump over them and once it happens, we know, I think we all, if we’re honest with ourselves, know that it’s very difficult in the first 72 hours to know exactly what’s gone wrong, how much has gone wrong and what to do?
Charlie: Yeah, and I mean you’ve mentioned sort of some of the people involved in Breach Aid, but a lot of the advice might be outside of that specific sort of skill set area, it might be primarily, you know, what should their voice to the market, to their clients be? As well as all the tactical, you know, engagement with the Information Commissioner’s Office etc. etc., but it is that critical moment, how they deal with that breach, that can play such a substantial part in how it’s perceived by the customers, how it’s perceived by the Information Commissioner’s Office, and, you know, cyber-crime still has that stigma about it that, ‘well you’ve had a breach, why did you have that breach?’ And, you know, we’re seeing a bit of a change now with a Chief Exec I was talking to, and somebody said, you know, ‘what keeps you awake at night, is it the fact you’re going to have a breach?’ and I thought his answer was particularly good: ‘Well no, it’s not if I’m going to have a breach, because we will all potentially have a breach at some stage. What keeps me awake at night is how we will be responding to that breach to get back to business as usual as fast as possible, and how we will actually deal with that breach appropriately.’ So I think, you know, hopefully the stigma of having a cyber-crime will continue to lower, but companies’ readiness and ability to respond to the breach when it occurs will actually continue to improve.
Ian: Yeah, well Charlie, it’s been fascinating, thank you so much for joining us. I think there are going to be hundreds of questions, so hopefully we can get you back on for a second take some time as well, but I do appreciate your time today.
Ian: So thank you for joining us today, next week I’ll be joined by Kris McConkey to discuss digital crime scene forensics. Kris leads one of the most fascinating areas of PwC, where his team look through digital crime scenes after an organisation has been compromised, to understand what happened, how to fix it and how to stop organisations being breached again in the future.
In the meantime if you have any questions, please feel free to contact me directly on Twitter @IanTodd86 or email me at firstname.lastname@example.org. Please remember to subscribe for all future episodes.