Information Age (IA): All kinds of crimes nowadays involve computers. As far as your remit is concerned, what is a high-tech crime?
Len Hynds (LH): There are two types of high-tech crime. There are ‘new crimes, new tools’ committed against computers and IT networks, such as hacking, viruses, denial of service attacks and the spoofing of websites. And there are ‘old crimes, new tools’; these are traditional crimes, supported by the use of the Internet and high technology, such as fraud, blackmail, extortion, child abuse, identity theft and cyber-stalking.
We carry out strategic intelligence work in commercial extortion, class A drug trafficking, child abuse, and hacking and viruses. We also react to crimes reported to us, such as fraud.
IA: How successful has your unit been to date in cracking crime?
LH: We’ve run 70 proactive operations to date, in addition to giving help to local forces. So far, we’ve arrested 100 people, all involved in serious criminal activity and most working in organised groups. The vast majority of these have been prosecuted, but some are still awaiting trial.
A quarter of these investigations involved child abuse and the Internet, where we focus particularly on organised groups. We’ve run operations that have spanned 30 countries, and quite often, the trail of evidence takes us to the old Eastern Bloc.
IA: There is an image of computer criminals as being ‘bedroom hackers’ and that often computer crimes are victimless. Are these perceptions fair?
LH: No. How is it that, as a society, we are able to say, ‘I’d never break into a house and steal something’, yet speak with a wry smile on the face when we talk about a teenage hacker in his bedroom? Regardless of motive, the impact can be great. And it’s not just about preventing fraud – it’s about making the environment safer for everyone.
In any case, a lot of the criminal activity we see is organised. Twenty-five years ago, organised crime was about armed robberies against banks and extortion against small businesses. But now the risk/reward profile has changed. Now armed robbers go into drugs. Those that are arrested will invariably share information in prison, which will cause more archetypal organised crime syndicates to diversify into high-tech crime.
At the moment, online crime is not perceived as much of a threat. But the case [in the mid-1990s of Russian fraudster] Vladimir Lenin is a good example. He managed to transfer $12 million from private accounts [held in Citibank in the US] and would have got away with it, but he travelled to the UK and was arrested. But his sentence [passed by US courts] was three years in prison. He’ll share his prison time with others and they will probably learn from him.
However, a lot of organised crime involves internal staff. They may be planted, or existing employees can be bribed or intimidated [to commit crimes or disclose information]. In the financial sector, they have got very good at protecting their vulnerable staff, such as the bank manager, against intimidation. But it’s not only the person with the keys to the safe that is vulnerable today. IT staff and others with access to information also need to be protected.
Very often, IT staff are involved. In one of the operations we ran [a case of copyright fraud], of the 10 people we arrested, nine had an IT background.
Another component that is overlooked by businesses is that they tend to defend themselves on the basis of a risk assessment that they conduct on themselves. This can be very unreliable.
We need to extend the definition of ‘victims’ in this arena. I prefer to think of businesses, rather than being victims, as being hosts, and the criminals as parasites. There are irrefutable cases of criminals putting their material on company servers or using a business to launch an attack.
IA: Many businesses don’t report high-tech crime. This is partly because of publicity fears but partly because they fear that they will lose access to their systems while an investigation is carried out. How is the Confidentiality Charter helping to deal with this? And how successful has it been?
LH: [Before the Confidentiality Charter was introduced in November 2002], lawyers would contact us as intermediaries and say, ‘Hypothetically, if we had a client that had suffered this kind of attack, what would your course of action be?’ What that told us was that they were concerned about losing control. They can just see the detective turning up at the crime scene, putting a ring of blue and white tape round everything and telling them that it’s all evidence. ‘You might as well send your staff home,’ they thought. We don’t do that.
The Confidentiality Charter allows business leaders to pass on computer security-related information on an ‘intelligence only’ basis, and confidential discussions can take place. We can also agree to minimise disruption. For example, in order to look for evidence, we’ve imaged servers overnight, or whenever it suits the organisation best. Or they might say to us, ‘The company’s morale is not good, please arrest the suspects when they are not at work.’
The Charter has had some success. There has been significant take up from the financial sector, and it has led us to identifying some organised crime syndicates. Capturing the voice of industry is extremely challenging – especially when your target audience goes beyond multinational corporations to include small and medium-sized enterprises.
We are also working on the development of a single portal which business can use to share intelligence with us. That should be up and running in 2004.
IA: How do you see the technology battle between organised crime and law enforcement? Are you winning or losing the high-tech crime battle?
LH: I think is it fair to say that organised crime was a bit slow, and on this one occasion law enforcement got its foot in the door first. But one thing is certain. Organised crime will be pitting its wits against a technology from the moment it is deployed.
Technology develops at great pace. The NHTCU has to be on the crest of that wave. I am optimistic. Although the Internet is fast moving, the one thing you cannot get away from is that there are people involved. There are always patterns of behaviour – the human element – and that is where we can make progress.
IA: Do you think that new technologies – such as ID cards or biometrics – will help you to win the battle?
LH: It will take three to six years to roll out national ID cards. But the problem is: what are the applications of an ID card in an Internet environment? The whole thing boils down to verification. How do you ensure that the person with the card is who they say they are?
IA: Do you have enough resources?
LH: We have 55 people on the team and 62 in local policing. Our plan is to bring us up to full strength at 83 people. And there are 160 people working in computer crime units in local forces. One must of course look at the way increasingly all crime scenes will have a technical component in the future – so the number of people in law enforcement with the skills to manage such incidents will inevitably have to increase.
IA: What about local police forces? Can the local police station deal with the challenge?
LH: Prior to the development of the Hi-Tech Crime Strategy, there were some police forces that didn’t have a high-tech crime unit. But it has improved. I spent a lot of time negotiating a protocol to decide who does what when investigating crimes. High-tech crimes can challenge jurisdiction. Local police know the high street, the business, the people, but there is a whole other [digital] area that they don’t know so well.
There will always be a need for a unit like the NHTCU to step up to the challenges that new technology presents. But the technology of today may well be absorbed into the fabric of society tomorrow, and as that happens so the police service in general must adapt and respond to these changes.
IA: You’ve spoken about the dangers of businesses being infiltrated by organised crime. Where do you get the skilled, reliable people that you need to counter that?
LH: We recruit the majority of our staff from the police, customs, the military, and from intelligence agencies. In order to meet the fairly unique skills profile that we are developing it is essential that we adopt a flexible recruitment policy. I do not rule out bringing in the right people from the private sector – although experience suggests that this might bring retention issues. Surveys suggest that people in the IT industry, for example, tend to change jobs frequently. The NHTCU needs to be sure it gets a good return on training investment.
A significant number of our staff – not only within our forensic section but also across the Unit – either have or are in the process of securing masters degrees in computer science and information security. In fact we work closely with academia to provide input where appropriate on associated courses, and we have a budget to bring in consultants if necessary.
For example, much has been said about encryption. It would not be right to discuss the nature of our tactics in this area but encrypted files are in some ways like DNA evidence: Even if we can’t read something today, we retain material and we may be able to unlock it at some point in the future.