SC Congress London 2017 kicked off with Tom Reeve, SC's deputy editor, putting a potentially provocative question to a panel of experts: “is the law any use in cyber-space?”
To answer that question, Troels Oerting, group chief information security officer at Barclays Bank, who comes from a law enforcement background as the former head of Europol's EC3 unit, said cyber-space poses a difficult problem for law enforcement, as it presents a degree of separation between it and the perpetrator.
Oerting said that thanks to the internet: “There's a lot of crime that can be committed where they can be the other side of the world,” whether that's for, “stealing money or intellectual property.”
Oerting highlighted that the criminals who tend to target his organisation are well prepared and come with the backing of organised crime outfits - the kind able to run ransomware-as-a-service operations.
It is for this reason, Oerting said, that he wants to assist law enforcement in investigations, but he often isn't allowed to, due to privacy concerns. “Fighting crime is not a competitive differentiator, it's something which we need to do together.”
Melissa Hathaway, president of Hathaway Global Strategies LLC and a former cyber-security advisor to two US presidents, suggested that fighting cyber-crime shouldn't lie entirely with law enforcement. “With the exponential growth of connected devices and internet infrastructure, driven by government in hopes of driving productivity and growth, we need to recognise that our attack surface will grow.”
Hathaway, an advisor to the Bush and Obama administrations, raised the concern that no one is protecting our first line of defence: the devices themselves and the ISPs they connect to. “We need to get ahead of the problem, clean the ecosystem, and ensure the attacks aren't getting through the pipes.”
Perhaps sounding a little exasperated, Hathaway mentioned the mass-scale DDoS attack to which DNS supplier Dyn was subjected by the Mirai botnet. “If the government are able to put fluoride in our water to help us keep healthy teeth, and allow no cars on the road with faults, no camera should get to operate with a default password.”
Ed Tucker, head of cyber-security at HMRC, the UK's tax collection body, said “there will always be crime, we just need to ensure we make it as hard and as not cost effective for the perpetrators as possible.”
As part of the UK's Active Cyber-Defence Strategy, Tucker has recently stopped upwards of 300 million phishing emails from reaching HMRC customers – that is, UK taxpayers – by implementing the DMARC email protocol.
“HMRC will always be targeted by criminals, due to our huge customer base. However, with the implementation of DMARC, we've put an obstacle in the criminal's way, making it difficult to send phishing emails with our branding.”
Tucker disagreed that law enforcement is of no use, as this Herculean mission was supported by the UK's National Cyber Security Centre.
Renate Samson, chief executive at Big Brother Watch, said she doesn't do what most would expect of her as a privacy activist. “Most people think we spend most of our time telling government off, asking them to do less snooping.”
She said, “We don't! We spend it in front of businesses like the one Troels [Oerting] runs, asking them to have a conversation about what data should be handed over to law enforcement.”
Samson argued that, with regard to law enforcement fighting cyber-crime, there need to be checks and balances in place to ensure that the government does not overstep the mark when using its new Investigatory Powers Act, which came into force at the end of 2016 and requires communication service providers in the UK to break their own encryption on demand.
Although the panel disagreed on the original question, Oerting quipped, “When I was in law enforcement, I hated encryption. And now I run the security operation for Barclays, I love it.” It was a comment that received nods from those on stage and many in the audience.