Rob Wainwright helps coordinate criminal investigation across the EU's 28 member states as head of Europol
Rob Wainwright helps coordinate criminal investigation across the EU's 28 member states as head of Europol

Criminals are busily attacking weaknesses in IT systems that are not only simple to exploit but also quite old. In some cases, the vulnerabilities are older than the hackers themselves, giving new meaning to the term “script kiddies”.

Meanwhile, organisations are failing to observe basic cyber-hygiene, and in many countries, criminal justice systems are adapting so slowly to the new threat landscape that one could be excused for thinking that the cyber-criminals were running circles around them.

To top it all off, the law enforcement and intelligence services of well-established democratic nations have reached a virtual impasse with tech companies over access to data they consider vital to combating serious organised crime, child sexual exploitation, people trafficking and terrorism.

These are just some of the problems facing Europol, the policing organisation that bridges investigative activity between the 28 member states of the European Union, as it attempts to address the growing problem of cyber-crime.

While it doesn't have the power to conduct investigations in member states or arrest suspects, Europol helps to collate and analyse information from the relevant authorities in member states including police, customs and immigration and often boasts of its involvement in major pan-European operations.

Ironically, given the parlous relationship between the UK and the European Union, the director of Europol is a British citizen, Rob Wainwright. He is also the first director of Europol not to have a policing background or belong to a national police force, having served as an analyst at MI5 and then in director level positions for international affairs at the National Criminal Intelligence Service and later the Serious and Organised Crime Agency (which was absorbed into the National Crime Agency in 2013).

Data access

Wainwright joined Europol as its director in 2009 and four years later launched a new division devoted to computer crime called the European Cybercrime Centre (EC3). SC spoke to Wainwright late last year.

“I think the environmental problems that we face in the online space of having access to the kind of data and evidence that we would normally rely on in the everyday world is the real problem,” he said. “It's the ability of criminals to hide behind certain features of the internet that are so far not regulated in a way that would allow law enforcement to have the ability to deploy its skills.”

For several years now there has been an ongoing debate around encryption and the ability of governments to access information for law enforcement and intelligence purposes. Despite tech companies taking a generally hardline stance against breaking encryption, senior officials in governments around the world have pushed for some kind of system that would be secure for everyday use but could be broken on demand.

Just last week, the UK home secretary Amber Rudd repeated this plea in the wake of the attack on Westminster bridge and the Palace of Westminster.

Wainwright supports that plea, saying the tech community has an obligation to help.

“What I would like to see is a more constructive, systematic and better partnership between law enforcement and the tech providers – yes, indeed, in developing law enforcement's ability to decrypt certain communications under judicial conditions,” he said. “I think it's important that the police do develop their ability to decrypt communications of suspects where they have a lawful means to do it, and yes, I do think that the tech sector has a responsibility to help law enforcement do that.”

However, in common with ministerial assertions on the matter, Wainwright is vague on how that might work apart from saying that it shouldn't be beyond the capabilities of “the brightest minds in Silicon Valley” to create systems that are, on the one hand, secure while not being so secure that police can't have access when they need it.

When pressed on this question, he replied: “You can have it both ways by helping law enforcement to develop a capability to decrypt certain communications when they absolutely need to.”

Perhaps the bigger stumbling block – an issue that will surely be testing the brightest minds in the legal profession – is how to legislate for this. Laws are national while the tech industry is almost defined by its transnationality.

“We note that there have been several examples of trying to legislate for this problem, such as the debate going on in the UK about possible legislation, similarly in France over the past year,” Wainwright says. “It shows countries are really struggling with this dilemma. It also shows there is a problem here that we really haven't regulated in the right balanced, proportionate way – the need to have an internet environment that is safe and secure as well as free and private.”

However, he sees encouraging signs in Europol's relationship with the leading social media companies when it comes to identifying and removing terrorist content – all without Europol being granted any enforceable powers.

Team Mozart

Europol is adept at working with multiple stakeholders, not just in Europe but around the world, and in addition to law enforcement agencies, it has developed a close working relationship with a number of tech companies.

One case that Wainwright described was the Joint Investigation Team Mozart which ran a two-year investigation targeting an organised crime group. The group, which Wainwright described as one of the most prolific in the world, committed highly effective ebanking fraud and Trojan attacks on four continents, he said, and involved law enforcement from 15 countries.

“It's sort of a cliche but one country can't fight this alone,” he says. “It's not just one country but also one sector – so by bringing our technical specialists, law enforcement specialists, the industry and judiciary together, in a global way, allowed us finally to get to grips with the multi-dimensional parts of that particular threat and operation.”

He adds: “We have the ability across a very wide and interconnected community to harness multiple different parts of that community, each with maybe its own specialist expertise and to use our information-sharing platform to exchange intelligence, again, on a massive scale and understand the different dimensions of criminal activity.”

As an indication of Europol's reach, it's interesting to note that the organisation has an interconnected network of 700 law enforcement agencies from around Europe and the rest of the world on its platform, and although not all of them are involved in cyber investigations on a daily basis, most of them touch on it from time to time.

However, one of the weaknesses of a policing agency that bridges 28 separate countries is that each comes with its own criminal justice system. That doesn't always yield the consistency of approach that would make Europol's job any easier.

Common standards, such as the NIS Directive, are a start, but each country is free to implement them in its own way. Wainwright is sanguine on this point.

“We are dependent on the ability, willingness and efficiency of member states to implement those common standards in a uniform way,” he says. “At least we have identified what the common standards should be in the first place and that's something we didn't have before.”

What Brexit means

At the time we were speaking, Brexit was still some six months in the future, but of course as of 29 March, the Prime Minister Theresa May has triggered the process which in two years' time could lead to a number of different scenarios.

Wainwright is initially wary about answering questions about Brexit, saying only that he wished he knew what the future would bring.

Trying a different tack, I ask him what he fears might happen.

He says he would be concerned if Brexit damaged the ability of law enforcement agencies across Europe to work together. While there is no formal commitment, there is a shared view that the UK will find a way to continue working with its European partners.

“The UK understands that, inside or outside the EU, it will find a way to cooperate with its European partners,” he said, “but subject to the outcome of the negotiations, the form of the cooperation will change and could make it more complicated.”

Whatever happens between Britain and the EU, cyber-security is, in Wainwright's view, going to need to develop closer relations with the law enforcement community.

Third tier problem

Unfortunately, the tech industry – in its headlong rush to develop products and services – doesn't always take security into consideration, and if cyber-security is relegated to a second or third tier issue, as Wainwright suggests it is, then there is little hope that law enforcement will be taken into consideration in the design of the latest toy or gadget.

“We have been talking for some years, encouraging the view that we should have a greater approach modelled on the concept of security by design, so when you design a digital device, security should be one of the driving forces,” he says.

And does that involve giving law enforcement a backdoor into their products?

Wainwright doesn't answer the question directly but does take the opportunity to refine his argument in favour of giving law enforcement a means to gain access to data contained within devices.

“They [the tech industry] have a strong view based on a set of strong principles that I respect, and law enforcement generally have a different view. We need to close that space, of course, to make it a more constructive, mutually enforcing relationship.

“The problem is that those multiple, varying views are encouraged by the fact that we have a regulatory, legislative vacuum in that space. And an actor will say, OK, the law is silent on this, I'll do what I want. That's the problem.”

He says it is an aspect of life that is ripe for regulation.

“So we haven't found a way yet of regulating that part of our life yet, in the same way that we have in every other part,” he says.

“When the telephone was invented and became subject to mass use, we regulated the fact that the police sometimes need to have a lawful ability to intercept calls made by suspected criminals and terrorists.

“That was, or certainly is today, accepted by industry in every democratic country and accepted by the public at large. The fact that communication is now operating in an online environment in a different technical means doesn't change one bit the principles behind why such legislation is needed.

“But it hasn't been transposed into similar working proposals to allow law enforcement to intercept the communications of terrorists.”

Despite the world's heavy reliance on networked computers, there is still a large measure of ignorance as to how these systems actually work, and one can't help but wonder if the resistance to the surveillance tactics that Wainwright and others would like to adopt isn't based on fear of the unknown.

Meanwhile, in the veritable fortress in The Hague that is Europol HQ, law enforcement officials from dozens of countries in Europe – and from the rest of the world, as well – will use the tools they have at their disposal to track criminals and terrorists, collect what information they can and try to bring them to justice. For our sakes, let's hope they continue to be successful.