To catch a cyberthief – how the UK’s top online cop aims to ‘stay one step ahead of the bad guys’
Mike Hulett of the National Crime Agency's dedicated cyber unit tells PublicTechnology how the internet has transformed the lives of criminals and those that pursue them
Credit: National Crime Agency/CC BY 2.0
If you have attended as many IT vendor conferences as a career technology journalist, you will know that a typical keynote presentation on the transformational impact of the internet and digital platforms tends to call on one or more of a very familiar array of statistics and illustrative examples.
We’ve all heard the one about the number of connected devices outstripping the number of humans that use them. Not to mention the one about how the hotel and taxi industries will never be the same again. And let’s not forget the one about how – every single second of every day – we are creating more new information than has ever existed in the course of human history. Or something like that…
A slightly darker stat – but one that is perhaps more instructive than any of the above – is that, according to many technology and law-enforcement experts, cybercrime has grown from practically nothing in the last 20 years to represent about half of all crime committed.
The UK’s central National Crime Agency, which leads the country’s response to the most serious organised crime, now has a division dedicated to the prevention and prosecution of major cyber offences.
The 300-strong National Cyber Crime Unit is responsible for leading law enforcement’s response to internet-based crime. This involves not only investigating the biggest and most complex cases, but also co-ordinating and delegating investigations conducted by local police forces or one of the UK’s 10 regional organised crime units.
The unit is split into three areas, the biggest of which is the investigative function led by NCCU head of operations Mike Hulett. Under his watch are a number of criminal investigation teams that have, over the last few years, led the response to incidents including the 2017 WannaCry attack on the NHS, and the cyberattack aimed at the Houses of Parliament later that year.
When PublicTechnology meets Hulett, these teams are conducting about 40 separate investigations.
On top of these investigators, the NCCU’s operations function also contains digital forensics professionals, and an incident-management team. This serves not only as the NCA’s “key gateway into the National Cyber Security Centre” but, Hulett says, also provides a “triage” function for the wider – non-cyber-specialised – law-enforcement community.
“Cyber is one of those things which, to the uninitiated, if you don't understand what's happening, something which is actually quite benign can appear big and scary,” he adds. “Equally, something which is quite impactful and dangerous can appear to be benign. So, our triage function tries to spot the most damaging things that are happening and allocate the right law-enforcement resource.”
Some regional organised crime units have just a few dedicated cybercrime officers, while others employ a few dozen. Hulett says that having a national cybercrime function – with the ability to oversee investigations and deploy resources across the country – helps ensure a level of consistency in incident response, regardless of local capability.
“I would say that across law-enforcement in general, we don't have anything like enough cyber investigators,” Hulett says. “Given that cyber in some way – whether that’s cyber-dependent crime or cyber-enabled [crime] – makes up over 50% of recorded crime in the UK, there is nothing like 50% of resources devoted to it. There is a cultural change needed, a training change, [and] an equipment change.”
No longer victimless
But the cybercrime chief says that the high-profile incidents of the last few years have prompted a marked spike in awareness of cybercrime and an appreciation of its potential impact. Not least, according to Hulett, among senior police officers and management figures.
“Various things that have happened… have caused a bit of a change in government consciousness, media consciousness, public consciousness and, with all of those, law-enforcement leadership consciousness as well,” he adds. “Prior to , cybercrime was perceived as, in some way, victimless. Most commonly it would be somebody losing money from their bank account, for example, through the result of credential-stealing malware somewhere in the system… If you lost money, the bank would probably recompense you. The public’s attitude tended to be that no-one had really lost.”
He adds: “With some of the things that have happened, particularly WannaCry affecting the NHS, it then starts to [demonstrate] a real-world, kinetic effect. And, let’s not forget, the NHS was not deliberately targeted – they were acting [as] an accidental victim… when [an attack] manifests itself in healthcare not being available to a large number of people, and operations being cancelled, that is a real-world kinetic effect, and it starts to make people sit up and realise that, actually, this isn't a victimless thing.”
The month after WannaCry, the NotPetya malware assault provided further evidence of the potential destructiveness of cyberthreats. The attack had a huge impact in Ukraine, where various state and commercial entities were crippled by the malicious program.
[Key figures panel: number of staff employed in the National Cyber Crime Unit; number of separate investigations taking place across the NCCU; number of businesses that have suffered a cyber breach in the past year, according to DCMS research; year in which the UK’s Computer Misuse Act was published – shortly before the first formal proposals for the creation of the world wide web]
But infections also spread to numerous other countries around the world – including the UK – with the operations of a number of large commercial entities hit hard, including shipping company Maersk and delivery firm FedEx. This helped reinforce the potential impact of cyberattacks in the business world, according to Hulett.
On top of the operational strand of the NCCU, the unit has an intelligence function which brings together “covert intelligence, open-source intelligence and threat intelligence”. This information helps the NCA target its resources at those threats with the potential for the biggest impact on the most people.
The cybercrime unit also has an in-house technical team which works on developing software tools. This team works closely with partners in industry and the intelligence services.
“They are developing some of the niche capabilities that we need to fight the top-end cybercrime,” Hulett says. “It is about recognising that what is boutique and niche today will be run of the mill next week. So, we're trying to develop those tools to stay one step ahead of the bad guys.”
In addition to responding to cybercrime, the NCCU has a remit to try and prevent it. This mostly takes the form of efforts to engage with and provide a positive influence for young people who might otherwise be “drawn into cybercrime – which is quite easy to get into”, Hulett says.
Virtual crime and virtual criminals
The connectivity and networks that ease the path into cybercrime also make the criminal landscape more diffuse than its physical counterpart. This can make it much more difficult for law enforcement to understand and disrupt the organisation that underpins organised crime online.
Hulett says that, for traditional crimes, the archetypal image of career criminals is “largely right”.
“People tend to graduate their way up, and there is a high degree of organisation, and a high degree of trust,” he says. “[Criminals are] working with people that maybe they went to school with, or grew up on the same estate and, 20 or 30 years later, they’ve still got those connections with them. Cyber is different. We are dealing with people who, in many cases, don't know each other – and don't need to know each other. They know each other by online reputation. They almost certainly won't know someone's real identity.”
In this set-up, different members of what Hulett characterises as a “virtual crime group” will provide the various hacking skills and malicious programs needed to launch a cyberattack. This dispersal of activity presents investigators with new challenges.
Hulett adds: “If you think back to the [Hatton Garden] safety deposit robbery… these were armed robbers of some repute that have worked together for donkey's years. In that kind of operation, once the police identify one person – if they identify that John Smith was involved… they know instantly that almost certainly he's going to be working with Fred Bloggs.”
This ability for police to forge likely connections was demonstrated by the main players in the Hatton Garden heist – a quartet of seasoned criminals who famously developed plans for the 2015 theft during their regular Friday-night meet-ups at the Castle pub in Islington.
Alongside the different kinds of criminals police now need to pursue, new types of investigator are also needed. While the NCCU does sometimes need the physical surveillance and investigative techniques used by firearms or drugs units, this is a “relatively small element” of its officers’ duties.
“We've had to change our thinking in terms of the sort of person that we need,” Hulett says. “I need people that have got different skills… and we've had to change our recruitment strategy slightly in terms of how we get people in here compared with how we get them into the other areas of the NCA.”
He adds: “We've got a real range of people – some are pure techies, straight from university, some have got a background in project management, others are investigators from other areas.”
Hulett himself falls into the latter category, having moved into the cyber unit in 2015. Prior to this, he spent more than two decades as a police officer, primarily focused on organised crime, including “drug-trafficking, firearms-trafficking, fraud, corruption, and kidnap”.
Clearly, the skills – and the type of people – needed to pursue the perpetrators of those crimes are different to what is needed to investigate a malware attack. But, as time passes, the lines between old-school coppers and cyber specialists may begin to blur.
“Like most policing senior leaders, the internet is something that happened to me halfway through my career,” he says. “What we forget is that, for young officers joining, they've known nothing but the internet, and that technology-enabled environment. And it's perhaps not the scary culture shift that some senior leaders perceive it to be.”
One cultural difference that Hulett says he found challenging was the need for cyber investigators to be more open with external parties. In order to ensure the NCCU has the “understanding of the strategic landscape in cyber”, the unit needs to engage with academics and commercial firms.
“That's the bit that is massively different to the rest of law enforcement,” he says. “My biggest culture shock, by far, in coming into cyber from other law enforcement areas is the massive involvement, trust and reliance on industry partners. Whilst I've got a relatively small number of actual at my disposal, in theory, I've got a limitless army of people out there who are generally on the side of the good – in IT companies, software and antivirus companies and cybersecurity researchers.”
Hulett adds: “When I first turned up, I’d go to an operational planning meeting and there could be someone from one of the big software companies in the room. My natural instinct would be to say: ‘do you mind stepping outside, because we're going to discuss some intelligence?’ The rest of my team would look at me like I just landed from Mars – and, in a way, I had. Because you soon realise that those guys would probably have brought you the problem in the first place – and they are more than likely going to be the answer to it as well. So, you have to get over that natural law-enforcement reluctance to share.”
While the internet has occasioned a sea change both in crime and in how it is fought, the law used to bring criminals to justice has not kept pace. Hulett tells PublicTechnology that, for the NCCU, the primary piece of legislation is the Computer Misuse Act [CMA] of 1990.
This law, he adds, was drafted shortly before the invention of the world wide web.
Some more recent legislative changes have introduced harsher penalties and the situation is, Hulett says, “getting better” on the whole. But the international nature of cyber investigations, and the necessary cooperation with overseas counterparts, reinforces that “there are certain things which UK legislation is lacking”.
“It's a challenge for us working with other law-enforcement agencies who've got different powers to do things that we can't necessarily do,” Hulett says. “We do feel that, oftentimes, the sentencing which is handed down [for cyber crimes] is not reflective of the damage that's done.”
He adds: “If someone sets fire to a building and causes £100,000 of damage, they’re probably going to get a fairly hefty sentence for arson. Whereas, if someone launches a cyberattack against a company and it costs them £100,000 in mitigation and clean-up costs, they're almost certainly not going to get a custodial sentence. Now, I'm not comparing the risk that those two offences might present… But, sometimes the cost to a company or a victim is not reflected in the sentence which is handed out. Is the deterrent effect there? Arguably not.”
Rise of ransomware
The forms of cyberthreat facing organisations have evolved of late, according to Hulett. For a number of years, financial malware, credential-stealing programs, and Trojans were cybercriminals’ “bread and butter”, he says. But the targets of attacks by these means have got significantly better at defending themselves.
In their place has come ransomware which, during 2018, firmly emerged as the primary cyberthreat. It is “much more cost-effective and much quicker” than the threats it has superseded, Hulett says.
[Key figures panel: cost to the NHS of the WannaCry attack, as estimated by a government report; number of ‘significant’ attacks investigated by the National Cyber Security Centre during its first year in existence; the most serious form of cyberattack – which would be declared a national emergency (the UK is yet to suffer such an attack; WannaCry was classed as category 2); the priority threat for the NCCU, according to Hulett, replacing the likes of Trojans and financial malware]
Similarly, distributed denial of service (DDoS) attacks – in which sites, devices or networks are flooded with traffic to prevent legitimate use – have, in the past two years, graduated from being seen as little more than “a bit of an annoyance” to a more serious problem.
“We’ve learned about the importance of it,” Hulett says. “It’s very much a gateway offence; it's often the first thing that people do, and there's lots of correlations with gaming and modding, where people might want to shut off their mate’s Call of Duty account. [When they do so], they're actually committing CMA offences without realising it. Low-level DDoS is really simple to do – you could click and buy a service, if you want to. We don’t want to ignore it – because it is a gateway offence.
“Also, with the advent of the internet of things and the vast power of botnets that are out there – vastly more powerful than they were before – the actual damage that can be done by a DDoS attack is more significant. And we are increasingly seeing DDoS [as part of] a blended attack, with multiple things going on. Typically, the DDoS might take down the public-facing website of an organisation. When that happens, all the network defenders will go scurrying in that direction. Whereas, actually the bad guys are trying to get in the backdoor… we quite often see a ransomware or a network intrusion on the back of DDoS – which is just there to create a diversion.”
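The diversion pattern Hulett describes has a straightforward defensive counterpart: rather than sending every analyst to the public-facing outage, treat every other alert raised during (and shortly after) a DDoS window as one that must be triaged on its own merits. The following Python is an added illustration of that correlation, not code from the article, the NCA or any product it mentions; the log format, event names, hosts and addresses are all constructed for the example, and the ten-minute grace period after the DDoS ends is an assumed tuning value.

```python
"""Flag security events that a DDoS window may be masking.

Added example (not from the PublicTechnology article or the NCA). A DDoS
against a public-facing site can be a diversion while an intrusion or a
ransomware deployment happens elsewhere. Instead of routing all analysts
to the DDoS, this code lists every non-DDoS alert raised inside a DDoS
window, or within a grace period after it, so each is reviewed separately.
The log format, event names, hosts and addresses are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source> <event> <detail>".
# The two MASS_RENAME events stand in for a ransomware-style encryption
# run; the first LOGIN_SUCCESS arrives mid-DDoS from an unfamiliar address.
SAMPLE_LOG = """\
2024-03-01T09:58:00Z edge      DDOS_START     target=www rate=9.2Gbps
2024-03-01T10:03:12Z vpn       LOGIN_SUCCESS  user=svc-backup src=203.0.113.7
2024-03-01T10:07:45Z fileserv  MASS_RENAME    host=fs01 count=4100 ext=.locked
2024-03-01T10:15:00Z edge      DDOS_END       target=www
2024-03-01T10:19:30Z fileserv  MASS_RENAME    host=fs02 count=2800 ext=.locked
2024-03-01T13:00:00Z vpn       LOGIN_SUCCESS  user=alice src=198.51.100.4
"""


def parse_log(text):
    """Parse the constructed log format into (time, source, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event, detail = line.split(maxsplit=3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, event, detail))
    return events


def ddos_windows(events):
    """Pair DDOS_START/DDOS_END events into (start, end) windows.

    A DDOS_START with no matching DDOS_END is treated as still ongoing
    and is returned with end=None.
    """
    windows, open_start = [], None
    for ts, _, event, _ in events:
        if event == "DDOS_START" and open_start is None:
            open_start = ts
        elif event == "DDOS_END" and open_start is not None:
            windows.append((open_start, ts))
            open_start = None
    if open_start is not None:
        windows.append((open_start, None))
    return windows


def masked_events(events, grace=timedelta(minutes=10)):
    """Return non-DDoS events that fall inside a DDoS window or within
    `grace` after it ends: the alerts a diversionary DDoS is meant to hide.

    The grace period is an assumed tuning value; follow-on activity often
    continues after the flood stops, so a hard cut-off at DDOS_END is avoided.
    """
    windows = ddos_windows(events)
    flagged = []
    for ts, source, event, detail in events:
        if event.startswith("DDOS_"):
            continue
        for start, end in windows:
            if ts >= start and (end is None or ts <= end + grace):
                flagged.append((ts, source, event, detail))
                break
    return flagged


if __name__ == "__main__":
    for ts, source, event, detail in masked_events(parse_log(SAMPLE_LOG)):
        print(f"REVIEW {ts.isoformat()} {source} {event} {detail}")
```

Run against the constructed log, the script flags the mid-DDoS VPN login and both mass-rename events (the second falls inside the grace period), while the routine afternoon login is left alone. In a real SOC the same join would be done in the SIEM, but the point is the same: a DDoS alert should widen attention to concurrent alerts, not narrow it.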
While, for Hulett and his contemporaries, these initialisms and tech terminology may be a comparatively new feature of their working life, the NCA cyber head maintains that some eternal truths about the criminal landscape remain, regardless of the differences in the crimes and those who commit them.
“Without a doubt, cyber is complex – I'm not going to pretend that it isn't,” he says. “But I'm not a techie guy, and I like to keep things fairly simple. So, for me, it is always going to be about someone nicking something, or breaking something, or a combination of the two. I remind myself that, however complex it is, we still want to turn that case and that evidence into something 12 members of the public could understand.
“We're all seeking to answer the same question: who's done it?”