Business Standard

HOW TO CATCH CYBERCRIMINALS? OLD-SCHOOL SLEUTHING, WITH A DIGITAL TWIST

- KATRIN BENNHOLD & MARK SCOTT

Bank robbers wear masks and escape in vans with stolen license plates. Kidnappers compose ransom letters from newsprint to elude handwriting experts. Burglars target houses with the upstairs window ajar. Cybercriminals do much the same. They hide behind software that obscures their identity and leads investigators to look in countries far from their actual hide-outs. They kidnap data and hold it hostage. And they target the most vulnerable companies and people whose information is poorly protected.

Cybercrimes, like the global ransomware attack that began on Friday and has affected hundreds of thousands of computers in more than 150 countries, are in a way an updated version of ancient criminal methods.

And in the global search for the criminals that continued on Sunday, investigators are following much the same process that detectives in the physical world have used for decades: Secure the crime scene, collect forensic evidence and try to trace the clues back to the perpetrator. But for all of their similarities to traditional crimes, cyberattacks have major digital twists that can make them much harder to solve and can greatly magnify the damage done.

The latest attack has claimed at least 200,000 victims worldwide, according to an estimate on Sunday by Europol, Europe’s police agency, and new variants of the malware are emerging, leading security experts to warn that the fallout could spread as people return to work on Monday.

Such a large, complex and global crime outbreak means any hope of a successful investigation will require close teamwork among international law enforcement agencies — like the FBI, Scotland Yard and security officials in China and Russia — often wary of sharing information with one another.

“With cybercrime, you can operate globally without ever having to leave your home,” said Brian Lord, a former deputy director for intelligence and cyber operations at Government Communications Headquarters, Britain’s equivalent of the National Security Agency. “Catching who did this is going to be very hard, and will require a level of international cooperation from law enforcement that does not come naturally.”

The only institutional arrangement for international cooperation on cybercrime is the so-called Budapest Convention, whose membership is largely restricted to Western democracies, said Nigel Inkster, a former assistant chief of Britain’s secret intelligence service, MI6.

Authoritarian states such as Russia and China have refused to sign on to the agreement because it permits the digital equivalent of hot pursuit: A police force investigating a cybercrime can access networks in other jurisdictions without first seeking permission.

“Any investigation of the recent ransomware attack will have to be done by a coalition of the willing,” Inkster said.

There are signs a coalition is coming together, at least in parts of the international system. Europol said its team of cybersecurity specialists — made up of agents from countries like Germany, Britain and the United States — was investigating the attack.

Europe and Asia were the regions most affected by the crime, with hospitals, car plants and even the Russian Ministry of Interior falling prey to the malware, which takes over a computer, locks down the machine and releases it only when the owner has paid a ransom.

Hours after the attack was first reported in Britain, where the computer systems of the National Health Service were crippled, law enforcement agencies across Europe, Asia and the United States began looking for clues that could trace the assault to specific people or organisations.

As with a physical crime scene, the first step with any cyber investigation is to make sure the criminal is no longer hiding out, about to pounce again.

“Before we get into who did it, we try to figure out if the bad guys still have access,” said Theresa Payton, a former chief information officer of the White House and founder of Fortalice, a cybersecurity firm. “Are they still hiding? Are they going to come back tomorrow? Is the door that let them in still ajar? Can they inflict more pain?”

“And if so, where are they?” she added. “How do we cordon them off to mitigate further damages?”

©2017 The New York Times News Service

PHOTO: REUTERS Such a large and complex crime outbreak will require close teamwork among international law enforcement agencies for a successful investigation
