How do the police address cybercrime at a time when more and more of our everyday actions take place in cyberspace? We talked to Oskar Gross, Head of the Cyber Crime Unit at the Estonian Police and Border Guard Board, to find out exactly what cybercrime entails, how it’s fought and how we can protect ourselves.
What is the function of the Cyber Crime Unit? How is it positioned relative to other organisations dealing with cybercrime and cyber security?
The Cybercrime Unit (C3) in the Central Criminal Police has two main goals. Firstly, we collect, manage and analyse information about the biggest cyber threats and actors. Secondly, we take relevant action based on the former. From time to time we also work on the aspects of prevention, legislation etc.
The biggest difference when compared to other organisations is our monopoly of force, which means that we are successful when we attribute crimes and catch criminals. However, we cannot carry out this fight alone – in our criminal cases, much of the evidence is digital. Thus, cooperation with cyber security companies and other organisations is vital for us. Moreover, this applies to both scenarios: when we ask for information during criminal proceedings and when cyber security companies, CERTs or other organisations discover something suspicious.
Prevention is also very important in this field, especially when it comes to young people, who might show curiosity towards the dark side of the internet. It is important to direct people back to the legal (and also very exciting) side of the cyber, before it is too late. Some countries in the world have started implementing interesting ideas for rehabilitation. In the coming years, we must also do the same.
The Cyber Crime Unit was established around three years ago. What changes and continuities have you seen in cybercrime trends during this time?
The most obvious aspect is the exponential growth of devices connected to the internet, which creates a wider spectrum of vulnerabilities and ways to use malicious tools against people. From the criminal environment point of view, it seems that the entry barrier has become lower and fewer computer skills are needed to start committing cybercrimes. One of the reasons for this is that quite a large part of the cybercrime environment has turned into a service-based economy. For example, in order to do a DDoS attack against a Minecraft server, instead of first infecting 1000 computers and then ordering them to make a huge amount of requests against the server, you can instead go to a website, copy and paste the domain/IP address to a text field, pay the cost in cryptocurrency and press “play”. Some websites might even offer you free trials. This extends to many services, from infecting machines to money laundering services etc.
There are many discussions about how cybercrime is a low-risk, high-reward type of crime. Criminals, who in the past have focused on “traditional” types of crimes, might also become interested in cybercrime. As the world moves towards digitalisation, we see that the cyber component has a bigger role also in other types of crimes.
I think it is important not to mystify the cyber realm. It is very simple to make people feel they are not in control and that is a problem with mystifying the internet. We should remember that cybercrime is not something that “just happens”, but there are real people behind these events. People do have control online. Cyber-attacks may seem like a technological mystery; however, they have more to do with being inattentive. Mystification is what makes us think of the internet as a technological chaos, rather than see it for what it really is – a group of people online.
It might also be one of the reasons people tend to believe things they read online, which they would never believe in real life (e.g., an elderly wealthy person has 50 million to spare because their safe is full and they just need somebody to give the money to). If something sounds too good to be true, it probably is not.
Translating crime from the “real” world to the virtual space, what are the differences and similarities in protecting people from harm?
Investigation techniques are slightly different; however, cybercrime investigations involve much more criminal police work than people would imagine.
One of the differences is that in the real world the harm is rarely repairable. For example, physical violence cannot be undone, whereas in cybercrime it is possible to undo the harm in some instances. The No More Ransom Project aims to provide tools to decrypt files that have been encrypted with ransomware. This is a good example where harm can almost be undone.
It is possible to protect people from cyber-crime with preventive work, the same way we do about threats in the “real world”. We advise people not to click on suspicious links the same way we advise everybody to lock their door before leaving.
From the perspective of the police force, what is currently the greatest challenge in tackling cybercrime?
Anonymity is the name of the game in cybercrime. Most probably, one of the biggest challenges is connected to the aforementioned service-based economic model. Namely, for services the anonymity model is often built in and thus it makes it more complicated to investigate separate incidents.
Another challenge is of course hiring – as Estonia is a very IT-driven country and the sector is big with many opportunities. It is challenging to find people for our technical team. We deal with very versatile topics and each person in the tech unit needs to have quite a large spectrum of skills.
People have been deemed the weakest link in cyber security. What piece of advice would you give regarding cyber behaviour to minimise the threats they pose to themselves and their organisations?
I have always liked the comparison that reasonably safe cyber behaviour is similar to minimising infections in the real world – as we know 80% of the infections can be avoided by simply washing hands regularly. In computer security, unfortunately, it is not only one thing you have to do but many. Important things to remember:
• Use strong, unique passwords and two-factor authentication (if possible)
• When offered, always update software
• Use antivirus
• Make backups regularly
• If something looks too good to be true, it probably is
If you follow this advice, you are probably better protected than most people.
How can people’s cyber behaviour be improved through top-down approaches? What kind of prevention initiatives have proven the most effective?
Prevention campaigns definitely work and I am quite sure people perceive threats of the internet much better each day. For instance, even my grandmother forwards me different scam emails which promise great riches.
It is hard to say which initiatives are most effective – the problem of measuring this boils down to estimating the growth of the crimes committed on the internet and then analysing the dynamics of how many people fall victim. I think notification campaigns are always important, but in the future we hope to look into more tailor-made campaigns, where the targets of the messages are carefully chosen. For example, in preventing falling victim to the business email compromise scam, last winter we notified board members of Estonian companies. We received mixed feedback about the campaign, but the number of notifications to our tip line about BEC frauds increased. The campaign was not perfectly executed, but next time we are smarter.