Hackers can damage critical infrastructure, ruin economy – UN cybersecurity chief
In one of the most notorious digital attacks in recent years, a malware called WannaCry infected hundreds of thousands of computers worldwide, affecting governments, businesses, and ordinary users. Luckily, the virus was quickly defused, but new ones are popping up one after another. While digital technology is bringing unprecedented opportunities into our lives, it also creates more targets for cyber criminals – since everything around us is connected, it all can be hacked. So how vulnerable are we to cybercrime? And how do we protect ourselves? Neil Walsh – the chief of UN’s program on cybersecurity – is on SophieCo to discuss.
Sophie Shevardnadze: Neil Walsh, chief of the United Nations global programme on cybercrime, welcome to the programme, it’s really great to have you with us. Now, Neil, the latest big cybercrime story has been the WannaCry attack, it’s affected lots of countries and damaged key infrastructure, but the software behind the WannaCry virus was actually reportedly developed by the U.S. government and stolen by hackers. So why aren’t cyberweapons guarded as tightly as missiles or tanks?
Neil Walsh: Thanks, Sophie, for giving me the time to talk with you today. I think you raise an important point. I obviously couldn’t give you any specific detail on the origin of the exploit because that’s simply something that has been reported in the press and I have not seen the origins of that. However what it does show us I think is the need for governments to work clearly together to help minimise the risk of exploitation of difficulties and technical attacks on software.
SS: Well I mean a cyberweapon is basically finding a flaw or a hole in software, right? So if the government develops a cyber weapon it knows about software issues. Why not tell its allies, why not tell the software company? Why make a weapon out of it?
NW: I think that’s a question that you’d have to address to individual governments, where that was the issue. I think the clear point that comes across with all of this is the need for governments to work together. And within the United Nations Office on Drugs and Crime that’s what we do, we bring governments together from around the world, from around political persuasions to try and minimise these sorts of risks and help those conversations to occur.
SS: But I mean your work -- is part of your work also convincing people who are placed higher up actually to work in communication with everyone else and not guard the secrets for themselves and maybe use it later? How successful are you in that?
NW: The way that we work is we host for example an intragovernmental expert group on cybercrime and governments from around the world sit on that. It met most recently in April of this year. And it’s that sort of opportunity that we create, the mechanism for governments to talk to each other, to work together, to grow relationships. And ultimately all this is about minimising the risk to the public from cybercrime.
SS: But how hard is it to make the governments give up those findings?
NW: I think the way that the UN works, we don’t interfere directly in the issues of a sovereign member state. What we do is to create that atmosphere and that capability for governments to work together and I think what we seek to encourage are those sorts of relationships where governments from across the world, from across political divide sit together to try and work their way through some of the most challenging issues in cyber.
SS: So tell me something, how damaging can a cyberattack be? What’s the worst case? Do you have to hack into a military computer to do lots of damage, or can you mess with infrastructure instead - shut down an electricity grid, or a phone network, for example?
NW: I think that this is a really important question and the context of that is exceptionally important, because depending on what country this happens in, depending on what their critical infrastructure is, you could have a really serious impact. We’ve seen smaller countries, more developing nations have suffered from attacks that have, for example, crippled the internet for a period of time. I was speaking with representatives of Kaspersky lab just last week and they were explaining with their analysis and from their data how the attacks on critical infrastructure have changed in the past year. So instead of energy attacks being the priority we’ve seen a rise in water infrastructure coming under attack. But looking at it in a different way, maybe for a country that depends on tourism as your primary source of revenue, so, for example, if an attack that took the tourist industry online, hit hotels, hit the infrastructure for bringing tourists around the country, that can be exceptionally grave for an economy as well. So it really is contextually dependent.
SS: A London-based think tank says UK's Trident nuclear submarines can be hacked into, leading to all kinds of horrors including, potentially, a nuclear weapons launch. UK government has repeatedly denied any possibility that Trident operating systems can be hacked. What’s your take on that?
NW: I have nothing really that I could comment on that. I’ve got no knowledge of Trident, no knowledge of any member states’ operating systems for nuclear weapons or anything like that. So I think you’d need to ask the government concerned.
SS: Yea, but is it theoretically possible to hack into something so huge that would unleash a catastrophe?
NW: Again, without having any knowledge of that system or how it’s built, I really couldn’t give you an honest answer to that.
SS: It’s not only anonymous hackers from the Deep Web, we’ve seen states use malware like Stuxnet on adversaries already. Is cyber war the battleground of the future, is it all going to be done with computer programs?
NW: I think what we see now, Sophie, from cybercrime and cyberattacks is that it has made things easier, whether it is a state-based attack, whether it is an organised crime-based attack or often the grey areas in between, and within my programme we seek to help member states from across the world on their request to build a capability to investigate such attacks and minimise such risk. But I think as the Internet of things - the devices that are connected to the Internet - grows then there needs to be a much stronger posture of cybersecurity around the world from both industry and governments to help minimise that risk. And the public are the key to minimising that risk.
SS: What scale does a cyber attack have to be to provoke a real-life military response, to be seen as an act of war?
NW: I think again, all of this is contextual, it would depend on the country involved and depends on what the nature of that attack would be. One of the biggest challenges that any investigators face in dealing with cybercrime is attribution: who did it, where did it come from? And as we have seen with many of these attacks - you mentioned WannaCry, the recent ransomware attack - it’s still unclear where that originated from. So our clear message to government is to work together around the world to minimise this risk, to grow those relationships and make sure diplomacy is the key to everything.
SS: And there’s also how governments use the internet and hacking to its own advantage. In Qatar its neighbours cut ties with it partly because of something the Emir said, and now they’re claiming it was a hack. But with it being so hard to identify the perpetrators, are the unseen hackers becoming a convenient political scapegoat?
NW: Again, I think this is a really good question, Sophie, and it brings me back to the previous response that attribution is the most difficult bit. And that’s where we need to ensure governments across the world, across political divide, have the capability to investigate and deal with cybercrime attacks. Because without that it is exceptionally difficult to draw a conclusion on the origin of that and to work on the policy that goes around that.
SS: U.S. intelligence and lawmakers are considering investigating Kaspersky antivirus software, because they think that Moscow can use it to do bad things. Do you think that’s due diligence - or is it politics actually compromising security? And really just your personal take on that. I understand your position, working at the UN, you need to stay neutral, but I want to hear your take on that.
NW: I think in all of this - and I wasn’t aware of what you’d said there about allegations about Kaspersky - if we look at Kaspersky, if we look at other Russian companies, Group-IB, for example, they work with industry, with law enforcement, with government in lots of different bits of the world. For example, Europol, the EU’s law enforcement agency, Kaspersky, Group-IB are a critical guidance factor to the European cybercrime centre. I think that shows to me how important the collaboration between industry and law enforcement is, and that’s the sort of thing that I would personally advocate for, push much more for. The importance of industry in being a preventive measure on cybercrime, on helping governments around the world to deal with these issues is absolutely fundamental. There is too much of cybercrime to investigate your way out of, and the role that industry would have in protection and investigation is going to continue to grow irrespective of where they’re based.
SS: The NSA and major media outlets reported on the alleged Russian hacking of Emmanuel Macron’s campaign as fact - now we get information from the French intelligence that Russia had nothing to do with it. US claimed that Russia attempted to influence the vote in Austria - now Vienna itself is denying it. What’s up to the NSA expertise, how could they get it so spectacularly wrong?
NW: Again, having no experience with the NSA or the substance of what you’re discussing, it’s exceptionally difficult for me to comment on that with any real substance, Sophie. What I do think this shows again and again is the necessity for diplomacy at the heart of countering state-based allegations of cyber. I think the way that we work at the UN by bringing governments together, we’re seeing a very good constructive process there, it’s something that we need to continue to do. And governments around the world are committed to doing that. It’s my role to help make that happen.
SS: Is electronic voting safe enough these days? Or should countries just go back to good old paper ballot technology?
NW: I think like anything we see in cyber there are elements of protection, elements of security that you can put around anything. There is no such thing as 100 percent security and each individual member state has to make their own decision on what’s right for them. We see some governments, some countries choose to use paper-based systems, we see others that choose to use electronic and really that is a decision for them. The key to all of this is making sure there is confidence in the system that’s in place.
SS: You’ve been saying that the close international cooperation is needed to fight cyber crimes. But it does already exist in some form - so is it the countries that don’t really want to cooperate?
NW: No, I don’t think that’s the case at all. What we see on a daily basis both on a policing and law enforcement level through to diplomacy is a real desire to work together. We had over 90 states from the UN in Vienna a few weeks ago discussing cybercrime, discussing matters of policy and diplomacy. That’s working. There’s more to be done, but it is working. And at a law enforcement level we see cooperation bilaterally, between states and multilaterally through institutions like Interpol and Europol. And that is working. I think there is that desire that we’re about working together, we’re about keeping countries and citizens safe from cybercrime.
SS: But you’re still saying that more cooperation is needed, right?
NW: Yea, there’s always more that can be done I think to enable closer working together to build those relationships and build trust across different bits of law enforcement and organisations.
SS: So MI6 has been reinforcing its cyber security squads with hundreds more staff. Does that mean that intelligence agencies will rely upon internet and social media more than on Bond-style agents?
NW: Again, a good question, but having no knowledge of MI6 or how that structure would work I think it’s a question you’d have to refer to the UK government. But looking at the broader sense of that I think what we see if we look across crime, cybercrime as a whole, seeing the delineation of what happens online and offline is becoming increasingly blurred. One of the biggest risks that my staff deal with around the world is online child sexual exploitation and abuse. And as adults we might often have a perception of what a risk might be, but when we speak to kids, when we speak to younger teenagers, their understanding of what happens online and offline really is becoming a very grey area, there is no separation between online and offline. It’s just life. So that means that we as investigators, as diplomats have to have a different approach - an approach that recognises what children assess the risk to be now.
SS: This, I’m sure, you know - Is cyber crime separate from ordinary crime? Is it all really all geeks and nerds in dark rooms, or is it organised and tight like a Mexican cartel?
NW: It’s a good question. We tend to look at cyber as being cyber dependent, so where you need a computer to do something, so, for example, hacking a computer system, or cyber enabled. Let’s look at the traditional bank card fraud. Ten years ago I would’ve needed to steal your bank card to do it. Whereas now I can send you an email and socially engineer you to give me your bank card data. So really there is that broad mix of stuff that you need a computer system to do it and then other things can happen generally. Sometimes it’ll be an individual kid raddled with a coding capability, other times we look at a growing risk of cybercrime as a service where highly technical, highly experienced cybercriminals will offer their capability to other organised criminals, even individuals. So for someone with no IT capability, if they want to become a cybercriminal they don’t need to learn how to do it, they can just pay someone to do it for them.
SS: So can you give me an example, how exactly can cyber capability help a regular criminal operation like an extortion ring or a drug smuggling operation?
NW: Absolutely, there’s a case that’s in the press from a couple of years ago where there was a large drug trafficking group operating from South America through to Northern Europe through the port of Antwerp in Belgium. Cybercriminals helped the organised crime group to move their large amounts of cocaine, tons of cocaine, from South and Central America through to Antwerp by manipulating the computer systems within the dock, the port based companies and the container based companies where this was moved. It helped the organised crime group to traffic a large amount of drugs without detection for a period of time. And this is where we see that cybercriminals can help other organised criminals to reduce their risk and to really try and make a difficult venture much much easier.
SS: So is cyber crime mostly about hacking - is it mostly technical - or is it about making people do things like clicking on a bad link, duping them into doing something silly, blackmailing? Like if you remember the Albanian virus that was simply an email asking you to just delete important files… Are people the weakest link in cybersecurity?
NW: Again, an excellent question and something that we hear regularly. You can look at it two ways - you can say the public is the weakest link because you put in infrastructure, technical protection into everything you’ve got, but still someone can come in and maybe put in an infected USB stick or click on an infected email or an infected web site. The alternative is to look at it as if the public can be the strongest link, the public can be the most important part of your defensive armour. And by education, by empowering the public we can help minimise the risk of cybercrime. Within my programme around the world, in Guatemala, El Salvador, Tunisia, Bangkok we’re educating the public in how to stay safe and how to become that critical part in keeping structures and infrastructure safe.
SS: The WannaCry attack made a lot of noise, but didn’t bring much money for those behind it. Is big money made quietly in cybercrime, and how - can you give us an example of how it’s done?
NW: WannaCry is a great example of something that didn’t work. It’s attracted so much public attention from around the world and political attention. I think if there’s a good news story out of WannaCry is that it’s brought ransomware up to the top of the cybercrime political agenda. Something that law enforcement and diplomacy has been talking about for some years. The internet organised crime assessment the Europol publishes has been pushing ransomware as a critical threat. Now we see governments around the world talking about it. Even in Russia, as you know, 75 percent of victims of WannaCry were based in the Russian Federation. So we see that as a crime group or a criminal trying to make money and as you rightly said they haven’t made much money at all. In fact only around 50 bitcoin which is around a 100 thousand euro has been sent to those criminals’ bitcoin addresses and they’ve not been able to actually seize or take that money yet. So in effect, WannaCry has made the creators or the disseminators of it no money at all. So - a criminal business model that didn’t work. Where we see cybercrime making real money is the attack on banking infrastructure and institutions and sometimes on business as well. There is still often a reluctance of big business, of banks to report if they have had a breach if they’ve lost an amount of money. That may be because they are afraid of the reaction of shareholders or boards of directors, but we really encourage business to work with law enforcement to try and counter that threat. If it’s simply written off for fear of embarrassment that cannot help law enforcement, that cannot help the government to minimise the risk to economic prosperity and society. So when we see money like that being made, if we don’t counter that, we don’t counter the narrative of it, that’s where cybercriminals continue to exploit it.
SS: Cyber crime is also made possible due to new digital currencies like BitCoin, that you mentioned - is this the ultimate crime enabler, or can you actually trace the end recipients of the currency?
NW: I’m not sure I would call it the ultimate crime enabler, it’s just another way of doing business, in many ways no different to some informal ways of moving money. Bitcoin and other cryptocurrencies seek to be anonymous or semi-anonymous, however the work that we’re doing within the United Nations office for drugs and crime where we’re building the capacity of investigators around the world to counter cybercrime, we can investigate Blockchain, Bitcoin based transactions and we’re very good at working with partners such as Chainalysis to identify where those transactions are and who the users behind them are. So are you anonymous if you use Bitcoin? Can you get away with it? No, you can’t.
SS: Can a hack be done completely anonymously, or is leaving a digital fingerprint inevitable? Can someone leave a fake digital fingerprint on purpose?
NW: Again, a great question. And it’s back to that conversation about attribution - who did it? Some criminals, some cybercrime advanced persistent threat groups will seek to try and anonymise where they are or pretend to be somewhere else. The challenge for investigators is to try and identify those digital footprints, as you rightly call it, to try and work out who they are and where they are, try to identify on those occasions when someone is pretending to be somebody else or pretending to be in a different place. It’s not easy, but it’s not necessarily impossible either. But it takes time.
SS: Theresa May wants more government regulation of the internet following the very real London attacks, but would that do any good? I mean if a person wants to hide online - they will, so are those kinds of gov’t proposals an overreaction? Or the lack of understanding of how the web actually works?
NW: I think, Sophie, the key in these proposals is the necessity, the absolute necessity of governments to sit together, work together and talk through these issues. The risk of cybercrime, the risk of terrorists exploiting opportunities on the internet is a global phenomenon, it’s not just unique to the UK, we see it around the world. So I think for us at the UN to host that forum, give the opportunity for governments, for internet service providers, social media companies to sit together, discuss these problems and come up with workable solutions - that’s the key to it.
SS: According to ThreatMetrix, a cyber security firm, 50% more cyber attacks originated from Europe than any part of the world over the last couple of months, overtaking U.S. for the first time. How do you explain that, how do you explain this shift?
NW: Again, back to attribution - where it’s coming from, who is doing it and where do we identify, where those attacks have arisen from. Sometimes I think we see where there is a posture from law enforcement that shows cracking down on a specific geographic area or specific threat area, then we can sometimes see a shift in where those attacks, those crimes originate from. So I think when we see, like you say, from US to Europe we see a shift that will be for a period of time and then we’ll see it move somewhere else as well. Something that we’re very conscious of, very aware of is the risk of a jurisdiction of risk. So a country or an area where cybercriminals seek to exploit a weakness in legislation or a weakness in investigation or enforcement capability. And that’s where our role at the UN, working with others like Interpol, Europol, bilateral governments is to try to build that capacity to minimise those risks.
SS: You’ve worked in actual law enforcement - you fought terrorism with the FBI, you worked with Interpol. Is the UN organisation you work for - can it only advise others on how to fight cyber crime or can it actually fight it as well?
NW: The United Nations Office on Drugs and Crime isn’t an investigative body. Our role is upon request to go to countries and help them build their investigative capability. So we don’t get involved in the investigation of an offence, we don’t get involved in the prosecution. What we can do and what we do do is build up that capability to investigate, help the infrastructure get in place, helping a government policy to get in place, helping investigators to grow their capability to investigate. We help them get in touch with other countries, build those relationships and to build that capability to do something. But the actual investigation process - that is a role for each individual country to do and we wouldn’t seek to get involved in that whatsoever.
SS: Thank you for taking the time to talk to us today. We were discussing cybersecurity with Neil Walsh, chief of the United Nations Global programme on cybercrime. That’s it for this edition of SophieCo, I’ll see you next time.