A few weeks ago I sat down with senior law enforcement officers from Holland, Germany and the UK and asked them, off the record, the question "is there a ready role today for national crime agencies and cybercrime specialist divisions of police forces in Europe in the Cloud age?".
One thing was screamingly obvious: the interaction and information sharing between agencies is healthy and transparent, and that's hugely beneficial to sovereign nations. However, the reality is that there is a gap between capability and actual delivery.
SOCA in the UK, folded into the National Crime Agency last year, suffered from being seen as toothless and unable to deal in reality with cybercrime, through lack of ability and lack of reach to actual sources outside its jurisdiction (e.g. mass mail spam / mail abuse and boiler office type schemes in overseas territories). We accept in Europe that there is a healthy impasse between industry and law enforcement, down to two clear issues:
1) Budget - even though the UK National Crime Agency has a £500m budget and interactions with intelligence partners, it lacks the skillsets in depth and the tools and technologies to query data and to react at a pace that's efficient, and industry needs to assist. The current tools and database technologies supplied by one incumbent provider are anything but helpful and, if anything, set UK law enforcement back by comparison to the working practices of their partners in Europe.
2) In the UK, an over-reliance on agencies such as the Child Exploitation and Online Protection Agency (CEOP) and the Internet Watch Foundation (IWF), who are mired in being stuck between being lobbying agencies and being ineffective and entirely out of touch. Whilst CEOP's continued interaction with industry partners such as Virgin Media and BT shows encouraging signs, it's very little, too late. There is a need for a clear rethink of how take-down notices and more serious protective measures can be enforced faster and with more clarity, interacting with local police forces and sharing information proactively in real time.
3) Fraud protection. The majority of online fraud happens overseas, and vulnerabilities in key cornerstones of the Internet such as Heartbleed, which I broke to the world now two weeks ago (no guessing who the Senior Security Developer at the operating system vendor quoted was), are just the start. The internet glue is held together right now at managed hosting providers and internet service providers by embedded routers, switches, content delivery platforms and web hosting architectures. It could be up to three years before the least proactive ISPs, who simply don't have a clue or the budget (or the kick), fix the underlying infrastructures that provide key peace of mind to internet users, consuming service organisations and platform providers. In fact, one thing that has not been identified correctly with bugs such as Heartbleed is one salient fact: plausible deniability. A determined, minimally equipped hacker today with a basic live Linux distro who wants to play merry hell quietly will do so. Don't expect to find him or her, as most ISPs and telcos haven't got staff capable of spotting them in real time. I've physically proved that this is a fact in reality.
In a past life I uncovered (with authority) a massive exploit at a major UK household-name telco, involving a major datacentre breach with proven exploits and a complete paper trail and audit log of intrusions, and proven hops into highly protected networks previously thought segregated. As with many telcos, you never hear about it, because the nature of an SEC filing or a public slapping from the Information Commissioner carries both a fine and red faces, as well as loss of reputation. When I then uncovered a breach in their billing platforms affecting residential customer data, this was once more "lost", even though documented and brought to the attention of the board and chairman of a major household-name vendor. Patched and quietly forgotten. These things happen. They shouldn't; hopefully they happen a lot less now. I am prevented, as a signatory to the Official Secrets Act, from discussing far more scary real-life scenarios that are in daily play today in larger infrastructures. Sadly, vendor relationships and reaction need to be in a position where a reactive defensive stance is taken ahead of time, rather than being faced with a major zero-day exploit or data breach using publicly available exploit code.
For six years I've talked about how we should practice security better. For six years I've worked with the Cloud Security Alliance and with Jim Reavis, their chair. A few weeks ago I sat down with the British Standards Institute (BSI), who last summer worked with the CSA to adopt STAR and to push it to industry; that at least brings the UK up to speed, showing, hopefully, law enforcement that they are playing behind the times and need to engage with industry better.
Relying on the badly constructed Computer Misuse Act and RIPA II is no longer good enough. If you can't communicate with industry, if you can't adopt open big-data practices to analyse data and still rely on proprietary, weak tools for analysis, then the public suffers. If the public suffers, then there is a tacit nervousness about going to the Cloud as actively as we'd like.
You can hear my interview with the BSI when I get back from the US, as to their take on why blended security controls and practical interaction between public disclosure and interaction are a great start to reacting, and to building preventative and lasting Cloud security and law enforcement. You can also listen to my interviews with Dr Udo Helmbrecht (Executive Director of ENISA) and Richard Clarke (White House Specialist Advisor on Cybercrime to the President of the United States) by following the inline links. If they take me seriously, it would be nice if law enforcement woke up and changed working practices to take into account ever-moving threat vectors and a larger-than-ever threat fabric that affects and impacts business confidence and technology investment.
Until then, just cross your fingers, as law enforcement are standing in the wind with their finger in the air. Call Heartbleed a call to arms; sadly, I have doubts that there is a groundswell to proactively deliver change. Let's hope that this makes someone's radar.
One salient point: we are here to help. If people reach out and ask, that help is forthcoming; bury communal heads in the sand and you end up depleted in capability, unable to prosecute with mandated authority, and with a lot more cases thrown out in court, resulting in a waste of taxpayer-funded resources and costs.
Working together is smarter. Let's try.