Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached
The distribution of child pornography, financial crimes, and ransomware remain a major headache for Europol’s European Cybercrime Centre (EC3). In 2020, there was a rise in cybercrime. Yet nothing caused disruption or damage beyond repair, the head of EC3 Edvardas Šileris told CyberNews.
Cyberattacks against FireEye or the Solar Winds hack doesn’t come as a surprise to Mr. Šileris. Not a single system is built in a way that can’t be hacked, and it would be very naive to think otherwise.
“Sometimes, the media covers breaches as if a disaster has happened. The truth is, in some cases, leaked data is not critical. It’s not something that could cause irreparable damage to the state. It happens rarely,” he told CyberNews.
VPNs have protected users’ privacy and play a crucial role in uprisings, such as we’ve seen in Belarus. But recently, Europol has taken down cybercriminals’ favorite VPN. So I wonder whether you see VPNs as doing more damage than good? How often are they just providing tools for malicious actors?
VPN technology is neither criminal nor illegal. It is legal, but sometimes cybercriminals also use it. We, too, recommend using a VPN, especially when a user is connecting to a public network. You can’t ban cars just because criminals also use them. There are quite a lot of VPN providers. Law enforcement closely monitors and reacts to criminal activity that is carried out while using a VPN. The crimes are all the same - exploitation of children or the distribution of pornography is illegal, whether a criminal is using a VPN or not.
If a critical mass of cybercriminals would use some particular VPS service, naturally, we would have a closer look.
We’ve seen an uptick in cybercrime during the pandemic. Has there been a significant uptick in cybercrime response?
For example, the distribution of child pornography rose four times. We also notice that cybercrime is often latent, meaning that it is not being reported as often as other crimes carried out in public spaces.
The fact is, half of the world went to work from home, and they are using a computer and wifi at home instead of their office. And not everyone knows how to protect themselves from cyberattacks. It is only natural that the number of cyberattacks rose. Cybercriminals have exploited the pandemic.
We just had a meeting with the European Banking Federation. The means that the method that cybercriminals are using to steal credentials remains the same. It has just scaled. We did not register anything that could have disrupted the cybersphere.
It’s all about demand and supply. If there are more potential victims, it is only natural that someone is looking for ways to attack them.
Last year, we had the first ransomware victim when a woman died in Dusseldorf hospital because the hospital’s computers were blocked, and she had to be taken to a different facility.
We warned that this would happen sooner or later. And now it did. It is natural that the more we digitize our society, the more threats it poses to us.
How do you warn institutions and organizations about the threats?
Every year, we publish the Internet Organized Crime Threat Assessment, where we list all the threats and give recommendations. It is widely read and implemented, both in public institutions and private sectors.
The Cybercrime Centre has advisory groups from financial institutions and internet providers. We share a lot of information with them.
We don’t go to company A and say “beware.” We have a department called “awareness and prevention.” Most of our recommendations are public. One of our main activities is the distribution of this information to the private sector because it owns most of the infrastructure and services. The more you invest in prevention, the less likely it is for a cyberattack to occur.
Are there any significant trends/attacks in relation to international events like the presidential elections in the US, or local events like Brexit or the Belarus protests?
I want to draw a parallel between the physical and the virtual worlds for you. You increase the patrolling of police forces before some important events. It's the same here. Only in our case, the patrolling happens in the cyber world, and officers sit in front of their computers and monitor networks, and look for vulnerabilities, and whether all known vulnerabilities are patched.
If something is suspicious, we provide recommendations on how to prevent attacks. If an attack has already happened, then we look for ways to minimize the damage so that systems would be restored to normal as soon as possible.
Are you surprised or shocked when attacks against security bastions, such as FireEye, happen? Has the Solar Winds hack shocked you?
It does not come as a surprise to me. There are no systems that can’t be breached. They are created by people. They are based on long and complicated algorithms, so, naturally, mistakes happen along the way. Look at any software and look at how many security updates there are to it.
Humankind has to choose between evolution by digitization, and stagnation. Naturally, the world is moving ahead. We can’t be naive and expect that bad things will not happen along with it. Resilience is important.
Sometimes the media covers breaches as if a disaster has happened. The truth is, in some cases, the leaked data is not critical. It’s not something that could cause irreparable damage to the state. It happens rarely.
There are no systems that can’t be breached. They are created by people. They are based on long and complicated algorithms, so, naturally, mistakes happen along the way. Look at any software and look at how many security updates there are to it.
Unlike the physical world, it’s hard to catch a criminal in the cyber world. They are almost untraceable and, therefore, unpunished. Is this trend somehow changing?
It remains the same. In the physical world, you have to cross the border between countries. In that case, you leave a lot of traces, and the jurisdiction is pretty clear. For the cyberattack to happen, it only takes seconds to connect from a whole different part of the world, and it’s very hard to pursue the criminal because of the legal procedures.
Law enforcement knows its way around and can do many things. But, in some cases, it’s very difficult to untangle a financial crime with the malicious actors being somewhere in the middle of Africa. Both sides - the victim's country and the attacker's country - have to be equal. Now, we have states of very different development and with different cyber capabilities. It’s not enough to have trained personnel and knowledge in Western countries. Sometimes those countries where the cybercriminals reside are very poorly developed in this field.
Last year, Maze formed a ransomware cartel. This means that cybercriminals are getting organized, they are sharing knowledge. Is this a trend? Is it worrying?
It is worrying because, in most cases, ransomware is publicly available. You can get it as easily as you can buy an app. You don’t need technical knowledge or be able to program yourself, which was the case previously. Now you just buy it as a service. Criminals have clearly understood that this is a low-risk and highly profitable illegal business without much responsibility. In absolute numbers, it seems that there are fewer ransomware cases, yet the average damage has increased. This means that ransomware attacks are targeting specific sectors. Previously, criminals were targeting the whole network and looking for vulnerabilities. Now, they specifically target critical infrastructure, hospitals, public institutions, and services. It’s very worrying.
Users and countries worldwide increasingly protect their privacy and data. Do laws like GDPR and apps that use end-to-end encryption make your task tracing cybercrime and preventing it harder?
I was always rooting for end-to-end encryption. Law enforcement has all the necessary means to get the data. It’s not completely convenient, but the states have the right and even obligation to protect people's privacy. This is an ongoing discussion.
Just imagine that all flats and houses are unlocked. Criminals would easily enter. Therefore, law enforcement invests in protection. It makes our work harder, of course. We are looking for mechanisms to investigate crimes without violating privacy.
Do you get many tips from society about possible crimes?
Society is participating. And I can give you a good example. Not that long time ago, we were investigating a case of child pornography, and we posted a photo on our Twitter profile. In 20 minutes, it became known that it was a hotel in Bangkok in that picture. People are proactive and contribute.
The profile of law enforcement is also changing. You have to be physically strong to catch a criminal. In the cyber world, we put an emphasis on technological knowledge. An officer has to be able to do a lot of things online himself now. It is evolution.
Do you have many women working?
In Europol, around 30% are women. And the number is growing. We don’t classify people by gender. Technological knowledge is important. Physically, men have an advantage when detaining a criminal. But here it’s not important. We organize a selection of candidates by giving them tasks, such as to decode some data.
As I understand, the crimes themselves remain the same. It’s just how they are carried out differs.
Ransomware, child pornography, financial scams, cryptocurrencies, the dark web - the global trends remain the same. Maybe only the manner differs every year. Theft has been known for thousands of years. It’s just that now they are carried out online.
Nothing is new. It’s well known that children get scammed through online games.
2020 stands out by how criminals exploited the pandemic. The vaccines just showed up, and they are already being sold online. Only they are not real drugs, they are fake. But there are credulous people around the world, and some will buy it.
Do you pay close attention to cryptocurrencies?
We do. Recently, the industry itself has also taken precautions so that you couldn’t transfer large sums of money anonymously. Now, it’s difficult to cash a large amount of money without being noticed.
Should cybercriminals look into 2021 with fear? What are your predictions for the year ahead of us?
The good news is that everyone learned how to use videoconferences, which previously seemed easy in theory, but no one was really doing it.
People will continue working from home. Therefore related risks will also remain. I don’t think that we will get back to our lives as if nothing has happened. We will continue using these technologies.
Digitization, autonomic cars, artificial intelligence, and big data will increase the challenges, and we will have to deal with them. We will need some new regulations in place. At the moment, it’s hard to investigate crimes between jurisdictions. Therefore, there will have to be changes in the lawmaking.
We will see more ransomware attacks that will target specific sectors.