Cybercrime , Fraud Management & Cybercrime
Scottish Police Face Toil and Trouble From Cybercrime
Scottish Cybersecurity Conference Focuses on Battling the Surge in Online AttacksMonthly rent, helium gas and cybercrime: These are things that seemingly always go up, never down.
See Also: The Healthcare CISO’s Guide to Medical IoT Security
And Scotland is no exception. "Cybercrime is on the rise - whatever that is, however you define it," said Detective Chief Inspector Norman Stevenson, the cyber investigations and digital forensics lead for Police Scotland.
Speaking Tuesday at the annual FutureScot cybersecurity conference in Glasgow, Stevenson said more cases than ever before have a cybersecurity component, including investigations that involve cryptocurrency in some way. Police also face an explosion in the number of computing devices that need to be digitally forensically reviewed for evidence-gathering. Even in a single investigation, "it can range from one device to many, many more," he said.
The nation's police force defines its abilities across four Ps - pursue, prevent, protect and prepare - and from a cybercrime standpoint, that isn't purely about digital capabilities, said Chief Superintendent Conrad Trickett, the business lead for Police Scotland's Policing in a Digital World initiative.
"Who knew you could train dogs to sniff out digital SD cards?" Trickett said. "But you can, and we have."
He detailed the continuing rise in online crime and said that "since COVID, the amount of cybercrime reported to Police Scotland has doubled."
Police differentiate between cyber-dependent crime - such as ransomware - and cyber-enabled crime - crime that originally occurred in the physical realm but has now moved online. The latter encompasses everything from child sexual abuse material to fraud. Trickett said 95% of fraud now occurs exclusively online.
Multiple attendees questioned speakers and panelists about the sheer volume of fraud targeting consumers, and especially older people, and asked why police don't do more.
Scottish police receive 18,000 calls per year concerning cyber-enabled fraud, said Jude McCorry, CEO of the Scotland's Cyber and Fraud Center.
"Courier fraud is a huge one," she said, adding that her organization is helping to spearhead a public-private initiative, which includes the police and banks, to try and better support efforts to prevent fraud - especially because police cannot handle the volume of calls.
Another challenge for defenders is that criminal tactics constantly shift. "The use of AI or machine learning is generating lots of concern for us in the cybersecurity world and the cybercrime space," Trickett said, referring specifically to a recent case in Hong Kong in which criminals used deepfake videos to steal millions.
To try and better track and respond to threats, the Scottish government last year launched the Scottish Cyber Coordination Center. Known as SC3, its mission includes intelligence sharing and early warnings for public organizations, running cyber exercises, focusing on supply chain assurance and sharing lessons learned from major incidents, said Alan Gray, the deputy director of the Scottish government's National Cyber Resilience and Security Division.
"As G.I. Joe teaches us, knowing is half the battle," Gray said, referring to the importance of proper preparation. "The doing is the other half."
Multiple conference speakers said they often find themselves sounding the same types of "do the basics" warnings they were spouting a decade ago.
"Simple things I was talking about in 2014, and I'm still talking about them in 2024," said Paul Peters, a detective superintendent in the Welsh police force who serves full time as the director of the Cyber Resilience Center for Wales.
"We continue to see older software vulnerabilities being exploited at scale," rather than newer vulnerabilities, said Jonathon Ellison, director for national resilience and future technology at the U.K. National Cyber Security Center. "All of those vulnerabilities could have been mitigated by installing a vendor update."
Healthcare Under Fire
One of the big areas of concern in Scotland remains its National Health Service, which comprises 22 health boards across the nation.
"The health sector in general is a very, very attractive target for organized crime," in part because "it's a cash-rich business" that handles and processes billions of pounds of public money every year, said Scott Barnett, head of information and cybersecurity for NHS National Services in Scotland.
His group, comprised of 60 full-time cyber and information security professionals, protects NHS Scotland and its 150,000 endpoints, 170,000 employees and 250,000 digital identities.
Top cybersecurity challenges he detailed include bringing together the information security experts across those 22 health boards and dealing with budget realities. Also not helpful are "legacy systems," typically matched with "many legacy attitudes," as well as the massive number of online attacks, including phishing emails and social engineering attacks aimed at healthcare staff.
One key role for NHS cybersecurity teams is expressing cybersecurity risks in terms of clinical risk, since "the big driver for us in the NHS is reducing clinical risk," Scott said. "We're dealing, without being too dramatic about it, with matters of life and death." At the same time, "financially, we're on a real precipice from an NHS perspective," as is reflected in challenges in delivering healthcare, including well publicized point-of-care delays.
"Behind the scenes, we're also struggling" with budget shortfalls, he said. "Make no mistake - cybersecurity is expensive."
As public services get stretched thinner than ever before after more than a decade of austerity, numerous speakers repeated the oft-heard government mantra about having to "do more with less."
Focus on Collaboration
"In the public sector, any and all support we can do in a collaborative way is essential," said Keith McDevitt, the cyber incident, vulnerability and exercising lead at SC3.
Local and international relationship-building remained a common theme for speakers at the event, which drew cybersecurity professionals, government and law enforcement officials based in Scotland but also beyond.
Julie M. Johnson, the first-ever attache for the U.S. Cybersecurity and Infrastructure Security Agency, who's based at the U.S. Embassy in London, shared lessons learned from attempting to secure America's critical infrastructure, which is run by a patchwork of public and mostly private organizations. She stressed the importance of finding people who know where the problems are and people who have the answers - and trying to bring those people together.
"What is our superpower? We are literally the agency where we know a guy who knows a guy," Johnson said.