
Joint Committee on the National Security Strategy

Oral evidence: Ransomware

Monday 24 April 2023

4.20 pm

Members present: Margaret Beckett MP (The Chair); Lord Ashton of Hyde; Lord Butler of Brockwell; Baroness Crawley; Lord Dannatt; Dame Diana Johnson MP; Stephen McPartland MP; Lord Reid; Lord Robathan; Lord Snape; Viscount Stansgate; Lord Strasburger.

Evidence Session No. 3              Heard in Public              Questions 35 - 52

Witnesses

I: John P Carlin, Partner, Cybersecurity & Data Protection at Paul, Weiss, Rifkind, Wharton & Garrison LLP, and former acting US Deputy Attorney-General; Aidan Larkin, CEO of Asset Reality; Jamie MacColl, Research Fellow—Cyber, Royal United Services Institute (RUSI); Emily Taylor, CEO of Oxford Information Labs Limited, and Associate Fellow of Chatham House.

Examination of witnesses

John P Carlin, Aidan Larkin, Jamie MacColl and Emily Taylor.

Q35            The Chair: I welcome you to this committee and thank all of you for coming to give evidence, particularly Mr Carlin, who is joining us on Zoom from the United States. Thank you all for taking the time.

This is the third evidence session of our inquiry into ransomware, which we began in October. Today, we will focus on the international dimension, although we are interested in your views on other areas of reform, particularly to the British Government’s approach to ransomware.

Western Governments, including our own in the UK, tend to refer to ransomware as a type of hostile state threat, but organisations that are under attack might feel more like victims of crime. It is a matter of balance and it is probably not an easy balance. This committee’s role is to scrutinise the work of the British Government, so we tend to look at it as more of a national security threat. In your view, should Governments be treating the issues primarily as a national security threat, which calls for a strategic response, or as a criminal activity, which needs operational disruption?

Aidan Larkin: I will defer a lot to my learned colleagues, because I will be giving a wider look at the overall asset recovery ecosystem in this. Importantly, it is in the nature of this criminal offence and our response to it as a Government that we come across criminal and civil tools. It does not neatly fit into one category, so it would be incorrect for us to badge it. How a business in Devon or Cornwall becomes a victim of ransomware will not feel like a national security issue to them, but the same technology and our inability to deal with it effectively is also a national security issue. I defer to my colleagues, however, as this is certainly not my area of expertise.

Emily Taylor: Thank you for that question. As you say, for those experiencing a ransomware attack, it will feel a lot like a crime. I do not think it is wrong to categorise ransomware as criminal activity, because often the perpetrators are non-state actors and organised criminal gangs.

However, as Oliver Dowden referenced last week, it is also a national security issue. Perhaps it is more helpful to think about the implications of those two definitions. If it is a crime and we are dealing with it as a crime, a whole load of international co-operation needs to take place, and frankly needs to improve, between democracies and our allies—those who are signatories to instruments such as the Budapest cybercrime convention.

There are also states that are not signatories to these conventions; according to some estimates, maybe 50% of ransomware attacks emanate from the Russian Federation. What is the toolkit available to deal with this and with the impact of ransomware attacks? We saw the impact of the Colonial Pipeline attack and, at the moment, Capita is unfortunately going through problems. Those impacts can be felt as national security issues, so I am not hedging my bets here: I think it is correct to classify it as both.

Jamie MacColl: I agree with both my colleagues that it is both. It is experienced as a criminal issue by the victims, but the cumulative effect of incidents, even victims that are SMEs, creates a scale of societal harm that makes it a national security threat. It requires both a strategic approach that brings together all parts of government, the private sector and civil society, but also operational disruption from the UK intelligence community and law enforcement acting in co-ordination.

Also, unless it is treated as a national security threat by politicians and parts of the national security apparatus, it will not receive the level of prioritisation and resourcing that is necessary if we treat it as a purely criminal issue.

The Chair: That is a good point, and it has also been put to us that in some cases what looked like a ransomware attack was perhaps just a disguise for what was actually a straightforward political cyberattack.

Jamie MacColl: We have certainly seen that since the war in Ukraine, with parts of Russian intelligence using ransomware in Poland and Ukraine to conduct disruptive operations, while having some plausible deniability.

John P Carlin: In the United States, we have taken what we call an “all-tools” approach, which is based on the lessons that we learned post September 11 but frankly were not applying to the cyber realm until about 10 years ago, when this transformation started to take place. By that, I mean a focus on the criminal side of the house and on not viewing success as the successful prosecution of a defendant after the fact. In the case of September 11, families were grieving and had lost loved ones, but success would have been preventing the attack from occurring in the first place. One of the failures of September 11 was the failure to adequately share information within government and across law enforcement, from the criminal to the national security community, and to share it, effectively and at speed, with international partners.

When I moved from being chief of staff at the FBI to running the national security vision at Justice, I saw similarly, when it came to cyber, that we treated certain offences, such as cyberattacks, as criminal, and then looked at national security actors, nation state actors, as an intelligence problem. But we were not putting the information together to see whether we could use every available legal tool, some of which came from criminal authorities and some from national security.

When I came back to the justice department in the Biden Administration, fresh from helping companies to respond to attacks, we increasingly saw a so-called blended threat, as the other witnesses have said. A criminal actor would attack a private company. Sometimes they genuinely wanted to make a buck and were doing it just for profit, but many of the times that same criminal actor would be leveraged by the state that was giving it safe harbour—be it Russia, North Korea or Iran—for national security purposes or to encourage these non-state actors to commit attacks consistent with the goals of the state.

If there was a dispute between the US and Iran, we would see an increase in so-called criminal actors acting under the state direction of the Islamic Revolutionary Guard. Similarly, in 2014, prior to its incursion in Ukraine, Russia used the access of a very prolific most-wanted criminal, who did things like spam and was really about making a profit in Milan, to gain intelligence information. Accordingly, if they are blended, our approach needs to be blended accordingly.

I will add one thing that makes it so much more difficult. When you consider the billions of dollars, alliances and close US-UK partnership to combat terrorism, it was all about sharing information within and between states. What makes cyber more difficult—I am so glad to have the attention of this committee—is that it does not just require sharing information at speed and scale within and between Governments. To adequately combat this threat, we also need to share information with the private sector, and incentivise it to share information with the Government and to help. Later, we can talk about some of the great successes that depended on that private sector partnership.

This is about both national security and the criminal, and it requires civil authorities in partnership with the private sector.

Q36            Lord Robathan: Mr Carlin, you brought up the sharing of information post 9/11. I understand that a young national guardsman was arrested recently because of the sharing of very highly classified information with up to 3 million people. Do you see any danger in sharing information about cyberattacks and ransomware having any similar problems?

John P Carlin: That is a good point. One of the lessons of September 11, as you say, was that to act on the information it needed to be shared sufficiently. Otherwise, we were gathering intelligence about threat actors who were going to cause real and imminent harm, but collecting it solely for strategic purposes was not sufficient. We needed to put it in the hands of people who could act on it. With that, comes the additional risk that there are those who will betray their oath to protect such information. That requires an increased focus on insider threat-detection programmes and, ultimately, a balance between sharing information in order that it can be acted upon and the risk that sharing that information means that it can be disclosed.

Look at some of the great successes in cyber recently—for example, the take-down of the so-called Hive ransomware group. This group caused hundreds of millions’ worth of damage across the world, especially in Europe, the UK and the US. The FBI, working with private partners, using lawful authorities and working with foreign partners, was able essentially to hack the hacker. For months, it secretly stole the decryption keys—keys that allow you to unlock your system if you are attacked by this group and malware prevented you from accessing it.

After stealing the keys using its lawful authority, the FBI provided them to the victims who voluntarily came in but provided them secretly. That worked for months and months, so the bad guy—the criminal group Hive—did not know why nobody was paying. It was deploying all its resources to do these hacks, but, unbeknownst to it, the FBI was providing the keys, so no one was paying to receive them. That was a phenomenal success, but for it to work it required trust to share information with private partners and with foreign partners ultimately to take down and dismantle the servers that Hive was using and to make arrests.

Q37            Lord Strasburger: What has been the impact of the war in Ukraine on the nature and scale of the ransomware threat? Is there any evidence that the Russian authorities are encouraging more attacks against western countries?

Aidan Larkin: I will defer that question to my learned colleagues. I would not want to take up the committee’s time.

Emily Taylor: I will do the same.

Jamie MacColl: I can come in. I know that this was addressed in the previous session and I will go over some of the same points.

The ransomware ecosystem is made up of multiple nationalities from former Soviet Union countries, including Ukrainians. Certainly some of the largest operations, such as the so-called Conti operation, had a number of Ukrainians in them. In the immediate aftermath of the war, elements of that group pledged allegiance to the Russian Government, which seemed to create splits within that group. I am sure there have been similar splits in other cybercriminal groups.

Some have disavowed the Russian Government and some have remained apolitical. The changes that caused have not necessarily made the threat less acute or persistent, but just meant that the criminal ecosystem has become more fragmented, with smaller groups and different criminals using a wider range of ransomware strains, which also makes them harder to disrupt.

So I do not think we can say that this has made the problem better, but it has made the threat different—more challenging, in some ways.

John P Carlin: It is hard to determine the sole factor, because we have seen a shift in approach in going after the ecosystem that criminals use, by which I mean cryptocurrency—the manner in which they get funds digitally and try to convert them into fiat currency. We will talk more about that later. We are using new techniques, doing things like hacking the hacker and taking their keys, and taking the currency once it has been stolen, seizing it back and returning it to the victim.

Last year, one of the most prominent cybersecurity analysis groups saw a decrease of about 15% in successful ransomware attacks and payments. Some of that has been caused by the Russian aggression into Ukraine, which has distracted the country that is one of the foremost perpetrators of ransomware. As a cautionary note on that front, at some point Russian aggression will cease to be an all-consuming resource for Russia, those hackers will be freed up again and we may see an increase here—building on my colleagues’ remarks.

Emily Taylor: Looking at the likelihood of international co-operation, the war in Ukraine makes international agreement on a global cybercrime treaty even more unlikely. It also makes some countries abiding by norms for responsible state behaviour in the context of another UN process, the open-ended working group, all the more unlikely.

Therefore, to go back to points made by other witnesses, this heightens the need for information sharing, particularly among allies and to and from the private sector, in those trusted relationships, freeing up the perceived challenges to data sharing that are still causing an awful lot of delay and frustration, even among close allies in cybercrime investigations and within the national security communities.

Q38            Lord Ashton of Hyde: We have heard in some evidence and reports that ransomware attackers are increasingly targeting countries in the so-called global South. Is that because the wealthier countries are responding more effectively? If true, it would be good news as it shows you can, but not so good for the countries from the global South.

Leading on from that, if it is true, to what extent is ransomware being adopted by organised criminal groups in the global South, or is it mainly at state level?

Emily Taylor: I can speak a little to the victim side of it and leave it to other colleagues to talk about perpetrators. Ransomware attacks are certainly being experienced by those in the global South. A very good report came out recently on ransomware in Africa. The main case study over the last year would be Costa Rica, which was devastated by a succession of ransomware attacks over a period of several months.

From a victim perspective, it is truly international. If we look at the number of incidents, there is certainly a long tail, with the United States being way out in the lead. If we think about the impact of those attacks on the victims and countries, the case of Costa Rica shows us how devastating they can be, and even more so for victims in the global South, because they often do not have the capacity within their own borders to provide a rapid response or the resilience that I know this committee has been hearing evidence on. This is what makes norms such as mutual assistance from other states really important.

It is also important to think about cyber capacity building, not only in a technical sense but in the context of the number of important international processes that are going on. What has been appreciated within those processes, such as the open-ended working group in the United Nations, is that capacity building among global South participants enables them to participate in those conversations and negotiations with confidence. I believe that speakers from Costa Rica have been participating in side events in those arenas to share their experience—just as your committee heard the experience of victims of ransomware—so that others in the global South can really understand what is at stake for countries and what the risks are.

Aidan Larkin: It is important to look at the wider context. The reason why we see these offences taking place in the global South is linked to crypto adoption. In reports by Chainalysis on crypto adoption, 16 or 17 of the top 20 countries are those that have the traditional challenges of lack of infrastructure and the ability to combat these crime types—indeed, any crime types—effectively. These are global asset recovery challenges. Where there is more adoption of crypto in general, there is an inherently higher risk: if you swim in those waters, you will meet more predators.

When these offences take place in those jurisdictions, the impact is compounded because there is greater adoption and use of digital payments. Many residents in Africa, for example, would not blink at having their monthly salary on a mobile network provider’s app and sending money to their family through mobile sims; that is commonplace. In countries with hyperinflation, you are seeing more crypto adoption. The numbers of offences are directly linked to the sheer scale of adoption, but they are compounded by the inability to then investigate, recover and share information. They are the softer target, I believe.

Jamie MacColl: What is driving that trend of a broader targeting in ransomware—this is speculation on my part—is probably a combination of improved resilience in developed countries and some of the more aggressive law enforcement and cyber operations conducted against some criminals to try to draw red lines around what is and is not an acceptable target, particularly in the US. At the same time as that has been happening, there has been very rapid digitalisation in the global South, partly as a result of Covid but also just because of economic development and how essential digitisation is to development.

A lot of countries do not have cybersecurity standards and are using outdated or unlicensed software, even within national Governments, which is one reason why we have seen some of these devastating attacks against the Governments of Costa Rica and Montenegro, for example. As Emily said, when you have an attack on a small country, nationally important processes are disrupted. In the case of Costa Rica, it was paralysis of the tax and customs systems and large-scale theft affecting every taxpayer in the country. In these instances, ransomware is disproportionately felt by such countries, even if the volumes are not the same as they are in North America or Europe.

John P Carlin: I agree and will not repeat other remarks. The West moved further and faster to connect almost everything we value through the internet, which is a fundamentally insecure medium—the TCP/IP—and subsequently we are all racing to catch up on security. Now the global South is coming on board and reaching the same level of digitisation, but it has not yet invested the same amount into resilience and deterrence.

The one thing I will add is that the US has focused on this, with the FBI and Department of Homeland Security computer emergency response teams in the lead. There has been a focus on trying to provide rapid services to help countries that are under attack—obviously with the permission and at the request of the sovereign state. This includes deploying teams to fly out to help them get their systems back online, trying to help them in advance of an attack on resilience, and helping them with investigation and attribution to ensure that there are consequences for actors who target nation states.

Q39            The Chair: Thank you. I will bring you back a moment to our own circumstances. You have all indicated that ransomware is both a criminal and a national security issue. Is your perception that it is being treated accordingly in this country, or is there a risk that law enforcement agencies either cannot do it because they are underfunded or they see it as somebody else’s problem?

Emily Taylor: The difficulty faced by both law enforcement and national security communities is that any cybercrime or other cyber incident is international in nature. We have evolved our analogue law enforcement structures on a very local basis. We see, in the offline world, criminals exploiting county lines just as they do in cyberspace, but it is much more international in cyberspace.

You really can see investigations turning into a pumpkin at national borders. You need a lot of structure in place to ensure that data-sharing is done in a timely and trusted way and in ways that provide safeguards for human rights. This has been and continues to be a real issue, both in the law enforcement and the national security communities.

The fuzzy boundaries, where we started this conversation today, between national security and cybercrime make this even more challenging, because in many democracies there is a really hard dividing line between those two functions. As others have mentioned, it is becoming more and more artificial to divide them in such a strong way, but the structures are just not there at the moment. It is particularly disappointing to see such challenges continuing among very close allies and strong democracies that respect the rule of law and human rights frameworks.

At Chatham House, where I am an associate fellow with the international security programme, we have been doing a project on trying to understand the obstacles to data sharing in the national security context. That, of course, brings in the cybercrime dimension as well. It is really not easy, unfortunately. It is not just someone else’s problem; it is just a very frustrating and complex picture.

Jamie MacColl: It is being treated as a national security threat by parts of government and parts of the national security apparatus, particularly the NCSC and the NCA, but I am not sure that that is reflected in prioritisation or resourcing from other parts of government and the UK intelligence community, to be frank, just because there is so much focus on the state threat and on terrorism, and the national security apparatus is not that comfortable dealing with cybercrime, and maybe with organised crime generally to some extent. Culturally, it just does not consider it to be a threat on the same level as state threats or terrorism.

The Chair: I take your point.

Q40            Lord Butler of Brockwell: I will ask some questions about the White House International Counter Ransomware Initiative last year. I will start with Mr Carlin, but I hope that others will comment. Until I read the brief for this meeting, I did not realise that this conference had happened, and on the face of it, it is rather impressive that 30 countries took part. They then issued some quite pious-sounding statements that they had agreed, but I found myself wondering how much these amounted to in practice.

John P Carlin: As you say, the project is well taken, and it reflects in part a signalling from the White House—along with other members of the 30-country coalition of the willing, if you will—recognising that a lot of the ransomware problem emanates from certain countries. Russia, North Korea, Iran and, to a slightly different extent, China provide safe harbour for these actors.

So in order to combat them effectively we need, first, to set up the prioritisation as well as the legal regimen so that you can share information; the taskforce is working on that.

Secondly, we need to encourage private sector owners of things like the critical infrastructure that is being exploited to work together to share information.

Thirdly, we need to figure out ways to do joint attribution, so that we can agree together on things like the group that attacked Costa Rica, Conti, which is a well-known ransomware group emanating from Russia. There need to be consequences, and imposing them takes working with an international coalition.

Ultimately, success on this issue requires a restructuring within one’s borders and establishing these mechanisms to share information and take collective action. Together, there have been successes.

Q41            Baroness Crawley: Following on from Lord Butler, could Mr Carlin perhaps comment on the fact that, as Lord Butler said, 30 states took part in the White House summit last year, but only 16 states engaged in the test for ransomware attacks on their electricity and energy sectors? Did those who did not participate not have the capacity? Perhaps there were other reasons. What lessons were learned from that?

John P Carlin: Technical and legal-policy capacity is a critical issue internationally, and we are at the early stages of developing regimes that match each other in the ability to collect information and, just as we are discussing here, work across the law enforcement/national security divide in country, with mechanisms to chair, to collect information from the private sector and then to share that information across international borders. Included in that is ensuring that there are statutes on the books—they do not need to match exactly in order for treaties to provide information sharing—for both the prosecution, like the US Computer Fraud and Abuse Act, and the collection of evidence, like the Electronic Communications Privacy Act.

So you need to work to make sure that these statutes and existing treaty mechanisms work for a problem that is being driven by a new technology. It will not happen overnight or with one meeting, that is for sure. It will take a concerted strategic effort over years to establish that legal policy, along with technical infrastructure.

Baroness Crawley: Thank you. Lord Butler has another question.

Lord Butler of Brockwell: I want to invite the other witnesses—the non-American witnesses, as it were—to say whether they had seen beneficial results from this White House initiative.

Jamie MacColl: It is too early to say whether it is a talking shop or whether it will become more of an operationally focused taskforce. We have certainly seen summits and initiatives like this that have never gone beyond just being talking shops. That is fine: there is value in that when you are bringing together quite a diverse range of countries, particularly countries outside Europe and the Five Eyes, such as Brazil and India, which are historically quite distrustful of UK and US intelligence and law enforcement.

Emily Taylor: I was going to make a similar point about the actors and countries that are engaged. A lot of the focus over the last few years has been on trying to normalise data sharing between the US and the EU, for example, or e-evidence among EU member states. This taskforce has India, Kenya, Nigeria and Ukraine as members, and, crucially, it has a strong emphasis on including the private sector, which is where a lot of the data is held, along with a lot of the expertise to try to combat these threats. Therefore, inclusion of the private sector is vital to making forward progress.

I was hopeful, reading the outcomes of the Second International Counter Ransomware Initiative summit, because a lot of where it is going is very practically orientated, which is good. Encouraging joint advisories outlining tactics, techniques and procedures is vital to get that information circulating at a very early stage so that others can protect themselves from the same sorts of attacks, as is developing capacity-building tools—we just spoke about the global South—and undertaking practical exercises, which help people to imagine what they would do if the worst happened and can be very useful. So I am hopeful.

Aidan Larkin: On that point, the taskforce approach is the only way to address this quickly. We have seen fantastic results from things like Operation Venetic in EncroChat, where entire criminal networks have been dismantled through multiagency taskforces and the use of public and private sector collaboration, which is the only way to address novel problems.

On the previous question about the definition of ransomware, it is a typology. If we look at the individuals and expertise required to deal with it, what is being done with the White House initiative at least allows you to capture best practice and, as John said, creates signalling: it gives people a direction to go in and allows you to start gathering data points to assess where the weaknesses are, look at training requirements and all of that. At Asset Reality, we help Governments with their infrastructure, and we see this on the ground: there is simply no point in sending an international request to an agency that does not have anyone trained to deal with it.

The taskforces have a wonderful track record of utilising things like CARIN—the Camden Asset Recovery Inter-Agency Network—and the Egmont Group of Financial Intelligence Units. So we already have the bare bones of the infrastructure, and having a focused taskforce of some description on ransomware, for example, would be a very good way to go. There is no such thing as cryptocurrency crime: if someone steals a car, we do not have just a car crime unit that is the only way we can investigate that. We categorise this digital asset at our peril: it is completely borderless, with unknown actors and entities. We need to look at it on a very wide basis.

Q42            Dame Diana Johnson: I will ask about the number of successful international law enforcement operations. It has been interesting to hear how success is defined. Is success really the prevention that Mr Carlin talked about? Is it not also right that these organisations will just change into something else? Are we dealing with the problem or, in fact, just displacing it?

John P Carlin: That is a great question. I look at it similarly to other criminal and national security problems, where success is unfortunately not eradication; it is increasing the costs to the threat actor, whether the criminal group or nation state, from taking the action. At the same time, it is trying to mitigate the impact of that threat.

When viewed in that manner, it was almost a cost-free crime for a period. They were getting billions of dollars and turning them into more and more sophisticated back-end operations. Nation states were taking note of what were essentially cyber weapons of mass destruction that were created by these criminal groups and their ecosystems. There were masses, hundreds of thousands, of compromised computers that could be used for everything from ransomware to distributed denial of service botnet attacks with command and control. You would fire requests at public-facing websites and cause them to go down, as we saw the Iranians do against the US and other financial sectors. Similarly, they do it for extortion.

In viewing that collective threat, in 2021, during Covid, they had their best year ever. It was important to start increasing the costs and to say that there are certain red lines: “If you cross those red lines, you’ll see us work to seize the proceeds. You won’t gain from the proceeds, because we’re going after your wallets after the victims pay. We’re going to steal the tools that you’re using and give them back to the victims, as in the case of seizing the decryption keys. We’re going to take over your own botnet and, by using a combination of civil and criminal authority, we’ll patch all the compromised computers to make it more difficult for you to operate. If you ever travel, we’ll work with foreign partners and arrest you, so you’re confined to the nation that’s giving you safe harbour.”

The fifth step needs continued work: “We’re going to increase the costs to the nation states that give you harbour and say, ‘You’re not part of the civilised world as long as you’re allowing this activity to emanate from your borders’.”

Finally, “We’ll disrupt the ecosystem that allows for digital currency payments to be made.” Blockchain is in some ways terrific for law enforcement and intelligence purposes, in that you can track where the money is going. So the next step is getting the exchanges and mixers that are taking that money, get into the amenity and seize it, and make it more difficult for it to be converted ultimately to fiat currency.

The combination of all those new efforts, working in the taskforce approach that you see now, is what caused a decrease in 2022 instead of the continual escalation that we saw over the past five to seven years prior to 2021. So we finally saw a decrease, but, as you say, they will continue to evolve as we evolve, and it will take continued attention by nation states and the private sector from around the world in order for that trend line to continue going down.

Jamie MacColl: With respect, John may be a little optimistic about the problem getting better. There has certainly been reporting from the start of the year about ransomware returning to pre-2022 levels. NCC, which is a British cybersecurity company, said that March was the worst month on record for the number of victims posted to leak sites. From what I hear from people working in the industry, the number of incidents they are working on has returned to a very high level after the fall last year.

Individual law enforcement operations are often successful in meeting their objective for arrest and disruption. The operation against Hive that John mentioned, from January this year, was particularly successful in its outcomes for victims. The more difficult question is whether the strategy is leading to significant positive outcomes. I am less sure that we can definitively say that it is.

It is admirable that the strategy is increasingly moving away from the traditional investigate, arrest, name and shame approach, which will always be relatively limited, given the number of these criminals who are harboured in Russia or other safe harbours with which we do not have extradition treaties. We are moving towards more of a strategy of long-term infiltration of these groups by intelligence and law enforcement, and then disrupting their infrastructure, stealing decryption keys from them or even just sowing distrust and paranoia within these communities. These cybercriminal ecosystems need a degree of trust to operate. If you can emphasise that they have been penetrated by intelligence agencies and law enforcement, that trust breaks down. That is probably the best long-term approach for law enforcement, as it creates more friction for criminals.

Emily Taylor: I agree with Jamie’s analysis. According to figures from the Cyber Defence Alliance, the number of ransomware attacks and incidents in the first quarter of this year is about 17% higher than it was in the equivalent quarter last year.

You asked about successes. From the conversations I have been having, there is a sense that the regulation of exchanges and crypto exchanges is having an impact. Quite simple things that apply in the regular world, like anti-money laundering and know your customer, are having an impact on the very large exchanges and driving criminal behaviour to the margins. Aidan will have much more on that, I am sure.

We have sort of normalised the idea that no one goes to jail as a result of this crime. It will need international co-operation for that to happen. If there can be no international co-operation on cybercrime, there must be some sort of response from the international community that abides by the rules. That is where its classification as a cybercrime or a national security threat has a real relevance and impact.

We should not be ready to give that up as a goal, because, as has been said, although it is really important to disrupt, infiltrate and educate to make sure that people are not just creating incentives for more ransomware attacks by paying the ransom, in any functioning criminal justice system there has to be the idea that criminals also go to jail. We do not even talk about that in cybercrime now, because it is definitely in the “too difficult” pile. However, there have been significant advances in the OECD principles, the second additional protocol to the Budapest convention and the e-evidence Act of the European Union. These are small steps, no doubt, between close allies, which probably ought to have got their act together way before, but there are significant challenges. That was my final reflection.

Aidan Larkin: It is too early to assess a lot of the effectiveness, because unfortunately the methodology by which we disrupt and dismantle, as Emily quite rightly pointed out, is disincentivisation. Right now, crime pays. The ROI for cybercrime is so high that, if I wanted to go into a life of crime, why would I get into anything else that is messier and where I might risk my own life when I can sit back at a laptop and target thousands of people, using sophisticated algorithms and scams, and no one knows where I am?

We are not sending a strong enough message that there will be that pursuit of the criminals, because ultimately they are still making money. There is so much that we are seeing, but we do not know what we do not know when it comes to reporting. I always take those reporting statistics with a pinch of salt, because a lot of people are suffering this vicious circle. We all know that the victims are not coming forward. We have very willing law enforcement, but it does not have the tools. Then you are taking these incredibly technical cases and expecting them to be responded to by law enforcement with limited means. The civil recovery and criminal asset recovery statistics make for horrific reading, even before cybercrime—let alone ransomware—comes along. There is a lot to do before we can assess this effectively.

Jamie MacColl: Success does not just mean the number of attacks that are happening. It can also be the return on investment and the amount of ransom payments that the criminals are generating. There is some industry reporting that suggests that in the last 12 to 18 months the funds that they are generating are going down and the willingness of victims to pay is also going down. That is another form of success, even if the frequency of attacks is staying fairly consistent.

Q43            Lord Dannatt: Can I just bottom out one thing? Mr MacColl, I think you raised, and Mr Larkin answered, a point about a rise in the number of incidents. Do we think it is a real rise, or is there a greater willingness on the part of people to report that they have been attacked? Has there been a nervousness up to now and people holding back for a whole variety of reasons?

Jamie MacColl: Most incident statistics are not based on reporting to law enforcement or government; they are based primarily on incidents that private cybersecurity companies are working on, or on postings to data extortion sites which the ransomware operators use to post victims who will not pay the ransom in order to pressurise the victims. As Aidan says, the data is incredibly imperfect and is based in large part on what the criminals say, not what is reported to government.

Lord Dannatt: So there is a high probability that the number of attacks is going up.

Jamie MacColl: It is hard to say with any sort of certainty.

Lord Dannatt: It is not getting better anyway.

Jamie MacColl: That would be my take.

The Chair: Do you think that we in the UK impose enough cost on ransomware attackers?

Jamie MacColl: Through cyber operations and law enforcement?

The Chair: In any way. Cumulatively.

Jamie MacColl: The National Cyber Force has stated publicly in the last month that it has conducted disruptive operations against ransomware criminals. The same level of public engagement has not been seen from the US Government or US Cyber Command, which is the military cyber unit in the US, in the specific operations that the UK has conducted. That might be a cultural thing, in that we are less vocal in talking about successes, but I do not think that is happening at nearly the same level or frequency as it is with US counterparts.

Q44            Stephen McPartland: I have a quick follow-up question to the question asked by the Chair. Mr Larkin, from the evidence you just gave, do you feel that if you are a very small business in the UK, the chance of receiving any protection or support from law enforcement is quite limited? Does it focus predominantly on large, international criminal gangs as opposed to somebody who, as you said, has just set up a laptop in London and is attacking a business in Birmingham?

Aidan Larkin: Unfortunately, it has been widely reported internationally that, because of a lack of resources, there is a sad hierarchy of who gets a response. Law enforcement is expected to do a lot with very little. A company with 2,000 employees that is the victim of a multi-million-pound scheme is more likely to get a response than a small or medium-sized enterprise in a local jurisdiction. You will probably also find that the latter is less likely to even come forward in the first place. We have existing reporting systems that have been widely debated and discussed, such as Action Fraud, or IC3 in the US.

There are lots of platforms on which you can report, but I have dealt with victims at first hand and the response is, frankly, little to non-existent across the board. That traditionally comes down to the tools available. These are highly specialised forensic examinations of offences. To take the issue of jurisdiction from an earlier question, law enforcement would say, quite rightly, that this is a Vietnamese company carrying it out, for example, and the suspect may be somewhere else. All of a sudden, you struggle with the very basic reporting issue of whether it is in your jurisdiction so that you can take the case forward. Then you have to get into whether you have the ability even to investigate it.

Zooming out, the wider fraud lens has the same issue, and victims of regular crypto crimes, not just ransomware, are in exactly the same category.

A more whole-systems approach as to how we deal with any fraud or crime involving digital assets needs to be addressed. Specifically in answer to your question, I believe that, right now, the larger corporate entities are the ones getting the responses.

Q45            Stephen McPartland: I turn to international matters. The Russians have proposed a new cybercrime treaty, which is being negotiated at the UN. The Russians did not get involved in the Budapest convention. Do any of you feel that we need a new treaty and, if so, what are your thoughts on the Russians being involved in it?

Emily Taylor: There are two relevant processes going on in the UN, and Russia was the motivating force behind both of them. The first in time was the open-ended working group on responsible state behaviour in cyberspace. That was motivated by Russia and, when the process began, to say that expectations were on the floor is to massively overstate the excitement. In fact, the first process came out with a set of norms that had actually been established by a different group in previous years, but they were adopted by all member states.

Substantively, did they invent something new or make progress? Not really. But it was progress, because something that previously had felt like an exclusive club—the group of governmental experts—came out with very solid norms that ended up being adopted by all member states. So regardless of the provenance of the process, which did not inspire confidence, and regardless of the fact that they did not invent anything new, there was still significant progress. To make progress, all states need to sign up eventually.

The ad hoc committee had substantive negotiations last week. Again, these processes take a while. We do not yet have a text—it is expected in July—but some progress will be made. Is there real confidence that they will reach agreement? I do not think so. Why would every country not just adopt the Budapest convention? After all, 66 countries have done so and it is something that we have already. It is not perfect, but it kind of works and it would work better if more countries signed up. That is the argument for not having an international treaty, but other countries feel that the convention came from the Council of Europe and they are not part of that club, so they need something international.

Eventually, it will need to happen. International co-operation at this time is incredibly challenging, but the open-ended working group has shown that, through diplomacy, progress can be made. Eventually, we will need something international if we really want criminals to go to jail.

Stephen McPartland: Thank you. Does anyone else want to add anything?

Jamie MacColl: I defer to Emily on that.

The Chair: Have we lost Mr Carlin? It looks like he has dropped out.

Stephen McPartland: My next question was to Mr Carlin.

The Chair: That is rather awkward.

Stephen McPartland: We have to go to the next question.

Q46            Lord Robathan: To follow up on Stephen’s question, international operations and signing up to conventions are fantastic, of course. Russia signed up to the last Budapest convention that I know of, which was dependent on Ukraine giving up its nuclear weapons—

The Chair: Indeed.

Lord Robathan:—and guaranteeing its borders, and they did not seem to do much on that. From Russia’s point of view, is this not just a bit of window dressing?

Emily Taylor: It may be, and it may be a delaying tactic to show willing in the international system while not signing up to or abiding by a perfectly reasonable set of rules. All the things that you say are true: some countries will never abide by their responsibilities. The ability to hold them to that, to call them out for failing, will not solve the problem, but we are all part of an international community, and to solve this problem, which is international in nature, there will have to be co-operation.

At the moment, Russia is an outlier problem. Lots of non-aligned states can be brought into that sort of framework and included in the process. We would be better off for it. Will it all be perfect and will everybody abide by it? No, but the framework is important for all the countries that do want to abide by the rule of law and international law, in my opinion.

The Chair: One slightly wonders why Russia would bother. It is an interesting question.

Emily Taylor: It is mysterious.

Q47            Lord Ashton of Hyde: While we are waiting for Mr Carlin, I wonder if you could broadly say what percentage of ransomware attacks originate from or have the tacit support of Russia, China, Iraq or North Korea?

Jamie MacColl: On Russia, I have seen figures of between 50% and 75%. As we have said, all these statistics are imperfect. In my view, where these cyber groups are based is predominantly an issue of Russia and the former Soviet Union. I know there was an earlier question about whether ransomware has been adopted by other or more traditional organised cybercriminal groups. We have not seen anything in public purporting to indicate that, say, the mafia or drug cartels are using ransomware, but because of the low-cost nature of it and of other forms of cybercrime, I would not be surprised if we start to see that being adopted.

Lord Ashton of Hyde: That sort of links in with Lord Robathan’s question. If the majority—let us put it like that—originate from those countries, particularly from Russia, it calls into question what advantage we would have from pursuing a new convention or treaty with those actors.

Emily Taylor: I join you in a sense of despair about the likelihood of a good outcome that would involve Russia. If we come back to the national security approach, we have some norms for responsible state behaviour in cybercrime that would be helpful in calling out Russia and holding it to account, such as the due diligence norm. That would prevent it from harbouring those organised criminal gangs within your territory and allowing them to attack others. That may provide some recourse for other states either to call out Russia or to take some action in their national security-type work.

The Chair: Mr Carlin, can you hear us all right? If you can, we have some questions for you.

John P Carlin: I can. I note that, as soon as you asked a question about Russia, I was disconnected.

The Chair: That was just an unfortunate coincidence.

Q48            Viscount Stansgate: From our point of view, we were just about to ask you a question directly when you were disconnected. We have a couple of specific questions for you. What was the impact of the Colonial Pipeline attack on the United States Government’s approach to ransomware, including to cybersecurity resourcing?

The second question is whether the US authorities would respond in a different way were an attack like Colonial Pipeline to occur today.

John P Carlin: Right before Colonial Pipeline, recognising the exponential increase in ransomware and the fact that it posed a national security and public safety threat, along with a criminal threat, I had just announced the formation of a taskforce at the justice department focused solely on ransomware.

Then Colonial Pipeline hit. It was instructive in several regards. First, it focused the American public by showing that a not particularly sophisticated attack, which did not actually succeed in disrupting critical infrastructure, could still have the impact of causing lines at gas stations. That was an immediate, tangible impact on people’s lives.

Secondly, it showed the risk of what would happen if it had actually impacted critical infrastructure. That supercharged US efforts, with the creation of the international taskforce on ransomware. It increased resources throughout government, with a continued focus on using tools to cause, as Jamie put it, immediate ways to deprive the threat actors of their ill-gotten gains. That was a well-publicised case in the United States in which Colonial Pipeline paid the ransom but then the US, with the help of partners, was able to legally seize that which the victim had paid from the bad guys’ digital wallet and return it to the victim. The speed of that response would improve today. It also changed the way the US regulates critical infrastructure and increased requirements to show that it could be resilient. It also now imposes requirements to report incidents, which was not legally required before.

Finally, we have not talked much today about the use of sanctions. Through the Treasury Department’s Office of Foreign Assets Control—OFAC—we were used to having sanctions against nation states and terrorist groups. If you were wondering whether the group in the case of Colonial Pipeline was good or bad, luckily it named itself REvil, so you know it is probably not good. Under OFAC, that group was designated an actor to which you cannot make a currency payment that touches the US financial system. I know that the US would really like to co-operate with the UK and other foreign partners to ensure that such an approach has bite. As someone who now helps victims on the private side to respond to these attacks, that means that a public company is not going to make a payment and risk violating the sanctions regime. That imposes real consequences for the threat actor and it has now become a more regular part of the playbook.

My final thought is that I was accused by Jamie of optimism, when I am normally known as doom and gloom on these issues. To the extent that I have given that impression, I would not say that I am optimistic and I agree that I am seeing the trend line starting to increase again. However, if we all prioritise the threat, as we did in the US, post Colonial Pipeline, after suffering real damage, and work together co-operatively and internationally, there are steps we can continue to take to deprive the threat actors of the money. That is what motivates them here. If we can deny them the proceeds, ultimately they will move to some other type of crime. But we are at the very early stages of shifting to that approach. For it to succeed will take years of effort and the type of priority and focus that this committee is placing on the issue.

Viscount Stansgate: It would be fair to say that this was a wake-up call that worked and has had specific consequences. Is the requirement to report a particularly important feature of the US response, and has it had a noticeable effect?

John P Carlin: It is a little too early to tell. Right now, the response from victims has increased, but more because of carrots than sticks. That is why actions such as getting the money back or getting the keys have been so publicised. Part of the strategic effort is to make that very public, so that when the board of a public company, for instance, is deciding whether or not to tell law enforcement, their calculus is to tell them.

To your question on mandatory reporting, the statute that will require mandatory reporting in the US was passed about a year ago, but it has a two or three-year window before it goes into effect. So the statute has passed, but, to give teeth to it, the Department of Homeland Security now needs to issue regulations on who needs to report and what they need to report. So the verdict is not yet in on the success of that instant reporting regime.

Q49            Viscount Stansgate: The new cybersecurity strategy in the United States references the use of offensive operations against cybercriminals, which is sometimes referred to as “hacking back”. Is it your view that this will be the major tool of the future—to hack back, deny the money and stop this activity in that way?

John P Carlin: I do not know whether it will be “the” tool, but it is “a” critical tool in the toolbox. By “hacking back” they mean under lawful authority with the co-operation of other sovereign states, not the idea of the wild west—to use the US idiom—where each private sector entity could hack back.

It is an important tool. I think it was Jamie who said earlier that part of its use is in sowing distrust within the adversary. It is ironic that there is trust, since they are a bunch of criminals, but one group we disrupted was called In Fraud We Trust. We were able to disrupt it because it made a mistake. Its members should not have trusted their fellow fraudsters, because one of them was a law-enforcement informant, which allowed us to disrupt the group. You can use intelligence or other national security means to accomplish the same effect of causing a lack of trust among the threat actors.

Q50            Lord Dannatt: Perhaps we could switch away from the United States and ask Mr Larkin about cryptocurrencies. We are told cryptocurrencies, or crypto assets, have been a major enabler of ransomware. In your view, are cryptocurrencies a force for good, or have they predominantly facilitated other forms of illicit activity? Is this just another opportunity for those who want to make a large buck?

Aidan Larkin: John brought up the analogy of the wild west. All the reports in the public and private sectors overwhelmingly show that a small percentage of cryptocurrency is used and designated in illicit activity. I would always take those figures with a pinch of salt. It is like the global response to and assessment of money laundering: we simply do not know how much fiat currency is laundered. UNODC uses an estimate of between 2% and 5% of GDP to come up with the eye-watering figure of 1.87 trillion as the amount laundered each year, but we simply do not know.

You can safely apply the same lens and backdrop to crypto assets: there is a technology in its infancy that is being abused by some people, but overwhelmingly it is a force for good. Going back to the wild west analogy, we are at that early stage in the technology, and we are in a bit of a rat race. The criminals are operating without borders, and just like in the wild west they are able to pull off sophisticated heists, and we, as global law enforcement, often play catch-up. So the picture will be very different in the future.

As a former criminal investigator for Revenue and Customs, I think it is important to note that, for crypto, we have the capabilities to follow the money in crypto investigations, which is what we talk about in traditional money laundering investigations. Following the money through four offshore bank accounts takes years, whereas following a crypto transaction takes seconds and minutes with the technology and the tools. So we have a little parity, and we have a dog in the fight.

But we see a global arbitrage, whereby, if I am a criminal carrying out a ransomware attack, I will use cryptocurrency because I know that law enforcement globally will not have the same capability to respond in the way it would through the more mature traditional financial system. The example I often use in lectures is that it is like having an international airport without yet having X-ray equipment, sniffer dogs or financial intelligence capability. These small offshore jurisdictions, where the bad actors are setting up shop, can be targeted because they simply do not have the tools. So it would be unfair to paint the ecosystem like that, but it is right to designate it as very high risk because of the current lack of guide-rails and safety nets.

Lord Dannatt: That is very interesting. You are getting at something that we touched on earlier: criminals have no boundaries, but we have compartmentalised too much of our response. If I understood you correctly, what you touched on is a little more encouraging.

Aidan Larkin: It is about having an all-systems approach. That sounds like a cliché, but ransomware—I completely understand the national security implications of it—and what is happening sit within a wider crypto asset and fraud ecosystem, and a wider criminal ecosystem. The statistics on global asset recovery are an estimate—the report was last done in 2016—but we are recovering an estimated 1% of criminal proceeds globally, which, again, comes down to a lack of accountability and definition.

Unfortunately, ransomware looks like it is heading to exactly the same position, unless we have that accountability and unless units or taskforces are set up and say, “We’re responsible for this. We’re the lighthouse that people go to”. If we have that, we can start to create data and build out a better response. But, currently, a chief of police can easily steer a case away if they are under political pressure to get a result. No one likes stand-alone money laundering investigations because they are complicated and do not get headlines, and ransomware could also end up in the “too difficult” box, as Emily said.

Lord Dannatt: That is a very helpful observation.

Emily Taylor: I will add to Aidan’s remarks. There are a lot of perverse outcomes in this. You would think that the regular financial environment would be much easier to conduct investigations in, but there is a lot of transparency in the crypto environment, which can be useful—people often overlook this. I edit the peer-reviewed Journal of Cyber Policy, and a really good article in that said that, in the land of the cybercriminal, cash is still king. You would think that cryptocurrencies are used in quite a lot of illicit activity—they probably are—but criminals still need to cash out and are subject to the same risks of volatility that we have seen over the last year. So if you can sit at the exchanges where there is the transition from the crypto environment into the fiat environment, that would provide some possibilities for good outcomes.

Q51            Lord Robathan: That is rather encouraging. I think that the majority of the population, including me, know very little about cryptocurrency. The Government are currently consulting on a new regulatory regime for crypto. I am not sure of the details, but what will the impact of its proposals be on the ability of ransomware operators to profit from untraceable cryptocurrency payments?

Emily Taylor: Generally speaking, regulators internationally are struggling to know what to do with cryptocurrency. A whole load of countries are just banning it, and others are adopting an approach of “Well, we should license it and try to apply the same sorts of principles to it as we would to any other financial sector”. That is probably the more realistic approach. Banning it will not get rid of it, even if it makes you feel better as a regulator. Countries like China seem to be stuck between wanting to ban it and wanting to benefit from it.

So regulators are still trying to make up their minds about the correct approach, but the more forward-thinking approach is to accept that it is here, accept that it is used and try to apply licensing-type approaches for a better outcome.

Aidan Larkin: To continue Emily’s point, the horse has already bolted to a certain extent. The Chainalysis adoption report states that “the UK is the most active jurisdiction for crypto assets in Central, Northern and Western Europe with the value received between July 2020 to July 2021 reaching $170 billion”. The UK is in the top 20 countries for global crypto adoption. There is a fantastic economic opportunity, but I go back to my airport analogy from earlier: if we are going to be open for business, we need to have the capabilities to deal with the bad actors. They should not poison the overall well.

On this panel, we have not been all doom and gloom, but we have been realists. It is important to point out that the traditional asset recovery ecosystem is well noted to be broken. However, on crypto asset recovery, IRS criminal investigations in the US, for example, have crossed $10 billion in crypto seizures. To put that into perspective, the entire US normally recovers around $2 billion to $3 billion per year across all categories of assets. So we truly now have an opportunity: we are sitting on gold and oil that we are not digging or drilling for.

What worries me is that the levels of adoption and of crypto activity that we have in the UK are not seen in the Home Office statistics for crypto asset recovery returns. Where are the billion-dollar seizures, the £100 million seizures or even the £10 million seizures? The Metropolitan Police, the NCA and others have reported some excellent statistics on crypto seizures, but not at the rate that you would expect for the amount of crypto activity that is going on here. We should look at crypto and ransomware through that lens. There are opportunities, because of best practice, that have been laid down; we are just not cashing in on them.

John P Carlin: I just add some steps that the United States has taken, for you to consider. One is that, under the justice department, we created the national crypto enforcement task force, which is a group that cuts across and has expertise in tax, asset forfeiture and criminal investigations; it works with the FBI, IRS and others in order to effectuate the seizures that Aidan was talking about. We have seen a dramatic increase in our results.

Secondly, you can think of the world of cryptocurrency as being those who seek to be legitimate and do legitimate traffic and those who are illicit. For the legitimate—there are many—who want to serve as exchanges, we can try to impose the same regime on anti-money laundering and countering the financing of terrorism that other financial institutions have put into place, including know your customer rules. The more successful that is, the more we can focus the national security and criminal tools on the illicit exchanges, and the harder it is to move digital currency. This is still, as Emily alluded to, a very difficult problem, both for criminals and rogue nation states: how do they get the money out of digital currency and into fiat currency? The more we can focus through regulation, law enforcement action and national security action on preventing that movement from digital to fiat currency, the harder we can make it for criminals to benefit through the use of digital currency.

Q52            Lord Dannatt: Mind reading works well across the Atlantic: you have just answered the question I was about to ask you, so I will switch to Mr Larkin and bring it back to the domestic situation. Our Government’s Economic Crime and Corporate Transparency Bill aims to improve law enforcement agencies’ ability to seize crypto assets from criminals. You touched on this, but could you say more about your assessment of the likely impact of that Bill?

Aidan Larkin: I welcome the proposed changes; law enforcement has been asking for this for a very long time. In simple terms, it is quite easy for a law enforcement official to take a gold bar or a diamond off someone in an airport if they cannot explain where that asset has come from. You listed asset provisions, and crypto did not neatly fall into that category. Also, a lot of the technical aspects of crypto seizures, such as the ability to move it from A to B—to take it from the criminal’s possession into a more secure form of possession—were open to challenge by aggressive defence counsel in some cases.

So the reforms’ recommendations are superb: they will make it much easier for law enforcement to do what it needs to do. But I go back to my earlier point: there are not enough people, tools or training to do that work. In the US and in other entities, I note the ROI for law enforcement from investing in dedicated teams to target this en masse in multi-taskforce ways. On the global response to money laundering, in the UK we had the Joint Money Laundering Intelligence Taskforce—JMLIT—and we need similar things where we assess the accountability and the performance. This is a balance sheet of seized assets, and we should be talking about hundreds of millions of pounds seized in the UK that, through the asset recovery incentivisation scheme, can go back into law enforcement. We should see that virtuous cycle.

A lack of funding meant that we did not have enough trained officers to use Section 47 on anticipatory seizure powers—an excellent tool—through the National Crime Agency. There are anecdotal stories of people taking two years to get trained. So I would hate to see this very good set of reforms sit on the sidelines, not being utilised.

Lord Dannatt: I suppose it is obvious to say that, given the scale and size of the problem, it is a shame that a lack of resources is hobbling our ability to get stuck in.

Aidan Larkin: Precisely, and we see the clear results in other countries, so we should be encouraged to make the investment in that. Even from a tax-evasion perspective, the amount of illicit crypto in circulation is astonishingly high. Everyone has collectively said that, if we can target the ill-gotten gains of criminals, they are less motivated to use this type of avenue. But, currently, ransomware enabled with crypto is a very attractive avenue for illicit activity, unfortunately.

The Chair: Thank you. We would have liked to have touched on another couple of things, but we are out of time, so we will write to you all with a couple of questions, particularly about sanctions. Thank you for this excellent session. I particularly thank Mr Carlin for joining us from the United States. We are grateful to everyone.