Interpol: We can't arrest our way out of cybercrime

As cybercriminals become more sophisticated and their attacks more destructive and costly, private security firms and law enforcement need to work together, according to Interpol's Doug Witschi.

It's tough to argue with either of these two statements. But considering the constant barrage of ransomware-attack headlines, as well as politicians' calls for more public-private threat intelligence sharing, they both begin to sound a bit hollow.

Witschi, the assistant director for cybercrime threat response and operations at Interpol, told The Register about recent successes that the agency's Gateway cyber-threat intel sharing project has had, and the increasingly well-funded, targeted attacks that law enforcement agencies are trying to prevent. 

"We're not going to be able to arrest ourselves out of this problem," he told The Register. "We need to work as a global community on this challenge. And Gateway is one step in that direction."

Through the project private-sector security shops including Fortinet, Palo Alto Networks, Trend Micro, Kaspersky Lab and others share intelligence with Interpol member countries' law enforcement agencies to help them investigate cybercrime and attribute attacks to the various crime rings.

Recently, the public-private effort participated in an operation that led to the arrest of 11 people in Nigeria, thought to be members of a prolific business email compromise (BEC) scam ring that victimized "thousands" of companies globally. 

And late last year the Interpol-led effort led to the arrest of six Clop ransomware gang members in Ukraine, following an international law enforcement operation code named "Operation Cyclone."

This 30-month-long operation was coordinated from Interpol's Cyber Fusion Centre in Singapore and used threat intel provided by Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet and Group-IB through the Gateway project.

• Interpol: Policing model needs to change with cybercrime
• Cuffed: Ukraine police collar six Clop ransomware gang suspects in joint raids with South Korean cops
• Reward! Uncle Sam promises $10m for info about DarkSide ransomware gang chiefs
• Now Mandiant says 2021 was a record year for exploited zero-day security bugs

"Cybercrime is such a global threat, unlike transnational organized crime," Witschi said.

If a gang was funneling drugs and drug money between two countries, the local cops could work together to take down the crime ring using legal tools like mutual assistance treaties and bilateral agreements between the two, he explained.  

"But cybercrime is just purely global," Witschi added. "I can't see a single nation being able to get on top of it when you think that 13 percent of countries don't have law – let alone policy – around cybercrime. It just means that any international legal framework doesn't exist in those countries."

Plus, law enforcement agencies typically don't have the budgets to hire cybersecurity and other technical specialists to help combat cybercrime.

'You need a room full of these people'

"I'd love to have those people within my teams here at Interpol," Witschi said. "But the problem is, I generally can't afford them. And when you think of the nuances and the issues across all cybercrime, you really need a big room full of these types of people to canvas all the issues – whether it's DDoS or BEC or ransomware attacks or phishing."

"The Gateway project really gives us a lot more capacity and capabilities to get things done on a global stage," he noted.

Fortinet is one of Gateway's founding private-sector partners. In an interview with The Register, Derek Manky, chief security strategist at Fortinet, said that this partnership is different from other threat-sharing relationships between private vendors and public agencies. These typically involve working with government agencies to harden infrastructure, create new security policies or share technical indicators of compromise, he explained.

"But within the Gateway program, what's unique is that it allows us a channel to respond to requests for intelligence," Manky said. "It could be a piece of malware, or a new vulnerability that's breaking. And we contextualize that."

Global security vendors have much greater visibility across regions that a local law enforcement team has, which helps with the contextualization piece, he explained. They can also look at the key indicators and techniques to tie a campaign to a particular threat actor and help with attribution, Manky added.  

"But then, how do you operationalize that? That's critical, and that's where we pass the ball" back to Interpol and law enforcement, he said. "This is how we work together. It can lead to arrest, it can lead to prosecutions, it could lead to possible freezing of assets. Any one of those is a step in the right direction and it sends a message back to the criminals."

Interpol 'cyber surge' targets African crime rings

Over the summer, Interpol will lead what it calls a "cyber surge" in 30 African countries. These coordinated efforts, which also involve the Gateway threat-sharing security partners, focus on pumping resources into both identifying threats and then helping local law enforcement disrupt cybercrime rings. 

Fortinet participated in this surge, and Manky said these efforts illustrate another point about why Gateway works: because it makes it more expensive for cybercrime rings to operate. "You have years of profiting, deeper pockets, which allows the cybercriminals to invest and create more," he said, noting that last year NIST's National Vulnerability Database tracked more than 20,000 new vulnerabilities, which set a new record. "So that's also driving this," Manky said.

This is why efforts like Gateway are needed, he added.

"We need to partner to fight back and disrupt" cybercrime, Manky said. "Because without that, it's a runaway train." ®