As law enforcement in the UK and beyond are now expected to tackle the plague of cybersecurity-related fraud, scams, and crimes committed for identity theft and financial gain, they must also become familiar with the threats, the concepts, and, at the very least, the basics of how such attacks are conducted.
The police cannot always be on the front line especially when it comes to targeted attacks and scams conducted online. However, in their duty to the public, they do need to be able to advise victims, send them in the right direction, and make them aware of their rights.
As of March 2018, the equivalent of 122,404 full-time police officers were employed in the 43 police forces in England and Wales; and the equivalent of just over 17,000 members of the police are operating in Scotland based on figures from early 2018. Together, the UK has an estimated population of over 66 million.
We have few police officers on the beat and the numbers appear to be dwindling year after year. So, the few we have left need to understand today's digital threats.
If a friend of mine -- a recently anointed member of the UK force -- is to be believed, they have such knowledge locked down and know as much, or perhaps more, than your average cybersecurity journalist.
This statement might prompt mirth and mockery for one or both parties involved, but the question remains: what do police officers in the United Kingdom know when it comes to cyberthreats, and how are they given this information?
ZDNet decided to find out.
In November 2018, Cisco announced a partnership with the UK police force which involved the launch of a nationwide initiative to provide access to cybersecurity training for officers.
Through the Cisco Networking Academy, police officers will be offered courses to improve their cybersecurity knowledge.
Andy Beet, from the National Police Chiefs' Council, Data Communications Group, said the courses and initiative at large would, "raise awareness and increase their understanding of cybercrime and cyberthreats," and that "it is important for all police officers to understand cybersecurity as fully as possible; by doing so they can develop their knowledge in this increasingly important area, improving security in both their professional and personal lives."
In order to gain some insight into what training they will receive, I undertook some of the same courses that today's UK officers will be able to access and will be taught, both online and in person, according to a Cisco spokesperson.
The courses in question are Introduction to Cybersecurity and Cybersecurity Essentials, both of which can now be undertaken for free by anyone as part of the European Cyber Security Awareness Month initiative.
Anyone can self-enroll by registering. I did so, albeit raising an eyebrow in the process when I realized that a platform which hosted cybersecurity training did not insist on a strong, complex password -- probably not the best start, but we're here to learn about such practices, right?
Introduction to Cybersecurity
The first course began with one of the most important elements to understand if you are to connect the dots when it comes to digital crime: data.
Amusement over the password element aside, and viewed from the perspective of a former teacher, the materials are laid out in clear, bite-size chunks with an easy-to-follow layout.
The course is US-centric; for example, when discussing what data is, how it is used, and how it is structured, many of the examples were US-focused -- such as explaining how stolen annual tax return information can be used to defraud the IRS -- but the message was clear: data is valuable and, in the wrong hands, can be abused for identity theft and more.
The material moved from what kinds of personal data can make up someone's virtual identity to what information is held by corporations and financial systems.
A section of the course then covered IoT and Big Data which, in the grand scheme of things, isn't really relevant to a bobby on the street dealing with an elderly person who has just been scammed out of their life savings by a criminal who has sent them an email claiming they won the Spanish lottery.
The Confidentiality, Integrity, and Availability (CIA) triad was then discussed, which Cisco calls the "guideline for information security for an organization."
"To protect an organization from every possible cyberattack is not feasible, for a few reasons. The expertise necessary to set up and maintain the secure network can be expensive. Attackers will always continue to find new ways to target networks. Eventually, an advanced and targeted cyberattack will succeed. The priority will then be how quickly your security team can respond to the attack to minimize the loss of data, downtime, and revenue." - Introduction to Cybersecurity
Checksums -- a means to validate the integrity of files -- and hashes were then explored, leading to an online lab test to compare data with hashes.
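The lab described above compares data against published hashes. The following is an added example, not code from the Cisco course or from ZDNet, showing what that check looks like in practice: a SHA-256 digest computed in chunks (as you would for a large download), a constant-time comparison against the publisher's digest, and a demonstration that flipping a single bit in the file breaks the match. The file bytes and the "published" digest are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: the bytes of a "downloaded" file and the SHA-256 digest
# its publisher is assumed to have posted alongside it (hypothetical data).
ORIGINAL = b"Introduction to Cybersecurity - lab handout v1\n"
PUBLISHED_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()


def sha256_hex(data: bytes, chunk_size: int = 65536) -> str:
    """Return the SHA-256 digest of data as lowercase hex.

    The data is fed in chunks, which is how you would hash a multi-gigabyte
    download without loading it into memory all at once.
    """
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """True only if data hashes to the digest the publisher supplied.

    hmac.compare_digest compares in constant time, so an attacker who can
    time the check learns nothing about how many leading characters matched.
    """
    actual = sha256_hex(data)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def tampered_copy(data: bytes) -> bytes:
    """Flip one bit in the middle of data to simulate a corrupted or altered download."""
    mid = len(data) // 2
    return data[:mid] + bytes([data[mid] ^ 0x01]) + data[mid + 1:]


def differing_hex_chars(a: bytes, b: bytes) -> int:
    """How many of the 64 hex characters differ between the digests of a and b."""
    return sum(x != y for x, y in zip(sha256_hex(a), sha256_hex(b)))


if __name__ == "__main__":
    altered = tampered_copy(ORIGINAL)
    print("original verifies:", verify_integrity(ORIGINAL, PUBLISHED_SHA256))
    print("tampered verifies:", verify_integrity(altered, PUBLISHED_SHA256))
    print("one flipped bit changes", differing_hex_chars(ORIGINAL, altered), "of 64 digest characters")
```

The caveat a practitioner would add: a hash only proves integrity if it arrives through a channel the attacker does not control. A digest published on the same server as the file is replaced along with the file; a digest in a signed release note or a vendor page fetched over TLS is not. MD5 and SHA-1 are collision-broken and should not be used for this purpose.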
At this point, I became somewhat despondent with the course. While a good, thorough guide to the basics of cybersecurity, there was little beyond an exploration of the concept of data that could be considered relevant.
Eventually, however, the topic of phishing came up.
Phishing is the use of fraudulent messages to entice a recipient to click a link, visit a malicious domain, hand over sensitive information, or download malicious documents embedded with malware payloads.
This is an extremely common attack vector and one experienced by the general public on a daily basis. Fraudsters will impersonate everyone from banks and financial services that operate in the UK -- such as Lloyds, Barclays, Mastercard, and Visa -- to the UK Student Loans Company (SLC) and Her Majesty's Revenue and Customs (HMRC).
The problem is widespread enough that organizations including HMRC have been forced to issue warnings against such spam and have published examples of what to look for.
It is not just emailed phishing campaigns that consumers -- and the force -- need to be aware of. Text messages, social media links, and even cold calls which use telephone number spoofing and masquerade as legitimate services are all common scam techniques.
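The phishing lures described above share a few mechanical tells that can be checked automatically: a link whose visible text shows one site while its href goes to another, a hostname that merely contains a trusted brand name (hmrc.gov.uk.refund-claims.example is under refund-claims.example, not gov.uk), and links that point at a bare IP address. The following is an added example, not material from the Cisco course or from ZDNet; the HTML lure, the domains and the IP address are constructed for illustration and are not a real HMRC message, and the trusted-domain list is a stand-in for whatever allow-list a real mail filter would carry.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body imitating a tax-refund lure; the domains and the IP
# address are made up for illustration and this is not a real HMRC message.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, you are due a tax refund of &pound;264.18.</p>
<p>Claim it at <a href="http://hmrc.gov.uk.refund-claims.example/login">https://www.gov.uk/hmrc</a>
before the deadline.</p>
<p>For help visit <a href="https://www.gov.uk/contact">https://www.gov.uk/contact</a>.</p>
<p>Or <a href="http://198.51.100.23/hmrc">click here</a> to verify your account.</p>
"""

# Brands the recipient would trust; a tuple so that reports come out in a fixed order.
TRUSTED_DOMAINS = ("gov.uk", "hmrc.gov.uk", "lloydsbank.com", "barclays.co.uk")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lowercase hostname of a URL; bare 'www.example' text is treated as http://www.example."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (label-aligned, not a substring match)."""
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_url(text: str) -> bool:
    return re.match(r"^(https?://|www\.)", text.strip(), re.IGNORECASE) is not None


def analyse_link(href: str, text: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return human-readable red flags for one link; an empty list means none were found."""
    findings = []
    host = host_of(href)
    if is_ip_literal(host):
        findings.append("points at a raw IP address instead of a named site")
    if looks_like_url(text) and host_of(text) != host:
        findings.append(f"displays {host_of(text)} but actually goes to {host}")
    for brand in trusted:
        if brand in host and not is_under(host, brand):
            findings.append(f"borrows the trusted name '{brand}' without being under it")
    return findings


def analyse_email(html: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Map each href in the message to its list of red flags."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return {href: analyse_link(href, text, trusted) for href, text in parser.links}


if __name__ == "__main__":
    for href, flags in analyse_email(SAMPLE_EMAIL_HTML).items():
        print(("SUSPICIOUS" if flags else "ok").ljust(10), href)
        for flag in flags:
            print("           -", flag)
```

On the sample message the gov.uk contact link passes, the IP-address link raises one flag, and the refund link raises three. The brand check here is deliberately simple: a production filter would use the Public Suffix List to find the registrable domain rather than suffix-matching against a hand-kept list, and would also decode punycode (xn--) hostnames before comparing, since lookalike Unicode domains defeat plain string comparison.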
In this section of the course, the material accurately described how phishing attacks occur, what they may involve -- although there was no mention of social engineering -- and used the 2015 LastPass data breach in which user data was compromised due to weak passwords as an example.
Social engineering should not be overlooked. While it is mentioned briefly later in the course, it deserves far more emphasis for this particular study group.
Social engineering is a blanket term for methods that attackers, criminals, and fraudsters will use to psychologically manipulate a target.
This attack method requires human interaction. A fraudster may pretend they are an employee of a company or government organization, a friend, or another trusted source.
The Facebook post which begs help for a dying child; the email supposedly from payroll which urgently needs your bank details so you can be paid; the call from the tax office in which someone demands you immediately pay a fee or risk jail -- all of these scams aim to elicit an emotion such as sadness or panic to push a victim into handing over money or sensitive information.
In the UK, some of the most common forms of social engineering-assisted scams are insurance and lottery scams; fraudulent pension schemes and soliciting; and copycat fraudulent websites -- such as in the recent case of a couple who were jailed for 35 years after making £37 million from selling fake passports and driving licenses through fake UK government portals.
After exploring phishing, a few examples were given of recent security breaches, including Equifax and Vtech, which led to a lab class on how to ferret out the facts and find other recent incidents.
However, the examples given were in a clunky format which in my opinion is not easily digested by any student and assumed technical knowledge of terms which had not been explored. (A glossary at this point would have helped.)
The course then covered the following:
- Different kinds of threats and hacker types (white, gray, and black hat)
- The history of cyberwarfare, including a discussion of Stuxnet
- Types of security vulnerability, such as non-validated input flaws, buffer overflow bugs, and race conditions
- Types of malware, including spyware, adware, ransomware, and Trojans. Man-in-the-Middle (MITM) attacks were also filed under the malware umbrella, which could be confusing: MITM is a network interception technique, not a category of malicious software.
- Wi-Fi attacks and packet sniffing
- Denial of service (DoS) attacks
- SEO poisoning
- OAuth 2.0
- Cybersecurity tools and practices: firewalls, proxy servers, port scanning, incident response, honeypots, and kill chains
Interesting, but irrelevant in many cases to law enforcement -- unless they are being trained to specialize as criminal investigators in the cybersecurity realm.
There was then a chapter detailing basic security advice, two-factor authentication (2FA), the risks public Wi-Fi poses, and how to create strong complex passwords.
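The chapter on strong passwords is the kind of advice an officer will pass on to the public, and it is also what the enrollment platform mentioned earlier failed to enforce. The following is an added example, not code from the Cisco course or from ZDNet, of what a sensible sign-up policy actually checks (length, breach-list membership, username reuse, and character variety, in that order of importance) alongside a passphrase generator that draws from a CSPRNG. The breached-password set and the 16-word list are constructed for the demo; a real service would check against a large breach corpus and use a full diceware list.

```python
import math
import secrets

# Constructed set of passwords known to have leaked in past breaches.
# A real service would check against a large breach corpus instead.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1", "liverpool"}

MIN_LENGTH = 12

# Constructed, deliberately short word list for the demo. The EFF long diceware
# list has 7776 words, which gives log2(7776) ~ 12.9 bits of entropy per word.
WORDLIST = ["anchor", "beacon", "copper", "dagger", "ember", "falcon", "granite",
            "harbour", "island", "juniper", "kettle", "lantern", "marble", "nickel",
            "orchard", "pepper"]


def password_problems(password: str, username: str = "") -> list:
    """Return the reasons a password fails the policy; an empty list means it is accepted.

    Length and breach-list membership matter far more than forcing symbols,
    which mostly produces predictable substitutions such as 'P@ssw0rd'.
    """
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in BREACHED_PASSWORDS:
        problems.append("appears in a known breach list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("uses fewer than four distinct characters")
    return problems


def generate_passphrase(words: int = 5, wordlist=WORDLIST) -> str:
    """Build a passphrase with the secrets module; random.choice is not suitable for secrets."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Guessing entropy when each word is drawn uniformly at random from the list."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ["password", "pc.jones.2019!", "granite lantern copper kettle ember"]:
        print(repr(candidate), "->", password_problems(candidate, username="pc.jones") or "accepted")
    print("generated:", generate_passphrase())
    print("5 words from a 16-word list:", passphrase_entropy_bits(5, 16), "bits")
    print("6 words from a 7776-word list:", round(passphrase_entropy_bits(6, 7776), 1), "bits")
```

The entropy figure is the honest measure of a passphrase: five words from this toy list give only 20 bits, which is why the demo list is for illustration only, while six words from a 7776-word list give about 77 bits, well beyond what an offline cracking rig can search.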
I found the next stage in the course somewhat amusing: a how-to on encryption, backups, browser incognito modes, and data deletion. Since my homeland is the creator of the Snooper's Charter and has waged war on the use of encryption, your average officer being taught how to use these technologies did prompt a smile.
However, the following chapter was important: a guide to online behavior: what is considered risky -- such as poor passwords, oversharing on social media, and the use of public Wi-Fi -- and how individuals can improve their general cybersecurity stance.
It is this kind of material which is key for today's law enforcement. Digital services are now firmly enmeshed in our lives, and there can be generational disconnects and education deficiencies, at all ages, which leave people open to exploitation by savvy cybercriminals.
My interest was also piqued when the phrase "legal issues" came up. I was hoping to see a brief overview or two on current UK laws relating to cyberintrusions, fraud, and in the case of financial theft, what victims can claim back, and who they need to talk to.
Sadly, this was not to be.
In brief, the most relevant UK laws surrounding cybersecurity are:
General Data Protection Regulation (GDPR): In force since May 2018 and given effect in the UK through the Data Protection Act 2018, which replaced the 1998 Act, GDPR imposes a strict set of rules on how personal data is collected, stored, and shared within the European Union. Organizations must take appropriate technical and organizational measures to protect the data they hold, collect only what is necessary, and report breaches to the regulator (the ICO in the UK) within 72 hours, or face fines of up to €20 million or 4 percent of global annual turnover. At least, for now.
Security of Network & Information Systems Regulations (NIS Regulations): Laid out in 2018, the NIS Regulations require UK operators of essential services -- such as energy, transport, water, and health -- and certain digital service providers to improve their cybersecurity practices and report significant incidents.
The Computer Misuse Act (CMA): This 1990 law is still the UK's main route to prosecuting hackers. It criminalizes unauthorized access to computer material, unauthorized access with intent to commit further offences, and unauthorized acts that impair the operation of a computer (which covers malware and denial-of-service attacks), as well as making or supplying tools for those purposes. However, only 47 cases of illegal hacking resulted in prosecutions in 2017.
The course, instead, provided a brief overview of legal issues; personal, corporate, and international. However, these were based on the behavior of would-be hackers and the consequences of illegally breaking into systems, rather than anything concrete, or what can be done by law enforcement themselves to track down perpetrators.
Overall, data, phishing, online risk behaviors, and password use were the topics most relevant to law enforcement explored throughout the course. However, historical cyberwarfare, security vulnerabilities, OAuth, cybersecurity professional tools, and many other topics were not suitable.
All in all, the course could be condensed to several pages to maintain relevancy to law enforcement.
Cybersecurity Essentials
After a brief introduction mentioning the history of hacking and Sun Tzu's Art of War, this course went into more depth on topics which had already been covered in the introduction.
Much of the course was recycled, such as an exploration of the kinds of hackers in existence, data types and risk factors, Big Data & IoT, and the kinds of external and insider threats in workplaces today.
There was a brief discussion on advanced persistent threats (APTs) which would likely be of interest to learners, as well as information on the principles of security, data states and integrity, data safeguards, access controls, and a more detailed explainer on malware types and families.
Some sections include lab exercises to practically apply what you are learning, and these tasks help cement the course content.
"You do not even have to be an employee to be subject to cybersecurity laws. In your private life, you may have the opportunity and skills to hack another person's computer or network. There is an old saying, "Just because you can does not mean you should." Keep this in mind. Most hackers leave tracks, whether they know it or not, and these tracks can be followed back to the hacker.
Cybersecurity professionals develop many skills which can be used for good or evil. Those who use their skills within the legal system, to protect infrastructure, networks, and privacy are always in high demand." - Cybersecurity Essentials
This course is very much geared towards would-be security researchers, rather than professionals in other fields who need a cybersecurity foundation in order to impart information to the public and to deal with criminal cases.
Don't get me wrong: it is an excellent introductory guide and will give learners a stable foundation for kickstarting a potential career in cybersecurity. The course material also explores cybersecurity specialty areas, frameworks, professional organizations, and industry certifications which can only be useful to aspirants.
However, the in-depth coverage of Telnet, SSH, packet tracing, cryptography, and steganography is not required for general law enforcement.
The courses themselves are -- mostly -- easily digestible, clear, and well-written explainers on the basics and foundation of cybersecurity risks, research, and career options today. However, as teaching tools for today's law enforcement, only a few sections are relevant or applicable, and there is a lot of work to be done if law enforcement is going to get the most out of their studies.
According to Cisco, the program is still in the early stages and many details still need to be determined. I would hope to see more emphasis placed on common scams, UK law, and what information should be imparted to the general public to educate them on risky online behavior -- as well as who to turn to in the case of fraud and successful attacks.
However, if you are interested in taking a few introductory courses to the world of cybersecurity, I would recommend signing up.
"While there will be a strong focus on cyber security and networking, areas like the Internet of Things, programming and operating systems may also be covered," the spokesperson said. "I would imagine there is some flexibility in terms of what aspects of the courses officers can take."