As has often been the case in Ireland, it is only when something goes wrong — typically badly wrong — that people want to know what the State is doing.
This year, the HSE cyberattack, along with the tsunami of scam calls and texts, has shone a bright light on cyberdefences in this country.
And, as is usually the case in these situations, the government of the day lists off plans and commitments and strategies.
There is a promised expansion of the National Cyber Security Centre (NCSC), albeit from a low base and after many years of neglect.
A redacted summary of an external review of the NCSC, published last week, praised the quality and experience of staff in the centre.
The review, ordered before the HSE attack, says the NCSC is under-resourced and overworked, and that its workload is only going to increase.
It says the centre needs its own dedicated office, independence, and budget.
The Government has pledged that staff at the centre will grow from 25 to 45 over the next 18 months and to 70 within five years.
New laws will be brought in to put the body on a statutory basis.
Ossian Smyth, the Minister of State with responsibility for cyber, told the Oireachtas communications committee last week that the centre will be given powers to “gather intelligence” and engage in “cyberdefence”.
The other key cyber-arm of the State, he said, was An Garda Síochána, tasked with conducting criminal investigations.
Leading that charge is Detective Chief Superintendent Paul Cleary, head of the Garda National Cyber Crime Bureau (GNCCB), set up in 2017.
Like the NCSC, the bureau has been waiting many years for the necessary investment in its staff and technical capabilities.
The bureau, and its predecessor, the Garda Computer Crime Unit, had too often been in the news with judges criticising long delays — often many years — in waiting to have computers and other devices examined in online child sexual abuse cases.
The Garda Inspectorate too was heavily critical of the backlog in a major report in 2018.
Plans to boost the GNCCB and set up regional cybercrime units were first detailed in the Garda’s Modernisation and Renewal Programme, launched in June 2016. This envisaged regional units being in place by the end of 2017.
The report of the Future of Policing in Ireland Commission, published in September 2018, said the cybercrime and security capacity and expertise of the Garda needed to be “substantially expanded as a matter of urgency”.
Two pilot regional cybercrime units have been operating in recent years, in Ballincollig, Co Cork, and New Ross, Co Wexford.
In October 2019, officers in GNCCB told the Oireachtas justice committee that the bureau had 32 members, but that Garda commissioner Drew Harris had approved a plan to bring the number to 120 over the next two years, which would also include staffing local cyber units.
Last September, thereported that Garda HQ had been waiting since March 2019 for funding approval to set up regional cybercrime “hubs”.
The following month, Garda HQ said an expansion of the bureau had been sanctioned, with necessary resources, including additional staff, accommodation, and technology to provide “an enhanced response to cybercrime”.
It said an internal recruitment campaign had started and that an external competition would result in the “unprecedented” introduction of civilian digital forensic investigators.
It said the regional units would be in place by the close of 2020.
Sitting in his office in Harcourt Square, Det Chief Supt Cleary leads a bureau that is in a far better place than when he took over in June 2020. Just in the last week or so, he has formally opened a number of the regional hubs.
“Last year, there was an internal competition for sworn detectives and 59 people were successful,” he said. “The vast majority had a technical background, most had a high-level computer qualification, for example, a master’s in computer science.”
He said that in April, 25 of that 59 joined the bureau. “In addition to supplementing different sections here, they were also assigned to four brand new satellite hubs across the country — in Cork, Galway, Mullingar, and Wexford.”
The pilot unit that was in Ballincollig is now located in a purpose-built office in Anglesea St Garda Station.
“The hubs are an extension of the bureau,” said Chief Cleary. “The staff are trained to the same standard, and they have the same equipment. They are there to ensure a more localised response.
“It complements the training of 200 digital-first responders, who are in every district. It shows we have the capability and capacity across the jurisdiction to deal with cybercrime.”
Det Chief Supt Cleary said each hub will have one detective sergeant and five or six detective gardaí. “We are not at full capacity yet. Cork has one [sergeant] and five [gardaí]. We are waiting on the additional 34 gardaí. We have to build.”
Referring to the hub in Anglesea St Garda Station, he said: “They remodelled a whole section of the building to accommodate our needs. We have specific requirements for networking, equipment, and accommodation, different from any other policing environment.”
He said figures from the Cork unit show that phishing and smishing attacks in the Southern Region account for 20% of total cases in the country and 25% of offences against computer systems.
Giving examples, Det Chief Supt Cleary said the Cork unit is working on an investigation with a drug unit in the region involving monitoring sales activity on the darknet. It is also working on a child abuse imagery case and a cyberattack on a company in the region.
Det Chief Supt Cleary said that while 25 of the 59 detectives on the panel had joined the bureau, 34 are awaited.
He said their allocation “depends on availability of resources”, but pointed out that there were competing demands for scarce resources throughout the organisation. “Rightly so, the commissioner will give priority to the frontline,” he said.
“Hopefully, in the short term we will get those 34 because we need them.”
The competition for the 25 civilian digital forensic investigators is also awaited and Chief Cleary said they will add significantly to their resources and technical expertise.
And despite the restrictions and uncertainty on further staffing, he said there will be further expansion with a new hub due in Cavan next year and, after that, one to follow in Dublin.
He cites the various sections of his own bureau to highlight the need: Cybercrime Investigations; Computer Forensics 1 & 2; Cyber Intelligence; Cybersecurity; and Cybersafety.
He said the bureau’s total caseload has “increased significantly”.
This has been seen most dramatically in the Investigations section, which tackles the likes of scam calls and texts, cyberattacks, and hacking.
Comparing January to August 15, 2020, to the same period this year, bureau figures show:
- Phishing and smishing are up 1,440%;
- Unauthorised access of computer systems (hacking) is up 146%;
- Data interference is up 183%;
- System interference is up 275% (but low numbers, four to 15).
Det Chief Supt Cleary said the figures for phishing and smishing, which includes the scam calls and texts, increased from 213 reports between January and August 15, 2020, to 3,282 in the same period this year.
“That’s a huge increase and I’d say even in the last six weeks, when you look at the amount of scam text messages, there has probably been a significant increase since then.”
While traditionally there has been an unwillingness, particularly among companies, to report, he thinks the HSE cyberattack has changed that. “The HSE attack has single-handedly created more awareness of cybercrime, because it was the most serious cyberattack ever in this country, because it attacked our critical national infrastructure and because it affected sick people, children, and vulnerable people.
“Obviously, it’s a massive story and still is a big story and it’s a massive investigation for us.”
Parallel with this has been the surge in criminals looking to defraud people online and through mobile networks.
“There’s no doubt that since the pandemic started, there’s been a rapid progression of digitisation in society,” Det Chief Supt Cleary said.
“More people working from home online, shopping, banking online, social media — it all creates multiple opportunities for cybercriminals to steal data, steal money, or just to disrupt. They are very inventive, all the time looking at new ways to target people, attack people.”
He said “everyone has seen a huge increase in the amount of scam messages and phone calls” and that the scammers are very technically aware and convincing.
“The likes of text messages are very challenging for us,” Det Chief Supt Cleary said. “We have found most would emanate outside the State, so all we can do is provide an evidence pack, forward it on to law-enforcement partners in the country, and hope that they follow through, but it is difficult.”
He said this was “not just a law enforcement issue” and that “the likes of the telecoms companies, messaging platforms, need to be more involved”.
He said the criminals involved are sending “500,000 texts” at one time from a phone abroad — in a process known as robodial — completely different from the standard person sending one or a couple of texts one after another.
“Surely they can be recognised and put appropriate firewalls in place to address this issue,” he said. “It is getting bigger and most First World countries are victims of this and we need to address it.”
He said that by the time it’s reported to gardaí, it’s “too late” and that prevention measures are needed.
“We are currently linking in with our law-enforcement colleagues in the UK, who have the same problem and we are looking at what they are doing.”
Det Chief Supt Cleary said gardaí were treating the matter with “urgency” and working hard with the telecom companies on it. “We are in the middle of trying to work with the telcos and get on top of this and I would hope the work we are doing will reduce it in the short time.”
In addition to Cyber Investigations, another key section is Cybersecurity. “This is to do with the security of the State and the State’s critical national infrastructure and supply lines,” he said.
He said while a separate Garda section, Security and Intelligence, would have a link with the NCSC on matters of State security, his bureau has a role from a “technical aspect”.
A massive investigation was, and is, the HSE attack.
“Look at the response to the HSE attack — it was a good response,” he said. “What was meant to happen happened; the NCSC takes the lead, they pull together all the relevant stakeholders, the priority for them is the safety and security of the systems and get them back up running.
“We then come in as law enforcement to keep people safe, our job is attribution and working with the criminal justice system for sanction, as a deterrent. We might have a different agenda, but we all work together.”
The bureau has an officer seconded to NCSC.
As detailed in the media in previous weeks, he said the bureau’s investigation led to a disruption operation, which identified, targeted, and seized the “technical infrastructure” of the gang believed to be behind the HSE Conti ransomware attack. By doing so they protected 753 other organisations that were potential victims of the gang and put up an online splash screen saying the Irish police had seized this domain and advising people to check their systems.
“It was very successful,” Det Chief Supt Cleary said. “It’s not to say this gang can’t set up new technical infrastructure — they can — but we are getting an insight into them, their finances, and, working with law enforcement around the world, we were able to make tangible progress.”
He said there was “more to come” but declined to go into specifics.
There’s no doubt the general threat continues. Late last week, the NCSC reported on estimates from the US Cybersecurity and Infrastructure Agency that 400 US and internal organisations had been hit with a ransomware attack similar to the one that “severely impacted” the HSE.
Det Chief Supt Cleary said he was recently at an Interpol conference on cybersecurity: “All agreed that cybercrime and ransomware has reached a tipping point. It’s not that we weren’t always proactive, but if people are in other parts of the world, it’s very difficult for us to reach them — unless we collaborate.
“The approach being taken now [on cybercrime] is more of a collaborative approach and I think you’ll see more worldwide operations regarding cybercrime.
“Even those countries associated with cybercriminals or gangs, they are being bombarded with cyberattacks, so it’s in everyone’s interest to collaborate.”
He said this links in with another section in the bureau: Cyber Intelligence. The unit liaises with law enforcement across the world, including the likes of the FBI and Homeland Security in the US and the National Crime Agency in the UK, as well as Interpol, Europol, private industry, and academia.
He said the bureau is a member of Cyber Ireland, which brings together industry, academia, and government, and works closely with the banking and financial institutions, consultancy firms, as well as the tech industry.
While there has been some talk of the vulnerability of the tech industry in Ireland, set to grow with the planned expansion of data centres, Det Chief Supt Cleary pointed out that these companies put “significant investment” into cybersecurity.
“They absolutely think of it as an investment, not an overhead — the way it should be.”
Much of the bureau’s activities feed into another section: Cybersafety. The task of this unit is to spread education and awareness about cybercrime. This month is European Cybersecurity Month and the bureau, along with the NCSC and its parent department, the Department of Communications, is highlighting different issues over the weeks including cybersecurity at home, ransomware attacks, and school cybersecurity.
The final section in the GNCCB is the busiest, reflected in it having two teams: Cyber Forensics 1 & 2.
It is also the most disturbing of areas the staff have to work in, with the bulk of it relating to child sexual abuse imagery.
“I would say digital forensics takes up 60% of what we do,” Det Chief Supt Cleary said, “and, within that, you have child exploitation, fraud, harassment, and of course child abuse imagery — and that’s where the backlog is.”
He tries to explain why the backlog is a reality: “As cybercrime grows, obviously the amount of cases referred to us would grow and, as cases come in, we find more and more devices in each case.”
He said in the past there might be one laptop and one desktop per case — now there’s USB cards, SD cards, SIM cards, multiple phones, laptops, hard drives. We could have 40 devices in one case, so that’s a challenge; it’s more resource-intensive. A lot of time is spent on child sex abuse images.
“So, is the backlog increasing? Yes, it is, but with the 25 new members in April, we are starting to see, in the last few weeks, the impact on the backlog.
“When we get the other 34 gardaí and other 25 garda staff [civilians] I hope the backlog would be reduced week to week or month to month. I’d like to think that by this time next year we will be very much on top of that.”
Det Chief Supt Cleary asked critics, including the judiciary, to be “cognisant” of the massively increased storage capacity of devices, cloud storage, and layers of encryption, pointing out that a basic laptop could house 250,000 images and each of them individually has to be examined.
But he stressed: “I will rely on the system we have in place here. As the cases come in, they are risk-assessed and prioritised, so we are not going to leave any vulnerable victims or not take a chance that a suspected offender might abscond.
“When the cases come in, the system we have will give a loading to each case based on a metric and it has worked very well.”
Det Chief Supt Cleary said the work can be “emotionally and psychologically demanding” and that the welfare of his staff is a top priority, with enhanced counselling and 24-hour support services available.
What has aided their work on forensics and encrypted devices was the arrival this year of a decryption device. “We have upped our game in terms of the equipment we are using, and we took delivery of a state-of-the-art decryption suite earlier this year, that gives us an edge,” said Det Chief Supt Cleary, adding that the device has massive processing power.
“If you need blunt force decryption, this is the thing to use. It does take time and you can’t say you’ll always have success, but we are a lot further down the road than we were.”