OTTAWA – Police frustration of dealing with the ever-increasing amount cyber crime businesses and citizens face compared with limited law enforcement resources burst out for a few minutes at a conference here Monday when a senior RCMP officer said more has to be done on prevention.
“We’re not going to be able to put these things (cyber crime) through the courts and expect to solve it,” Scott Doran, director general for federal policing for criminal operations including online crime, told an international cyber crime police summit here.
“So, how much effort are we as putting into prevention as a law enforcement community? … I don’t think we’re doing enough.”
The Mounties’ cyber strategy includes reducing the impact and victimization of cyber crime by identifying and prioritizing threats. But, Doran said, “we’re probably not doing a great job … The reality is we don’t have the resources. We ‘re so busy responding that to get out ahead of the thing is very, very difficult.”
“We do a good job when we get our hands on a ‘meaty file’ and are able to pursue it,’ but we have to select highest priority files.”
He and other police officers who spoke suggested that the public may have to lower expectations about the ability of Canadian police to solve every cyber-related complaint they file.
Police forces have to “get our best propeller heads together to solve this issue. We can do it, provided we set expectations and we put our best foot forward and we have a common message.”
In 2014 the RCMP fielded 7,965 complaints of cyber crime, he said. That rose to were 9,217 a year later and 11,518 in 2016. That doesn’t include reports to other forces or the Canadian Anti-Fraud Centre.
In an interview later Doran expanded on his comments. “I think we’re doing a great job with the capability and capacity we have … At the end of the day what we’re probably not doing enough of… is to make more Canadians aware of the threat of cyber crime.”
“We need to be realistic in espousing expectations to the public – what the government and police can and cannot do,” he said. “We need to take a step back from the way we do business every day and look at different models – for instance, the Canadian Anti-Fraud Centre may be an area where we need more investment, it helps with prevention … Sadly, they’re underfunded, the good work they do isn’t known enough, but there’s other things we can do other than investigate. And police need a leadership role in that evolution.”
He would also like Ottawa to amend the Privacy Act so police can in certain circumstances share personal information about suspects or victims with IT security companies who may have more tools and be able to help an investigation
There are 125 registered attendees for the three-day event, mostly from police forces across the country, including two speakers from the FBI.
Doran wasn’t the only one sounding frustrated. Mario Harel, president of the Canadian Association of Chiefs of Police (CACP) and chief of the Gatineau, Que., police complained that reports of cyber crime “has not resulted in a great deal of action” by Canadian policy makers “Are we making it more difficult for police to respond to the demand for greater digital evidence in the shadow of the Supreme Court decision in Jordan [which puts time limits on bringing criminal cases to trial]?” Look at the Spencer decision [which said police need a search warrant to get basic subscriber information from Internet service provides] digital encryption and password protection and the challenges they pose for law enforcement.”
“From a policy perspective, law enforcement does not believe it has the right tools to help us deal with these issues to respond appropriately. Our lawful authority to collect digital evidence is eroding and criminals are benefiting. The CACP recognizes the importance of judicial oversight and authorizations in balancing public safety with privacy rights. What we have not seen is a great deal of action from a policy perspective to assist us.”
Canadian police here said they are hoping a proposal for a National Cyber Crime Co-ordination Centre (known among cops as the N3) will be favourably received – and financially supported – by the federal government and will go a long way to filling in the lack of cyber crime stats here. Those numbers would be used by police for public policy recommendations.
The N3, which is still in the design stage, would be a central clearinghouse for cyber complaints from small and medium businesses.
The conference also heard about the fledgling eCrime Cyber Council, a group of Canadian police departments, private sector firms and academics supported by the Canadian Advanced Technology Alliance (CATA). Among its goals is to work on prevention and help for cyber victims.
The conference is an opportunity for police to share trends they’ve seen and best practices, as well as to remind themselves that the fight against cyber crime needs the support of academics and the private sector.
Parts were conducted under the Charter House Rules, which forbids speakers from being publicly identified unless they give express approval.
One theme that popped up often was the reluctance of victimized businesses to call police for a variety of reasons: Embarrassment, fear of reputation damage and an assumption that the perpetrator is out of the country. “A lot of victims want you to mitigate, and I don’t blame them,” said one speaker … We’ve had several ransomware calls where there isn’t a lot we can do for you and as far as investigations go, it’s going to be tricky.” Organizations mainly want to get back up and running as soon as possible and prevent the attack from happening again, he said.
“We start with asking [the business] for a victim impact statement,” said one speaker, “and that’s often where it stops. They don’t want to admit there’s been an impact.”
But another noted the need for police to get to know businesses in their community and partners – like law firms and private forensic investigators businesses will call — and their needs before a cyber event. “I don’t think everyone understands the roles and expectations of all the partners … “Being proactive, being ahead of this is critical when it comes to an actual event. It’s not about calling the police, but when you call us, how do you handle the evidence — do you know how to handle the evidence — what evidence do we require and what are your expectations once we have it?”
In an interview, Scott Tod, deputy chief of the North Bay, Ont., police force and co-chair of the CACP e-crime committee, admitted the impact of businesses getting better at cyber security will ease the load on police “a lot.”
“One of the most vulnerable sectors is small business. They don’t have the funds to set up a good cyber security structure within their networks. Having a good, robust cyber security awareness program for small business could have an impact on prevention, and more importantly, reduce the number of cyber crimes.”
One way to get to that level is to reward firms that bolster cyber security, he said, with perhaps a tax incentive or a recognized designation.
It’s not all bad news, Det. Insp. Rick Hawley, manager of cyber operations at the Ontario Provincial Police, said in an interview. Canadian police have made “great strides” in fighting online sex exploitation of children, fraud and identity theft. But data theft, DDoS attacks, ransomware and hacking police here still don’t have the people and technology resources they need.
As for whether firms should report cyber crime, he admitted it’s a business decision. But he added, “criminal activity should never go unreported.”