Organizations are too afraid to report cyber crime to police, says a Toronto police investigator, which impairs law enforcement’s ability to go after criminals.
“Corporations are concerned about their reputation, their stock price and share valuation, and these are the things that prevent them from coming to law enforcement early in the process,” Det. Const. Kenrick Bagnall of the Toronto Police Service’s cyber crime unit told a conference Tuesday.
“The sooner an individual or a corporation comes to law enforcement it increases the chances of a positive result tremendously.”
Bagnall was a speaker at a day-long financial crime seminar in Toronto put on by SERENE-RISC, a network of academic, public and private sector researchers promoting the spread of IT security knowledge. The seminar was a prelude to the annual eCrime conference of the Anti-Phishing Working Group, being held this year in Toronto.
Bagnall is a former computer consultant who became a cop. The 12-person unit he works in supports other police sections in their investigations with tasks like capturing evidence from social media or a video, or tracing MAC and IP addresses.
In an interview Bagnall expanded on his comments. “Companies aren’t coming forward because they’re ill prepared … Their systems aren’t logging traffic properly. We need server logs, we need firewall logs, we need this log, that log and they don’t have anything for us, or they have a small portion or they’re not archiving stuff so they can go back 60, 90 days and give us information.” Instead organizations bring in private analysts to look at the data they have, he said, but that risks contaminating potential court evidence.
“Eventually they come to law enforcement, and they’re closing the barn door after the horse has been let out. And there’s only so much we can do, because even if we do make some headway we run into a continuity of evidence issue (in court).” A defence lawyer will ask, ‘Who’s examined this file, this firewall before you, officer?’
“Unfortunately we do live in a world that’s monetarily driven and when share prices and stock valuations and things like that (and) corporate reputations are at play, sometimes in my humble opinion, doing the right thing and going to law enforcement early takes a back seat.”
Some industries, he added, are better than others. Going back several years when he was a fraud investigator he found Canadian insurance companies were much more willing to call police. “Very good investigators internally and they’re putting together packages and saying ‘This is our guy, here is our body of evidence, you do your thing now’” — and they hand over a CD filled with copies of documents.
Utilities, healthcare and organizations with network-attached machines are also among those willing to call police. Retailers and banks less so on large breaches, he said.
Bagnall also had tart words for some social media sites and service providers who are not, in his words, “law enforcement friendly.”
In one case Bagnall had to track down the IP address of someone who had made a suicide threat. (He didn’t detail how police learned about it.) Initially it was traced to a small chain of hotels in Southern Ontario. When he asked the service provider by phone for the subscriber information because there was an immediate threat to life, a supervisor refused unless there was a court order. Bagnall demanded the supervisor’s name for a report “because in 30 min when I find out this person has ended their life it’s on you.”
The provider called back in two minutes with the subscriber information. “Not all providers are friendly but we make inroads every day,” Bagnall said.
In 2014 the Supreme Court of Canada ruled police can demand personal information from a provider in exigent (urgent) circumstances.