Reimagining Cyber - real world perspectives on cybersecurity
Explore the critical intersection of cybersecurity and business impact while gaining insights into CISO priorities with "Reimagining Cyber." Stay informed on the latest cybersecurity news, trends, and solutions tailored for today's CISOs and CIOs. Episodes cover a range of topics, including the role of AI in cyber security, technology, preventive measures to stop cyber attacks, response strategies for cyber attack victims, cybersecurity challenges in healthcare, the future landscape of cyber security, computer security essentials, managing cybersecurity budgets, and the implications of SEC rulings.
Engage with industry experts and CISOs who share their perspectives on what matters most in the cybersecurity landscape. Hosted by Rob Aragao a seasoned security strategist with CyberRes, this podcast is your go-to resource for staying updated on cybersecurity developments and addressing common challenges in the rapidly evolving digital landscape.
Reimagining Cyber - real world perspectives on cybersecurity
Cyber Resiliency on a Global Scale: More INTERPOL insights - Ep 114
In this episode of "Reimagining Cyber," host Rob Aragao continues his insightful conversation with Craig Jones, former Director of Interpol’s Global Cybercrime Directorate. They delve into the countries most targeted by cybercrime and the regions where these crimes often originate. Craig highlights the challenges of combating cyber threats in areas with limited law enforcement capabilities and underscores the critical need for international cooperation. The discussion explores successful regional collaborations, the development of international cybercrime conventions, and the importance of resilient infrastructures, especially for SMEs. Craig also emphasizes the need for security by design in technology, regular preparedness drills within organizations, and ongoing global efforts to enhance cybersecurity through awareness campaigns and private sector partnerships. Despite the challenges Interpol faces, the episode underscores the importance of operational relevance, capacity building, and community engagement in the fight against cybercrime.
Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com
[00:00:00] Rob Aragao: Hello and welcome to reimagining cyber. I'm Roberego. And if you've listened to last week's episode, you have heard me speaking to Craig Jones, the most recent director of the global cybercrimes directorate at Interpol, Craig explained how Interpol connects to various international police forces and collaborate through cybercrime operations, the challenges of dealing with borderless cybercrime and the critical roles of cyber resiliency in protecting organizations, a subject very close to my heart.
[00:00:30] But before we knew it, we were out of time, and there were still so many more questions I wanted to ask of Craig. So Craig was so kind to come back on and join us for a second week running. Craig, thanks so much for joining me again.
[00:00:42] Craig Jones: Yeah, thanks Rob. It's really good to be back with you on a second episode, looking forward to our discussion.
[00:00:47] Rob Aragao: Let's continue our conversation and look at the countries that are most targeted for cybercrimes, as well as who the perpetrators are that you're most concerned about.
[00:00:55] Craig Jones: Let's break this down, Ben. So we look at, you know, victims first of all, where are you more likely to be a victim of cybercrime? I think you're more likely to be a victim of cybercrime in a country or an economy which is more digitally advanced effectively.
[00:01:10] So Historically, we can look at the West in that. So this is the ransomware piece we have coming out time and time again, and the business email compromise. So the cyber criminals would look at that, that financial side of things. So that's probably more in the English speaking sort of West where you've got a combination of both sort of frauds, as well as those technical attacks.
[00:01:34] So being the technical side, they go off the vulnerabilities and the frauds, They go after, you know, the opportunities to engage on a one to one basis or do a volume and then narrow it down and do those sort of business email compromise. So we're seeing it more and more. You then look at where's the infrastructure base?
[00:01:51] Well, the infrastructure is everywhere. So that's one of the big challenges we have is, you know, the infrastructure is used by the cyber criminals and used by everybody else as well. So how do you identify that infrastructure and then get that taken down? So I think there's a technical aspect to this, which we could be better at.
[00:02:07] But then you come into those, let's call them hard to reach jurisdictions. And I probably best for me to talk about some sort of examples here. When we look at that, we see about the cyber attacks are reported emanating from Iran or emanating from the African subcontinent or emanating from the Far East or emanating from Russian speaking companies, countries as well.
[00:02:29] So you, you've got those. Same countries coming up time and time again, and you've got then that piece, whether it's a state act, whether it's a near state act, and these are sort of in the cybercrime space, and I should add here, you know, uh, North Korea is not a member of Interpol, so we don't have reach into or with North Korea effectively.
[00:02:53] And so some of the examples I'll give in that is the way law enforcement is trying to operate now. And we have seen some good examples where we've seen cooperation between the US and Russia. Um, Colonial Pipeline, we've seen. Yeah, okay. Sometimes there has been that cooperation and some arrests have been made.
[00:03:11] But I think if you looked, um, at where If you look at a clear global graphic about where the main rataware attacks are happening, there's not many happening in sort of Eastern Europe, Russia, those sort of countries. So I think, you know, it doesn't take a particularly savvy analyst to work out, well, okay, well maybe quite a few of the attacks are coming or we, you know, cybercrime is emanating from that region effectively.
[00:03:39] I think also I'd sort of mentioned Africa in that as well. What we're seeing is where you have economies that are growing really, really quickly. Um, in Africa, you know, you've got a lot of people, it's more on the micro side. So using their mobile phones to conduct their businesses, sharing mobile phones with each other's swapping SIM cards in and out.
[00:03:58] Um, you know, that's potentially more vulnerable, but then you look at, you know, Crime emanating, let's say, Nigeria, for example, you know, there is an organized crime network in sort of Africa, whether you call it Black Axe, which is a wider organized crime group, or whether you look at some of the smaller villages.
[00:04:16] And we've seen here where you've got extreme poverty in that country, you know, there is an opportunity for them to make money through committing cybercrime. If it works. You know, they're going to do it so that very similar to Eastern Europe where we have the villages in Eastern Europe were identified back, you know, the nineties, early, early two thousands where you had a whole community there committing cybercrime.
[00:04:43] So it is, it is a global challenge as we know, um, where and how we then take the prevention piece in there or we take the operational piece. We've seen some really good coordination in Africa recently and that partly stems from us as Interpol setting a desk up. So 2019 it was my first regional cybercrime working group meeting in Africa.
[00:05:07] I was in a classroom in Nairobi in a police training school. There's probably about 15 people sat around the table, um, and we were talking about a challenge that they were faced. And I think it was someone from DACA said they'd done a raid recently in a house and they thought it was human trafficking going on, people being put through that house.
[00:05:25] But actually when they went through the door, it was effectively, uh, an online. Cybercrime farm. So you have people sat there behind screens committing cybercrime. They didn't know what to do. Um, they didn't have that capability or that capacity. Now that's 2019. So fast forward during COVID and we've seen what's happening now.
[00:05:45] Currently we're seeing cybercrime groups who are emanating from the Far East. They're setting up You know, very large cybercrime centres, let's call them, in the Far East. They're attracting people saying, Oh, here's some jobs, come and work for us. And it's a good IT job. You've got people going there.
[00:06:04] They're then met at the airport, passports taken off from them and bang, you know, they're all based, it's that modern human slavery effectively in that digital space. So we, we see that come through. But in Africa, as a result of that, we decided then to let's set up a regional operational desk. And by that, we looked in our four regional bureaus in Africa, which are spread out, sort of, northeast, southwest, so we could place staff in those regional bureaus.
[00:06:30] We then put threat intel piece into Singapore, which is where we run the main center from effectively. work with the private sector. And in recent years, we've carried out multiple operations, either targeting specific organized crime groups, especially in Nigeria. And, you know, and you say to Mr. Uchila, I'm really sorry, we're going after these criminals.
[00:06:50] No, great. We, we know we've got criminals. We want to. Demonstrate to the world that we are disrupting cyber criminals in this country. So that was going after the people, but also then there's the infrastructure side of that. So we created a framework. So I said previously about the processes, we created a framework, but on the top of that framework for doing cybercrime operations in Africa with the countries in 2022 in Rwanda, we had 40 plus countries agreeing to that framework with AfriPol, the African Union.
[00:07:22] So we got buy in from those regional entities as well. And that's really, really important. We then signed the framework off, but at the same time, we trained staff there for what we call the surge operation. So what we looked at there is, We provided secure platforms for them to come on to. So let's remember the countries here, some of them don't even have ways of communicating.
[00:07:43] So we were able to then provide them with secure interpol platforms. We could put the data on there. And that was looking at compromised infrastructure on ISPs within those countries. And we then analyzed the legislation in that country. So within our team, I'm working with those countries. So look, this is your legislation, Under that legislation, they are potentially committing an offense by hosting that on their infrastructure in the ISP, or the terms and conditions which the customer, i.
[00:08:12] e. the cyber criminals have signed up to, is being breached, so you can take that down. Last three years now, we have maintained that work match surge operation within Africa, so what we're doing there effectively is we're going in and giving some training. But on the back of that training, that always has to be an operational outcome.
[00:08:30] I think, you know, you look at some organizations that do a lot of training, but how do you then back up that with operational activities? Trust me, as a law enforcement official, we all love doing a nice course for a week and getting tea and biscuits and a certificate at the end of that course. But then you need to use that.
[00:08:47] Now what we can then do, we can then plug that desk into those countries that do have those capabilities, or are able to identify the victims, and then they can share that victim data into Nigeria, so then Nigeria can do that prosecution. So coming back to your point there about where are the cybercriminals emanating from, what we should be able to do is use the processes that Interpol have put in place, which I spoke about, those sort of operations, and then when.
[00:09:17] The FBI unseal indictment on three Iranian cybercriminals and say these are three Iranian cybercriminals that are committing crime globally, ransomware, et cetera, but also they're committing crime in Iran. I should then be able to speak with the FBI and say, right, FBI, how can Interpol support you in that investigation?
[00:09:37] Because you've got the evidence. How can we now take that into Iran and go after the cybercriminals? My language here is very clear, criminals. Not talking about the countries, not talking about the politics side of it. We're shut to one side, that's where law enforcement is maturing, but we're not doing it quickly enough, effectively.
[00:09:57] Because what is happening is, you know, it's like anything, the criminals will take the path of least resistance. They will go, where we may not get caught. They may go where it's easier for them to operate effectively. Um, so investing everything in one country is not always the answer. And I'm not saying Interpol is the perfect solution.
[00:10:16] Far from it. It is a lever that can be used by all 196 member countries effectively.
[00:10:24] Rob Aragao: No, and that's excellent. Now, one of the things you discussed briefly, I wanted to delve a little bit deeper, is the issue around jurisdiction. You talked about it as it relates to, you know, hosting centers and, you know, an organization may operate out of one particular country.
[00:10:38] The reality though is that it's traversing different ISPs to get to wherever the infrastructure resides. How do you, well, I guess maybe, let me ask this way. What are the common issues you've come across in dealing with jurisdiction? So I think,
[00:10:53] Craig Jones: let's put the geopolitics on the table to start with. There is, the countries will not cooperate directly between themselves because of the, uh, governmental challenges, things like that.
[00:11:03] So that, that, that's one part of the challenge within this. Um, I think also it's how do you regulate or how do you address a global problem through global regulation. Because that's one way that you have to do it. So do you do that through the prevention and resilience piece? Absolutely. You know, that should be the first piece we're doing.
[00:11:26] Totally is about how do we make it more resilient? I think maybe we've all got a little bit too used to the speed of the internet, being able to get on and use things more effectively. We don't want to be bothered with that security nonsense. You know, someone else does that. So how do we put that more in the background that doesn't harm the user experience, but makes them more secure?
[00:11:44] Embedded into it. Yeah, that's that's that's that's one side, but the second side is okay. Well On a regional basis, where can we do this more effectively regionally? So where's that political will regionally? So looking at through that political lens of the European Union, the European Union has 27 plus countries as part of that European plus like minded country.
[00:12:05] So you've got one body there. So that's one area. Look at it. If you look at the Shanghai corporation organization, that's a huge regional entity. Um, you know, Russia, China, India, Pakistan, Lots of people within in terms of population sizes in there. So how can you pull on those different regional entities on the on the prevention piece?
[00:12:27] But then also how you pull that into the operational piece as well. Now, you know, we know some of these cybercrime investigation can take 345 years. That's that's that's too long effectively. A lot of that is because they cross jurisdictional issues. So piece of work has just been completed. United Nations.
[00:12:45] Um, it was kicked off by Russia, actually, probably about 2019 20. And what was that looking at was a new international convention to, um, counter the use of information, communications, technology, and criminal purposes. It's been known as the Ad Hoc Committee for Cybercrime, effectively. Now, from a law enforcement point of view, that's really important, because what that was looking to do was provide a new, international convention for cybercrime.
[00:13:11] So having some common language in there. So coming back to my point where this is cybercrime in one country, it needs to be a cybercrime in another country. Right. That piece of work was just signed off the United Nations, that convention back at, uh, beginning of August, actually, that'll go to the United Nations General Assembly to be voted on.
[00:13:29] And then what happened then is the country should ratify that in the coming years. So again, that's putting some of that process. It's boring. I know that. For some people, they'll look at it, but we, we, we, we need that in there first of all, because if you don't have that common language, that now gives me or gave me an opportunity when I went into Russia and spoke.
[00:13:48] In Moscow to a number of senior people in Russia about that. They said it's all you have to agree that our convention is to correct. And I was able to say, no, I don't have to agree. I worked for 195 other countries and that process will go through United Nations. I recognize what you're saying. I recognize there's a need for that, but there's a different body that that will go through effectively.
[00:14:11] So once you have these things in place, once you start shining the light on where the cyber criminals are, you can then start putting the pressure, for want of a better word, for those jurisdictions to deal with it effectively. But again, you know, we, we're always going to have, you know, one country will say, oh, that's white.
[00:14:30] Another country will say, well, no, that's black. So you're going to have those, those, those differences. I think what we do is we build this out through, uh, use a case example. So we, we, we talked briefly about Africa, that regional guests we've got there. We've set one up in Asian South Pacific now. So we're looking at, okay, what's going on in that region at the moment?
[00:14:51] Now that's more of a hybrid type thing where you've got people. In or being held against their will or committing crime in these calls when a call centers digital centers. We start the call centers emanate from India and they did a lot of work in that space. So, you know, the mobility of the criminals.
[00:15:08] We need to make sure we're as mobile. We do that disruption as well. But we see some great examples just recently where we saw sort of, um, some malware which was developed in Brazil affected by cyber criminals in Brazil. And then was impacting into Spain into the banking system in Spain. So we were able to work with Brazil, with Spain and some other countries on that.
[00:15:33] And I think right about March time is two year on investigations, a number of arrests were made. What happened there is you had Spanish officers and Interpol officers going to Brazil. They don't have the right to arrest, but what they can do is act as that trusted advisor on the ground and reach back into their country very, very quickly.
[00:15:54] So that model of policing around making sure that the on the ground support is there when the criminals are being arrested, or the infrastructure is being taken down, is absolutely crucial. And we've also seen this in things such as the Olympics and the World Cup. Interpol can bring together the private sector, the government, um, law enforcement into, if you like, one operating space when there is one major event to help make that more resilient as well.
[00:16:22] It comes back to your point, Seb, being able to share that information in real time, making sure that gets to the right people so they can take the right steps and measures to either shut that vulnerability down. or disconnect effectively.
[00:16:38] Rob Aragao: Those are great examples, by the way, Craig, for actually kind of, again, putting the light on the reality of what you've seen out there, um, transpiring in that, in that regard.
[00:16:47] What I wanted to do is start transitioning now into the recommendations coming out of Interpol, you know, how to best deal with different types of, um, cybercrimes and prevent them ultimately. Also maybe, um, amplify a little bit on detection. and prevention. So, you know, what are some of the kind of guiding principles around detection?
[00:17:07] And then also the, the disruption aspect as it relates to judicial outcomes. So do we, you know, do we really go after this thing because we, we feel we're going to be in a good shape to be able to actually prosecute or not? Like, you know, how, how do you kind of gauge that? So maybe again, overarching, what are some of the common recommendations that are coming out of Interpol?
[00:17:25] Craig Jones: So I think we did a piece on ransomware. I want to say it was during COVID, I remember it was very late in the evening. We, we ran a sort of A global workshop on ransomware. So we had, you know, well over 500 people on that global workshop, looking at that ransomware. One of the parts we looked at there was how, how do we prevent it?
[00:17:45] And, you know, a lot of the onus here is around that. Coming back to that resiliency piece, you know, what is it that we're trying to protect? So being able to identify what's within a company or within a group Government agency or as an individual. So first of all, having that that awareness we we've seen and I'll use the UK as an example here.
[00:18:10] The first one, uh, we had a thing called cyber essentials, which looked at what are the essentials that you need? And we were focusing them on small medium enterprises. So you almost had a big gap here. You had Large corporations, organizations that had money but could afford that protection and buy that in.
[00:18:28] You had the people at the bottom layer there, but, you know, yeah, okay, if they were going to become a victim of cybercrime, on a volume side of things, there'll be an impact. But actually, the middle tier, those sort of small, medium enterprises, they were the ones that were particularly vulnerable because you've got small agile startups or companies that are part of that supply chain.
[00:18:51] How do you make them more resilient to a cyber attack? So where do you do that? So you start off with that simple, simple advice. So there's a campaign. How do you draw them in? So it It's almost like any business. You have to identify the market and how you're going to get into that market. One of the ways the UK did it, they set up Cyber Resiliency Centres, CRCs.
[00:19:14] In fact, I'm heading up to a conference this afternoon in Aberdeen, where we're bringing everybody back together to work through that. It's actually a global conference, but the centre there brought together law enforcement, small media enterprises, so, you know, it's a very, very, very Those trade industrial bodies that represented small businesses all came together and also um, universities where you had students that are doing um, cyber security degrees or computer science degrees.
[00:19:44] So what was able to be brought together there was, well this is the problem we're trying to address. How do we make businesses more secure? Here's the businesses and here's the future. But I'm looking to address that. So bringing that all together. So as a law enforcement, you're looking to help protect then as the industry, you want to make yourself more resilient.
[00:20:03] And then as the sort of students you're able to come in and whether you're doing a project pro bono or something like that. For a business, you're able to get back to experience. So you have to start on that, that, that, that small scale. You can't do this on a volume piece to start with. It's really, really hard when you look in the U S at the moment, I, I, I just call it security by default, but how do you build in that security at the very start when you're writing your program, you know, how do you put that in there where the user is not interested?
[00:20:33] The user does not worry too much about. What they're doing they just want to be able to get online They want to be able to use that service that software that app. How do you make that more secure effectively? And we've seen that Amplified out from the U. S. out into the far east in Singapore. You've got a number of countries.
[00:20:52] You've got a number of companies signing up to this. You know, secure software. Effectively, I probably haven't got the wording right, but you know, it's coming back to those core principles. How do you do that prevention side? We're in Nepal. We've run global awareness campaigns. So, you know, um, you know, Mhm.
[00:21:11] OneClick was one of the ones we used, so making people think about, you know, when you are clicking that, you are one click away from potentially becoming a cybercrime victim effectively. So you've got many different avenues, but I think for me it should be more in the background. Um, so the user experience is there, which you want them to have, and whose responsibility, it's all of our responsibility, we know that, you know, where it's the user.
[00:21:38] Whether it's a cyber security company, whether it's the government, you know, we all have that responsibility. You know, I, I know when I was in Singapore, for example, I could walk through the Botanic Gardens at one o'clock in the morning. I could walk down and I knew I was in a very safe country. That's just an example.
[00:21:56] In a physical sense, because of the security levels that were put in there and, and the environment that I was. In the online space, it's slightly different, isn't it? You know, um, you've got people maybe take a more relaxed, risk based approach. Again, thinking of my words here, on the different sites they'll go on to, what they would download.
[00:22:20] Um, and you know, cyber criminals will look at, okay, well if you're going to download this app so you can watch Premier League football for free. We're going to put something on there, you know, so again, it's that that understanding within that space and I'll only mention AI once, but this is where we're going now where we have this real change coming and it's going on at the moment.
[00:22:43] So in the cyber security space, how AI can be used more effectively protect us, but then the criminals are looking at as well. So we won't go down that route now because we'll be here for probably a week talking about it. But, you know, there is always something around the corner.
[00:22:57] Rob Aragao: Yeah, and there always is.
[00:22:58] We've, we've, I'm not going to shock you by this, but we've had plenty of discussions on the podcast on AI.
[00:23:04] Craig Jones: Yeah, yeah. Yeah,
[00:23:04] Rob Aragao: yeah. And there's no question that, you know, the cyber criminals, the bad guys are absolutely, you know, no question again, leading in the way. You, you mentioned a couple of things in your response to my question that I do want to call out because they're so critical.
[00:23:16] Uh, the core principle, which I, I've been driving that for such a long time too, which is the aspect of, uh, security absolutely needs to be embedded in. Right. It's all about the experience, how seamless can that experience be. Not having the end user look for the loopholes because they're so sick and tired of how difficult it is from a security perspective, right?
[00:23:35] Um, and that really drives back into the secure by design principles, as you were discussing. Um, the other thing you were alluding to was more of a SBOM software bill of materials, right? So we've been pushing hard on, you know, the need for that kind of the, the ingredient label, if you will, when you go and take a look at something in a grocery store, as an example, kind of that, that keeps it really simple.
[00:23:53] So all. really important aspects of, again, just making security that much more easier, but absolutely baked in at the very onset of any sort of program.
[00:24:03] Craig Jones: And I think just to go with security, and I think, you know, we're guilty of this. So we talk about cybersecurity, we talk about technology. For some people, it just, they switch off straight away.
[00:24:13] As soon as you hear that, they switch off. How can we use this language? How can we make it more relatable to that end consumer? You know, IOT. Okay. Well, how do you know what you're plugging into? How do you know whether that's secure or not? Well, they shouldn't really have to worry about that too much.
[00:24:30] Really. They want to be able to, you know, have a system where they can, if they want to log in and see what's in their fridge, I don't know why someone would want to do that, but I'm sure there are some, but, um, again, I think quite often what happens is, um, We develop technology very quickly, and then we look for a user case about how we can use it, rather than doing the other way around.
[00:24:52] And I'm not saying that doesn't happen, far from it. But I think actually we create things sometimes, and think, oh, we could use it there. Oh, that's not actually what it was designed for. But do you know what? If that works, yeah, let's adapt it and put it in there. And with a couple of tweaks, I do those tweaks now, but now introducing vulnerabilities into it as well.
[00:25:10] Um, so yeah, it's, it's the whole ecosystem, but again, I'll just transfer that back into the physical sense. You know, when seatbelt, well, when we first had cars, this is going to be terrible, we're going to cause it to be terrible, you know, we then had brakes with developed cars going too fast. Then we had seatbelt.
[00:25:29] you know, unfortunately there are still accidents that happen. My son yesterday, bless him, managed to have an accident in his own car. Um, you know, this happens. Um, but I think what happens in that cyberspace when we do have the, let's call them accidents, the amplification of those accidents are massive because, you know, whether it's a cyber criminal or whether it's a A faulty software release or something like that can have big ramifications.
[00:25:55] Right. Um, and all of a sudden, bang, that is out there and everybody is aware of it.
[00:26:00] Rob Aragao: And, and it's, it's a great analogy, right? It's that minimizing the impact, right? It's about safety. So as these accidents will continue to happen, of course, but the key is that we're making it safer. We're minimizing the impact.
[00:26:11] It's the same as you're calling out. Translation into the cyber security world and again, those analogies, I think it's what's critical when we have these conversations, especially at the business level. So, I want to pivot into kind of this, what I like to call, you know, the, the crystal ball, if you will, Craig, look at the future, right?
[00:26:28] And so, um, again, You've just transitioned away from your role at Interpol and running the Cybercrimes program. Um, Tons and tons of great evolution of the program that you and your team have put in place. You're leaving, I think, the incoming team members in a great spot. What's next? What's desired? What's part of that?
[00:26:50] Here's what you wanted to accomplish and kind of what you're also seeing, you know, the greater of Interpol to become.
[00:26:56] Craig Jones: I think for me, I'm a program manager as well. So I came in to take on the program and basically crash the program and rebuild it. So the first part was to make Interpol more operationally relevant.
[00:27:07] So it's not saying we're going to leave the operation. So identification of threat. As I came back to it at the start, threat, risk and harm. So what's the threat? What's the risk? What's the harm it's going to cause? And then how do we mitigate that? So that's that normal program manager blah speak. I think I was there only for about eight months and COVID came along.
[00:27:24] Now that was a really good opportunity because that allowed me to sort of shut the program down and rebuild it. And we, we built it on that principle of reducing harm to communities from cyber crime. So we've got four main areas we focus on. I think moving forward is We've got to narrow those areas down because we can't do everything.
[00:27:42] When you look at the funding that goes into Interpol, um, I think the budget we used to have in the UK for doing prepare work for law enforcement for cyber was about 40 million pounds per annum. My budget at Interpol running a global program was, was even, was about one tenth of that, so I'll let the viewers work that out.
[00:28:04] So in terms of investment, I think first thing I'll say to countries is, where do you make that investment where you're going to get a good return? Hopefully, over the last five years, we've demonstrated Interpol can implement on the cybercrime piece. Good programs of work, which have an impact, but a lot of our work is, is funded through project funding.
[00:28:25] So we look at these cycles in countries, US is a good example. You're just coming through a new election. I, I, when I arrived, Interpol, you have one administration in, and another administration came in. So I could see those differences in the uk in um, Europe, in some of the far East countries now in Singapore.
[00:28:45] You had a very stable government there, but invest over a period of time. So they will be looking five years ahead. In the Middle East, you have countries there looking 10, 15, 20, 50 years ahead. So, how do we look at this over a longer time period, and how do we fund into that? So, what are the resources we're going to put in there?
[00:29:04] I think the challenge Interpol has, and will always have that challenge, is, you know, we have, to quote, you have nefarious countries within Interpol. Yeah, that's good. Because we've got them in the building. We've got all countries in the building. And just because you say that country's in the fairest country, that country might be saying you're in the fairest country.
[00:29:23] So, you Get away from that side and look at the crime side of this. So how do we reduce that, that crime aspect? So understanding the fret work of the private sector, we see some great work now with the private sector coming together. So you, you, you touched on it earlier around that competitive edge that private sector has.
[00:29:41] Well, the UN have introduced the ESG reporting. So this is the environmental social governance reporting. So companies have been made more. Aware first of all of what their social responsibilities are. So how do you invest? Do you invest in money? Do you invest in data and information? So that's one example where companies are coming together now.
[00:30:05] And there's a piece of work we did for the World Economic Forum called Partnerships Gain Cybercrime. It started off as a paper back in 2020. You've now got a number of leading cybersecurity companies coming together and working and looking at the four main threats. Partnerships Gain Cybercrime. for organized crime groups, gunners, threats, and looking at a crossover point and then pulling that data out and putting that into Interpol and Interpol's endpoint at the country.
[00:30:25] So there's, there's a good example, right? You're thinking back, back and growing further, but then you need those operational deaths and making sure that you've got the connectivity between those countries. And it does come back to those person to person contacts, right? You know, It's really hard. That that trust model is really hard.
[00:30:43] You build up over time. So, you know, the new director, uh, Neil Jetton from U. S. Secret Service, he's got some really great ideas that he's going to help build on some of the things that are already in place. But looking at the operational side of it is absolutely crucial, operational coordination.
[00:31:00] Interpol's not going to be able to build in every country those capabilities and that capacity. And for me, there's a, there's a subtle difference between capability capacity. We hear a lot about cyber capacity building, but what that means is, okay, what, what, what are you trying to build? So when I have a drink of water, the capability of that water, you know, quenches my thirst.
[00:31:26] If I had a whiskey, there'll be a different capability within that, wouldn't there? So identifying those capabilities and making sure that you can build those capabilities, but then on the capacity side of it, I'd say we need to build more capacity into that resilience in that crime prevention side. Um, but again, as Interpol, you're going into multiple jurisdictions, multiple countries, so you've got to have that cultural sensitivity about how you deliver that into those countries and Again, coming back to the private sector, being able to be that vehicle to help deliver that as well with, with, with governments and regional bodies.
[00:32:03] So looking it through a regional lens, looking it through a cybersecurity lens, and then looking it through a national lens, and making sure you're doing that prevention piece and that detection piece first, because if you can detect, then you can prevent. And then, yeah, you might do an investigation. But actually, what does that investigation lead to at the end of the day?
[00:32:21] It might give some more information. Okay, we can build that back into prevention. And then the disruption bit, which you touched on there is, you know, we do need to lock cyber criminals up. There has to be some consequences to their actions. And I think there was a Canadian that was arrested in Florida.
[00:32:36] Um, a couple of years ago, uh, and the judge in his summing up said if he hadn't pled guilty, I mean, he's an affiliate for ransomware, uh, syndicate. If he hadn't pled guilty, pleaded guilty, he would have, he would have got life. I think you've got something like 18 or 20 years that sent out a really, really strong message to the cyber criminals, folks.
[00:32:56] These are the consequences of your actions, and when you see your actions have consequences and you are going to get pulled up on those, you know, that again will, will make a difference. But I'd, I'd caveat all of this by, you know, we still have crime in that physical sense. I think in the technology sense of cybercrime, initially we thought we, we could design our way out of this.
[00:33:20] Technologize us our way out of this. We're not really going to be able to do that because we've got the people to factor into this as well. So we're going, how do we do that more effectively in the future is a challenge, not just for Interpol, but for our listeners here as well. Now, I'm coming back to my point.
[00:33:40] You know, a lot of this is about that creating communities to protect communities, having that common mission, having that common purpose. Effectively I'm retiring, but I'm going to continue in that space for a little while
[00:33:49] Rob Aragao: longer. There's a passion behind it, obviously. It comes across. So, you know, Craig, first off, thank you, thank you so much for coming on and sharing more about the reality of what Interpol does in the cybercrimes program.
[00:34:02] Thank you for the great work that you've done over these past years in evolving the program, getting additional buy in from all these different countries, which is I can only imagine the feat involved behind getting them to collaborate, as we discussed. But also, you know, sharing some of the examples, I think it's critical for people to understand kind of, um, the interconnection points of where Interpol is able to engage, um, and those examples you shared are great ways for people to better understand that.
[00:34:27] And then the last question I actually have for you in closing this out is, Where can our listeners go to hear more, listen to, you know, some different conversations maybe you and the team have had, resources they can read, kind of, what's that point? Because we'll definitely include that in our show notes as well.
[00:34:41] Craig Jones: Yeah, I think, you know, one thing I'll say is just search Interpol cybercrime. We've got a whole section within that. But I'd also say, look at nationally what's available as well. So on that national context, again, coming back to that, having the, the different cultural. inferences within cybercrime, uh, within prevention works is really, really important as well.
[00:35:05] They, they are quite nuanced. You, you will see some countries will take a, a more foreign territory started where they will block, you know, they will just block services and things like that. Other countries don't so much. So I think what I've seen from sort of cyber security centers in countries, there's some fantastic advice coming out from there, but you know, It's a CTO in a company might look at it.
[00:35:28] Um, but a board probably wouldn't do. So how do we draw back? How do we make that realistic? Um, one of the things I always like to say to sort of boards when I'm speaking to the boards, okay, well, I'm sure you've got a really Great procedure for how you deal with a cyber incident. You don't want to be pulling that out and using that in anger.
[00:35:49] When you have that incident on a Friday night or a Saturday early as a Saturday morning, you, you've got to run these drills, like a fire drill. You've got to have these regular drills. Yeah. You've got to build that in, in, in, into that company ethos. And it's got to start at the bottom and at the top and all points in between effectively.
[00:36:07] Rob Aragao: Yeah, totally agree with you. And again, you know, things like tabletop exercises, these, these great examples of, again, run through the different scenarios to your point. Don't do it while the fire is burning. Right. So, yeah. Thank you so much again for, for all this information that you've been able to share with us.
[00:36:22] We truly appreciate it. Until next time, my friend, good luck on your new opportunities. Thanks very much indeed Rob, and uh, thanks very much for everybody taking the time to
[00:36:29] Producer Ben: listen to this as well.
[00:36:34] Hello, producer Ben here, and if you cast your mind back to the start of this episode, Rob said that cyber resilience was a subject close to his heart. Well, if you also feel that way, then there are plenty of editions of Reimagining Cyber that you need to be aware of. One being episode 5, called the Evolution of Cyber.
[00:36:53] from cyber security to cyber resilience. It featured Ron Ross, computer scientist and a fellow at the National Institute of Standards and Technology.
