
June 2015

Law Enforcement & Security in a World Where Industry and National Boundaries are Blurred


Society never advances.  It recedes as fast on one side as it gains on the other.  The civilized man has built a coach, but has lost the use of his feet.  He is supported on crutches, but lacks so much support of muscle.  He has a fine Geneva watch, but he can no longer tell the hour by the sun.

Emerson, Self-Reliance 1844

Our society loves technological advances but often fails to see the downsides of its progress.  And in telecoms, the trade-off for greater convenience and versatility is very often increased fraud and lower security.

Take GSM.  It triumphed over CDMA partly because it was more versatile.  Users loved the idea of popping a SIM card in and out of a handset.  But that versatility also came at a cost, for it has enabled SIM box fraud.

Likewise, a PBX’s ability to redirect phone calls is a huge convenience for business people, but that feature opened the door for International Revenue Share Fraud (IRSF), a fraud which costs telecoms $4 billion a year according to the CFCA.

Are we destined to be forever reactive over security, fraud, and risk issues?  Or will we put wise standards, regulations, and frameworks in place that allow us to deliver technology that’s relatively secure and fraud-resistant?

This is a key issue of our time and here to discuss that — plus a broad range of fraud/security/risk threats on the horizon — is Mark Johnson, principal consultant at The Risk Management Group (TRMG).

Dan Baker: Mark, it’s been three years since we did our last interview together here.  I understand today you are focusing on a much broader plate of fraud and security issues — across both telecoms and other industries.

Mark Johnson: Dan, it’s well-understood that the technically-savvy need to be up to speed on fraud and security issues, but today tremendous education is also required of the decision-makers — the non-technical people, and lately we’ve focused on helping those folks understand the big picture.

Certain things are inextricably linked, I think.  We make a distinction between telecom fraud, financial theft, and cyber security, but the fraudsters don’t really care what silo we put a problem in.

When you look at the modern handset, it is a cyber device that happens to do phone calls — and lots of financial fraud is being pumped through that device too.

So our main audience today is folks at the Board level, executive board, middle management — people who are not computer geeks or telecom experts but who make decisions that are relevant.

We do a lot of one-day seminars and other awareness-raising activities and we have got quite a lot of business out of the public sector, the police and what they call in the UK, the Home Office, which is a mixed bag.  From a US perspective, imagine Homeland Security with all the main agencies reporting to it, it’s something like that.

Great, so as you and your colleagues in fraud, security and law enforcement look out on this complex and vulnerable scene, what concerns you the most?

Certainly one of the key things we are concerned about is big data.

Our view of big data is that big data brokers have already taken out all the information and are now packaging it up and selling it.  It may already be too late to think about effective privacy controls for the current generation of consumers, but we do need to think about them for the future.

The impact of big data on fraud and security is enormous for two reasons.  One is obviously that the exposure of citizens’ data is a security risk; fraudsters would love to get their hands on that kind of personally identifiable information and the concern is that outside the financial services sector, control is pretty lax in terms of who can collect the data and what they can do with it.

The second side of big data, though, is an opportunity for security professionals to profile good customers and digitally fingerprint suspected ones.  Powerful things can be done in terms of looking at a customer’s online behaviors, at the signatures left by their devices, how they move through a website, where they land on the site, etc.  This information can be used to build up intelligence on what good and what bad customer actions look like.

And of course, the law enforcement use of sensitive data to track terrorists is one of the biggest news stories of our time.

Perhaps you heard about the case of these girls who went to Syria from the U.K. to join ISIS?  They had been following a blogger who was radicalizing people and encouraging them to go.


The parents of the kids complained, saying, if they follow a tweet, that should have been sufficient for the authorities to take some action.  In fact, the authorities did take some action but they blundered a little bit, sending letters that ended up in the hands of the girls themselves instead of going to the girls’ parents.

The girls were 16 and 15.  The case demonstrates, on the one hand, the authorities were aware and following this radical conversation and were sufficiently concerned to send the letter — that was a good thing.  But obviously, they need to get it right next time and they have been intercepting would-be travelers since that time, based on a combination of tip-offs and surveillance.

My point here is there’s huge potential for technologies to be used for good and to prevent crime as well as obviously investigating crimes that have occurred.

Now the same principles would apply to a pattern of phone calls or text messaging between individuals.  I’m fairly agnostic in terms of whether it falls in the bucket or the cyber bucket.  I don’t make that distinction myself these days; data is data and a network is a network.

The Eric Snowden case and abuses of the Patriot Act are the stuff of legend in the US right now.  How well are privacy matters handled in the UK and Europe?

RIPA in the UK, which is the Regulation of Investigatory Powers Act, has one of the strictest regimes limiting what the authorities can see and the sense I have, based on some recent hearings in Parliament and a fair bit of press is that those restrictions work.

There may be individuals or departments that I am not aware of who are doing something they shouldn’t be doing, but the average law enforcement organization is not getting that data without demonstrating a genuine need.  In fact, they are frustrated over the tightness of controls.

So, obviously in other countries different rules apply but that is how it seems to be in the UK and Europe in general, so I think it’s fairly safe to say that across the EU, citizens are quite well protected in that sense, relative to many other parts of the world.

Aside from the question of law enforcement’s access to big data, the problem of sifting through all this information to find something is a huge challenge in itself.

Dan, one of the biggest problems there is the wide range of communications options that are open to people.

Users are rather agnostic about how they communicate.  So I can WhatsApp you and then 10 minutes later call you by phone.  We might have a Skype call an hour after that, and then I will send you an email with an attachment.  Then I will point you to a drop box to download something.  I will send you a message through Facebook and you will answer me with a LinkedIn message.

So these multi-channel correspondences between individuals are commonplace today.  And this is one of the biggest challenges security and law enforcement face because they now need to talk to multiple sources in order to access data.  And that’s assuming they even know which services an individual is using, and under what identity.

And we’ve become highly reliant on this multi-channel communications network.

Yes, with every passing year, we become more dependent on communications technology to the point that if we lost our phone networks and the internet for a few days, we will probably lose the entire global economic system.

That is not an exaggeration.  Take a look at something as simple as food supply here in the UK.  Our grocery stores use just-in-time delivery systems right now.  There’s only minimal warehousing, and if you lost the ability to process orders, there is no manual backup.  The consequence?  We wouldn’t eat.  Most of us would have three or four days’ food supply and that would be it — if they didn’t get it working again.

In the words of Black Swan author, Nassim Taleb, the world has become more fragile.

Absolutely, and it concerns me greatly.  When I think just how fragile it is and what the implications of the loss of communications really would be, it does worry me.

But the warehouses and sufficient reserves were eliminated to become more efficient.  From a risk management perspective, what we have is a single point of failure and that single point of failure, which is IP, is riddled with security vulnerabilities, under constant attack, and accessible to every enemy on the planet.

I think the cause is our migration to an online world.  We have reached a point where not only is everything online, but people have forgotten the manual process behind their systems.  Today a whole generation of employees only knows the automated process.  And as time passes, it becomes harder and harder to envision how you would recover if you lost that technical capability.  It might sound like I am overstating this, but I do worry about that.

What about the Internet of Things.  What are the chief security concerns around that?

It should really be called ‘The Internet of Hackable Things’!  However, I think the most interesting thing about the Internet of Things is how it leads into robotics and related technologies.  And this is everything from the driverless vehicle to the embedded chip in the body.

Some clinical trials are going on with chips embedded in the back of the eye: it’s almost like Google Glass technology but without the glass.

Now naturally, the initial trials are focusing on helping those with impaired vision but longer term this will become an enhancement for someone whose vision is perfectly fine.  And they will have communications, location information, and other data on that chip in the future.

I think that becomes really interesting when you look at malware.  You think about a mobile connected chip embedded in the body providing location-based information and perhaps having a payment capability for automatic payments if I pass through a given location, etc. and you think about malware in that context, you think about hacking, and in law enforcement you think about evidence.

What does a law enforcement official need to do to recover that chip from a suspect, for example?  This is not as far away in the future as we think.  There is already a company in Scotland that has chipped its employees, if they volunteer.  They chip them ostensibly so they can pay for lunch in the canteen without producing a card, but allegedly they are also using that technology to monitor their location in the building!

It brings back memories of Brave New World and 1984.

This is not science fiction anymore, and there are a lot of issues around integrating communications and computing equipment with human physiology.  The field has become quite active and it is going to be an issue for fraud and security and risk managers.

Now there are precedents in terms of contraceptives.  There are contraceptive devices put under the skin that sort of leak chemicals into your system.  So, the practice of inserting a device in the body for lifestyle reasons is already out there.

Then you marry in things like 3D printing and intellectual property of designs.  Nano or micro technology is something else on the horizon.  So these are a few of the future risks.  Google any one of those topics and you might be surprised at what you find.

One of the key challenges in communications fraud is the fraudster’s ability to mimic human behaviors to hide their activities.

Well, that takes you back to big data, which tends to establish what normal human behavior is because it creates a profile.  Therefore anyone who can access that data can create similar profiles.  So that is certainly a big issue, especially if you tie that into spoofing the IP address.  Companies look at the IP address as a marker of whether or not to allow a transaction to take place or allow a film to be watched even.  And people are using tools like Hideman to spoof their IP address and put themselves where they would like to appear to be, so that sort of undermines a lot of security.

So the big data world is the wild west.  It is poorly managed as a security platform.  In fact, the internet is very badly designed as a security platform, and that creates a whole range of challenges for society.

Writing certain laws could help in telecom fraud.  For instance, if certain countries like the US and the UK had laws requiring PBX manufacturers to open up their APIs for anti-fraud protection, a lot of IRSF fraud would disappear.

One of the problems with the regulatory framework is the best we have are national regulatory frameworks.  We use Westphalian legal frameworks in a globalized market and that is never going to work.

Globalized networks demand a global legal framework.  Nothing else can succeed and it seems it’s going to take 50 years for them to understand that.  So, you can pass as many laws as you want to in America, it’s not going to stop someone in Taiwan doing something, unless their actions have a direct impact on the US.  So, you have got to have universal rules and all nations need to sign up and those who won’t sign up, need to be barred.

And it’s not only for telecoms.  Look at something like malware.  It’s my view that regulators should have said years ago to device manufacturers of mobile devices, laptops, PCs, and other computing devices — you can’t retail anywhere unless you have pre-installed antivirus.  It shouldn’t be down to the consumers to opt in to an anti-virus program.

In fact, the same principle should apply to baseline security levels, social media, and identity validation.  I should at least have the option in Facebook to validate my identity in the same way that I would for online banking services so that I can then apply a filter and say if you haven’t validated your identity on Facebook, I don’t want to be your friend.

That will take away 80% of the fraud right there.  So, I think there are some basic 101 level security controls that regulators just fail to enforce, and companies fail here because they do not exercise sufficient due diligence.

Mark, this is marvelous perspective.  Thank you.  To close, I’d be curious about your methodology when you consult with companies.

Well, the last telecom project we did was an interesting one.  It was a risk assessment.

I think one of the main things a consultant does is to slice through the politics in the sense that you don’t care: you have no axe to grind.  And everybody recognizes that you have no ulterior motives.  You can listen to all the different views, filter them, produce a set of outputs that you think make sense, but you also think is balanced.  Best of all, people will actually read it because you are an external consultant.

A guy in the organization could write and report it ten times better, but no one would read it because he is from a different department.  So, as a consultant you have that advantage.

The key in consultancy is to be a good listener and be careful not to be influenced by the guy who brought you in, because they will always try to influence you.  At the same time, you have to be reasonable, and not too extreme.  But you shouldn’t be afraid to make the recommendations and to point out things that could be improved because you will be listened to — at least the first time, you have got an audience.

They will tend to give you an audience with the senior managers who have funded the project, so there you have the opportunity to get into a room with five, six or maybe ten decision makers — which again the guy down the ladder probably tried to arrange years ago, but never succeeded.  So you have got that 20 or 30-minute period where you are going to really get that key message across to them.

That’s the key thing.  You can effect change by winning hearts and minds in a way that nobody inside the building can do.

Copyright 2015 Black Swan Telecom Journal

 

About the Expert

Mark Johnson


Mark Johnson is a former drug enforcement operative and a corporate fraud manager for several major international communications firms, including Ericsson and Cable & Wireless.  He is the author of two books on communications and cyber security, and another two on Second World War history.

Mark now provides training and consultancy for UK Police forces, the UK Home Office, the financial services sector and a number of global compliance and risk training organisations.
