GCHQ to deploy offensive cyber operations to deter cybercrime

As ransomware attacks double in only a year, GCHQ signals that its campaign against international cyber criminals will escalate.

09 November 2021


The threat that cybercrime poses to individuals, businesses and governments is growing at an increasingly dangerous pace, and ransomware is currently the key threat. The CEO of the National Cyber Security Centre (NCSC) suggested in a speech to Chatham House last month that ransomware was “the most immediate danger” faced by the UK. Last week the head of GCHQ told the Cipher Brief annual threat conference (a full transcript has been published) that the number of ransomware attacks against British institutions had doubled in the past 12 months.

This is not an isolated statistic. Analysis of suspicious activity reports (SARs) filed by financial institutions, published in a US Treasury report released in October 2021, shows a sharp rise in ransomware activity touching the financial sector: 635 ransomware-related SARs were filed in the first six months of 2021, 30% more than were filed in the whole of 2020, and the ransomware-related transactions documented in those SARs totalled $590m over the same period, again exceeding the entire reported value of such transactions for 2020 ($416m). All told, the top 10 ransomware variants were linked to at least $5.2bn of bitcoin payments in the first six months of 2021. The costs can go far beyond the financial, as the attack on Colonial Pipeline earlier this year graphically illustrated: the pipeline supplies roughly 45% of the fuel consumed on the US East Coast, and its shutdown led to shortages.

It is not difficult to understand why cybercrime, and ransomware in particular, is growing at such a pace. Unfortunately, it works: it is a proven and highly profitable way for international criminal gangs to make money. Barriers to entry are falling, on account of the increasingly wide availability of AI tools (which criminal gangs are now making use of) and the growth of ransomware-as-a-service groups, which allow affiliates with little technical skill of their own to deploy mature ransomware. Opportunity has also increased: the shift to remote working during the pandemic has widened many companies’ attack surface.

There is also a sense that such crime is, in the words of the head of GCHQ, “largely uncontested”. There is no functioning international criminal justice system capable of policing and prosecuting the key criminal actors, particularly where they are based in uncooperative states.

As such, Western states appear increasingly willing to adopt techniques that are, to all intents and purposes, cyber warfare in order to disrupt and deter cybercrime. GCHQ has suggested it will use “the pointy end of the spear” against such threat actors, meaning offensive cyber campaigns. Such suggestions are not novel. In late 2020 the UK announced the creation of a National Cyber Force, a partnership between the Ministry of Defence and GCHQ, whose purpose is to conduct offensive cyber operations (the ‘sword’ to the NCSC’s ‘shield’) and whose remit expressly includes “prevent[ing] the internet from being used as a global platform for serious crimes, including sexual abuse of children and fraud”. At the US-Russia summit in summer 2021, President Biden suggested that the US government would “respond with cyber” if Russia-based hackers targeted critical US infrastructure.

For obvious reasons, specific examples of such offensive cyber operations rarely become public; the FBI’s recovery of most of the Colonial Pipeline ransom payment this summer may, however, be an example. We have commented previously on the implications of the FBI’s success in tracing that payment.

These efforts appear to be escalating. On 8 November 2021 the US Department of Justice announced the seizure of a further $6.1m in funds tied to alleged ransom payments, and the US Treasury imposed sanctions on the Chatex cryptocurrency exchange for allegedly facilitating ransomware payments (the second crypto exchange sanctioned for this reason). According to the Treasury, more than half of Chatex’s known transactions were directly traceable to illicit or high-risk activity, including ransomware and darknet markets. A strategy of punishing rogue exchanges may prove increasingly effective, particularly as exchanges strive for regulatory approval and mainstream acceptance. The DoJ also indicted the alleged hacker from whom the $6.1m was seized; he is believed to be based in Russia and has not been, and likely will not be, taken into custody. This illustrates how limited conventional law enforcement’s reach is in this area, but DoJ officials have been keen to emphasise that law enforcement can still disrupt such activity without local cooperation, for example by seizing the proceeds and sanctioning the intermediaries that launder them.

The increasingly assertive approach taken by governments, as ransomware and cybercrime gain recognition as a major national security issue, is a positive step. It may go some way to reducing the sense of impunity. But it is unclear whether it will be enough to slow the growth of this criminal ‘sector’, which is driven as much by the increasing criticality of data to every part of the economy, and by the spread and democratisation of advanced computing technologies, as by any failure of law enforcement. Given the overlap between efforts to combat cybercrime and wider national security concerns, there is also a risk that a more aggressive state response merely prompts cybercriminals to escalate their own methods.

One thing that is clear is that companies need to be ever more vigilant, ensure that defensive policies and procedures are in place and, in the event those fail and they become the victim of a ransomware attack or another form of data breach, be clear on what steps must be taken. We have published a data breach framework that may be of assistance and have previously commented extensively on the legal risks involved in a ransomware attack; our most recent international Tech Focus webinar on that subject is also available.

If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.
