The recent disruption of Emotet, conducted by a worldwide coalition of law enforcement agencies, has huge significance. There are the obvious cybersecurity implications of disrupting what’s been called the “most dangerous malware in the world,” but it’s also a strong reminder of the importance of public and private collaboration in fighting cybercrime. The takedowns of NetWalker and Egregor are additional examples, further highlighting the need for this type of coordination.
In January, Europol announced that a worldwide coalition of law enforcement agencies across the U.S., Canada, United Kingdom, Netherlands, Germany, France, Lithuania and Ukraine disrupted Emotet, known as the world’s most dangerous malware. The global effort, known as Operation Ladybird, involved coordination with private security researchers as well. Together, they were able to take control of the botnet’s infrastructure.
Another major cyber action announced in late January by the U.S. Department of Justice also involved a coordinated international effort by law enforcement agencies. Their target was NetWalker ransomware, which has impacted many victims across sectors – including companies, schools, hospitals and municipalities – with attacks specifically targeting the healthcare sector during the COVID-19 pandemic. Authorities charged one person and seized almost a half-million dollars in cryptocurrency from ransom payments.
In a joint Ukrainian, French and U.S. operation, authorities broke up a cybercrime group involved with Egregor, which uses criminal affiliates to help carry out its ransomware attacks. Authorities targeted both the group’s leaders and its affiliates and made several arrests; the operation disrupted the group’s website and command-and-control server.
All of these cases are clear examples of the need for increased coordination when it comes to cybersecurity. There is progress, but more is needed, and urgently.
Cybersecurity’s global problem
Cybercrime has no borders, which makes it difficult to track down and stop. Today’s global network infrastructures connect different groups through a single, interconnected framework. This makes inter-agency collaboration easier, but it also enables cybercriminals to reach across borders and strike at victims in a way that law enforcement, bound by jurisdiction, cannot match. As recent threat trends show, cyber adversaries are increasingly targeting the ever-expanding digital attack surface with disruptive cyberattacks.
Such global interconnectedness exposes everyone to the challenges presented by the weakest links in the worldwide cyber chain. Compounding this further are the issues of extradition and safe havens, long-standing roadblocks for international criminal investigations of any kind. Some countries’ cybercrime investigations have been thwarted by other countries’ refusal to reciprocate on extradition. On top of that come issues of capacity and training: many municipal organizations operate on budgets too small to hire the staff and build the skills they need in this area.
Private and public sectors must come together
This isn’t just a matter for law enforcement, however. The private sector can also play a key role. To truly address the cybersecurity challenges that continue to morph and grow, the private sector must partner with law enforcement. This includes organizations like INTERPOL and the FBI, as well as local agencies and departments, and the criminal justice systems of nations around the world.
The private sector’s advantage lies in its ability to identify, track and analyze cybercriminal infrastructures and services. This gives it better technical information, which it can share and act on. Professionals in the private sector are able to discover criminal activity and disrupt criminals’ infrastructure in targeted ways. But they don’t have all the information – or the enforcement power. This is where government can step in to prosecute cybercriminals and impose penalties. Neither the public nor the private sector has everything it needs on its own to stop cybercrime; they must work together.
However, that’s easier said than done. Much of the difficulty is one of context: it is hard to place raw information into the larger picture of who the attackers are, and what, when, where and how they attack. In this era of big data, any information being shared also needs to be suitable for automation, and not everyone has experience with sharing information in that form.
In addition, information sharing needs to be quick, keeping pace with or ahead of the attackers’ movements. This has often been a weak spot of public-private collaboration. The information also needs to be trusted, especially when it feeds automation. And finally, confidentiality and privacy issues complicate the situation even further – but this can be managed by sharing only non-personally identifiable information.
Iterative, collaborative security
There are plenty more global-scale threats where Emotet and NetWalker came from. The public and private sectors worked together well across borders to disrupt these two destructive forces. Each side of the public-private collaboration has resources and capabilities that shore up the other and increase effectiveness in combating cybercrime. Challenges of information sharing remain, but collaborative processes will improve as more such partnerships emerge. Organizations will learn from each other and from past collaborations in a process of continuous improvement that will shift the balance of power in favor of the defenders.