Cybercrime is one of the greatest risks for the German economy. Unfortunately, the fewest cases are still reported to the police. This would make a positive contribution to the rate at which cyber incidents are solved. The police depend on the help of companies to put a stop to hackers.
In conversation with Peter Vahrenhorst, Chief Detective Inspector at the State Criminal Police Office in North Rhine-Westphalia. In this role, he is also responsible for cybercrime prevention.
How do you assess the current threat posed by cybercrime to German companies?
There is no classic grading system from 1 to 6 that can be used for evaluation. The industry is organized in very different ways. There are many large players that have their own IT department and are therefore already quite well positioned. In addition, there are many small, medium-sized companies, which are of course immensely important for the German economy, but which are causing a bit of a problem. These companies focus on their core business and also have to take care of IT tasks. In some companies this works very well, but in others these IT competencies are lacking. Clustering is therefore almost impossible, as the ratios are very different. It is more or less like a general store. Some medium-sized companies are already very well positioned, while others definitely still need to do something.
Is there a tendency which industries or companies are particularly affected?
I would not name any industry explicitly. It can certainly happen that attacks on an industry accumulate. Nevertheless, as a company, you should never sit back and count on the fact that you don’t fit into the pattern. The recent attack on the University Hospital in Düsseldorf is a good example of this. The attack was originally aimed at the university, and the hackers attacked the hospital because of the similarity in names. Companies should therefore not rely on other industries being affected. That would be a false sense of security.
Can seasonal fluctuations be identified? Is there a summer break in cybercrime?
No, cybercrime is not a seasonal business. There was a kind of “corona break” if you look at the spread of the Emotet malware. Here, however, the corona period was mainly used to improve the systems and come back stronger. On the other hand, however, there were cybercriminals who exploited precisely this Corona period or home office phase. There is a range of perpetrators who act completely differently. When some take a break, others continue. We don’t notice a “summer break” or a period where there is stagnation.
In general, how has the situation changed in recent years? Is there an increase in economic crimes by hackers, or are the numbers decreasing?
That’s a difficult question, because as police we can of course only evaluate what is reported to us. There is a large dark field. The reporting behavior of the parties involved does not reflect reality. So if we only look at the reports that are actually reported, we are not close enough to the actual situation. There are many companies that have reasons – or think they have reasons – why they don’t go to the police. You can advocate that or not, but the number of reports does not reflect reality, so you have to look at other factors to answer that question.
Should a company that has been the victim of a cyberattack inform the police in any case?
We recommend that companies report any incident of this kind to the police. Ultimately, companies only perceive their own case. Supposedly, however, a number of other companies feel the same way. Individuals don’t see this, but for us it results in important correlations in rates. An example to illustrate this: a few days ago, an email was sent to a company threatening that a fire device had been installed in the company building and that it would not be ignited if an amount X was paid in Bitcoins. However, quite a few other companies received this mail as well. Buildings were cleared and searched for fire devices – but nothing was found. Examining the emails then showed that the same wallet was deposited in all of them. The perpetrator would not have been able to determine which company paid the amount. In detail, this knowledge could not have been gained. However, the fact that various companies reported the incident made it possible to determine that the mail was insubstantial. For these reasons, we recommend that companies contact the police with all incidents.
Do I dial the classic 110 for this?
It has been shown that the classic 110 is not the right way for business enterprises to inform the police. The watchdog officers all do a good job, but they are not cybercrime experts. In NRW, there has been a 24/7 hotline since 2011. Using the number 0211 / 939 4040, companies can contact the police and report their cyber emergency. Specialists will then get back to you and coordinate the necessary measures.
How do the police proceed with the investigation? Is the crime scene examined in detail, as in any other crime?
That certainly depends on the case. There are circumstances where we don’t necessarily have to be on site. If a company receives an extortion e-mail, for example, we don’t have to be on site. But if, for example, as was the case at the University Hospital in Düsseldorf, a company catches an encryption program, we are on site and support the company with our expertise so that the damage is limited. That is an essential part of our police work. However, we do not decide how to proceed on our own, but always in consultation with the damaged party.
Do you work closely with IT service providers and IT forensic experts or do you bring in your own experts?
We have our own experts. In most cases, however, an IT service provider is already involved. We then work together in a team, even if the respective requirements vary. But in the specialist circles, people know each other, they know about each other’s skills. So it’s a good collaboration.
Afterwards, do you give the affected parties tips on how to protect themselves from a cyber attack in the future, or is this beyond your scope of responsibility?
Prevention is part of the police portfolio. We don’t take on any technical prevention, which means we don’t give advice on which checkmarks or filters to set. However, we do support companies in coordinating processes. Processes play an essential role in digitization and are therefore an important part of prevention. Above all, we advise companies on how to react correctly and quickly in the event of a cyber emergency. This is definitely a preventive area that we cover as police. In the best case, we come in before a cyberattack takes place, but of course we also provide support after the emergency, so that people are better prepared should a second incident occur.
So companies can contact the police for information on cyber risks and cyber protection?
Yes, we offer that. But of course you have to consider the scale: There are about 860,000 companies in North Rhine-Westphalia. We are not set up in such a way that we can advise every company. But we try to use platforms to reach a large number of companies.
What are the current opportunities for reconnaissance?
It would be fatal if I said we have no opportunities at all. That would also be wrong. But again, we can only refer to what is reported. According to the recently published 2019 crime statistics*, we have a clearance rate of 26 percent in the area of cybercrime, which is above the general average and thus in a good range.
*These statistics refer to the federal state of North Rhine-Westphalia
So hackers do leave traces in the network that can be tracked?
Hackers make mistakes and are not always so careful in what they do. We find these mistakes, and that provides good leads to ultimately put them to rest. In most cases, hackers are in it for the money – that’s another lead you can follow to find cybercriminals. These are approaches that we follow up on, just like any other investigative work. Police work is Sisyphean work, where you connect individual dots to ultimately end up with the perpetrator. The only difference is that in the field of cybercrime, we don’t work with physical traces, but with digital ones.
Is there international cooperation to track down cybercriminals?
In individual cases, we also cooperate with other countries. There is a European office, there are other areas of international cooperation. We also occasionally travel abroad with our own investigators and cooperate with local colleagues to arrest a perpetrator. There are also foreign colleagues here on the ground with whom we cooperate. However, the type and extent of cooperation varies from country to country. In some it works better, in others less well. Digitalization has made it normal to look beyond one’s own borders.
Is it possible to say whether there is an increase in hackers from a particular country?
No, there is no focus. There are good hackers in Russia, there are good hackers in Israel, in South America, and of course in Germany. So it’s not possible to make a generalized statement about which country hacker attacks mainly originate from. Again, perpetrators are international.
Can you name an average period of time in which a cyber incident is solved?
The range is wide, and there is no valid average that can be drawn. You can catch the perpetrator within a week, or you can work on a crime complex for three years and still not solve it.
Last but not least – the crime scene question: Is a digital trail cold at some point?
There is this statement: “After 48 hours, the tracks are cold”. It generally doesn’t work that way. The reality of police work is different. Even with homicides, longer downtimes do happen, and the perpetrator is still caught in the end.