Cybercrime is one of the greatest risks for the German economy. Unfortunately, still very few cases are reported, although reporting would make a positive contribution to the clearance rate of cyber incidents. The police depend on the help of companies in order to put a stop to hackers.
In conversation with Peter Vahrenhorst, Chief Detective Superintendent at the State Criminal Police Office in North Rhine-Westphalia. In this role, he is also responsible for the prevention of cybercrime.
How do you assess the current threat of cybercrime for German companies?
There is no classic grading system from 1 to 6 that can be used for evaluation. The economy is very diverse. There are many big players who have their own IT department and are therefore already quite well positioned. In addition, there are many small and medium-sized companies, which are of course immensely important for the German economy, but which pose a bit of a problem. These companies focus on their core business and also have to take care of IT tasks. In many companies this works very well, but in others these IT skills are lacking. Thus, clustering is almost impossible, as the conditions are very different. It’s almost like being in a general store. Some medium-sized companies are already very well positioned, while others definitely still need to do something.
Is there a trend as to which industries or companies are particularly affected?
I wouldn’t name any industry explicitly. It can certainly happen that attacks on an industry become more frequent. Nevertheless, as a company, you should never sit back and count on the fact that you don’t fit into the grid. The recent attack on the university hospital in Düsseldorf is a good example of this. Originally, the attack was aimed at the university, and due to the same name, the hackers attacked the hospital. Companies should therefore not rely on other industries being affected. That would be a false sense of security.
Can seasonal fluctuations be detected? Is there a summer break for cybercrime?
No, cybercrime is not a seasonal business. There was a kind of “Corona break” if you look at the spread of the Emotet malware. Here, however, the Corona period was mainly used to improve the systems and to get back on the grid stronger. On the other hand, there were cybercriminals who took advantage of precisely this Corona period or the home office phase. There is a range of perpetrators who act completely differently. When some take a break, others continue. We do not notice a “summer break” or a phase in which there is a standstill.
How has the situation changed in general in recent years? Is there an increase in economic crimes by hackers, or is the number decreasing?
This is a difficult question, because we as the police can of course only evaluate what is reported to us. There is a large dark field. The reporting behaviour of the parties concerned does not reflect reality. So if we only look at the complaints that are actually filed, we are not close enough to the actual situation. There are many companies that have reasons – or think they have reasons – why they don’t go to the police. You can support this or not, but the number of complaints does not correspond to reality, so you have to look at other factors to answer this question.
Should a company that has been the victim of a cyber attack inform the police in any case?
We recommend that companies report any incident of this nature. In the end, companies only perceive their own case. Presumably, however, a number of other companies are in the same situation. The individual does not see this, but for us there are important connections between the crimes. An example to illustrate: A few days ago, an email was sent to a company threatening that an incendiary device had been installed in the company building and that it would not be detonated if an amount X was paid in Bitcoins. However, several other companies also received this mail. Buildings were cleared and incendiary devices were searched for – but nothing was to be found. Examining the emails then showed that the same wallet was stored in all of them. The perpetrator would not have been able to determine which company had paid the amount. From a single case, this insight could not have been gained. However, due to the fact that various companies reported the incident, it could be determined that the mail was without substance. For these reasons, we recommend that companies contact the police with all incidents.
Do I dial 110 in the classic way?
It has been shown that the classic 110 is not the right way for commercial enterprises to inform the police. The officers on duty there are all doing a good job, but they are not cybercrime experts. In NRW, there has been a 24/7 hotline since 2011. By using the number 0211 / 939 4040, companies can contact the police and report their cyber emergency. Specialists will then get back to them and coordinate the necessary measures.
How does the police proceed in the investigation? Is the crime scene examined in detail, as is the case with any other crime?
That certainly depends on the case. There are issues where we don’t necessarily have to be on site. For example, if a company receives a blackmail email, we don’t have to be on site. If, for example, a company catches an encryption program, as was the case with the University Hospital Düsseldorf, we are on site and support the company with our know-how so that the damage is limited. This is an essential part of our police work. However, we do not decide on our own how to proceed, but always in consultation with the injured party.
Do you work closely with IT service providers and IT forensic experts, or do you bring your own experts with you?
We have our own experts. In most cases, however, an IT service provider is already involved. We then work together as a team, even if the respective requirements vary. In the specialist circles, people know each other and know about the abilities of the others. So it’s a good cooperation.
Do you then give the affected parties tips on how to protect themselves from a cyber attack in the future or does this exceed your area of responsibility?
Prevention is part of the police’s portfolio. We do not take on any technical prevention, which means that we do not give advice on which boxes need to be ticked or which filters need to be set. However, we support companies in process coordination. Processes play an essential role in digitization and are therefore an important part of prevention. Above all, we advise companies on how to react correctly and quickly in the event of a cyber emergency. In any case, this is a preventive area that we as the police cover. In the best case, we come before a cyber attack takes place, but of course we also provide support after the emergency, so that you are better prepared should a second incident occur.
Companies can therefore contact the police to be informed about cyber risks and cyber protection?
Yes, we offer that. But of course you have to consider the order of magnitude: There are about 860,000 companies in North Rhine-Westphalia. We are not set up in such a way that we can advise every company. But we try to use platforms to reach a large number of companies.
What are the current chances of clearing up a case?
It would be fatal if I said that we have no chance at all. That would also be wrong. But here, too, we can only refer to what is reported. According to the recently published crime statistics for 2019*, we are above the general average with a clearance rate of 26 percent in the field of cybercrime and thus in a good range.
So hackers leave traces on the net that can be traced?
Hackers make mistakes and aren’t always as diligent in what they do. We find these mistakes, and that offers good starting points for ultimately getting to them. In most cases, hackers are after money – this is another lead to follow to find cybercriminals. These are approaches that we pursue, as with any other investigative work. Police work is a Sisyphean task, in which you connect individual dots to ultimately end up with the perpetrator. However, in the field of cybercrime, one does not work with physical but with digital traces.
Is there international cooperation to track down cybercriminals?
In individual cases, we also work together with other countries. There is a European service, and there are other areas of international cooperation. We also occasionally travel abroad with our own investigators and cooperate with local colleagues to arrest a perpetrator. In addition, there are foreign colleagues here on site with whom we work. However, the nature and extent of cooperation varies from country to country. For some it works better, for others less well. Due to digitalization, it has become normal to look beyond one’s own borders.
Is it possible to make statements about whether hackers from a certain country are increasingly active?
No, there is no focus. There are good hackers in Russia, there are good hackers in Israel, in South America, and of course in Germany. So it is not possible to make a generalized statement about which country hacker attacks mainly originate from. Here, too, the following applies: Perpetrators are on the move internationally.
Can you name a period of time in which a cyber incident is solved on average?
The range is large; there is no valid average that can be drawn. You can get the perpetrator within a week, or you can work on a complex of crimes for three years and still not solve it.
Last but not least – the Tatort question: Is a digital trace cold at some point?
There is this statement: “After 48 hours, the traces are cold”. It generally doesn’t work that way. The reality of police work is different. Even in the case of murder offences, longer time lags do occur, and the perpetrator is ultimately caught anyway.