Former Scotland Yard detective discusses cybercrime and threat intelligence

Apr 05, 2016

Steve Santorelli, passionate about Internet security and committed to bringing folks together to attack the problem in many ways.


Steve Santorelli became a police officer in 1994, working in London, UK. He worked his way up through various detective grades and branches until he joined Scotland Yard's Computer Crime Unit in 2000.

During the following five years he specialized in malware and botnet cases and reached the rank of Detective Sergeant. Santorelli received several awards and commendations from various international law enforcement agencies and judges. He was also an associate instructor for the CISSP certification.

He then left law enforcement to join the Microsoft Internet Crimes Investigation Team, based in Redmond, Wash. He spent the next two years investigating botnet cases which were then referred out to law enforcement officers around the world for further work and arrests.


During this time he also developed the International Botnet Task Force, a unique group of industry and law enforcement from 35 countries, dedicated to working together to combat botnets and ruin the lives of botherders. He was also the lead investigator on the Zotob case.

He left Microsoft in 2007 to join Team Cymru, a small group of researchers who work to discover who is behind Internet crime and why they carry out their activities. Still actively involved in investigations, he is the director of analysis and outreach, a role that lets him use Team Cymru's unique position and insight to improve lives around the world. He runs a series of conferences around the world each year where infosec and law enforcement specialists share case studies from cases they have worked on recently.

You were a detective sergeant with the Scotland Yard Computer Crime Unit when cybercrime was just starting to make its way into the minds of the public, legislators and industry. What was it like being on the bleeding edge of a new law enforcement challenge?

Hot and frustrating. Hot because we were working under the auspices of the Fraud Squad in standard police offices, with HVAC systems that simply could not cope with all the computers we had running in our labs. I think we would have had to arrest ourselves under health and safety legislation if we tried to do that today. Frustrating because hardly anyone wanted to report any cybercrime and, when they did and we managed to make an arrest, the far harder part of the case was to persuade the authorities to take the case to a jury.

Law enforcement worldwide are still, to this day, working a 19th century process that simply doesn’t map to a 21st century criminal evolution. Things have improved, especially when it comes to having geeky cops who have grown up with this technology and care passionately about the Internet, but we still have a long way to go, overall, in how we disrupt and deter criminals.

Having worked in the private, government and not-for-profit sectors, from a cybersecurity perspective, what are the advantages and challenges of each organizational structure?

It is pretty simple, and the key reason why so many of us spend so much time trying to bridge the gaps and bring both sides to the table: the cops are the only group that can make arrests, industry is (still, to a large extent) the only group that has the expertise to track down the miscreants and the NFP sector has the remit to build capacity in places that lack the expertise around the world. Separately, we’re screwed. But combined, with a little luck, a lot of trust and sometimes a little beer, we can really make inroads in this fight.

You are the director of analysis and outreach for Team Cymru, a not-for-profit cybersecurity research firm, could you tell us a bit about how your firm came to be and what it does?

We were founded over a decade ago by four geeks who became obsessed with understanding the motivations behind the early denial of service and malware attacks. What makes us unique is that, from the very early days, we have been entirely mission focused as opposed to profit centered. Our motive has always been to ‘save and improve human lives’ and we really cleave to that in everything we do. We have the support we need to do (somewhat) crazy things that don’t generate any profit, but benefit the infosec community and frankly, need to be done by someone to prevent the criminals from utterly ruining the Internet for the next generation. That’s why we get to attract so many talented people: you bring your ‘A-game’ every day and you get to really see the difference you make to the Internet, not just a spreadsheet’s bottom line.


What are your thoughts about the recent cyberattacks on the Ukrainian power grid and Kiev Airport? Are we seeing the start of cyberterrorism or is this nation state posturing using vulnerable technology as a diplomatic weapon? Perhaps a bit of both?

It’s an inevitable evolution in motivation but one that is actually a natural progression of the second oldest profession in the world. We’ve been seeing this kind of attack since the Georgian and Balkan conflicts; the attack surface is now much broader and the skillset needed by the attackers is commensurately lower, in that they can outsource a lot of the tools needed, buy them in or simply deploy automated tools to look for that single mistake that gives them the foothold they need. I often reflect back on this quote from the IRA after the Brighton Bombing: “Today we were unlucky. But remember, we only have to be lucky once – you will have to be lucky always.” It’s as relevant today in the cybercrime fight as it was back then: all it takes is one error on our part, one missed anomaly, and we might miss our chance to prevent something horrific.

A question you yourself would like to be asked… Is there any hope for the future of the Internet?

Not really. We have been talking about this for years and the fundamental dichotomy relates to funding and collaboration. The miscreants are light years ahead of the Internet security community in terms of their R&D budgets and the maturity of their marketing and sales operations. They don’t need the MLAT procedure and a book worth of paperwork for the simplest of tasks.

According to the U.S. State Department, Mutual Legal Assistance Treaties (MLATs) generally allow for the exchange of evidence and information in criminal and related matters.

We’re struggling every day just to get people to talk to each other and share the lessons they have learned, whereas our targets have entire forums devoted to sharing best practice in how to maximize their profits and minimize their exposure to the risks we bring to their business models. Until we catch up, we’re always going to be one massive step behind them, and I don’t relish that job security. The only saving grace comes back to the same IRA quote as I mentioned above: good cybercrime investigation is about turning over 10,000 little rocks looking for the one mistake that the miscreant made; so really they have to be lucky always, we only have to get lucky once.


Over twenty years of experience as an information security professional, serving in executive and senior management positions, in the US and the UK. My responsibilities have included the development and implementation of global information systems security management programs aligned with NIST CSF, ISO 27001:2013, elements of the NIST 800 series and HIPAA/HITECH. Also, I have created new corporate risk programs including the formation of a board level Risk Committee. Implemented new vendor management programs to track the compliance state of our key vendors and data holders with HIPAA/HITECH and PCI DSS. Completed the requirements, testing and installation of a state of the art security information and event management (SIEM) platform with IBM’s QRadar and ArcSight. Also, completed the requirements, testing and installation of two vulnerability scanners, IBM's QVM and Nessus. Developed an information security awareness program which included annual training for all staff.

Served as Chairperson of the Communications and Public Relations Project Group of Interpol's European Working Party on Information Technology Crime, as well as advising their Wireless Applications Security Project Group. I am the former President of the United Kingdom and Bluegrass chapters of the Information Systems Security Association (ISSA), and also on the editorial advisory board of the ISSA Journal. I have attended numerous courses on cybercrime and white collar crime through both the Kentucky Department of Criminal Justice Training and the National White Collar Crime Center.

It has been my honor to be named an ISSA International Fellow (2015) and to receive the International Information Systems Security Certification Consortium, Inc. (ISC)^2 President's Award for service to the information security community (2002, 2004 and 2009).

Lastly, I hold a Master of Science in Information Security from Royal Holloway, University of London, and am a former senior instructor for the (ISC)^2 CISSP CBK seminar, an MCSE and a BS7799 Lead Auditor.

The opinions expressed in this blog are those of Richard Starnes and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.