Former Scotland Yard detective discusses cybercrime and threat intelligence

Steve Santorelli became a police officer in 1994, working in London, UK. He worked his way up through various detective grades and branches until he joined Scotland Yards Computer Crime Unit in 2000. 

During the following five years he specialized in malware and botnet cases and reached the rank of Detective Sergeant. Santorelli received several awards and commendations from various international law enforcement agencies and judges. He was also an associate instructor for the CISSP certification.

He then left law enforcement to join the Microsoft Internet Crimes Investigation Team, based in Redmond, Wash. He spent the next two years investigating botnet cases which were then referred out to law enforcement officers around the world for further work and arrests.

[ MORE ON CSO: Accenture managing director talks IoT risks and cyber insurance ]

During this time he also developed the International Botnet Task Force, a unique group of industry and law enforcement from 35 countries, dedicated to working together to combat botnets and ruin the lives of botherders. He was also the lead investigator on the Zotob case.

He left Microsoft in 2007 to join Team Cymru, a small group of researchers who work to discover who is behind Internet crime and why they carry out their activities. Still actively involved in investigations, he is the director of analysis and outreach, enabling him to use Team Cymru’s unique position and insight to improve lives around the world. He runs a series of conferences around the world each year where infosec and law enforcement specialists share case studies they have work recently.

You were a detective sergeant with the Scotland Yard Computer Crime Unit when cybercrime was just starting to make its way into the minds of the public, legislators and industry, what was it like being on the bleeding edge of a new law enforcement challenge?

Hot and frustrating. Hot because we were working under the auspices of the Fraud Squad in standard police offices, with HVAC systems that simply could not cope with all the computers we had running in our labs. I think we would have had to arrest ourselves under health and safety legislation if we tried to do that today. Frustrating because hardly anyone wanted to report any cybercrime and, when they did and we managed to make an arrest, the far harder part of the case was to persuade the authorities to take the case to a jury.

Law enforcement worldwide are still, to this day, working a 19th century process that simply doesn’t map to a 21st century criminal evolution. Things have improved, especially when it comes to having geeky cops who have grown up with this technology and care passionately about the Internet, but we still have a long way to go, overall, in how we disrupt and deter criminals.

Having worked in the private, government and not-for-profit sectors, from a cybersecurity perspective what are the advantages and challenges for each organization structure?

It is pretty simple, and the key reason why so many of us spend so much time trying to bridge the gaps and bring both sides to the table: the cops are the only group that can make arrests, industry is (still, to a large extent) the only group that has the expertise to track down the miscreants and the NFP sector has the remit to build capacity in places that lack the expertise around the world. Separately, we’re screwed. But combined, with a little luck, a lot of trust and sometimes a little beer, we can really make inroads in this fight.

You are the director of analysis and outreach for Team Cymru, a not-for-profit cybersecurity research firm, could you tell us a bit about how your firm came to be and what it does?

We were founded over a decade ago by four geeks who became obsessed with understanding the motivations behind the early denial of service and malware attacks. What makes us unique is that, from the very early days, we have been entirely mission focused as opposed to profit centered. Our motive has always been to ‘save and improve human lives’ and we really cleave to that in everything we do. We have the support we need to do (somewhat) crazy things that don’t generate any profit, but benefit the infosec community and frankly, need to be done by someone to prevent the criminals from utterly ruining the Internet for the next generation. That’s why we get to attract so many talented people: you bring your ‘A-game’ every day and you get to really see the difference you make to the Internet, not just a spreadsheets bottom line.

[ ANOTHER Q&A: Aetna CISO talks about threat intelligence and enterprise risk management ]

4) What are your thoughts about the recent cyberattacks on the Ukrainian power grid and Kiev Airport? Are we seeing the start of cyberterrorism or is this nation state posturing using vulnerable technology as a diplomatic weapon? Perhaps a bit of both?

It’s an inevitable evolution in motivation but one that is actually a natural progression of the second oldest profession in the world. We’ve been seeing this kind of attack since the Georgian and Balkan conflicts, the attack surface is now much broader and the skillset needed by the attacks is commensurately lower in that they can outsource a lot of the tools needed, buy them in or simply deploy automated tools to look for that single mistake that gives them the foothold they need. I often reflect back on this quote from the IRA after the Brighton Bombing: “Today we were unlucky. But remember, we only have to be lucky once – you will have to be lucky always.”…its as relevant today in the cybercrime fight as it was back then, all it takes is one error on our part, one missed anomaly and we might miss our chance to prevent something horrific. 

A question you yourself would like to be asked… Is there any hope for the future of the Internet?

Not really. We have been talking about this for years and the fundamental dichotomy relates to funding and collaboration. The miscreants are light years ahead of the Internet security community in terms of their R&D budgets and the maturity of their marketing and sales operations. They don’t need the MLAT procedure and a book worth of paperwork for the simplest of tasks.

According to the U.S. State Department, a Mutual Legal Assistance Treaties (MLATs) allow generally for the exchange of evidence and information in criminal and related matters.

We’re struggling every day just to get people to talk to each other and share the lessons they have learned, whereas our targets have entire forums devoted to sharing best practice in how to maximize their profits and minimize their exposure to the risks we bring to their business models. Until we catch up, we’re always going to be one massive step behind them, and I don’t relish that job security. The only saving grace comes back to the same IRA quote as I mentioned above: good cybercrime investigation is about turning over 10,000 little rocks looking for the one mistake that the miscreant made; so really they have to be lucky always, we only have to get lucky once.