
Gresham College Lectures
Meet the Cybercriminals
Portrayals of hackers in the movies lead us to believe that cybercriminals are young white males who wear hoodies. The cybercriminal population is actually much more diverse in terms of gender, ethnicity, age, neurodiversity and other aspects. Motivations range from the ideological, to profit, to mischief and back again.
We will meet the cybercriminals in all their variety and discover how a better understanding of their demographics and drivers can help citizens, businesses and governments protect themselves.
A lecture by Professor Victoria Baines recorded on 19 September 2023 at Barnard's Inn Hall, London
The transcript and downloadable versions of the lecture are available from the Gresham College website: https://www.gresham.ac.uk/watch-now/cybercriminals
Cyber criminals. Who on earth are they? Are they evil masterminds bent on world domination or are they awkward teenagers in gloomy bedrooms? Could they possibly be people like me or you? It depends on what we mean by cybercrime and it depends on who is asking. Popular culture tells us that the typical cyber criminal looks like this, and the eagle-eyed amongst you will recognize this as one of the images used to promote this lecture. One would hope that if we were to turn this person around, we might find out more about them, but no, as often as not, and as we explored in last year's lectures, cyber criminals are curiously faceless, techno grim reapers. So this set me thinking, what could I do to uncover these faces for you? I have cases that I've worked on, but I'm not allowed to tell you about those. Well, I could tell you, but I'd have to kill you. How else then can we shed light on these evidently shady characters? We at least need some kind of starting point, a stereotype that we can either confirm or shoot down. Well, it's become very fashionable to use generative AI to produce content. So I asked DALL-E 2, a model that generates images from natural language descriptions, to give me a typical cyber criminal, and this is what it generated. What do you think? In my opinion, this is a pretty good effort. It certainly seems to conform to the stereotype we see in movies and TV series, that of a young white male. Now I am not suggesting for a second that generative AI knows the answer to the question, what do cyber criminals look like? The chances are that young white guys in hoodies were prominent in the set of images used to train it, but at least now we have a visual representation of our expectations as shaped by our exposure to mainstream media. The sensible scientific next step would be to test this using good solid data, but there is, I'm afraid, spoiler alert, no global database of cyber criminals, not even of those who have been caught.
A further complication is that very often evidence of a cyber crime is not easily linked to a human, at least not in the first instance. In that respect, it's unlike a murder investigation where you can immediately interview people in the victim's family or the acquaintances. It's unlike an assault where victim and eyewitness statements can help to identify a suspect, and it's unlike a burglary where CCTV, fingerprints and even shoe prints can provide vital clues. In comparatively simple cases like unauthorized access to a Facebook account, the available data doesn't directly identify a potential suspect. On screen is real data showing IP addresses and session cookies for a device logged into an account. An investigator can take those IP addresses to an internet provider or a mobile operator and they can ask them to identify the account holder for that internet connection at that particular time. But without further investigation, they can't say who the likely offender is. Law enforcement cannot, or at least should not, go around simply arresting the person who pays the internet bill when any number of people in a household or a business or an internet cafe might share that access. So in their quest to identify human suspects, analysts and investigators use a combination of technical clues and intelligence, for example from criminal forums where people do like to talk about themselves, hawk their wares and brag about their exploits. The more sophisticated cyber criminals are inevitably better at concealing their true identities. State-sponsored groups, or APTs (standing for advanced persistent threat), can operate for several years before any of their members are identified by name. In the meantime, groups are given alternative monikers, which are sometimes based on a numerical system starting at APT1, at others on a taxonomy of animal species that's partly based on national associations.
I've been musing on these classifications for some time now and I'm not altogether convinced that they're entirely helpful, but let's see what you think. And let's again ask generative AI to help us visualize some of the world's most notorious cyber criminals. Well, first off, the rather dapper looking character on the left is DALL-E 2's depiction of Fancy Bear, also known as APT28. This group's targets have reportedly included European governments, domestic political opponents of the Russian government, French television station TV5Monde, the World Anti-Doping Agency, the US Democratic National Committee and the Ukrainian military. And on the right is Cozy Bear, implicated in attacks on the US during the 2016 presidential elections, on the Norwegian and Dutch governments, and in the theft of government data related to Covid vaccines and treatments in several states. Both groups are believed to have close links with, or to be employees of, Russia's foreign intelligence service, the SVR. Next up, do we have any guesses for these two, thinking of animals, national associations? Yes, indeed. They are two faces of Chinese cyber crime. So allow me to introduce you to Vertigo Panda, a.k.a. RedDelta, a state-sponsored group believed to be behind attacks on the Vatican and the Catholic church in Hong Kong. And, as I'm sure will be obvious from the buoyancy aid, on the right is Aquatic Panda, a.k.a. Earth Lusca and RedDev 10, known for its attacks on a range of organizations of interest to the Chinese government, but also on cryptocurrency payment platforms and exchanges. At this point, it all starts to get rather tenuous. Here we have DALL-E 2's depictions of Cosmic Wolf, a group that reportedly conducts targeted attacks in support of Turkish state intelligence gathering, and my personal favorite, an Iranian hacktivist group known to the cybersecurity community as Frontline Jackal. You can see, can't you, how generative AI came up with this particular image.
Now these naming conventions came about as a practical workaround, a means for defenders and investigators to refer to cyber criminals prior to their identification as individuals. But I would argue that styling them as fantastic beasts mythologizes them. It prevents us from getting the measure of them as humans. It bestows on cyber criminals precisely the kind of kudos many of them seek, unless of course they are unfortunate enough to be in the crack Iranian unit known as Banished Kitten <laugh>. Over time law enforcement can get closer to identifying individual members of these groups, and the international dimension of cyber crime, the extent to which offenders are very often in a different country to their victims, is evident in some lists of persons of interest. Now this is the FBI's Cyber Most Wanted list and it's publicly available on the internet, and this names 15 suspected members of that Russian group Fancy Bear. And these three North Korean nationals are believed to be members of Stardust Chollima, a.k.a. APT38. They're popularly known, and you will probably know them, as the Lazarus Group. In case you're wondering, because I certainly did, a Chollima is a mythical winged horse rather like Pegasus. Lazarus has been active since at least 2009. It's believed to be behind the hack of Sony Pictures in 2014, the theft in 2016 of close to a billion US dollars from the Central Bank of Bangladesh and the 2017 WannaCry global ransomware attacks that impacted the UK National Health Service among others. When we review all of these mugshots on the FBI's website, we can see that ethnically they're quite diverse, not necessarily, however, in other respects, which we will come to shortly. So how does this compare with national statistics on people who make it to court? Here in the UK, the Ministry of Justice publishes statistical data on criminal prosecutions in England and Wales under the Computer Misuse Act.
And this covers unauthorized access to computer material, that is hacking, and interference, but also writing and selling tools to help cyber criminals. And when we look at the data for the last three years, we see that 85% of defendants are white, which is not too far off their 82% representation in the UK population as a whole. This is, however, quite a small data set of just 441 prosecutions and there are so many things it doesn't tell us. It tells us nothing at all about the cyber criminals who get away with it and inevitably it tells us nothing about cyber criminals in the rest of the world. Rather frustratingly for us researchers, many countries simply don't publish criminal justice statistics for cybercrime, and in their absence law enforcement operations can be quite informative. What we tend to find is that press releases from law enforcement in other countries mostly feature their own nationals, and the images you see on screen here are taken from the Facebook page of the cyber crime units in Côte d'Ivoire. Most if not all of those arrested are Ivorian. Why is this? Why don't we see the ethnic diversity so evident on the FBI's most wanted list? It's largely a question of jurisdiction. Law enforcement has the authority primarily to pursue criminals who are physically located within their national borders. So if there is a suspect in another country, it's often more practical to pass the information to the authorities there so that they can arrest and prosecute. Extraditions do happen but rarely, and they are even less likely when the suspect is working for the government. Consequently, many wanted cyber criminals are destined to remain just that. Now, you may have noticed that not a single one of the 119 individuals on the FBI's list appeared to be female. What could account for the complete absence of half the world's population from the ranks of the world's most sought after cyber criminals?
As you can see, women represent 12% of cybercrime offenders in the criminal justice data set for England and Wales. And it may be tempting to see this as confirming the belief of some that they are simply less technical than men. Leaving aside the extent to which the assumption of technical incapability can actually exclude girls from an education in STEM subjects (that's a discussion for another time perhaps, or the question and answer session afterwards), this explanation ignores several other possible factors, among them an increased likelihood that state-sponsored cyber criminals either work or have worked for the military, and a hypothesis that links male dominance of cybercrime to a higher prevalence of autism. When we look to other less technical online offenses for comparisons, such as trolling and hate speech under the Malicious Communications Act, we see a similar gender distribution, although I should state that this is a smaller dataset of just 153 prosecutions in those three years. And I should also clarify that the data here currently provides for only two genders. In England and Wales, between a fifth and a quarter of all people in the criminal justice system are women. And this suggests that there may be other factors at play here than technical skill alone. And just because women are not dominant in cybercrime, that doesn't mean that they are absent. People who identify as women do write malicious software, as demonstrated by the conviction of Alla Witte, in the top left here, for creating the TrickBot banking Trojan and ransomware suite. They do gain unauthorized access. Paige Thompson, top right, was found to have compromised an Amazon web server containing the data of a hundred million Capital One customers. They've also been active in ensuring that cybercrime pays: Kristina Svechinskaya, bottom left, as a money mule for a group operating the Zeus banking Trojan.
And in July of this year, Heather Morgan, in the bottom right, a.k.a. the rapper Razzlekhan, pleaded guilty to money laundering and conspiracy to defraud the United States for her part in the hack of four and a half billion US dollars worth of Bitcoin from a cryptocurrency exchange. Then we have Bulgarian national Ruja Ignatova, a.k.a. Cryptoqueen. She may not have made it onto the FBI's Cyber Most Wanted, but she is in its top 10 of most wanted fugitives for her alleged participation in the fraudulent OneCoin cryptocurrency scheme that resulted in investors all over the world losing billions of dollars. In the cyber criminal ecosystem, the people who can dupe victims and turn data into hard cash are not bit players. They are central to the business model. Researchers at cybersecurity firm Trend Micro analyzed visits and posts to five English language and five Russian language cyber criminal forums. They used marketing tools and textual analysis and they found that around 40% of visitors and 30% of active participants were women. They advertise their services and they talk about their exploits just as the male contributors do. So this prompts us to consider further intriguing questions. How are we to explain the gap between female representation in the cyber criminal ecosystem and criminal justice statistics? Are UK women simply less present in the 10 forums that were analyzed by Trend Micro? It's possible. Might women show up less frequently in criminal justice data because they're less likely to get caught? We shouldn't rule it out at this stage. It may be the case that women are more successful cyber criminals, better at avoiding law enforcement detection. Could it be that law enforcement doesn't catch many women because it's not expecting to find them? We would need a lot of additional data in order to answer any of these with any level of confidence. At the moment, I'm afraid we just don't know.
What about the third attribute of the stereotype of the young white male? Popular culture does tend to associate technical ability with youth. Hackers are often portrayed on screen as boyish whizz kids, younger in years and less mature than other underground types. So we may be surprised to find that under eighteens represent just 3% of cybercrime defendants in England and Wales. Now the way the Ministry of Justice sets the age ranges here is a little misleading, as you might be able to see. They're not all the same length in years. In fact, the largest proportion of those prosecuted for computer misuse offenses, in blue, are actually in their twenties. It's those two here adding up to 35%. You may also be able to see that there is no one in the data who is under 15. The age of criminal responsibility in England and Wales is just 10. It's among the lowest in the world. The complete absence of 10 to 14 year olds here would suggest either that they aren't coming to the attention of law enforcement or that any charges against them do not go to court. And to that end, offenders who are under 18 may be given a youth caution for a first offense. Having said all of that, when we add malicious communications offenses to the mix, here in orange, we can see that prosecutions for the more technical cybercrime offenses do appear to have something of a younger demographic than those for cyber-enabled trolling and hate offenses. That tiny blue block towards the far right of the chart, just before the final orange one, that represents just one offender in the 60 to 69 age range, and we don't have any 70 plus for cyber crime. Earlier I used the phrase business model, which rather suggests, doesn't it, that all cybercrime is motivated by financial gain? We might assume, for instance, that organized crime is driven by profit, governments and activists by ideology, and teen hackers by the esteem and satisfaction that comes from beating a system that is designed to keep them out.
In reality, it's not always that clear cut. A court in the UK recently heard how two teenage boys, both diagnosed autistic, were part of the Lapsus$ international gang of cyber criminals. The elder of the two gained access to servers belonging to telecoms company BT and mobile operator EE, and he demanded a ransom of 4 million US dollars on pain of deleting the data. The boys also stole close to a hundred thousand pounds from a number of cryptocurrency accounts. The prosecution cited a juvenile desire to stick two fingers up to those they were attacking. But clearly the prospect of huge sums of money was something of a draw. We've also seen state-sponsored cyber criminals using ransomware to extort money. North Korea reportedly uses this business model to fund its espionage operations and its nuclear weapons proliferation. The Bank of Korea in Seoul estimates that in 2020 Pyongyang derived 8% of its GDP from cyber crime. So just think, if you've ever paid a ransom to cyber criminals, you could have chipped in for a missile for Kim Jong Un. One would naturally expect the spread of fake news and disinformation to have purely political objectives. Government agencies who want to influence the outcome of an election or sow discord in a community may well be ideologically motivated, but the grunt work of spreading false information is often outsourced to private companies and individuals whose motivation is financial. When the Russian government wanted to spread fake news during the 2016 US presidential campaign to the effect that the Pope was backing Trump, that Hillary Clinton had sold arms to ISIS and that Michelle Obama was a man, they reportedly paid young people in North Macedonia to do it. The town of Veles there, that you can see highlighted southeast of Skopje, has since become synonymous with the disinformation industry.
Speaking to Channel 4 News in 2016, a 16-year-old contractor said he was doing it out of boredom and because there wasn't much for kids to do around there. In 2018, another explained to France 24 that creating fake news websites allowed him to buy some new trainers (sneakers, for our international audience) and to go on holiday to Greece. Now in my lectures last year, we explored how cybercrime can be prevented through digital hygiene measures, the basic steps members of the public can take to protect themselves, their friends and family, their businesses, and the wider community. And we considered how the sheer scale of cybercrime, its international reach and its pervasiveness in society make it suitable for a, um, public health response with a focus on prevention at a population level, but also targeted interventions for at-risk and affected groups. In order to counteract cybercrime effectively, what we need to do is engage not only potential victims, but also potential offenders, and to understand that their motivations are several, not confined to a particular demographic and not always distinct. We can't always say with confidence that a cyber criminal is motivated solely by money or ideology or kudos. Timing is also key. Some government programs seek to raise awareness among young people that hacking is illegal. Others seek to harness their abilities and their need for achievement for good, for which read government approved activity. These initiatives depend on diverting young people before they commit a crime that comes to the attention of law enforcement and to ensure that they follow the path of the white hat instead of going over to the dark side with the black hats. But once an individual has been convicted of an offense, it can be challenging legally and practically to integrate them into the cybersecurity workforce.
And this means that the very people who can be of most use to a company or a country are often those who have previously been identified as a threat. Equally, there are cyber criminals whose motivations don't quite fit the archetypes. Um, this is generative AI's depiction of insider threat and it's fair to say, if you look closely, um, there are a few things that are not quite right with this image. Perhaps the most obvious and unnerving being the two neck ties, one of which is protruding directly from the subject's flesh. Now, insider threat can present itself in a number of different ways. Career cyber criminals may apply for jobs at organizations that they wish to infiltrate. Existing employees may go rogue because they have money troubles or a grievance or both. Well-meaning employees may fall for phishing attacks and social engineering. Because it can take time to establish whether a breach is accidental or deliberate, some cybersecurity specialists prefer to see all employees as potential threats until proven otherwise. We are all then to some degree under suspicion. Everything we've considered so far presumes that people engage in cyber crime willingly, albeit not always wittingly, but the last few years have seen the emergence of a new criminal business model in which people from East Africa, the Middle East and South America have been deceived into traveling to Southeast Asia where they are then forced to work as online scammers. According to the United Nations, this bears all the hallmarks of human trafficking and the UN estimates that 120,000 people in Myanmar and a further hundred thousand in Cambodia are currently being forced to work in this way. Are these people cyber criminals or trafficking victims or are they both? Should they be prosecuted or rescued? Duress under threat of death or serious injury is a recognized defense in a court of law. But how should society treat cyber criminals who are economic captives?
It can also happen that people who are motivated by ideology do not consider themselves to be criminals, even while they may actively engage in stealing data, disabling digital services and interfering with communications. You may recall that in 2013, Edward Snowden removed and leaked highly classified information from the US National Security Agency about its online surveillance operations. Whether you think he's a dangerous criminal or a public servant depends to some extent on your personal evaluation of the trustworthiness of governments. But what about where many thousands of otherwise law-abiding citizens participate in cyber attacks because they believe it's the right thing to do? People from all over the world have joined the volunteer IT Army of Ukraine. Its Telegram channel boasts a quarter of a million subscribers and a bilingual website provides attack instructions, suggested targets, command tools and bots for distributed denial of service attacks aimed at disabling Russian government infrastructure. Several governments have warned their citizens against getting involved because there is no legal protection for civilians who conduct cyber attacks, even if the cause is widely held to be just. Cybercrime is cybercrime is cybercrime. Or is it? In the first lecture of last year's series, Who Owns the Internet?, we discovered that definitions of what constitutes crime can differ from one country to another. In the ongoing negotiations for a UN cybercrime treaty, several states have proposed that certain types of speech be criminalized worldwide. Belarus, Burundi, China, Nicaragua, Russia, and Tajikistan want to outlaw, quote, "the distribution of materials that call for illegal acts motivated by political, ideological, social, racial, ethnic, or religious hatred or enmity, advocacy and justification of such actions, or to provide access to such materials by means of ICT". Egypt has called for criminalization of the spreading of strife, sedition, hatred or racism.
Jordan, hate speech or actions related to the insulting of religions or states using information networks or websites. With such elastic terms as enmity, strife and insult, there is a risk that many more of us could be branded cyber criminals in the not too distant future, simply for expressing our political views or criticizing someone in authority. Balances need to be struck carefully between, on the one hand, minimizing the use of IT to incite physical harm and, on the other, ensuring that our freedoms of speech and assembly are not unduly restricted. So are we all cyber criminals? Now, we clearly don't all commit technically sophisticated offenses on a regular basis, but an appreciable minority of us actively bend the rules and even break the law when using IT. A survey conducted by Forbes found that 42% of respondents used their work virtual private networks to bypass geographical restrictions on streaming services. You know who you are. Extensive sharing of passwords led to Netflix changing its policy in an effort to combat mass freeloading. In a 2021 survey of nearly 8,000 European youths, aged 16 to 19, one in eight reported engaging in money muling or laundering, the same proportion in online harassment, one in 10 in hate speech, hacking and cyber bullying respectively, and one in 11 for each of phishing, non-consensual sharing of intimate images, online fraud and identity theft. The signs are then that the cyber criminal population is diverse. It spans all age groups, all ethnicities, and all genders. At the same time, not all cyber criminals are stereotypical geeks. Not all are driven by a lust for profit, an extreme ideology or devotion to a motherland. This matters for several reasons. A diverse population demands a range of prevention, disruption, and enforcement measures.
Someone who is motivated by an extreme ideology may require de-radicalization to desist from offending, while someone who is driven into criminality by poverty may be better served by alternative employment opportunities. A deeper appreciation of cyber criminal demographics and criminogenic factors should result in better defense and better enforcement. The assumption that cyber criminals are male may well reflect male dominance in the cybersecurity industry and in law enforcement cyber crime units. It may also lead to missed opportunities to profile suspects and defend against them effectively. Here too, we really do need more data, but it's reasonable to infer that the more representative they are of the offender population, the better the insights and responses defenders can provide. Now you'll be unsurprised to hear that there is growing concern about cyber criminal misuse of artificial intelligence. And yes, this is what DALL-E 2 generated when I asked it for a robot cyber criminal. Still wearing a hoodie, you notice. Cyber attacks are already automated to some degree. Automation is what enables scammers to target many thousands of victims at once. And criminals can already use ChatGPT to generate scam marketing content and code. Tools that scan for vulnerabilities in networks and systems remove the need for a human to do so manually and they enable tasks to be completed more quickly and at scale. The potential for AI powered self-learning malware has been recognized, but so far (September 2023, in case you're listening after the fact) we haven't seen it in the wild. At some point we may need to entertain the prospect of machines as bad actors, cyber criminals in their own right, which will then prompt some interesting legal questions, among them: if AI commits a criminal offense and it is ostensibly autonomous, is it criminally responsible or would the authorities always pursue a natural person for creating it and deploying it?
Would we need to prove that that human had knowledge of AI's criminality or would we hold the human responsible simply because the offense happened on their watch, much as we do CEOs for the misdemeanors of their employees? As the images generated for this lecture demonstrate, I think we have a way to go yet. For the time being at least, there is still a person behind every cyber crime, a human operator. Understanding their thoroughly human attributes and impulses is challenging because we don't have those large international data sets that we would need to match the huge scale and the global reach of the crime. What we're able to glean from national data, research with limited sample sizes, and media coverage provides an incomplete picture, but also some fascinating insights that can test our assumptions, and it sets us thinking about how the cyber criminal population might evolve in the future. The cyber criminals we know are getting older. The hackers and social engineers of the seventies and eighties are already dying out. And if indeed it is the case that a large number of cyber criminals are motivated by the challenge of gaining unauthorized access to data and systems, well then we shouldn't necessarily expect them to hang up their black hats as soon as they reach the national retirement age, not least because they don't have workplace pension schemes. So we should probably prepare ourselves for a larger number of computer misuse offenders over 60 years of age than that lonely one that we saw earlier. When we look at cyber criminal demographics and motivations, we are forced to conclude that keeping an open mind and continuing to question that stereotype of the young white male gives us a better chance not only of preventing as many people as possible from becoming offenders, but also of stopping them re-offending.
And as digital technology presents us with a plethora of temptations to misuse it, as governments increasingly seek to define cybercrime as any misuse of IT, there is a real risk that even more of us will be cyber criminals. Hoodies of course, will always be compulsory, but the world's most notorious cyber outlaw could turn out to be an elderly woman, perhaps even a middle-aged one. Imagine that. Thank you very much.
Right, I have a couple of questions online.
I'm, I'm so glad you're taking... Fantastic. I'm so glad you're taking these questions, not me <laugh>.
Um, now are there any, Martin asks, are there any statistics on accidental cyber criminals, i.e. the prevalence of people without mal intent being taken to court for cyber crimes?
So the short answer is statistics, no <laugh>, um, perhaps information, case studies. Do such people exist? Um, so I think where we have that insider threat is really where we see, you know, most opportunity for that to happen. Um, we also have, you know, when I think about high profile prosecutions across national borders for, um, people with autism, that's not accidental necessarily, but the, the extent to which you can say that someone, mm-hmm <affirmative>, um, exerted their own impulse control, made an informed decision to commit a crime is called into question and is frequently called into question in courts of law. Um, I'd love to find some statistics on accidental. I think one of the problems we have with that is responsible breach disclosure. So a lot of the time if a company is breached and that's happened unwittingly or because someone's been tricked, that will stay in-house or in the UK it'll be reported to the Information Commissioner's Office, the ICO, but you wouldn't necessarily have that person named and shamed, um, in the public. Um, 'cause from my perspective, what I want to do is, is encourage a responsible culture where people feel it's safe to come forward and say, I'm really sorry I clicked on that email.
I know I wasn't supposed to but it, you know, I thought it was from my boss, et cetera. So statistics, not necessarily, we do have a few cases. People tend, I would like to think in democratic countries not to go to prison for things that they've done by accident in the cybercrime world, but I'm not ruling it out. Mm-hmm. Yeah, there's a PhD thesis waiting to be written, Yes. Absolutely. Absolutely. Yeah. Okay. Um, oh good lord. Suddenly we've got millions of questions. Um, uh, this person is interested in what can be done about state-sponsored, uh, I'm paraphrasing the question here 'cause it's rather long, but what can be done about state actors? Gosh, it's at what level? I'll try and break it down. I, Is there any hope is for dealing with, um, uh, Right Goodness cyber criminals who are essentially shielded by the state? I'm, I'm gonna try and break this down in a number of levels, but try and do it as quickly as possible. So apologies if we fly through this. Okay. Um, so, um, if you came to see my, um, fake news lecture last year, then you'll know a little bit about this. If you didn't, then please listen to it. I thought it was quite good. Um, and what we talk about state on state influence operations and disinformation campaigns, um, and I think the short answer is there will always be espionage, even quote unquote good countries like the US hack German chancellor's phones and things like that, allegedly. Um, so, you know, espionage isn't gonna go away anytime soon. Propaganda isn't gonna go away anytime soon, but what we saw certainly around 2016 with those influence operations, those disinformation campaigns, is that you and I became the front line of that because when we fell for it and when we shared those posts about Michelle Obama being a man, et cetera, um, we were doing their work for them. We were sharing, we were becoming part of the machine. 
So for all of us in this room and listening at home, the thing we can do is we can, by keeping ourselves safe and secure online and, you know, going through those basic digital hygiene measures that I outlined last year, um, by, you know, not becoming a victim of ransomware, et cetera, you know, we're actually starving North Korea of revenue. That feels pretty cool to me. So, you know, that's, that's the frontline. Then there is of course the diplomatic aspect of this and I said, didn't I, that extraditions happen very rarely. They do happen, but they happen between countries like the UK and the US that already work with each other. One of the reasons why there are still so many people on the FBI's most wanted list is that the prospect of Russia and China and North Korea turning around and going, actually you can have those guys, we'll send them over to you and you can lock them in prison are very, very slim. But what we do sometimes have also in the context of the UN Cyber Crime Treaty is people negotiating and navigating around each other to come to an agreement about how they deal with state-sponsored attacks. Because state-sponsored attacks are a problem for everybody. It's not just Russia and China doing it, it's the IT Army of Ukraine. You know, kind of getting all these volunteers, everybody's at it, nobody wants it, but it's a little bit like brinkmanship. And I mean one of the problems is of course scale. I imagine, you know, when a state gets involved in some, some of those numbers seem very large to me, large numbers of bad actors. There's a question here which I think is rather interesting, which asks you to talk a little bit about Bellingcat and/or citizen investigation of cyber crime, 'cause presumably that's a way you can get scale of investigation on the other side. Is that a realistic prospect? Oh yes. 
So, um, if anyone is sitting in here and sitting at home thinking, I'd like to become a civilian cyber crime investigator, I've had to have this conversation with my mom. She's the daughter of a police officer. She's very, very good at open source investigation. But I've had to say to her, no, stop it. Right? Because as I pointed out with the IT Army of Ukraine, unless you work for law enforcement, unless you work for the government, um, it's a little bit like the accidental question. You don't have any legal protection to do this. What you can do is look into information that everybody can access publicly. And that's where Bellingcat, I think has been absolutely fantastic. Um, so you can do that and there are some operational security tools that I would recommend everybody uses like virtual private networks to mask your IP addresses, mask your identity so that you can do that safely without being outed or doxxed to use cyber, uh, terminology yourself. Because it's not fun being outed as somebody who does these kind of investigations. Um, what I would advise you against doing is setting up fake profiles to go and pretend to be somebody else to go and interact with criminals. Um, you know, people do do this and, and for really, really good reasons and they mean very, very well. Um, but you can suddenly find yourself in a space where you're having, you're being forced to commit criminal act, you know, criminal offenses, and I don't want you to be in that situation. Um, what I do think is that Bellingcat and others have been fantastically useful in getting some of this data out. And I think one of the things we started to see as well, um, is, you know, more technical means of scraping data that help us understand, um, cyber criminal forums a lot better. Um, but scraping data, I mean, we've talked about this before, scraping data is good when the good guys do it, and scraping data's not great when the bad guys do it. So double-edged sword as ever. 
So for, I've got loads of questions here, which is great. So you mentioned forums, uh, and um, this question says there are many forums on the internet full of cyber criminals and they're not trying to hide themselves. Why do you think no action is taken about the forums? I think not the crimes, but the Yeah, the chat Between them. Yeah, so you've got, I mean, we Stop the chat, stop the crime, And, and I think part of the problem is we talk about the dark web as a single thing, but actually, you know, the, the, the person asking this question is absolutely right. There are spaces where people are saying, I've got credit card details and we'd like to buy them, and you can just go and look at that and it's quite scary. Um, scale is one thing. We've mentioned scale. There is so much cyber crime that ordinary law enforcement agencies will struggle to deal with it. So we need technical means to deal with that. That's why when we've talked about cybersecurity before, that's why cybersecurity companies and vendors get so involved in threat intelligence because they have resources that law enforcement doesn't. So scale is certainly one aspect of that. Um, I think it's also the international dimension again. Um, so if you think about a, a website where people will paste a load of stolen data or say I write malware, would anybody like to hire me? And actually that Trend Micro report that I mentioned is just one of, you know, those, those forums are exactly that. People even post profile photos of themselves and they have certain badges about, you know, things they can do. I can write ransomware, et cetera. Um, that there, There are people who've got their own photos up on. Yeah, Well you should have a look at that gender report. It's fan, it's fantastic. It's almost like, um, Top Trumps cards. So really sticking two fingers up to law enforcement when you do That. Certainly. Yeah, certainly. And, and so the international dimension of this is, is really tricky. 
I mentioned five of those forums are Russian language, so they're probably in Russia or Belarus or somewhere, you know, uh, Russian speaking. Um, and you know, the prospects of UK or US law enforcement dealing with those are quite limited. What they can do is they can work with the hosting companies if they're legitimate hosting companies to get the websites taken down. But, you know, um, the bad guys learned from this quite a long time ago and they set up their own criminal hosting networks. This is going back almost 20 years. So you, you know, you have things like bulletproof hosting, which is designed to be safe from law enforcement. So it is that cat and mouse game of every time we develop a solution to deal with a problem, there's a workaround that the bad guys do. It's not hopeless, but it does mean that, you know, law enforcement is constantly having to play catch up. And there's a related question here, which says, and why is it taking so long for the, the platforms to take responsibility? I'm not quite sure what is meant by the platforms, but possibly it's Facebook and the Alphabet. Yeah, Yeah. And it, it depends responsibility for what I suppose would be my, you know, my, but let's, let's try and break that down a bit. Yeah. So the first question I guess is, are those platforms a major source of communication between hackers or cyber criminals? Um, So it depends whether you're talking about technical cyber criminals or cyber enabled crime mm-hmm <affirmative>, and it varies a great deal from platform to platform. Um, so if we're thinking about dark web forums quite often they're not indexed by Google, so you wouldn't necessarily stumble across them in a, in a, in a Google search. Um, but, you know, some of the most, um, persistent techniques for criminals of all flavors to communicate with each other is to just use web-based email like we do. 
Um, but rather than sending an email, saving a draft email in your drafts folder, which means it's not intercepted in transit, it stays in your email drafts folder. So that's quite low tech, isn't it? It seems quite low-fi, but some of those things still occur. So, um, at the same time, so you, They share the address and they all log into the same, So yeah, and you just log into the same account at the same time. Um, there were services like EncroChat that criminals developed themselves to be an encrypted messaging system because they didn't trust that WhatsApp as soon as it was bought by now Meta as was Facebook, that it would still be secure for criminals. So there are, you know, specifically criminal designed communication systems. Um, I mean with something, with a service like Facebook, um, it depends whether you are talking about frauds, counterfeits, child abuse. If we're looking narrowly at cyber crime, um, really that's where the victim pool is, is on social media. Um, more sophisticated cyber criminals will tend to keep themselves in proprietary spaces. So that coordination tends not to happen, I would say so much on mainstream platforms. Um, but we are there and we're rich pickings if we don't protect ourselves. Right. So as an attack platform, a place where they can be attacked Yeah, it remains a problem. Yeah. And I didn't quite tease out a view whether they were being too slow or not. I mean, that was the nub of a question, I think. I think that's a really, really difficult one to answer. And not simply because for those of you who don't know me, I did used to work for Facebook in their law enforcement liaison quite a few years ago, and what I saw was that they were doing a lot and I, and I was part of that, you know, working with law enforcement cybercrime units, um, but with, you know, however many, I think we had 2 billion users at the time mm-hmm <affirmative> developing tools at scale meant that you had to have automated solutions. 
There weren't, there literally weren't enough people in the world to work those queues to keep people safe on those platforms. Which raises another question of, well, are some of these platforms just too big to be safe? That's a philosophical question. I think that, yeah, it might take a little bit longer to answer, but it's, it's challenging. And I think the short answer is that it's, they must and they should always do more and whatever they possibly can. I'm gonna sneak in one more. Yeah, perfect. If that's all right. Yeah. I know I'm putting you on the spot. To what extent has our culture of immediacy facilitated cyber crime? Should we just slow down and introduce more air gap systems? Yes, you can see what, you can see why I picked that as the final question, don't you? Yes. That's a fantastic question. Whoever, whoever asked that. Yes, absolutely. Right. Um, so as you know, I'm, I'm quite a fan of looking at social engineering and the, and the psychological and the emotional side of that. You know, what do most scams have in common? They say to you, you have won a massive prize, you have five seconds to claim it, <laugh> what? So it's really heightening that sense of urgency. Yeah, yeah. And of course our use of technology that is to a certain extent promoting a, a, a feedback loop of instant gratification. I think we should, you know, that we keep ourselves safe by going, oh, that doesn't look quite right. I'll just put that down and go and make a cup of tea and come back. And if the free iPad offer is no longer there, oh well it's gone. 
Now, when we talk about the metaverse and when we talk about, um, things like heads-up displays and displays that are delivered in our line of sight rather than on a screen at arm's length, we may have a bit of a problem with air gapping because if something, if a piece of fake news or an offer is displayed here and it runs as a ticker tape in front of your eyes or in the air, you don't have that opportunity to have that same critical physical critical distance. Um, and I wonder what we're going to need to develop as the human race to make sure that we still have that emotional air gap. Interesting. Yeah. And we Need, without having to take everything off, we need To slow it, don't we? Slower it time is pressing upon us. And on the topic of immediacy, well that was actually for me, instant gratification. So, uh, Victoria, thank you very much. Thank you.