From terrorism to Trojans

If you were looking to recruit a national lead for cyber security, the murky world of counter terrorism policing might not, on the face of it, seem the obvious to start. 

But that is precisely the trajectory of Neil Sinclair’s career, via a stint in financial crime. Starting with London’s Metropolitan Police in 1985, he eventually found himself dealing with domestic and international terrorist threats, both in Scotland Yard and around the world, in locations like Ireland, Moscow, Colombia and North America. 

Post 9/11, the focus of counterterrorism policing shifted towards the financing of attacks, recalls Sinclair. 

“So I moved across, having got slightly older and deciding that running around with a gun under my arm wasn’t such a good thing with young children around, into the financial investigation side.

“Post that period, virtually every big terrorist incident that happened in the UK came across my desk and I was involved with it at some level. And that culminated in me moving across to a government agency and being their financial intelligence lead.”

After a career that had seen him move from police officer into specialist operations such as intelligence, surveillance and financial investigations, Sinclair hung up his Met boots in 2016, expecting to find himself another role in the financial intelligence world.

But that was not to be.

Cyber symbiosis

“Various people approached me and said, Well, the cyber world is where the interest is and with your background, having been involved in breaking that in some ways to do the intelligence work I was doing, there was a natural symbiosis.”

Sinclair outlines the areas of convergence between handling cyber crime and counterterrorism and financial investigations. 

“Social engineering is very much assumed to be a cyber-related asset, but it isn’t. It’s something that I have been aware of and used in investigations for a very long time, so from that point of view, I’ve got a developed understanding of how people are susceptible not only to being victims of crime but of actually committing the crimes in the first place. 

“There is a big difference in the way the cyber security is portrayed, being about processes and about equipment, to the way I look at it, which is much more about the people and what is happening in people’s lives and the business life cycle.” 

“What I did laterally in my career was actually using the holes, particularly in the financial sector, to gain intelligence that, for the most part, people believed was innately secure. So I’ve kind of gone from a little bit of poacher to gamekeeper. Obviously there’s a lot of ethical hackers who maybe have come from the “dark side”. But the interesting thing about me is I’ve been a spook and now I’m not. So that also gives a slightly different perspective in the room.”

That diversity of perspective could be an invaluable tool in a sector that is plagued with misperceptions, both about the nature of the work and the people doing it. A study conducted by (ISC), a US-based international cyber security association, uncovered “a perception gap about the realities of the profession. There is no educational foundation to awaken interest in the field or even influence the public’s understanding of what it is and how those who participate in it perform their tasks. It appears that gap is being filled by media stereotypes.”

… “In almost any procedural drama on television, there is one character who possesses uncanny technical abilities that enable them to ‘hack a mainframe’ or decrypt databases within seconds and retrieve the key data that saves the day. This archetype is not relatable to a majority of people and is a fictionalized representation of those in cybersecurity. The image is positive but distorted, possibly contributing to the perception of the need for highly specialized, technical skills to do the job.”

Such perceptions may be divorced from the reality of cyber security work. But, nevertheless, Sinclair believes there is a place for addressing the realities of cyber criminality at the level of the average small business owner.

“I think a lot of the technology side of the business – and this is a conversation that I have had – is they’re quite proud of their knowledge, but also quite dismissive of people who don’t have it. And so there is this massive divergence at a broad level that the people who know what the problems are don’t really talk to the people who have to pay to have it improved in a language that they understand.

“I’ve spent a lifetime talking to people who I can’t actually tell everything to because of security clearances and that sort of thing, so my ability to sometimes dumb down or obfuscate the real problem is quite a strength in doing that.”

Catching criminals

From the mid 2000s, cyber crime had become an area of increasing importance for policing, as both individuals and businesses began to succumb in greater numbers to fraudulent online activity. 

Sinclair explains that among the difficulties of policing cyber crime is the fact that it often crosses police lines, spanning Met and regional constabularies, as well as international boundaries. In addition, in the UK, criminal prosecutions predominantly take place under one piece of legislation, the Misuse of Computer Act.

“So the police are inundated with requests to help, but are hamstrung by legislation and geography, and just the pure physical thing of having enough people, and enough experience, enough know how to do a full on investigation,” says Sinclair.

“It emerged really that a lot of the cyber security vendors, although they were interested in the concept, they actually themselves couldn’t service the SME market”

There had been a police-sized hole to deliver services to an area of crime that traditional policing, with its emphasis on crimes against individuals rather than businesses – though this is changing, Sinclair says – often hadn’t been able to reach. Yet it is often businesses that reach out to the police when attacks happen.

Sinclair was approached by Police Crime Prevention Initiatives (PCPI), a not-for-profit organisation owned by the police that focuses on innovative crime prevention and demand reduction initiatives. He identified the need for something to akin to Cyber Essentials – a Government-backed scheme to help organisations protect themselves against online threats – but specifically for the SME market.

“I established that the one thing that the marketplace at both ends really appreciated was something that had a police standard in it. You can extrapolate that across to everything in the world, really – even your most hardened criminal likes to put police-endorsed doors and windows in their property to stop everybody coming in (not least the police). And so it’s the same with the cyber world. A lot of people were saying that if there was something out there that was police-backed, then that would that would really work.” 

Meanwhile, the London Digital Security Centre (LDSC) had been set up in 2015 as a joint venture by the Mayor of London, the Metropolitan Police and the City of London Police. Its remit was to protect businesses, especially SMEs, to operate securely in the digital environment.

“It emerged really that a lot of the cyber security vendors, although they were interested in the concept, they actually themselves couldn’t service the SME market… they just didn’t have the pricing points or the capacity to service those, so there was a big fall off, really, of what the LDSC’s partners wanted to do and what could actually be delivered to the LDSC’s members, who were these small businesses.”

Sinclair wanted to combine the idea he had taken to the PCPI with the issues faced by the LDSC.

“A lot of the work that the LDSC was doing, particularly in the community, has a very unique selling point in that rather than do things online, which obviously mostly cyber security does, LDSC actually goes into the communities, usually accompanied by police officers, and talks to businesses – that old-fashioned thing of actually talking to people face to face – and that was very well received.” 

But a London-centric organisation would have less resonance in other parts of the UK, and so the Police Digital Security Centre (PDSC) was formed, of which the London Digital Security Centre is now part, with Sinclair now as National Cyber Lead.

Getting the message across

As far as the dangers facing SMEs go, Sinclair sketches out the likes of phishing, malware attacks, risks arising from sharing personal information on social media, use of insecure devices at a time of mass remote working, and the burgeoning adoption of the Internet of Things. 

As far as longer term trends go, however, he is firmly rooted in the here and now. 

“Users are a long way behind than the technical people. So what the technical people see as happening, the users are so far behind it, most of them are still getting to grips with the fact that they should have two-factor authentication – they’re not really worried about quantum computing or anything like that. So we have to be, from where I am, talking to small businesses who will generally do nothing, because it’s cheaper and it takes less time to do nothing and everybody tells them they’re going to get hit anyway so why bother wasting any time?”

“There’s an awful lot of talk about really good stuff [in the cyber security world], but it’s only applicable to enterprise for the most part, and enterprise are way ahead of the curve without doubt.

“But they have not only left behind 97% of businesses, they also don’t give them any consideration. It’s all very well for somebody who’s got the support of GCHQ, NCSC, the Department of Culture Media and Sport for everything that they do and have been told they have to have Cyber Essentials Plus, and ISO 27,001 [certification] to get contracts, but that is only 3% of businesses, and even some of those haven’t done it. And they can spend thousands on their tech department and their cyber security. But most businesses will rail at having to spend £350 pounds on Cyber Essentials.”

“If you or I walked into a florist’s on a high street and said, We’d like to talk to you about your cyber security, they’d probably, quite rightly, tell us to sling our hooks”

 Despite huge amounts of effort ongoing from all corners of the cyber security sector, for businesses at the SME end of the market, sometimes the message struggles to get through.

“There is masses of advice and, for the most part, the end user, particularly in the SME area, doesn’t know where to turn to. Because they don’t. They just don’t. And the end result of that is that they turn off completely.” 

For Sinclair, the USP of the PDSC remains face-to-face contact with everyday, high street businesses that might not be switched on to cyber security concepts.

“If you or I walked into a florist’s on a high street and said, We’d like to talk to you about your cyber security, they’d probably, quite rightly, tell us to sling our hooks. But if you’ve got a uniformed police officer or community support officer with you, they’re much more likely to say, Oh yes I’ve got 10, 15 minutes. And actually that’s all we need to make them think.

“There is a prevalence of fraud in the industry that everybody knows what cybersecurity is and why they should be doing it. Well, I can walk into any number of hairdressers’ and florists’ along any high street and say, What can you tell me about your digital footprint? And a high number of them will say, I don’t actually have one. And I’ll look at their desk and say, Okay, there is a machine that takes payments, that’s connected to the internet isn’t it? Oh no, it’s Wi Fi. Yes, well that’s a start. And how do you keep your diary and your calendar? Oh, we use Google mail. So there’s a second one. What would happen if you lost that calendar for 72 hours? Oh, all my customers would go next door, and I’d probably never see them again. So that’s quite a big thing to lose. How do you protect it? Oh, it’s in the cloud. And so is every model in Hollywood’s photos in the cloud, and we’ve all seen those.”

Sinclair flags a lack of communication between funded bodies addressing cyber security issues, which is the case from the national right down to the local level. 

“The analogy that I use is we’ve all been asked to go away and make this huge tank move forward. We’ve all worked out it’s got to have treads on it, but nobody’s told us what size it is, so we’re all developing different size wheels. We’re all trying to do the same job but at the end of the day the tank’s not moving. And I think that is a big problem.”