Boosting Specialist Cybercrime Capabilities through Regional Special Operations Units

In this case study, we’ll look at how regional special operations units are improving defences against cybercrime.

We heard from members of Northumbria Police, the North East Regional Cyber Crime Unit, Durham Constabulary, and Cleveland Police.

They discussed the overarching national and regional strategies, with a focus on improving incident response in the education sector.

National Cyber Security Strategy and Regional Special Operations Units

The National Police Chief’s Council (NPCC) launched the National Cyber Security Strategy in 2016, with the aim of making Britain secure and resilient in cyberspace. The strategy set out cyber security plans from 2016 to 2021.[1]

This strategy funded regional organised crime units, within which the North East Regional Cyber Crime Unit (NERCCU) operates.[2]

There are ten organisations dedicated to fighting serious organised crime throughout the UK, forming a network aiming to protect citizens from organised crime, including cybercrime.

Each regional cybercrime unit is split into four teams, in line with the four P’s of policing and the national strategy for fighting organised crime; pursue, prevent, protect, prepare.

Pursue
Pursue officers investigate criminality, execute warrants, and put people in front of the courts.

Prevent
Prevent officers are dedicated to identifying those on the periphery of cybercrime, educating them and steering them onto a different path such as academia or employment.

Protect & Prepare
These areas are interlinked with officers working across both protect and prepare teams.

Prepare officers are concerned with thinking about how organisations can respond if they find themselves victims of cybercrime.

This includes creating business continuity plans and incident response plans.

Protect officers disseminate information to businesses, organisations, and members of the public in order for them to better protect themselves against cyber attacks.

The NERCCU began in 2014, with the hiring of three detectives and an investigator, operating mainly under the ‘pursue’ remit, but it quickly became apparent that due to the nature of cyber crime the unit were not going to be able to “arrest themselves out of the problem.”[2]

To provide a more comprehensive approach, two protect and prepare officers were hired in 2016, and in 2017 three prevent officers were brought in.

In 2019, the Regionally Managed Locally Delivered (RMLD) framework was introduced nationally, across all four P’s of policing, aiming to increase the capability of regional police units.

RMLD works via a supervisor who operates at the regional crime unit who takes claims made by victims and delivers those to ActionFraud, then disseminating action points to the local forces.

Tackling cybercrime has become a priority for the UK government for a number of reasons:

• 39% of businesses in the North East identified cyber security breaches or attacks in 2020
• £8,460 is the average annual cost for businesses that lost data or assets after a breach
• This amounts to 27,869 businesses experiencing breaches, totalling £235,775,124 in losses across the North East[2]

The types of things the team are defending against include phishing campaigns, ransomware, and vulnerable software and hardware.

Ransomware is commonly used by criminals who will steal or encrypt files and demand a monetary sum for their return.

Vulnerable software and hardware can mean either vulnerable to attack or too error-prone meaning mistakes can be made too easily.

Due to the large uptake in people working from home, phishing campaigns have massively increased, with millions receiving false emails with malicious software attached.[2]

Regional Strategy

The role of the regional special operations units has been to translate the overarching national strategy into regional action plans.

This has included engagements with sole traders, charities, individuals and communities in order to better equip them with the knowledge and resources to eliminate potential cyber-attacks.

There is also an emphasis on engaging with the victims of crime through ActionFraud referrals, helping them recover from any losses.

Alongside this, front line policing has also been undergoing a large upskilling and training programme, improving capacity across the force to deal with cybercrime.[2]

The NERCCU has executed the strategy by coordinating proactive and reactive engagements with small to medium enterprises, large businesses, business clusters, and banks.

They have also established the Influence Network to share best practices through the national working group.

There has also been a large effort made to increase the provision of products and services across the region, improving the project’s development and capability to tackle and prevent cybercrime.

Some of the available protect products include:

• Cyber Basic Reviews
• Vulnerability Assessments
• Police Cyber Alarms
• Staff training
• Cyber meetings and webinars
• Cyber exercises[2]

Claire Turnbull, Force Specialist Cyber Prevent and Protect Supervisor at the Durham Constabulary highlighted the benefits to being part of the North East Cyber Protect Network.

Claire highlighted that the support, guidance, and effective communication provided by the network was invaluable in upskilling all members of the team, which is then passed on to businesses and the community.

The increased capability of the Durham Constabulary to deal with the impacts of cybercrime as well as better prevent and protect against it has also proven pivotal.

Finally, the increased reach of engagements in the community through the help of the network has helped more people and organisations prepare for any potential cyber-attacks.

Improving Incident Response

An example of the work the NERCCU has carried out is providing support and coordinating responses to the increased cyber threat to the education sector.[2]

In August 2020 two universities in the North East fell victim to individual strains of ransomware, resulting in sensitive data breaches.

The NERCCU attended daily group meetings to provide victim care in collaboration with Northumbria Police, as well as coordinating the ‘protect’ messaging.

This messaging detailed how the ransomware was operating and how it had accessed their systems, and the messaging was then disseminated to others throughout the sector to help them spot the signs of this strain of ransomware being active.

January 2021 saw another increase in the ransomware threat to the education sector, in part due to the Covid-19 pandemic forcing rapid digitisation across the industry.

The NERCCU created and distributed core protect messaging to Directors of Education in local authorities as well as via school liaison officers.

In February 2021 a specific strain of ransomware was identified as a method of attack against the education sector. The NERCCU distributed the ‘Indicators of Compromise’ messaging through their established links in Directors of Education across local authorities, as well as helping to build a better picture of what was happening through collaboration with industry partners such as Cijax.

In March and April 2021, further ransomware attacks were identified, and the NERCCU continued to coordinate response plans and share information with established partners to continue fighting against the cyber threat.

Whilst the aforementioned threats occurred in the Northumbria area, being part of the North East Cyber Protect Network meant the messaging and learning could be distributed across the entire North East, preventing other institutions from suffering from the same attacks.

The shared learnings have also improved investigations into cybercrime, as a more coordinated approach has allowed Pursue Officers to spot commonalities and pool resources to catch the perpetrators of cybercrime.[2]

---

[1] Gov.UK. 2017. National Cyber Security Strategy from 2016 to 2021.

[2] Hudson, Jon. 2021. Regional Cyber Protect & Prepare Officer, North East Regional Special Operations Unit. An overview of Regional Special Operations Units.

[3] Turnbull, Claire. 2021. Force Specialist Cyber Prevent and Protect Supervisor, Durham Constabulary. Improving Incident Response.