It takes a complex coordination of law enforcement, judicial processes, and technical capabilities in order to truly disrupt cybercrime. What’s more, all of this work has to be able to cut across barriers of language, culture, and geopolitical divides. So much of cybercriminal activity today is run by very mature criminal gangs who operate widespread global organizations that have no respect for laws or borders. This is why takedowns of cybercriminal activity and widespread preventative campaigns need a high degree of international cooperation in order to truly make a difference.
This is the role that the International Criminal Police Organization (Interpol) plays in the fight against cybercrime. Interpol recently celebrated its 100th anniversary, and as it steps into its second century of operation it remains highly relevant as a policing organization of our technical age. Interpol’s global cybercrime program is one of four law enforcement pillars of the organization, alongside terrorism, organized crime, and financial crime and corruption.
Just in the last couple of months, Interpol has led publicized cybercrime-fighting efforts through its Synergia operation, which led to widespread takedowns and numerous arrests in the Middle East and Africa, and its Operation Storm Makers II campaign, which targeted criminals operating in dozens of Asian countries who ran cyberfraud operations that engaged in human trafficking to perpetuate their scams.
In spite of these kinds of public actions, many in the cybersecurity community may not fully understand how Interpol has the authority and trust to get all of this work done. At the RSA Conference USA 2024 last month, Craig Jones, Interpol’s director of cybercrime, offered a deep-dive look into how the organization works and also how it cooperates with private firms to carry out its mission.
Here are some of the most relevant facts for cyber defenders to know about how Interpol runs its global cybercrime program.
The Facts
- Cybercrime is one of Interpol’s Four Global Programs
Interpol operations are centered around four global programs. In addition to cybercrime, the three other major areas the organization covers are terrorism, organized crime, and financial crime and corruption.
- Interpol Doesn’t Directly Lead Cyber Investigations
One of the common misconceptions about Interpol is that it directly leads investigations and that its agents are the ones that make arrests of cyber kingpins. The reality is that Interpol is more like a program management agency. It helps different countries’ law enforcement agencies work with one another; it brings analysis of data about cybercrime from different countries and can help track down global cybercriminal organizations; and it can offer significant administrative support and professional training to law enforcement at different agencies around the world. In many ways, Interpol is the largest threat intelligence operation in the world.
“I cannot lead an investigation. I can coordinate, I can support, I can help facilitate those operations, but I can’t directly tell a country what to do,” explained Interpol’s Jones.
While Interpol may issue advisories about criminals, it is up to local law enforcement agencies to make the arrests when they find these lawbreakers. It takes coordination and negotiation between countries to decide on criminal jurisdiction, depending on where the crime was determined to happen, where the criminal is from, and where they were nabbed.
- Work Is Coordinated Across 196 Member Countries
Interpol is a politically neutral organization run under a constitutional system, with the full support and representative governance of its 196 member countries.
“We have elections, and in 2024 we’ll have a new Secretary General elected, and that Secretary General sets the direction for the organization,” Jones said. “We have a constitution, and we have different articles in that constitution that precludes us from being involved in anything of political, military, racist, or religious.”
Think of member countries as a pyramid, Jones said, where at the top there are 30 to 40 countries with advanced cybercrime fighting capabilities.
“They can run a full investigation, they can do everything that needs to be done and they can work very, very effectively together in that trust model with certain countries, but also in those 30 to 40 countries there are going to be those that are not going to speak to each other,” he said.
In those instances, Interpol acts as a neutral go-between to help coordinate between those different countries that may not play nicely together and to help them safely collaborate on what they each know about cybercriminal activities in order to help aid global investigations.
Meanwhile, in the middle strata are the countries that have a “reasonable capability and capacity” for fighting cybercrime. For these countries, a big part of the focus is global information-sharing and analysis.
“So, we look in their countries and say: ‘Okay, where are the victims? Where are the threat actors? Where did they structure that country?’ Then, through our response, we activate those data sets, we share that information into those countries affected by that activity, and we offer to help support and coordinate those operations with them,” he said.
Finally, there are the countries that have very few capabilities and very little capacity for fighting cybercrime. In those cases the goal is to help them prevent crime in their country, feed them information, and help them build out their capabilities through training and support.
- Interpol’s Global Cyber Program Consists of Three Major Components
The mission statement of the Interpol cybercrime program is “Reducing the global impact of cybercrime and protecting communities for a safer world.”
According to Jones, while this may mean helping to orchestrate arrests and shut down criminal groups, a lot of this work is around investigating cybercriminal activity and gathering evidence, disrupting cybercriminal capabilities, and helping countries build up their internal capacity to do this work themselves — and also to prevent attacks in the future.
In order to carry out this mission, the program is broken up into three major components.
Cybercrime Threat Response covers the aggregation of data and information from law enforcement and private sector partners around the globe. This is Interpol’s threat intel powerhouse, which puts out threat advisories and threat assessment reports. Then there is the Cyber Strategy and Capabilities Development component, which handles a lot of the outreach and training between agencies and private enterprises. And, finally, there’s Cybercrime Operations, which handles not only law enforcement coordination but also takedowns of compromised infrastructure.
“Over the last five years we’ve become more operationally focused,” Jones said, explaining that this means that they’ve blended capabilities development with operational work, so they’re training countries as they help them run investigations. “The way we’ve moved is that now when we do a training, it comes with an operation — we’ll provide the training to the countries that don’t have those capabilities and that want to increase their capacity to deal with cybercrime.”
- Coordinated Through Regional Desks
Coordinating investigative and operational cyber research can be a tough task when Interpol deals with its members on a country-by-country basis, explains Jones, who says that this kind of 1:1 communication doesn’t scale well. In order to help facilitate investigations and operations, Interpol organizes a lot of its work through four regional operations desks in Africa, Asia & the South Pacific, Europe, and the Americas.
“When we go into a single country at a time, that’s not always really effective or the best use of our resources, which is why we have a regional model to do that work,” Jones said.
Each of the regions is an important spoke of the work, though a lot of the leadership for Interpol’s cybercrime program is based in Singapore, which is where the ASEAN regional desk is located and where Jones himself is headquartered. Singapore is the home of the Interpol Innovation Centre, which runs four labs for facilitating research around responsible AI, emerging threats, digital forensics, and global developments around tech, strategy, and policy.
Built and funded in partnership with the Singapore government, this hub was built to help break Interpol out of its mold as a “Western-leaning” organization and to tap into Singapore’s position as a leader in tech and finance.
“You have all the big tech companies that have their regionals there, and all of the banking networks are there as well,” Jones explained. “I’m able to jump on a bus, go down to Microsoft, and have a meeting with the APAC CISO without having to fly 13 hours somewhere.”
- Public Partnership Depends on Reporting and Data
In addition to coordinating data collection and action across law enforcement and other government agencies, another big part of Interpol’s cybercrime program is collaboration with private partners. Whether they are financial organizations or giant global tech firms, private partners provide Interpol with valuable data that feeds its threat intelligence capabilities. The giant tech firms are also big partners in helping to disrupt cybercrime operations, taking down infrastructure that feeds illicit activity “without breaking the Internet,” Jones said.
“We’re able to receive data sets from private partners that are phenomenal — data sets I would not normally see at a national level,” Jones said, explaining that the quid pro quo value for private companies often comes in the fact that Interpol can help them fight the criminal elements that are causing financial losses in a very tangible manner.
“Sometimes you need that handhold on (criminal) shoulders — having them arrested and taken off the street.”