Ciarán Galway sits down with the Garda National Cyber Crime Bureau’s Detective Chief Superintendent, Paul Cleary, to discuss his Bureau’s role and expansion, as well as cybersecurity trends.
Headquartered at Harcourt Square, the newest bureau within the Organised and Serious Crime (OSC) section of An Garda Síochána, the Garda National Cyber Crime Bureau (GNCCB) is tasked with providing top tier digital forensics on behalf of the Garda organisation.
Established in 1991, the GNCCB was previously a section of the Garda National Economic Crime Bureau and was known as the Cyber Crime Investigation Unit. As a result of the proliferation in cybercrime worldwide, and following recommendations in the Commission on the Future of Policing in Ireland report, An Garda Síochána was tasked with greatly increasing its capacity and capability in the area of cybercrime. The Bureau was subsequently re-established in its current configuration in 2017. Since June 2020, GNCCB has been led by Detective Chief Superintendent Paul Cleary, who has been entrusted with its expansion.
“This gives an indication of how seriously the organisation is taking this particular type of crime,” Cleary asserts.
Cybercrime can be separated into two components: cyber-enabled crime and cyber-dependent crime. Cyber-enabled crime is traditional crime, such as theft, harassment, child exploitation or fraud, that can be committed without a computer but is enabled by a computer in certain circumstances. Cyber-dependent crime includes hacking, ransomware, DDoS attacks and malware. As such, the GNCCB head affirms: “Today, most crime has a digital footprint, whether in the commission of the crime, the preparation beforehand or in the cover up afterwards.”
While cyber-enabled crime is generally investigated by colleagues across An Garda Síochána, the GNCCB is entrusted with digital forensic examination of computer media seized as part of investigations, including phones, laptops, desktop computers, SD cards, memory sticks and hard drives.
Meanwhile, cyber-dependent crime falls under the GNCCB’s proactive investigations and different sections within the Bureau ensure that it has the capacity and capability to investigate all types of cybercrime.
Structure and expansion
Overall, the GNCCB comprises two top tier digital forensics units known as Computer Forensics 1 (CFE1) and Computer Forensics 2 (CFE2); the Cybercrime Investigations Unit; the Cyber Intelligence Unit; the Cyber Security Unit; and the Cyber Safety Unit.
Discussing the Bureau’s expansion, the Detective Chief Superintendent highlights the recruitment of 25 new members of An Garda Síochána to the GNCCB in April 2021. A further 34 members are expected to be allocated in the coming months.
This is in addition to the decision to recruit 20 Engineer Technician Grade III Garda staff, the first time that civilian staff have been recruited at this grade and at this scale. While not sworn members of An Garda Síochána, having been initially assigned to CFE1 and CFE2, they will effectively be undertaking the exact same role as GNCCB detectives.
“Initially, they will be in the Computer Forensics Section,” Cleary indicates, adding: “That is where our biggest backlog is. We are anxiously awaiting the competition for the 20 civilian staff members to be advertised because we could do with that additional manpower here.”
Simultaneously, in recent months, four satellite GNCCB hubs have been established in Galway, Cork, Mullingar and Wexford. Although geographically disparate, these hubs fall under the governance and oversight of the GNCCB.
In addition, as part of its expansion, in conjunction with its partners in UCD, the GNCCB has trained almost 200 digital first responders across every district in the country. Whereas the GNCCB and its satellite hubs provide top tier digital forensics, the digital first responders are trained to assess, triage and preserve evidence on devices that they examine.
“Issued with specialist equipment, they are attached to district detective units around the country. We have them trained to a level whereby they can be brought on searches by detectives. If they come across devices, they can have a look and analyse it to determine whether it contains data of evidential value. They are a very important component of the GNCCB’s expansion plan,” Cleary maintains.
Acknowledging that talent retention can be a challenge for An Garda Síochána, given the competitive salaries available in the private sector, the GNCCB head argues that job satisfaction and the ability to “make a difference” matter more.
“Policing and law enforcement will always be attractive to those people who have public service values and who want to pull on the green jersey and assist in their communities.
“Working here in the GNCCB, undertaking the type of work that we do, people can absolutely make a difference. Plus, the type of experience that individuals get with the law enforcement grade toolsets that we use here is invaluable,” he says.
In recent times, instances of cyber-enabled crime, including phishing, smishing, vishing and scam calls, have increased exponentially. Simultaneously, cyber-dependent crime attacks are increasing greatly in numbers and sophistication.
Organised crime gangs are being increasingly attracted to cybercrime due to its potentially lucrative profits and limited risk of detection. If they are prosecuted, the Detective Chief Inspector suggests, they know that very often, the perceived white-collar crime can result in low sentences.
“We are all aware of the rapidly progressing digitalisation of society and business and the endless new opportunity this presents for criminals to steal data, cause disruption, and gain very lucrative financial rewards with limited risk. Over the last year, we have observed first-hand how the Covid-19 pandemic and the increased prevalence of remote working on unsecured devices have enabled cybercriminals to adapt their scams to profit from unsuspecting people and unprepared businesses.
“One of the biggest trends that we see in the cyber-dependent crime sphere is a lack of reporting by companies affected. We are very aware of the commercial agenda and potential reputational effects of a known data breach, but we would always ask companies and victims to report to the gardaí, even if they do not want to follow through with official attribution, we can still learn from the cyberattack and hopefully warn others,” Cleary reflects.
Ransomware is a form of malicious software or malware that infects a computer or network by encrypting its essential system files, preventing it from starting up. Other ransomware encrypts an owner’s files, leaving them inaccessible to the user. Infections can be downloaded or injected into the system from emails that appear to come from trusted contacts. They can also be embedded in attachments that appear important or have filenames that suggest they are worth opening, or downloaded from infected or insecure websites or personal devices.
Once the malware has been opened or downloaded, it can reside in a device’s memory until triggered or it can immediately begin encrypting documents, spreadsheets, or other files. The files are scrambled using a mathematical algorithm and a decryption key, known only to the attacker, is required to unlock them. Often, a message is displayed onscreen, telling the victim that their content is locked and that they must pay a ransom to regain access. In some cases, the attacker may claim that they are from a law enforcement agency and that the victim must pay a fine for accessing illegal material online.
Worldwide, the law enforcement community believes that ransomware has reached a tipping point, with many countries having elements of their critical national infrastructure crippled due to such attacks. INTERPOL advises that the projected worldwide financial loss to cybercrime for 2021 is valued at $6 trillion, twice as much as in 2015.
“We need a coherent effort to tackle this because if we are all working in isolation, it can become complicated by interjurisdictional issues. Cybercrime does not respect national borders; therefore, we need to get to a point where we can tackle it worldwide,” Cleary maintains.
The advice from An Garda Síochána and the GNCCB is that ransom demands to recover data should never be paid. There is no guarantee that the data will be released once a ransom is paid, and it is likely that more demands may be made following the first payment. As such, acquiescence encourages further ransomware attacks, creating more victims around the world.
While describing the recent ransomware attack on the Health Service Executive (HSE) as “an eye-opener for all of us”, the GNCCB head insists that the subsequent response was effective. Initially, the NCSC took the lead, and its priority was to restore the HSE systems safely, limiting the damage. Once that was complete, the GNCCB then moved in and began its investigation.
“There have been a lot of lessons learned through this attack which will only make us more prepared in the future,” Cleary observes, adding: “There was some level of preparedness there already, the response was good. It was great to be able to demonstrate how we can immediately come together to act and make tangible progress.”
The organised cybercriminals behind the attack utilise Conti ransomware and are known as the ‘Conti Ransomware Gang’. “To date, our investigation over the last 14 weeks has made great progress. We have a very good insight into how these cybercriminals conduct their business. We have seen the modus operandi that they use and know that they are financially motivated, as well as seeking to cause as much disruption as possible to their targets in an effort to encourage them to pay,” the Detective Chief Superintendent outlines.
Despite the challenges, including pursuing cybercriminals across multiple borders, Cleary believes there is a realistic prospect of justice being served. “We always have to be optimistic because yes, while it does present challenges, I know from my experience that criminals will always make mistakes somewhere along the line and we will always be there to capitalise on those mistakes. They only have to make a mistake once.
“We are collaborating with INTERPOL and EUROPOL on a concerted effort to use our combined law enforcement skills and resources to mutually beneficial aims. If you consider how we are already doing this with drug trafficking and importation and human trafficking investigations, you will see the same standard being applied to cybercrime investigation as is assigned to those other investigations. Yes, it is difficult. Yes, there are some areas of the world which are not as receptive to our inquiries as others, however, we keep going.
“Sanctions do not always come in the form of putting handcuffs on someone, there are a number of alternatives that can be attributed to these cybercriminals. I am cautiously optimistic that we will see attribution and sanction against those involved in these cybercriminal gangs.”
On a personal level, for Cleary, the greatest successes of the Bureau to date have been in the area of child exploitation. “The exploitation of children and the proliferation of child abuse material is one of the most heinous crimes that the GNCCB investigates. This crime targets the most vulnerable in society and there is a victim in every case,” he notes.
A significant amount of GNCCB time is willingly spent on identifying the perpetrators of these crimes and their victims. The Bureau uses recognised tools and techniques to ensure its examinations can locate and identify the best evidence to prove the guilt or the innocence of the suspects involved.
“We also draw on the investigative skills of examiners that they have built up over their experience as gardaí in regular and specialist policing roles,” the GNCCB head says, elaborating: “This is essential to their work which does not just involve the examination of computers, but must also involve an interpretation of the evidence, based on experience and what their investigative head tells them.”
Consequently, the work of investigators and examiners at GNCCB can be emotionally and psychologically demanding, especially in cases involving physical or sexual assaults on children. The wellbeing of his colleagues is at the centre of Cleary’s work, and he identifies staff welfare as a primary priority.
“Our teams are encouraged to use the supports that exist within the organisation, including mandatory supports, enhanced counselling, the employee assistance service and the peer support network, while also looking out for each other.
“I take staff welfare very seriously and it is a priority for me that we do have the supports in place to assist the members when they are tasked with this challenging and demanding work,” Cleary concludes.
Detective Chief Superintendent Paul Cleary
A native of Ronanstown in Dublin West, Paul Cleary has 28 years of policing experience. Starting off in the north inner-city, he spent three years in the North Central Divisional Drugs Unit, two years in the Special Detective Unit and another five years as a district detective in Store Street Station.
Cleary then spent several years as a detective sergeant in the Operational Intelligence Section as a CHIS handler, three years as detective inspector in Kevin Street Station, investigating serious and organised crime, including gangland murders. He then worked as the Dublin Regional Detective Superintendent in charge of CHIS and as a detective superintendent for west Dublin, based in Blanchardstown.
After promotion to Chief Superintendent, he spent a year-and-a-half in the Garda National Roads Policing Bureau at Garda Headquarters. Since July 2021, Cleary has been assigned Head of Bureau as Detective Chief Superintendent in charge of the GNCCB. He also has additional responsibility for two other OSC bureaus: the Garda National Technical Bureau and the Garda Operational Support Services.