NCA Boss Says Agency Had No Power to Prosecute Russian Cyber Gang

NCA Boss Says Agency Had No Power to Prosecute Russian Cyber Gang
A computer keyboard is lit by a displayed cyber code in this picture taken on March 1, 2017. Kacper Pempel/Illustration/Reuters
Lily Zhou
Updated:

Russian hackers who were sanctioned for targeting hospitals during the COVID-19 pandemic couldn’t be prosecuted because the National Crime Agency (NCA) lacks the legal power, the head of the agency said.

NCA Director General Graeme Biggar told a joint committee of parliamentarians that the agency would “very much like” its extraterritorial jurisdiction expanded so it can extradite foreign cybercriminals.

In February, the UK issued its first cyber sanctions with the U.S. government against seven Russian cyber criminals who had been “associated with the development or deployment of a range of ransomware strains” and malware including Conti, Diavol, Ryuk, Trickbot, Anchor, BazarLoader, and BazarBackdoor.
According to a joint statement issued at the time by a number of government departments, the NCA had identified 149 British victims including British schools, local authorities and firms. Other victims of the ransomware included U.S. healthcare providers, Ireland’s Health Service Executive, and the Costa Rican government.

Speaking to the Joint Committee on the National Security Strategy, Biggar said, “What we’re not in a position to do—because they are based overseas, they are not UK citizens, and they weren’t using UK infrastructure—is to have arrest warrants out against them.”

Biggar told the committee it’s currently “very hard” to get a case taken to court if the suspect is not a citizen or resident of the UK and not using UK infrastructure, meaning perpetrators of the “vast majority of online crime” can’t be prosecuted.

“So we would really very much like the extraterritorial jurisdiction of the CMA to be expanded to allow us to do that in a way that many other countries, including the Americans, can,” he said.

He noted that a suspect would need to be arrested in a jurisdiction that would extradite them to the UK, citing an example of a “relatively major cyber criminal” who was arrested after travelling to Switzerland.

In November last year, CNN said Swiss authorities had confirmed that Vyacheslav Penchukov, a Ukrainian hacker wanted by the FBI, was arrested in Geneva and was awaiting extradition to the United States.

Sanctions Do Work

Noting concerns that ransomware groups were able to “rebrand and develop new strains to evade sanctions,” crossbench peer Lord Dannatt asked if the NCA wanted more “weapons” other than sanctions, to which Biggar said while it’s preferable to “arrest them and put them in prison. ... Given what is possible, we do think it is a useful tool.”

Rob Jones, NCA’s director general of operations, told the committee that sanctions have bigger effects on criminals than people think.

Citing the example of Maksim Yakubets, a Russian hacker wanted by the FBI, who’s known for his playboy lifestyle including driving a Lamborghini and keeping a tiger as a pet and who’s allegedly the leader of Evil Corp, Jones said: “By being able to publicize them, call them out, restrict their travel, prevent them from being able to spend their money and travel around the world, that starts to bear down on ... the incentives for criminality.

“It does matter to those individuals whether they can travel, whether they can spend their money, and whether they can access a Western lifestyle,” he said.

“Unfortunately, most of that measurement effect is classified, because we collect it through classified sources. But we’re content that that effort made a difference.”

Other powers

Biggar also called on the legislators to give the NCA more powers by criminalising data theft and increasing the sentencing for cyber crimes.

According to Biggar, there is currently no offence the NCA can use against data theft. “Nor is it an offence to handle stolen property if it is data,” he said.

“Those are major impediments for us in being able to investigate and disrupt the crime, because data is the currency of the modern age and there is a massive value to that. So to not criminalize the theft of it or the handling of it is just wrong,” he argued.

The directors also argued that the sentencing in existing legislation, such as the Computer Misuse Act, needs to be higher, both to fit the crimes, and to give the NCA more snooping powers.

Jones said the 1990 law was designed to deal with “people stealing each other’s passwords or doing stupid things on computers,” not “ elite Russian-speaking actors targeting the UK and extorting millions of pounds.”

Low sentences for cyber crimes, often a maximum of two years, also mean the NCA can’t use covert powers, such as hacking the suspects’ equipment because they can only use those powers on crimes serious enough to warrant sentences of more than three years, Jones said.

Related Topics