Features
A holistic approach to fighting cybercrime: A conversation with the RCMP’s Chris Lynam

Chris Lynam has been with the Royal Canadian Mounted Police (RCMP) for over a decade, but his public servant days started long before this. He has worked in several other government departments, including National Defence, Public Safety Canada, as well as the Privy Council Office, where he focused on emergency management, security and intelligence work. He also has a background in the military and has been a reservist in the Canadian Armed Forces for almost 30 years.

“My initial role within the RCMP was in the policy space, and then I started looking at how the RCMP could better address cybercrime,” he says. When the opportunity came for Lynam to lead The National Cybercrime Coordination Centre (NC3), he jumped at the position and has now officially been in the role for four years. The NC3 has a team of approximately 80 people, 10 of whom are police officers, and the rest are civilian members and public servants. It’s a diverse, multi-interdisciplinary team that focuses on intelligence, technical aspects, behaviour analysis and more.

Law enforcement’s role in combatting cybercrime

Cybercrime is a growing challenge for all of society. Victims can be individuals, businesses, or any kind of organization in Canada. Lynam suggests that the types of cybercrimes are becoming more complex and impactful than what has been seen previously. “In many cases, what we used to consider a serious cybercrime a few years ago, now we wouldn’t think of them as serious.”

As an example, in 2015, the website AshleyMadison.com was breached, and highly sensitive data about the website’s users was posted online. “At the time, this seemed like the biggest kind of breach, but when you fast forward to now and see the Toronto Sick Kids Hospital getting hit with a ransomware attack right before Christmas that impacted their systems, we see how much the cyber space has changed and evolved throughout the years.”

What causes the biggest challenge for law enforcement is the borderless nature of cybercrime. There may be victims all across Canada, but the perpetrators are often in other countries all over the world. “Finding data or evidence to build your investigation for another jurisdiction is extremely difficult, and we run into a multi-jurisdictional challenge that our traditional policing model wasn’t set up to tackle.”

So what does this mean?

The RCMP’s NC3 was created to try to bring synergy to all the different police services in Canada that are looking at and working on cybercrime. “We wanted to try to move them all in a similar direction, and enable them to carry out investigations with the help of specialized tools and intelligence, and partnerships. These partnerships reach across the country, of course, but also reach to our neighbours to the south in the U.S., to Europe, to any like-minded country, so that we can have a team approach to going after cybercriminals.”

Lynam knows that there is a lot of work to do but sees that they’ve made significant progress over the last few years. They’re starting to see a lot more operational successes these days.

How the world of cybercrime is changing

Lynam believes the biggest change seen over the last few years is how cybercriminals are continuing to adapt, whether it’s their tactics or the technology they are using. “They’re constantly evolving, at it’s really accelerated over the last four to five years.”

Another big change the NC3 is seeing is the education level of the cybercriminals. Years ago, to be a cybercriminal, a person often needed to have high-end software development and coding skills, and they needed to understand how the internet really worked. “That model has now changed. These days, cybercrime groups offer what we call ‘cybercrime as a service’. You don’t need to be a cybercriminal, you don’t need to do the coding yourself—you can buy, or lease, an attack. So you could, with minimal technical knowledge, attack another organization very easily, which is why there are more cybercriminals popping up.”

In a recent project called Operation Cookie Monster, officials took down Genesis Market, which was an online marketplace that offered access to people’s online accounts. “This didn’t just provide people with stolen credentials; it also provided the ability to emulate someone’s device or computer. As an example, the Market would put malware on your computer, gather information, and then sell access to your various online accounts to others. You wouldn’t even know that they’d logged on as you, and could do whatever they liked.” Lynam explains that law enforcement teams came together to take down the marketplace and seized their infrastructure and domains. As another step, the NC3 – in partnership with other Canadian law enforcement organizations – went after the users who were purchasing the stolen credentials.

“In Canada, there were many people doing this because it was so easy to do. In this investigation, we worked with 28 different police services across the country to execute nine search warrants and nine arrests. There were over 60 incidents where the police officers went to the home of a suspected user and asked to speak to the person in question. In some cases, they learned that the user had almost no idea what they were getting themselves into,” says Lynam. “In this way, we were able to show them that they really don’t want to get involved in this type of activity, and maybe we diverted them from becoming a hardcore cybercriminal down the road.”

Technology needs are changing

Cybercriminals are amongst the first to adopt new technologies. As an example, some have embraced AI (artificial intelligence) and new platforms such as ChatGPT. “We do our best to adopt new technologies, but of course, we don’t have an endless budget for that. We also need to use technology legally and think about privacy considerations. This is where cybercriminals sometimes have a leg up, because they’re not worried about breaking the law,” says Lynam.

Working hand-in-hand with law enforcement agencies is just one piece of the ever-evolving puzzle of fighting cybercrime.

His team works hard at building their own tools in-house to better detect what cybercriminals are doing, or better analyze how an attack occurred after it has happened. “It’s really important for us to stay abreast and try to adopt the newest technologies out there, when we can.”

A holistic approach

When Blue Line asked Lynam about the success rate of arresting cybercriminals, he responded that, unfortunately, it’s not as simple an answer as you might think.

“We’re trying to move away from the simple metric of success coming from how many criminals get arrested and charged. Our mandate is to reduce the threat and impact of cybercrime on Canadians, and so we’re using a much more holistic approach to reduce those aspects,” he says.

As Lynam describes, on one end of the spectrum is the preventative work: this is where law enforcement does the diversion work and focuses on the offenders themselves, and they give as much information to potential victims so they can stay safe online. At the other end of the spectrum, there are the apprehensions, the arrests, charging individuals through investigations, etc. But what’s more important is what police are increasingly playing into, which is the disruption space.

“It’s hard to put handcuffs on a cybercriminal located in another country, but we can work with our international partners to disrupt their activities by seizing the infrastructure they use, taking their domains down, helping interdict the flow of money or cryptocurrencies, and help victims get some of their money back.”

Strategic partnerships

Working hand-in-hand with law enforcement agencies is just one piece of the ever-evolving puzzle of fighting cybercrime. Working with the private sector is becoming increasingly important. “Everyone from the private sector and non-governmental sectors, to academia, to legal firms, to tech giants—we need everyone to work together. We spend a lot of time and effort building those relationships and figuring out ways to collaborate.”

Lynam also sees a reluctance from the public to report to police when they—or their organizations—are victimized. By working with their strategic partners, like incident response or cyber insurance companies, or even lawyers, they can advise victims on why it’s important to report the incident, what role law enforcement plays, and their successes at solving these kinds of crimes.

This leads into another part of the holistic approach to addressing cybercrimes, which is the victim notifications. “What a lot of people don’t know is that our law enforcement partners, particularly international law enforcement partners, sometimes even companies from the private sector, will come to us and say, ‘Hey, we’re seeing a ransomware attack happening against a Canadian victim. Can you do something about that?’ Once we have this information—whether it comes in the form of an IP address, or we’re given a name—we find this victim and reach out with the help of our partners across the country and tell them what’s happening. They’re told that they’re being attacked, and they need to pull the plug on their devices, and so on. Sometimes they already know they’re being attacked, but other times, they have no idea,” says Lynam. “At the end of the day, we want the public to have a trusting relationship with us, and we want them to know that the police are out there in the cyber realm trying to help out folks.”

Cyber hygiene

In closing, Lynam shares the importance of cyber hygiene for everyone—including police officers. “Make sure you have those really hard passwords, the multi-factor authentication, and think before you click on any link. If you take that extra two seconds to think ‘Is this real? Does this make sense?’, you could be saving yourself from becoming a victim. We often say that if people took a little bit more time, or reached out to someone before they clicked on something, we’d be able to prevent a lot of cybercrime and online fraud.”

Editor’s note: At the time of this interview, Lynam had recently addressed conference delegates at the 35^th Annual Forum of Incident Response and Security Teams (FIRST) event in Montreal, Que.