Complex threats in a globally connected world
Matt Horne
Law Enforcement and National Security Strategic Advisor | Former Deputy Director National Crime Agency | Now enabling the global intelligence and investigations community to achieve better outcomes through technology
From organised crime and fraud to insider risk and national security, complex threats present universal challenges. Only by leveraging data, intelligence, collaboration, and technology, can organisations develop effective strategies to outpace adversaries in this increasingly interconnected world.
In the run-up to the UK Finance Economic Crime Congress on 12th December 2024, I’ve been reflecting on how we can transfer knowledge and experience of complex intelligence and investigative operations across domains.
At the UK National Crime Agency I was accountable for threats ranging from organised crime groups (OCGs) carrying out global drugs and weapons trafficking, to cyber actors conducting ransomware operations, to predatory paedophiles grooming and abusing children, through to economic crime OCGs committing fraud, money laundering, or circumventing sanctions.
When I transitioned to Clue Software my remit diversified substantially. We support organisations combating economic and organised crime, delivering economic deterrence, protecting against insider threats, and safeguarding national security — on a global basis. This ranges from global technology providers to governments; major retailers to international sports; law enforcement to critical national infrastructure; and financial services.
Through this journey it has become evident to me that the same intelligence, investigative, risk and prevention challenges apply in law enforcement and government as they do across the broader threat landscape where Clue’s customers operate. I’ll delve into a few of these below and draw out the learnings and the opportunities for improved response.
Navigating large and unstructured datasets
In all the complex cases I have seen, both in my operational life and subsequently when supporting operational personnel with technology, data has exponentially increased in volume, complexity and diversity. Examples include data harvested from online infrastructure or chat groups used by cybercriminals, and the expansive digital forensic yield from servers, computers, and mobile devices encountered during most intelligence and investigative operations.
Also noteworthy are the large sets of transaction data, either financial or communications, which are captured or monitored as part of an operation. In each of these situations, the challenge is not only identifying the alerts, markers and hits needed to intervene early, but also building up a multi-layered and connected intelligence picture which will enable deep insights to be unearthed and illuminate the bigger picture.
The capability to work with disparate data regardless of origin and make links between entities such as people, online identifiers, locations, organisations, events, communications, and financial assets is mission critical.
This applies whether you are countering sanctions circumvention, organised fraud attacks, or the corrupt activities of Politically Exposed Persons. It applies when conducting due diligence on high-risk clients, as it does when facing criminal actors seeking to steal intellectual property or encrypt your data for ransom. Likewise, it is vitally important if you are combating OCGs and national security threats or protecting the vulnerable from exploitation and abuse.
Unmasking threats hidden behind anonymisation and encryption
Whilst I was leading complex cases, and when supporting Clue customers in their vital missions, I observed that clandestine behaviours and obfuscation through anonymisation or encryption always feature heavily. This includes cyber actors or paedophiles operating under online aliases, using anonymisation techniques or communicating via the dark web.
Other examples include OCGs using specialist ‘high end’ communications platforms incorporating end-to-end encryption and other countermeasures to law enforcement tactics. Alternatively in sanctions, fraud, money laundering or corruption we see shell companies, complex business structures and trusts, incorporated in multiple international jurisdictions, to hide ultimate beneficial ownership of assets or funds.
In these varying situations, common patterns often emerge, including the need to attribute a real-world identity to an online moniker or communication selector. Intelligence, investigative, security or risk teams need capabilities to peel back the layers of obfuscation and make links between disparate sources of data to prove the ‘who, what, where, when, and how’ that are so important in complex cases.
Addressing the international dimension
Contemporary threats frequently materialise across international borders, including via the online environment, bringing additional challenges for operational teams responsible for their mitigation. Threat actors do not respect jurisdictional boundaries and actively exploit weaknesses in international cooperation between states. They also need to move commodities, funds, people, and assets across continents requiring substantial global transport and logistics infrastructure.
Likewise cyber actors choose to reside within hard-to-reach or outright hostile foreign states and often work in partnership with hostile regimes. And commodity based OCGs will create powerbases in jurisdictions which offer attractive benefits of access to networks in source countries, specialist criminal services, or perceived protection against extradition.
Organised fraud networks attack citizens, financial institutions, and the public sector from the other side of the world. Meanwhile the proceeds of crime are frequently divided, moved overseas through mule accounts and layered through opaque business structures in multiple jurisdictions to avoid detection and seizure.
Law enforcement, intelligence or judicial cooperation are critical components of addressing international challenges within complex cases. But even where an organisation lacks statutory or judicially authorised methods in the international environment, there are still effective tools that, in my experience, all complex casework relies upon, such as open-source intelligence (OSINT).
I have lost track of the number of times during my career that intractable challenges with attribution in complex operations such as cybercrime, economic crime, or organised crime have been cracked open due to innovative use of OSINT and by following the digital breadcrumbs left by adversaries.
Tackling the role of corrupt enablers
Enablers, professional or otherwise, are also a hallmark of complex casework, regardless of threat type or domain. They range from resellers of specialist encrypted communications within organised crime to specialists in technical surveillance countermeasures, offering services to locate listening devices and tracking equipment used in surveillance.
Likewise, corrupt or criminal enablers can be found in any chokepoint or logistical infrastructure through which illegal commodities move, for example transport providers, or borders, ports, and airports. And, of course, corruption in public bodies, law enforcement, or within private sector organisations can give threat actors access to insiders with privileged access, the ability to tip them off, or the ability to facilitate their criminality.
And enablers are commonplace in economic crime or economic deterrence focused operations. For example, facilitators working for oligarchs seeking to protect their wealth, or corrupt legal, business registration, and accountancy professionals sustaining money laundering and proceeds of crime. This is also a significant issue in the evasion and circumvention of sanctions, enabling corrupt and hostile regimes to bypass controls, facilitate their economic activities, and access the technologies, materials, and knowledge needed to sustain hostile aggression and war.
Whilst the typology of the enablers may vary by crime type and threat type, the basic underpinning aspect — that corrupted people with privileged or trusted positions, or with specialist knowledge and access, are a threat — is true across the board. And it is only through meticulous intelligence development, analysis, enrichment, and sharing between agencies and organisations that these well-embedded enablers of crime can be identified and addressed. There is of course much more to do on the issue of enablers than pure intelligence and investigation alone; supervision, enforcement of professional standards, monitoring, reporting, and whistleblowing are all equally important.
Keeping pace with technological advancements
Technology enablers exploited by threat actors are both prolific and fast-evolving. I spent a significant part of my career countering the impact of encryption in respect of serious organised crime, working on methods to lawfully acquire access to data through digital forensics or through lawful and warranted intelligence collection.
I also witnessed first-hand how the cyber domain poses challenges including how to employ effective threat intelligence to acquire foresight on attacks, or how to attribute the identity of those responsible. The additional demands of negotiation, incident response, remediation, forensics and other investigative methods combine when dealing with cybercrime operations of sophisticated adversaries, including those operating under the authority or consent of hostile nation-states.
In economic crime terms, we see the increasingly ubiquitous use of virtual assets and cryptocurrencies in a wide range of offending, from frauds and ransomware to laundering the proceeds of organised crime. Criminals and other threat actors will frequently adopt technology to facilitate their enterprises, hide their identities and whereabouts, or to simply operate faster and at greater physical range than they could in an analogue sense.
Commodified access to generative AI technologies also offers threat actors new methods to escalate and accelerate fraud, identity obfuscation, malware coding, and more. For those leading complex cases in economic crime, organised crime, public protection and security, or corporate threats, the fast-evolving nature of technology will always create a sense of an ‘arms race’ between adversaries and protectors.
Concluding thoughts
Detection of threats and identification of adversaries through intelligence collection and data analytics are vital for any team or organisation with complex operational challenges in terms of managing threat, risk and harm. But in my experience, these capabilities are often emphasised at the expense of developing an effective strategy and capability to manage the ‘so what’, or the next steps following the identification of threat and risk. Tasking sources and collection assets or consolidating wide-ranging data sources provides the lifeblood of any effective operation. But identifying what is important to your intelligence picture, or your investigative strategy, and distilling that within a core knowledge base that provides a single version of the truth upon which an effective response can be managed and delivered is equally vital.
In tackling complex cases, whether in economic crime, organised crime, or national security, common themes emerge: the effective use of data, collaboration across borders, managing insider threat risks, and addressing the challenges posed by enablers including corrupt professionals or the criminal exploitation of technology. It is only by combining advanced intelligence methods, innovative technology, and coordinated efforts, that we can outpace adversaries and deliver meaningful impact against complex and evolving threats.
If you'd like to delve deeper into the themes explored in this article or learn how Clue Software is helping teams to tackle these complex challenges, connect with me on LinkedIn or meet me at the UK Finance Economic Crime Congress on 12th December 2024.
CEO | Cybersecurity Innovator | OT & IT Endpoint Security | Critical Infrastructure Protection | Post-Quantum Data Security
2 months
Matt Horne Thank you for sharing your reflections—many of your points resonate with the challenges I see in cybersecurity today. The ever-growing complexity of data, anonymization, and encryption creates significant hurdles for defenders, particularly when adversaries are quick to adapt and exploit technology. Your observations about the cross-border nature of threats and the role of corrupt enablers are especially pertinent. Whether it’s organized crime, economic crime, or national security, the same patterns appear: fragmented intelligence, difficulty in attribution, and gaps in coordination. From my perspective, the “arms race” between adversaries and defenders highlights the need to simplify our response and address the root causes of vulnerability. Too often, organizations are overwhelmed by complexity, rather than enabled by it. I’d be interested to hear your thoughts on how we can better align intelligence, technology, and collaboration to stay ahead of these threats. There’s clearly much we can learn from bridging experiences across law enforcement, government, and the private sector.
CCO @ Clue - Leading a rapidly scaling software business as we help organisations to detect threats early, protect the vulnerable, and hold criminals accountable
2 months
Thanks Matt - you’re right to draw these parallels. We have observed first hand how there are important consistencies of approach when tackling threats across varying sectors, yet sharing best practice remains very limited.