Bridging Borders: How INTERPOL Tackles Cybercrime Worldwide with Craig Jones

Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied Podcast. I'm the host of the show, Joe Carson. It's a pleasure to be here. And we're always exciting to bring new guests, new people, new ideas, to really share with you some of the best practices, knowledge, and really help you make the world a safer place. So I'm going to pass it over to Craig. Craig, welcome to the podcast. It's a pleasure to have you on. I'm really excited. I'm excited about today's conversation. Do you want to give the audience a bit of a background about who you are, what you do, and some interesting things about yourself?

Craig Jones:

Absolutely, Joe. But thanks very much for having me on. And, obviously, you couldn't get someone of interest today, so you've got me, effectively. Craig Jones-

Joseph Carson:

Absolutely not.

Craig Jones:

So recently retired from public service in the UK, about 40 years public service. My last position was at the National Crime Agency, part of a national cybercrime unit. But I've been seconded out from there to INTERPOL, where I've been running their INTERPOL Global Cybercrime Program in Singapore, from 2019 up until July this year, effectively. So, yeah, really happy to be here, and have a discussion with you about all things cyber.

Joseph Carson:

Absolutely. So where did it all start? What was your journey? How did you get into this situation? What was your background originally? Because this probably wasn't the place where you thought you'd end up.

Craig Jones:

No, I joined the Royal Navy when I was 16. And my first assignment, you go into the careers' office, and I think they obviously have a quota to fill, and the quota they were looking to fill that day was in communications. So I went into the Royal Navy as a junior radio operator, second class. Got sent off to do my basic training, but I ended up in a place called HMS Mercury. And I got taught to touch type. And as a 16-year-old, being taught to touch type, many years ago... And we'll work ages out later. But doing A-S-D-S, J-K-L, and for what a waste of time. Morse code, I enjoyed doing Morse code. But, actually, that was the start of that digital journey for me.

So in communications, then, when I joined my first ship, lowest of the low, your job was still all those menial tasks. So I used to take out, at eight o'clock in the evening, probably about 20 boxes, unscrew them, pull all the wires out, use the codes, and then start physically wiring the codes for encryption. And as you changed over at MidnightZulu, you just crossed your fingers and hoped, as the ticker tape came through, words came through and not gobbledygook on the screen, effectively. And I've just waved my hands, and we've got some balloons coming up.

Joseph Carson:

I love that. That's fantastic. We'll keep that going.

Craig Jones:

And then, I then have one too many Sunday nights in railway stations, going back on trains to ships, decided for career change, and went into the police. That was in the early '90s. Was going through down the investigation route, unfortunately, got injured on duty, and pensioned out. So I had to pivot on what was I going to do then. And, actually, went into an organization called the Federation of Communication Services, FCS, because my last role in the police when I had... Sorry, I've got a reconnecting thing here. Apologies, Joe. That was just a thing going around my screen.

Joseph Carson:

No problem.

Craig Jones:

It's growing. Yep.

Joseph Carson:

I'll correct it a little bit later. You'll see the blurring stuff, but we should record enough, obviously.

Craig Jones:

No, this is like the wheel of doom going round on my screen, so yeah.

So yeah, I came out from policing and went to the Federation of Communication Services. And my last role in the police, I'd been looking at mobile phones. So how could law enforcement use mobile phones, effectively, we'd go after the bad guys? And it was when we still had analog phones, so there was no card in there. And we did cell site analysis and mapping. It was uber secret at that time. This was the biggest secret. But what we had was criminal groups were stealing mobile phones and re-chipping them. So I went to the Federation of Communication Services, and was basically then training police about how to investigate mobile phone crime, how to go after the criminals. But it was in a physical sense then because they were using phones. Then went off to the Probation Service and other things, but ended up back in forensics in the police. And then started that digital journey properly in about 2000, when we really started looking at law enforcement, one, about how we could utilize digital forensics, but also draw data sets out from the criminals.

And then that led into the cyber piece. So one of my roles in 2012 was to set up a regional cybercrime unit. How do you go about that? Who's done it? Well, no one has. Okay, well, how do we do this in the best way to start developing a team regionally? And then ended up with the National Crime Agency in 2017, under the National Cyber Security program, not long after WannaCry. And that's probably a story we can get into because I've got an interesting story on that as well. And then, 2019, got supported in an application to INTERPOL to be their Director of Cybercrime, got through the interview process. And then I found myself sitting in an office in Singapore, running a global cybercrime program. And here we are today, maybe six years later, retired, maybe a few more wrinkles, a few more gray hairs. But, yeah, there we go.

Joseph Carson:

I'm in a similar situation with the wrinkles and the gray hair, that's for sure. I think your background is fascinating. Definitely, when I hear you talking about in the Navy, talking about communications, that's a huge foundation because of understanding about everything we do today in security, all comes down to communications. A lot of people try to, say, expertise with ham radios because of the connections and the background. They're so still running on all systems and fundamental-

Craig Jones:

Yeah, if you want to start talking propagation, DEF, one or two layers at night, then combining, and things like that, we can have a whole separate conversation on that.

Joseph Carson:

But one of the things is for me is absolutely, when you talk about the timelines as well, is that through those early 2000s and 2010-plus, is that the crime wave. The way the crime was being done was going through a massive transformation, where people were no longer going into doing the old brick and mortar type of crime, they were moving online. What were some of the early crime things that you started seeing, doing the forensic side? I think because one of the things is, there was this transition where it was about using technology in traditional crime, to your point, mobile phones communicating and so forth. Then it moved into being 100% in the cyber side. What were some of the transitions you saw? What were some of the interesting moves or techniques of that?

Craig Jones:

Yeah, I think what we saw is exactly that. In the digital economy that the internet then helped support, develop and grow, allowed companies, organizations, businesses, to be more effective, reach audiences in different ways, do different ways of working. Criminals just did exactly the same. Go back to why was the FBI formed, back in the day? Well, it was because, all of a sudden, you had criminals who had access to motor vehicles. And they realized, if they went over state lines, they could do a crime in one area, drive across a straight line and they wouldn't be touched.

Now, that's an interesting analogy for where we are at the moment around the criminals online, around the world. But exactly that, the criminals looked at an opportunity. It's like everybody didn't quite maybe understand what was involved to start with, but then realized, "Hey, we can make some money here." And, actually, chances of being caught for doing this initial scam, or the tele-frauds, where they would set up a premium rate line, divert phones and things like that so they would make money that way. And then they became... I don't want to use the word sophisticated. But as the technology became more sophisticated and more adaptable, the criminal groups adapted in that environment as well.

Joseph Carson:

Absolutely. The bar came lower, the onboarding in technology made a much more broader perspective of everyone having access to it.

Craig Jones:

For sure. Let's go back, maybe even just 10 years, some of the tools that we can just sit and download on our phones now, that was state-level capability. And only a few of those states would be able to access that. And I think this is where we're going to have the blurring within that cyberspace, where, is it a state actor? A near state actor? Is it a mercenary? Is it an organized crime group? Is it a single script kiddie? We've got such a wide range in that space, it then makes it hard sometimes for law enforcement to differentiate who are the threat actors. And, historically, and still now, law enforcement is set up to deal with crime on a local level. There's always a victim locally, so that's not going to change. 101 of policing, protecting communities.

But when we come at looking at that outcome around arresting a criminal, and that law enforcement outcomes, judicial outcomes, locking people up, yeah, we can lock people up. And that does give, shall we say, society a break, and we lock criminal up. It protects society from that criminal. But we don't see that so much in this space. And what we haven't done effectively, I would say, at this moment of time, and the challenge that I had at INTERPOL, was how do we change that model a little bit? How do we make sure that we're not going to be judged on the amount of arrests we're going to do? Because that's not really that efficient. How do we look at the vulnerabilities, and actually do that community-based policing with, effectively, the private sector of the industry? Because they're the ones that are able to make those changes.

Why is it that the brakes improved on cars? Well, cars got faster. There was an accident, and people started being injured. Seat belts. So there were improvements made, but that was sometimes pushed within a certain sector or industry, and you'd see that in a certain country. So some countries have got really great roads, great infrastructure, great cars. And you'd probably mirror that in terms of their cybersecurity and platforms. You go to other less developed countries, you will see that level of technology in the vehicles, maybe not as high, or the infrastructure, but actually you will see it a little bit higher within the tools. Because they're able to reach in and grab those tools from wherever around the world.

Joseph Carson:

Absolutely. It reminds me of all the places I've been driving around the world, where you've got some countries where the infrastructure's really good, where you have those guardrails. You've got the rules, you've got guardrails, you've got signs, you've got warnings. And in other countries where, basically, it's just a free-for-all, and there's no rules, no guardrails. And you just have to know what the other person's going to be doing and try to avoid it.

Craig Jones:

And, also, underlying all that is, that's done for safety. So when we have the language and the conversation, we're looking at keeping pedestrians, cyclists, drivers safe. And people can identify with that. I think if we then use that analogy in cyber, and we start talking about security, technology, vulnerabilities, but the language doesn't quite translate then, in terms of your general public or communities under... "Oh, cybersecurity. Oh, I've got to keep updates, patching. What? No, I don't get it." Just click, get me online, sort of thing. So, sometimes, the analogies just work very well but, sometimes, maybe they don't, yeah.

Joseph Carson:

So I've got one story that I want to share with you, and get your insights into it as well. Because I think it was important, as part of the transition I find, when working from cybercrime, and then also working with law enforcement as well, was quite number of years ago, I was brought in to help. It was a government that asked me to look at the forensics of a specific case. And, basically, it was an incident where a government official had received a death threat. And it was via, basically, email. So they'd received an email, death threats, they're going to harm the person. And getting into the forensics, and looking, and tracing, going back to tracing all the sources, and looking at the multiple hops that that email had made. So one of the things that... First, it came from another country. And then you had to work with that country, law enforcement for the ISP, in order to get them to share data. Because if you don't find out information about where the source was, once it leaves your borders, it gets very, very challenging.

Lucky enough, these countries had good relations, so they were willing to share the information about the account and where it was signed up from. And all of this led back to a internet cafe, in the same country where the threat was made. So we left the country, out to the borders, came back in. And then, so, basically, then, working with the law enforcement. Yeah, it goes all these dots around the world and, basically, comes back. So ended up getting into where we had, basically, information about where the origin came, which was an internet cafe. And, again, into then where... It was then handed over to local law enforcement to go and collect the evidence. So they got a court order, they got all of the information. And they went into the internet cafe. And their instructions was to collect the computers, is to gather all the computers, in order to then go and start analyzing where this original... Which machine was this originally sent?

Now, at the time, the local law enforcement, really, they weren't ready for these types of cybercrimes or warrants, when they saw what was in the collection order was computers. And they went in, they collected the computers. But when we went in afterwards, we found that, actually, they only collected desktops. There was so much other things like network devices. There was games consoles. There was lots of other devices in there. And we had to go back, and had to get a request in to go and collect pretty much everything.

So, eventually, going back to finding out, of course, the problem was the internet cafe. They didn't keep good records of who was coming and going. It was all paper scribbles. It was all cash in hand, a lot of the time. So it was very, very difficult to find out who the person was. But, ultimately, what we ended up finding, the original source, actually, the email was sent from a PlayStation, which was from the internet cafe. But because of that, local law enforcement... It was that time where we were cross-educating law enforcement into letting them know what types of systems they need to be collecting, what things they need to be looking into. And then, actually, of course, they find the person of high confidence, and that person was then put on their watch. But it was an interesting case for me because it was showing where the cyber knowledge and the law enforcement knowledge was starting to converge.

Have you seen that type of... I guess, for INTERPOL, that's something that is probably one of the main initiatives is to educate and to get in that operation. How has that been transitioning over the years?

Craig Jones:

Yeah, exactly that. I think what happened is, we started seeing these crime types, and a report would come in. And quite often, you'd say, "Well, it's not really our jurisdiction. It's not in our area. It's not this." And you'd go through quite a lot of effort not to take the report, potentially, because you knew, or didn't know, how you were going to investigate it effectively. Or what was the likelihood, coming back to my comments earlier about the judicial outcome. Now, in your case, that's a great example where at least you had it in the country. So you probably had the legislation was the same, so you had a good start there. But then you saw the same things, and the same things we're seeing now is, what's the evidence you're looking for? And how can you secure that evidence? Noting that, historically, some of our investigations, we would just go in and seize everything. So, actually, that business would stop functioning.

And then, how do we then analyze that evidence? So it's not just like going in, "Oh, you saw this, you saw this. Okay, let's write a witness statement." Get it signed, done. You're done in 30 minutes. It's all the after bits to it as well. And that comes back to my earlier comment about law enforcement being effectively set up to deal with these types of cases.

What we've seen, certainly from the INTERPOL side, we had four objectives within our strategy. One was understanding the threat picture. So looking at that criminal... I've got a thumbs up now. The threat picture, we then had setting up operational teams, so in countries or regions, operational teams to do that operational activity. But we had to keep it at a fairly high bar. Crimes that are causing high harm, high impact, high volume, or of high interest.

Thirdly, capability and capacity building, that's the key one. So I divided the world into a triangle. You had countries of 196. Top tier were really good capability, good capacity. But as you said, sometimes countries don't speak to each other. So INTERPOL's role there is to make sure we act and facilitate as that key nuclear interlocker. I'm probably maybe getting some experience on that side of it. The middle tier was those countries that had some capability, and we could help provide platforms in order for them to communicate and share information and evidence, but also hook them into the private sector as well. And then the bottom tier were those countries that didn't have that capability or capacity, would not have been able to investigate that type of crime you mentioned, and are still not able to now. But where we can work with them is understanding who the victims are, who's been impacted from cybercrime, which then comes back into the first one about understanding that threat picture.

So we're taking a global challenge, and trying to deal with it on a global scale. But we're really trying to break it down into manageable parts. And where INTERPOL tools and platforms can be used in terms of sharing information and best practice, or operational activities and coordinating operations, or building out capability and capacity. I would caution on this as, law enforcement, we love a good training course, we love a certificate on a Friday afternoon, but how effective is that training? So one of the things we introduced, or I introduced as part of the program is, when we did training, it had to come with an operational activity. So whether it was compromised servers and ISPs or things like that, we trained law enforcement how to deal with it. We gave them the tools and then said, "Right, here's an operation you can go and do now."

Joseph Carson:

That's really interesting. One of one things to... We went through this whole transition, where ransomware became one of the top criminal activities. And that was always a massive challenge globally for the organizations and countries around the world. And I think one of the momental shifts was during the WannaCry and NotPetya. And I'll never forget having to work around the clock in the months after, helping organizations recover and get back to operations. How was that time for you, and what was your experience during that time? Because that was probably one of the realizations. It was the pinnacle point, where a criminal truly went 100% online. It was like, this is now cross-border, they can operate, they can get paid from anywhere through cryptocurrency. How was that experience for you?

Craig Jones:

So I think we were on this steady curve and trajectory. And then I would call, certainly those cases, as high harm, high impact, and high interest. But, actually, the scale was high volume as well at that time. And all of a sudden, we had this situation. If I take the WannaCry one, where on a Friday lunchtime, we started mobilizing. We were getting the calls, and then mobilizing internationally, nationally, regionally, and locally. So I was driving down to Ilfracombe at the time, and there's an interesting connection there, as Marcus Hutchins was in Ilfracombe at that moment in time, in his bedroom, at his mum and dad's house. What we had to do then was understand, well, what role does law enforcement have in this moment in time? Where's that global coordination?

So we did lots of work, going out to hospitals saying, "Okay, we need to seize this, this, and this, because we need to understand what's the malware, how does it work?" It really was like a water spout, effectively. It was massive, loads of water gushing out, effectively. Okay, we've got to try and capture some of that.

When we stood back and reflected on it afterwards, and looked at what our responses were, and we did the wash-up and things like that, what law enforcement did, at the time, were not funded to do under the program. So all of a sudden, we had law enforcement go off and do a lot of work, and what it meant was we stopped doing our day jobs. So those investigations that we're working on, because we have this major incident, so it's a bit like a bomb going off. You have a major incident, you all go quickly to it, and then you can go back to your day job. But what happened with WannaCry is, people stayed on that investigation. So other investigations didn't get the attention they deserved, or should have had, at that time. And that was a real wake-up call, I would say, for law enforcement in the UK.

But, also, one of the things it underlined to me was that that global coordination wasn't there as well for law enforcement. So INTERPOL or Europol, they had a really key position in that. It's a bit like, you can have all these plans set up about how you're going to deal with things, and when the incident happens, those plans fail normally, but then you don't always practice those plans. One of the pieces, at INTERPOL, we were looking at how do we coordinate? How do we make sure the right people are doing the right things?

And I think we saw it during the attack on the Irish healthcare service, 2021, 2022, 2021, I think it was, where there was a huge amount of interest. And the Garda were getting loads of inquiries from around the world, "Well, how's this? What's this?" And what INTERPOL's role was there, almost to act as a buffer then, for them, to say, "Put those inquiries into us. We can help filter that out, and be a conduit into a single entity in a country." Because, let's face it, they had their hands full at the time, trying to get that all sorted out. So coming back to how we're maturing, are we there yet on the journey? No. Are we in a better place than we were when WannaCry happened? Yes. And this is going to be a continued journey for law enforcement, but it does come back to those basic roles and responsibilities. And, actually, how much resource do you put into something where you achieve those desired outputs and outcomes? Put my program manager head on and project manager head on here. What about the resource that goes in? And what about the outputs, effectively?

Joseph Carson:

How to get the most maximum efficiency and output as you possibly can is critical here. Because, to your point, the world is not all in the same maturity and level. I've always found that, in my career, when I get pulled into incident response or digital forensics, I always find is that, sometimes, you end up dealing with a country where those laws don't apply, or the legal framework doesn't support you. How would you approach these situations? The world of laws are so different across the world, and law enforcement also can operate differently as well. So how do you get everyone almost to the same level? What do you prioritize?

Craig Jones:

So, first of all, you prioritize at a national level. So you make sure you've got the legislation in place nationally. Secondly, you look at it on a regional level. So look at those like-minded countries that can work together effectively to aggregate your resources. Finally, at an international level, such as INTERPOL. What I did in my time there was, I set out resolutions and recommendations. And this is the boring stuff. But this is about having an international organization which works on resolutions with 196 member countries, getting them all to agree to investigate cybercrime. And guess what? They all signed up to it in 2021 in our general assembly in Turkiye. Then, on a regional basis, putting recommendations in place.

Joseph Carson:

And that's amazing.

Craig Jones:

I had bits of paper, and all of the law enforcements signed that. So it didn't matter about geopolitics. INTERPOL's a neutral organization, non-political, non-military, non-racist, non-religion. So we can't deal with any of those, we can only deal with crime. But then, just recently, the United Nations, we've got the new convention to counter the use of information and communications technology for criminal purposes. Really trips off the tongue. But two and a half years' negotiation by diplomats in the UN to give us a common language, or a convention for law enforcement. It's the first one in over 20 years. It's taken two and a half years to negotiate. I led INTERPOL's work there at the United Nations. Joining the Navy, doing the boxes, never imagined I'd be sat at the United Nations, making statements.

But we gave four priorities that we wanted to see in that convention. We wanted to say, "Look, we should prioritize cybercrime and international cooperation between countries," one. Two, make sure we level up the capability and capacity. So bring the countries closer together, narrow that gap, and build the bridges between them. The third one was around don't duplicate. Use the tools and platforms that are out already. We're really good in law enforcement at saying, "Oh, we need to do this." It's normally not a new idea, someone's already done it, but what we didn't do is implement it properly. So using the correct platforms, making sure countries could access what they needed. And the final one was working with the private sector. That's the one that didn't get into the body at the end, unfortunately. But that's coming back to your point, make sure there's that common language and understanding.

Now, this will take years. This comes back to that step change in policing, but being able to use that. So when I have, let's just say, an operation between Brazil and Spain, where you had a whole bunch of cyber criminals in Spain, designing malware that would impact Android users or banks in Spain and Europe. They could actually then speak and work together. Or you could have countries that maybe wouldn't have those political alignments, where INTERPOL can then come out and act as that neutral interlocker.

I've got some examples of maybe where that didn't work, and could work in the future. But a lot of that comes back to, who is it we're trying to protect here? We're trying to protect our communities. And that's a basic tenet of law enforcement policing in any country, is we're there to protect our communities. We're not there to, effectively, get involved in the politics. That's a whole different level of conversation for other different forums and things like that. But it comes back to where these tools used to be available to only states. Now, you see those blurring of the lines, effectively, between state actors, near state actors, non-state actors, who's doing what to who, effectively.

Joseph Carson:

Yeah, absolutely. Yeah, so one of the challenges I've always had is that I've seen, more in recent years as you get... I refer to them as the cyber mercenaries, which are basically they wear multiple hats. One day, they might do a traditional crime, just for monetary focus for themselves. Sometimes, they might be brought in as a service provider for another criminal organization to specialize and just initial access brokers, or to create the malware. And then, if the government of that country where they're located comes in and says, they need them to operate in certain types of campaigns for them to continue operating the criminal campaign. So some of those lines sometimes blur. And, for me, it's always been challenging about which... The government, sometimes, they keep enough distance from those mercenaries that it's really hard to tell what's the motive. Because I always get the idea, what's the motive intention, who's the victim?

Craig Jones:

Yeah. And that's that plausible deniability. But we know cyber criminals are there to make money. That's the bottom line in this. So how do we disrupt that model, effectively? And some of that is about ripping down infrastructure, but we don't want to rip down the infrastructure that is enabling other things as well. So, again, this is the challenge about you don't go and ban all motor vehicles because someone's used that motor vehicle to go and commit a robbery. It's understanding what are the safety measures you can put in there to make sure that it's not used for a purpose that it was not intended for. And when we look at some of these user cases and the technology being developed, it's absolutely brilliant. But criminals are really now quick to monetize that, and they are exceptionally good at that proof of concept, and then turning that into a business model very, very quickly, effectively.

Joseph Carson:

Absolutely. The intelligence sharing, and the acceleration I've seen in adoption of a technology, has been so fast, where I've seen even the latest cyber criminals using generative AI in order to do translations. Estonia used to be very protected because the language was so complex. It's no longer the case. We can't rely on language being a barrier. That barrier is gone. So, now, you have to think about what's other techniques? And that means better educating the citizens into being able to detect, and see scams, and be able to see where monetary crimes are. So, sometimes, those technologies mean that you have to shift your focus a little bit into where you can be as effective as best as you can. Because, sometimes, those things that you did in the past are no longer effective today.

Craig Jones:

And it's also down as us as users. So I just arrived in Dubai yesterday morning. I needed to get my eSIM sorted out. I needed to get back online for some of the apps I used to have. And I got really frustrated because, all of a sudden, we've got two-factor authentication. I don't have access to wireless and, actually, what wireless am I accessing? I'm thinking, in my mind, the worst-case scenarios. And it took me quite a while to get some of those things back on my phone, and I found that frustrating. Now, if I'm finding that frustrating, but I'm understanding why I'm doing that or need to do that, other people don't. They just want to get on there as quickly as possible. And I think this is where that maturity in building the safety, and I'm using my words carefully here, the safety into our use online. And that awareness in the psyche of the public that uses the business, we've all gotten used to everything being very quick, very on... It's there in seconds. And if it's not, it damn well should be.

So, again, that's a challenge. And, again, that is a long journey for everybody, isn't it? But the problem is, technology changes so quickly, we can't afford that time. So we need to make sure that technology is protecting us, or that safety's being baked in at source, so we don't actually even notice the safety aspect of it. We just know, actually, when we go on that platform and use that tool, we're pretty well protected.

Joseph Carson:

Yeah, the guardrails are there by design, which I'm a big fan of... release. This is an initiative which is the Secure Our World, which is for Cybersecurity Awareness Month. And they also focus on security by design, which translates into security by default, is that the guardrails had to be in place, had to be there, and has to be for everyone. And you might decide to opt out or do something different, but it's on by default, it's by design.

Craig Jones:

But I think also, and I keep using the word safety, don't I? We talk very much in the police about community safety. When the technology's safe, we talk about security. And we know, in the technology space, that helps sell things as well. Safety doesn't sound that... "Oh, okay, whatever." But the reason why we have health and safety is because people were losing limbs, or being killed, by improper use of equipment, or maintenance, bad equipment, bad practices. And it's like that thing when things go bang, or start bleeding, that elicits a response. It's still that high in with... Well, it's a bit of a white collar crime. It doesn't impact on someone personally. But, actually, it does. There's always someone at the end of that chain that that directly impacts on when there's a cybercrime, effectively.

Joseph Carson:

Absolutely. I completely agree. It comes down to is, really, the impact. And, sometimes, for organizations, sometimes, safety actually has a bigger budget as well. Because you want to make sure that, from a life expectancy and sometimes from a safety, that's where sometimes the prioritization is. So as technology is changing quite quickly and advancing, how does INTERPOL, and how do you, yourself, how do you stay up to date? What's some of the resources? Are you still innovating? Are you looking at new technologies and platforms, and a way to make sure... So what's some of the ways that INTERPOL stays up to date? And what are some of the resources you leverage to keep moving forward?

Craig Jones:

So we've got fantastic resources, or I did have fantastic resources when I was at INTERPOL, just in terms of 196 countries. We can reach into 196 countries. We can reach into law enforcement in those countries. But, also, we have the private partners that we work with. So our Gateway initiative allowed us to work directly with cybersecurity companies, such as, let's see, some of them would be Cisco, Fortinet, Palo Alto, Trend Micro... Group-IB, Bisan, Kaspersky. Now, that's a really broad spread of companies, but under our rules of processing data, we can bring data sets in from them. But, more importantly, our member countries could access those companies as well through us. So, again, understanding what the current threat landscape looks like, but also what are the criminals doing? And more importantly, identifying the infrastructure and the criminals. And that helps us then build those operational activities, coming back to what I was saying about understanding the threat picture, building out those regional desks.

So one of the pieces we did in Africa was, we put teams into Africa, seconded officials, paid for by the UK government through project funding, private partners. And we joined all of that together with some training around operations, and doing surge activities in the internet service providers. Or going after the organized crime groups in Nigeria, doing the arrests directly in the communities where the criminals were operating.

Now, I mentioned Nigeria on purpose there because they were willing to do that. Sometimes, we see in countries identification of cyber criminals, but then no prosecution or disruption of those criminals. And what we were doing at INTERPOL was trying to call that out, effectively. Because remember what I said a moment ago about they all signed up this resolution to counter cybercrime. So why is it that NTERPOL can't be used as a conduit to go to Russia, or into Indonesia, or into Brazil, or into the US, where cyber criminals are identified. And then we act as that neutral interlock to provide that information into that country, and have those countries working together, effectively. Sometimes, we see that, but the geopolitics, to be very honest in this, sometimes do get in the way of policing internationally, effectively, especially in the cyber environment.

Joseph Carson:

Absolutely. And I think what you're doing is amazing. I definitely think it's something that we need the cooperation and transparency and work together. Because that's the only way we have forward. If we have too many silos, cybercrime will just continue to flourish and accelerate. If we work together and cooperate, and to your point is working with the private partnerships and intelligence sharing, that's huge. Because I think that really gives you insights into the techniques, the tools, the mindsets, the motives. And if you've got victims in many countries, if you're able to really get to the source of the country, and they will operate to mitigate it, that will ultimately make the world a safer place. So I can't thank you enough for everything you've done over the years, and we've worked together some amazing people.

Craig Jones:

Yeah. I just think on that point, you've also hit the piece on there is, when we look at the private sector cooperating, there is commercial advantages to be had in this as well. And I think maybe in the last 10 years prior, that's got some of the cooperation going. But I think, now, companies and organizations are seeing the benefits of coming together. But some of the stuff they're doing, they're doing it themselves now. So they're almost taking on that, and I call it creating communities, tech communities, so they created a community.

Now, we've looked at regulation as well in countries, and that, sometimes, can have a knock-on effect through secondary consequences where people don't want to report. But what we're starting to see now is the private sector coming together more and more, and actually providing that information into the communities, whether it's into governments, whether it's into the wider cybersecurity industry, whether it's into law enforcement. So we're seeing that developing now, which I look on as a really, really positive piece, from where I started INTERPOL to where it is now. And don't get me wrong, it's going to even improve significantly more in the next couple of years, with Neal in there as the new director, it will improve. And it has to improve as well, effectively.

Joseph Carson:

Absolutely. I'm really excited. The significant improvements I've seen over the years has been amazing, and it comes down to a lot of what you started and what will continue to go forward. So, Craig, it's been fantastic having you on. I really enjoyed the conversation. I want to have a follow-up at some point. I want to continue the conversation, because I've got so many questions, and stories, and things to share with. But for the audience, I think you've been of huge value, really given them the insights into what INTERPOL's... Where the responsibility is, where they're making the world a safer place, and really bringing that cooperation. Because I remember, when I worked in GDPR, to get 28 countries to cooperate together to create a cyber framework in the land regulation. And then we realized that, actually, it doesn't apply in international waters. Now, we need Maritime to go, and that was like 180 countries. To get 194 countries to cooperate together is impressive. So that's something that I applaud. And I think definitely those initiatives, for me and my family and everyone that I know, are in a safer place today.

Craig Jones:

Thanks very much, Joe. Yeah, my role is to keep my mum safe at the end of the day.

Joseph Carson:

Exactly. It's to keep our social sphere, everyone we interact with. Anyway, if the audience want to reach out and connect with you, what's the best way, if they have questions or follow-up?

Craig Jones:

They can find me on LinkedIn. I'm on there, effectively. So feel free to look at me and ping me a question or something on there. I'm sure if people come to you, Joe, you can point in to my direction as well. I'm not going anywhere soon. I'm now doing my own thing, which is great. I don't have a government employer anymore. I'm the employer of myself, so that allows me a certain leeway now. So I'm looking forward to new opportunities in the next few years as well.

Joseph Carson:

So looking forward to catching up with you more in the near future. And many thanks, Craig. It's been awesome having you on. But for everyone, make sure... This, hopefully, has been educational, gives you a bit of insights. And let's work together, let's cooperate, let's share information. Let's be transparent. Let's make the world a safer place for everyone online. So tune in every two weeks for the 401 Access Denied Podcast, and look forward to seeing you on future episodes and shows. So thank you, take care, and stay safe.