Richard Berry: ‘In the UK today, statistically cyber crime is 50% of our crime’
Richard Berry is the United Kingdom’s National Police Chiefs’ Council Lead for the Investigatory Powers Act. He has over 28 years of policing service, with significant focus upon investigat ion san d intelligence.
Berry worked as an adviser for the London Olympics 2012 and last week he visited Buenos Aires at the invitation of the Security Ministry. His visit is evidence of a growing level cooperation on cybersecurity between Argentina and the UK and, for the first time, a British official participating in this sensitive exchange offered an interview toan Argentine outlet.
You worked with cybersecurity for the London Olympics, and I understand that some of that experience was used during the G20 meeting here in Buenos Aires. Were you involved?
I didn’t have [an] involvement with the G20 but yes, the Olympics were a hugely significant exercise for us in learning around interagency cooperation, models of operation and event management. You had two huge events here in Argentina recently, the G20 and the WTO meeting, and we transferred some of our experience and it was applied very successfully here in Argentina.
Which kind of cyber threats are relevant for common people here in Argentina?
It works on recursive layers, everyday there are challenges and threats to people that every citizen should be aware of. In the UK we have a rule of thumb that suggests that 80 percent of cybercrimes could be prevented by good hygiene, having a strong password, making sure your antivirus [software] is up to date, just the basics can reduce a lot of the challenges to the population. So it’s not only about the big, statelevel attacks, it’s also about the everyday security of the citizens. We have to recognise that in the UK, statistically cybercrime is 50 percent of our crime.
The Global Cybersecurity Index (GCI) places Argentina at mid-level. Where do you think that our country is, in terms of cybersecurity?
I think it’s difficult to offer a review, but I can tell you that what I’ve seen here this week is incredibly encouraging. I attended a cybersecurity conference and met an incredible enthusiastic and capable group of colleagues working very hard in this area. And I think that every country has a different context, and different threats, so this idea of indexes could be quite misleading.
Could you elaborate on the differences between a developed country like the UK and a developing country like Argentina, in terms of the threats they face?
We have different issues at state level, we have different infrastructure to protect, we have different populations with different habits using the Internet…
In the UK we have a cybersecurity strategy with four ‘Ps’: Protect, Prepare, Prevent, Pursuit.
Pursuit is about investigation, prevent is about working proactively with offenders, so they don’t continue their offending pathway. But the big ones are protect and prepare. How do you protect from and prevent a large-scale event and that includes working with business. If a business is badly affected, it can affect community. This week we have shared some of the practices that have worked for us, to see if they can work for Argentina.
Recently we suffered a country-wide black-out. It was not the case but some speculated for the first time here that our country could be the target of a largescale attack. Is this a likely scenario or just sci-fi speculations?
They are possible any where. We had the ‘WannaCry’ attack in the UK and that was a global problem that caused infrastructure challenges, across many areas. One could easily look at Estonia, which has had such large-scale cyber attacks, that was a big learning experience. So you can never say never. At the challenge for everyone is that constant modification of the threat, and as the threats changes, we have to change our posture.
Argentina’s security minister recently suffered a so-called “phishing” – someone clicked the wrong link in a mailbox, and sensitive information was leaked onto the dark web. Is this something that could have happened in any country?
I don’t know the exact circumstances of the case, but I am aware of cases in the UK of a similar nature. And some of these phishing attacks can be quite sophisticated, quite convincing, so I think that it is a good example of the need to focus on that 80 percent of the cybercrime that is preventable. But it happens in every organisation, in every country.