Flag it Up – How can solicitors work to identify and tackle the risk of money laundering in the UK?

Organised crime costs the UK more than £24 billion each year – that’s £1 a day per citizen. The fact that criminals are using the services of legal professionals in order to try to hide the origins of their illicit funds is nothing new, but there are important questions that solicitors must ask themselves to avoid becoming drawn in without their knowledge.

Criminals are likely to have built what appears to be an authentic business to avoid unwanted scrutiny and this makes you and your profession vulnerable to becoming unwittingly involved in serious and organised crime. For solicitors, the consequences of being involved in money laundering are severe. These can range from loss of your practising certificate and damage to your own and your business’s reputation to significant fines and even a prison sentence. The creation of the Participation Offence in the Serious Crime Act 2015 makes it a crime – punishable by up to five years in prison – to participate in activities which an individual “reasonably suspects” contribute to organised crime.

With this in mind, it is imperative that solicitors continue to take responsibility to comply with money laundering regulations, particularly the obligation to complete adequate due diligence on new and existing clients. By doing their due diligence and submitting quality Suspicious Activity Reports (SARs) where appropriate, solicitors can play a significant part in tackling the threat through identifying potential cases of money laundering before they enter the economic system.

Spotting the red flags

The most effective way to ensure that solicitors remain compliant and are able to spot the red flags of money laundering is to implement an effective and well-documented risk-based approach. This will not only protect a legal firm from criminals, but in the unfortunate event that there is an issue it will reassure law enforcement and the regulator that the appropriate precautions have been taken.

In the first instance, they should step back and consider whether there are any immediately apparent warning signs. By considering whether there are inconsistencies in the information clients provide, if the client runs a cash-rich business, if there are unusual amounts or sources of funds, or any discrepancies in previous transactions, solicitors can begin to assess whether there are any suspicious activities that could ultimately lead to them becoming implicated in a crime.

In order to identify these red flags, firms should always continue to undertake comprehensive due diligence checks on new and existing clients in order to sweep for any risks. But due diligence extends beyond obtaining a passport and utility bill, and adopting a merely tick-box approach. It should be risk based, include lateral and critical thinking, and may include scrutiny of all beneficial owners with a controlling interest of over 25%, in addition to the client. Conducting internet searches on a prospective client could help to pick up any obvious warning signs with regards to their professional credibility.

Asking the right questions

Ultimately, while those working in the legal profession certainly have an awareness of money laundering, and how drastic its impact can be, there can sometimes be a lack of recognition of how it affects them personally. In all cases, solicitors should be looking at the whole picture, in order to build as comprehensive a client profile as possible.

For instance, a solicitor approached by a potential client that differs from their normal client profile should always ask “why me?” irrespective of the size of their firm. If a client is atypical of the regular client demographic, whether due to factors such as scale, sector, jurisdiction or any other reason, they should look to establish why their firm has been approached.

If something doesn’t stack up, asking a direct question is usually the most efficient way to get to the bottom of the irregularity. If the client is subsequently evasive, or if the answer is vague and lacks detail, that should immediately trigger suspicion.

Applying any local knowledge is critical when considering whether a business is legitimate or not. It might be helpful to make a visit to their premises during normal working hours. Often a lot can be taken from an organisation’s place of business that helps to reveal how authentic it is, and it allows legal professionals to make judgments on the accuracy of the information they are providing. For instance, if a firm is asked to work on behalf of a retail outlet that is empty at peak time, this could be an indicator that all is not as it seems.

Taking action

If any due diligence checks call the credibility of the client into question, solicitors should ask themselves if this amounts to suspicious activity, and consider going through the proper reporting processes. As a starting point, they should educate themselves about how low the level of suspicion has to be in order to get to this point. It is critical to remember that this assessment is not about being beyond a reasonable doubt, or building a case against a client. In R vs. Da Silva (2006), it is simply defined as “a possibility, which is more than fanciful, that the relevant facts exist”.

If they decide that a particular client does meet this criterion, solicitors have a legal obligation to submit a suspicious activity report (SAR) in line with internal procedures. Submitting a SAR can be seen as a much more drastic move than it is, and can be a concern for legal professionals. Solicitors are trained to maintain the highest levels of client confidentiality, so there is often apprehension that, if the information they have is vague or imprecise, it may appear as if they are taking an extreme step without possessing the requisite evidence.

However, it should always be remembered that submitting a SAR is confidential. And it is also worth noting that if a SAR is not submitted when there are grounds to, solicitors risk breaking the law under the Proceeds of Crime Act 2002, and potentially allow criminals to escape with the proceeds of their wrongdoing.

One additional consideration to take into account is the quality of SARs. If a solicitor is submitting a SAR, they should ensure that it is filled in honestly and correctly, without adopting a defensive tone. Bad quality SARs often lack the information needed to build a wider intelligence picture so it is important to get them right first time, every time. The National Crime Agency (NCA) has created guidance on submitting better quality SARs, and solicitors should review this regularly.

Making a difference

Money laundering is undoubtedly a pervasive influence on the UK economy, and as professionals that are often operating in the financial space, solicitors are at risk of being unwittingly caught up in criminal schemes.

However, by taking a risk-based approach to due diligence, being direct with clients about perceived discrepancies, and submitting SARs if they have suspicion, they can avoid becoming involved. Ultimately, solicitors are in a unique position when it comes to disrupting the risks of money laundering, and can play a huge role in ridding the UK of this threat.

The complications surrounding defendant anonymity

Whilst the anonymity of complainants in serious sexual offences has long been protected in English law, defendant anonymity has proved a far more contentious issue.  It was initially granted along with victim anonymity in the 1970s, but later abolished in 1988.  It was argued that, unlike the case for victims, there was no reason to make a special exception for defendants and in fact, by doing so, it could imply that rape complainants were less reliable. It has also been argued by both women’s groups and the police that such a law would prevent investigating officers’ calls for other complainants to come forward in serial cases, such as in the case of the taxi driver, John Worboys, the ‘black cab rapist’.

The issue has been raised a number of times over the last few years following a string of high-profile cases, affecting politicians and celebrities alike. The media spotlight on these cases and the public sympathy towards individuals like Sir Cliff Richard has helped move the debate forward. A YouGov poll in 2015 found that there was widespread opinion favouring the need to protect both complainant and defendant. Speaking after the police dropped his case, Sir Cliff described a unique violation of his privacy by a sensationalist media.

In addition to the disproportionate attention these stories attract, the coverage is often of such a lurid and intrusive nature that it arguably leaves a stigma which goes beyond other crime. In 2015 both Nigel Evans, the Conservative MP, and the Radio One DJ, Paul Gambaccini, gave evidence to the Home Affairs Select Committee about their personal suffering whilst subjected to protracted and highly publicised investigations by the police. In his concluding remarks, Committee Chairman Keith Vaz spoke of the destruction and irreparable damage to the reputation of defendants.

It now appears that we are moving towards ever tighter restrictions on press coverage in respect of sexual offence allegations.  The above committee report called for anonymity for sexual offence suspects, unless they were charged or police needed to name them. More recently in late 2016 the DPP, Alison Saunders, came out in favour of anonymity for defendants.  She was quoted in The Times as saying, “you don’t shout about it before you come to any conclusion”.

Building trust between police and complainants

Investigations into allegations of sexual abuse pose unique challenges for the police, especially in striking the right balance between their responsibilities to the complainant and to the accused.    The ongoing football abuse scandal serves to highlight some of these challenges.

The unfolding revelations that followed Andy Woodward’s decision to waive anonymity and speak out about his ordeal at Crewe Alexandra raised the spectre of widespread and systematic abuse reminiscent of that uncovered during the Savile investigation. Similarly, the personal accounts we have heard from ex-footballers like Mr Woodward and Paul Stewart, the former England and Spurs star, served as a timely reminder of the psychological damage inflicted upon the victims of these crimes, and the unique challenges they face in coming forward.

It is essential that survivors have the confidence and reassurance to speak out, and the police undoubtedly have a role to play in this.  Days after Woodward’s revelations to The Guardian, Cheshire constabulary put out highly publicised appeals urging victims to contact them, and assuring them their reports will be taken ‘extremely seriously’.

Despite the seemingly compelling evidence that surfaced in relation to at least one sexual predator, police had to, and must continue to, remain vigilant against the risk of bias creeping into their conduct. However, following the string of failed investigations in the wake of Savile, there is a growing concern that the impartiality and objectivity of the police has been found wanting.

It is widely accepted that Savile’s offending went undetected as long as it did because of a society-wide reluctance to speak openly about child abuse. Police forces have taken it upon themselves to remedy this problem. Operation Hydrant was set up in the wake of the Savile revelations to share good practice. It emphasised the need to build trust and rapport with the complainant. To this end, it was felt that anyone who came forward should be recognised and referred to as a victim. In explaining the new approach, the head of Operation Hydrant, Chief Constable Simon Bailey, claimed that “if we don’t acknowledge a victim as such, it reinforces a system based on distrust and disbelief”.

A Policy of ‘believing victims’

The end of 2016 saw the publication of Sir Richard Henriques’ report into the mishandling of Operation Midland, the 18-month investigation by Scotland Yard into allegations of historic abuse levelled against prominent members of the establishment including former head of the military, Lord Bramall, and former Conservative MP, Harvey Proctor. Sir Richard’s report identified 43 separate failings by the police during the investigation, the central criticism being that they were too ready to believe the complainant without sufficient scrutiny of the evidence. It attributed these failings directly to Operation Hydrant. Sir Richard took aim at the police practice of labelling complainants as “victims” (just as Cheshire constabulary did in the wake of Woodward’s revelations), saying that it was a cardinal principle of the justice system that a complaint may be false. He stated that “the policy of ‘believing victims’ strikes at the very core of the criminal justice process” and warned that “it has and will generate miscarriages of justice on a considerable scale”.

It is now widely felt that in so many of the high-profile investigations into abuse since Savile, such as Operation Midland and those levelled against Sir Cliff, Paul Gambaccini and Nigel Evans, the investigation was pursued in spite of the lack of credible evidence.

The real damage to these individuals is to do with the unique stigma attached to the suspects of sexual abuse and how in the above cases their reputations were trodden on by unscrupulous officers who were quick to name the accused in the hope that it would encourage others to come forward and bolster inherently weak cases. In his evidence to the Home Affairs Select Committee, Mr Gambaccini described the way police hung his name up in public during a year-long investigation as being a ‘fly paper tactic’. Sharing his grievance, Conservative MP Nigel Evans said, “I don’t believe that people ought to be plastered all over every national newspaper just to fish other people out”.

It is the strength of these personal accounts that has driven a recent revival of debate around the issue. As already mentioned, prominent figures like Keith Vaz, Sir Richard Henriques and the DPP, Alison Saunders, have now called for a change in the law to reintroduce defendant anonymity.

The Power of Reporting

However, there may be an occasion when naming a suspect is a necessary and proper adjunct to an investigation. The manner in which the recent football revelations unfolded speaks eloquently of the power of reporting. Andy Woodward’s brave decision to waive anonymity brought media coverage and attention to his ordeal and acted as a rallying cry to others to come forward. It is arguably the case that naming his attacker added further weight to the story and helped propel it onto the front-page news, thereby maximising its impact. Cheshire police confirmed that a further 11 footballers came forward in the days following the story’s publication, and the NSPCC reportedly received 50 calls to their helpline in the first two hours of its operation. This domino effect of complaints is reminiscent of what happened in the Savile investigation, along with other serial abuse cases, and many see the police’s discretion to name the suspect as being a vital trigger in this process.

Furthermore, it should be appreciated that many of the footballers who have come forward have suppressed painful memories of their ordeals throughout their entire adult lives. Mr Stewart, for example, talked about the heartbreak he felt in sharing his story with close family members before its publication in the Mirror. They need every reassurance that their claims will be taken seriously. Some feel a blanket law protecting defendant anonymity in sexual abuse cases alone will set it apart from other types of criminal case and in doing so send the wrong message that complainants, like Mr Stewart, are less likely to be believed than complainants in other types of criminal cases. Following the Home Affairs Select Committee’s report in 2015, rape victims’ campaigner Jill Saward, talking on the Today programme, described the committee’s proposals as insulting and claimed that they implied victims are lying. Peter Watt of the NSPCC also spoke out against the committee’s proposals, arguing that the naming of suspects gave other victims the strength to speak out.

The matter has now gone to Parliament following the tabled amendment of the Policing and Crime Bill and already the issue is proving to be as polarising within the House as it has been in the wider public. During recent debate in the House of Lords, Lord Judge spoke out openly against a blanket protection of defendants’ anonymity, invoking the overriding principle of open justice. He said, “That is not how we work in this country. We do not want people locked up for any time at all without being able to say so.” Lord Lamont, on the other hand, suggested that a lack of defendant anonymity, in the case of this crime, undermined the British understanding of ‘innocent until proven guilty’.

Responsibility of the Police and their relationship with the press

The debate within parliament must go further than a consideration of the rights of defendants against those of victims and pay heed to a wider issue; that of the public’s confidence in the police handling of abuse investigations and in particular their relationship with the media.

It is interesting that the highly controversial report produced by the Home Affairs Committee back in 2015 did little more than call for reform of the law in terms already set out in current police guidance.   In November 2012, Leveson LJ said in his Report on The Culture Practices and Ethics of the Press that ‘It should be made abundantly clear that save in exceptional and clearly identified circumstances (for example, where there may be an immediate risk to the public), the names or identifying details of those who are arrested or suspected of a crime should not be released to the press nor the public.’

In 2013, the College of Policing published ‘Guidance on Relationships with the Media’ which dealt with the issue of the police revealing the names of individuals suspected of committing serious crimes. It followed the principle set out by Leveson. The Guidance advocates that ‘police forces must balance an individual’s right to respect for a private and family life, the rights of publishers to freedom of expression and the rights of defendants to a fair trial. Decisions must be made on a case-by-case basis but, save in clearly identified circumstances, or where legal restrictions apply, the names or identifying details of those who are arrested or suspected of a crime should not be released by police forces to the press or the public.’

The loss of impartiality and objectivity of the police, and the danger that unscrupulous officers are ignoring the above guidance and publishing the names of suspects in desperate attempts to attract others to come forward and bolster inherently weak cases, is highly problematic. The objections to defendant anonymity boil down to the argument that the police must retain operational independence. However, this argument in turn raises the question of whether the police can be trusted to pursue their investigations impartially and objectively. The opinion of some, such as Sir Richard Henriques in his report on the failed Operation Midland, is that currently they can’t. His report concludes with the warning that “nobody is safe from false accusations and damaging exposure under present arrangements”.

The investigation into allegations of historic abuse raises particular challenges. The recent failures discussed highlight the fundamental requirement upon police that their conduct remain objective and impartial, and that any derogation from this principle would constitute an abuse of their powers. The naming of suspects is such a power that has been too readily abused. Perhaps we have now reached the stage where a change in the law to provide added protection to suspects is necessary where the police guidance has been so flagrantly disregarded in a long line of investigations. However, as the recent football revelations highlight, there will be cases where the naming of a suspect may be a necessary and proportionate step and, just as the select committee first proposed back in 2015, rather than a blanket protection, any such change to the law must allow for the possibility of judicial intervention to waive defendant anonymity in such rare cases.

Recreational Marijuana’s Economic Advantages

As Seattle City Attorney Pete Holmes has famously touted, marijuana prohibition and the war on drugs have failed.[1] Evidence does not suggest that the War on Drugs reduced drug-use rates or drug dependency.[2] At any given time, there are at least 137,000 men or women locked in prison or held in jail on drug possession charges, according to the ACLU and Human Rights Watch.[3] Additionally, the ACLU and Human Rights Watch report, citing FBI data, suggests that police and local law enforcement nationwide make more arrests for marijuana possession alone than for all violent crimes combined.[4] The local evidence suggests the same; in the first two years, law enforcement saw a decrease in workload anecdotally attributed to lack of those possession arrests, and now the Washington State courts are seeing the same.

The Washington recreational marijuana market has now been in effect for three years, and while the law has changed rapidly during that time, the economic benefits have clearly proven themselves. As the Washington and Colorado markets expanded, being the first two states to legalize adult and recreational use of marijuana products, other states began to take notice of how lucrative the legalized marijuana market could be, as both Washington and Colorado generated nearly 70 million dollars in tax revenue alone in each of their first complete fiscal years.[5] It is clear that recreational marijuana turned the tide of the War on Drugs, and forced it to become an economic benefit that is becoming increasingly enticing to the rest of the nation.

Washington State’s Weed Economy

While Initiative 502 was voted for in November of 2012, the first Washington state producer and processor licenses were not issued until March 5, 2014.[6] In the 2014 fiscal year[7], a total of 279 producer/processor licenses were issued, and the Washington State Liquor and Cannabis Board (WSLCB) only generated 1.78 million dollars in total marijuana related income, which is impressive for how small the industry was, and for only 3 months of revenue generated during that fiscal year.[8]

The 2015 fiscal year, however, as the first complete fiscal year after legalization, showed real promise for the legalized marijuana industry: total shelf price[9] sales generated nearly $260 million, and generated $64.63 million in tax revenue alone, as well as $1.08 million in just licensing fees and other related costs while the state was operating at only a 25% excise tax.

The 2016 fiscal year for Washington compounded on industry success, nearing $1 billion of total shelf price sales, and created a total tax obligation of almost $186 million.[10] Much of this increased tax revenue can be attributed to the implementation of Senate Bill 5052 and House Bill 2136 in July of 2015, which, among other things, changed the state excise tax from 25% to 37% at the point of sale, and merged the less regulated medical marijuana market with the regulatory system established by I-502.

As of October 12, 2016, the WSLCB has issued 172 producer licenses, 894 producer/processor licenses, 131 processor licenses, and 445 retail licenses, which have combined to generate nearly $500 million of total sales in less than four months.[11] It stands to reason, then, that the Washington market will generate well more than $1 billion in total sales, leaving the state (if sales in Washington remain on this course for the rest of the year) with around $300 million of tax revenue for this year alone.[12]

Washington is not the only state that has had incredible success with regulated marijuana. Colorado has seen similar sales numbers creeping on $1 billion a year and generating around $70 million in tax revenue in 2015. With five states voting on recreational legalization and four voting on medicinal legalization this November, it is clear that the legalized marijuana market will be a multibillion dollar industry nationwide, and the lure of tax revenue in the hundreds of millions seems to be convincing even the most historically conservative states that legalization is not only valuable economically, but is a better system than prohibition.[13]

A Better Way

With the plethora of tax money created by the legalization market, grander steps toward reducing youth access to drugs, education, and crime have occurred in the last three years than the strategies implemented by the war on drugs. According to the I-502 Fiscal Note[14] produced by the state, over the five years from the implementation of I-502 in 2012 to 2017, only $5 million dollars will be used by the WSLCB for program administration, whereas $44 million is to be dedicated to marijuana public health education, $68 million on youth drug prevention, and a staggering $244 million on health care. In fact, the state estimates that the funds generated could provide for services for up to 600,000 patients per year, and could cover a five-year average for insurance for 83,000 enrollees.”[15]

Legalization has also had significant impacts on the reduction of crime: according to the Washington State Administrative Office of the Courts, court filings for low level marijuana offenses for adults over 21 have dropped 98% since the approval of I-502.[16] Additionally, according to the Crime in Washington Report compiled by the Washington Association of Sheriffs and Police Chiefs, marijuana law violations decreased 63%, and the number of marijuana related convictions has dropped 81%.[17] Legalization of marijuana has not merely freed up police enforcement and the courts, however; violent crime declined by 10% statewide, and the murder rate decreased by 13%.[18] [19] Youth access and use rates have also remained steady, despite legalization, and traffic fatalities involving marijuana reported by the Washington Traffic Safety Commission have seen a 4% decrease.[20] [21]

As regulation in Washington becomes increasingly robust and license standard enforcement becomes more effective, these numbers should continue to decline and profits from the industry should continue to rise. While the market may eventually level out, the sky seems to be the limit, as the WSLCB plans to continue to accept applications for new businesses.

Washington’s first three years of legalized marijuana have certainly had their struggles (Washington remains the most highly regulated of all the states that have legalized recreational marijuana) but above all else, it seems that Washington voters may be right; legalization is a better way than prohibition, and the Washington economy proves that recreational marijuana has turned the War on Drugs into a very convincing economic equation.

Anne van Leynseele, founder of NWMJ Law, led the evolution of what legal services were needed in the newly formed cannabis industry and identified how to best use her business and legal abilities. A critical step was partnering with noted cannabis trial lawyer, Aaron Pelley. Their complementary practices brought together the power of both litigation and transactional law experience and diversified what NWMJ Law now provides. Anne shares the responsibility with a great team of lawyers, each of them skilled in their own practice areas.

 

[1] Pete Holmes has been recorded claiming that the war on drugs has failed, and that Seattle and Washington generally has shown that legalized marijuana is a better way, both at Hempfest 2011, and more recently at the King County Bar Association new attorney Swearing-in ceremony in 2016.
[2] Tess Borden of Human Rights Watch: Interview
[3] http://www.nola.com/crime/index.ssf/2016/10/police_arrest_more_people_for.html
[4] https://www.hrw.org/report/2016/10/12/every-25-seconds/human-toll-criminalizing-drug-use-united-states
[5] http://lcb.wa.gov/marj/dashboard; https://www.colorado.gov/revenue
[6] http://www.liq.wa.gov/publications/annual_report/2014-annual-report-final-web.pdf
[7] Please note that the WSLCB’s fiscal year runs from July 1 to June 30.
[8] http://www.liq.wa.gov/publications/annual_report/2014-annual-report-final-web.pdf
[9] The WSLCB considers shelf price as sales price and tax combined.
[10] http://lcb.wa.gov/marj/dashboard
[11] http://lcb.wa.gov/marj/dashboard; accessed October 14, 2016.
[12] http://lcb.wa.gov/marj/dashboard
[13] California, Arizona, Maine, Massachusetts and Nevada are voting on recreational use, and Arkansas, Florida, Montana and North Dakota are voting on medicinal marijuana provisions.
[14] The I-502 Fiscal Note uses projected numbers and estimations based on the data available at the time to project budgets through 2017, so based on the success of the industry, these numbers could be even larger at present.
[15] http://vote.wa.gov/guides/2012/I-502-Fiscal-Impact.html
[16] https://www.drugpolicy.org/sites/default/files/Drug_Policy_Alliance_Status_Report_Marijuana_Legalization_in_Washington_July2015.pdf
[17] https://www.drugpolicy.org/sites/default/files/Drug_Policy_Alliance_Status_Report_Marijuana_Legalization_in_Washington_July2015.pdf
[18] https://www.drugpolicy.org/sites/default/files/Drug_Policy_Alliance_Status_Report_Marijuana_Legalization_in_Washington_July2015.pdf
[19] It is important to note, however, that the data does not establish causation, but it is significant evidence that legalization of marijuana did not increase crime rates, as opponents to legalization seemed to believe it would.
[20] https://www.drugpolicy.org/sites/default/files/Drug_Policy_Alliance_Status_Report_Marijuana_Legalization_in_Washington_July2015.pdf; http://www.ofm.wa.gov/reports/marijuana_impacts_2015.pdf

Legal firms in the Hackers’ Crosshairs

Despite a media backdrop of breaches and compromises, legal organisations are not automatically a target for hackers. That does not mean they are exempt, just that there needs to be sufficient motivation to entice threat actors to launch a virtual raid.

This first article, of a two-part series, looks at why some legal firms may become a target and the hackers’ M.O. (modus operandi).

What is the specific security challenge faced?

A law firm will only be targeted if there is sufficient motivation for attack; without motivation, there is no targeted threat.

As for any organisation, the nature of the firm’s business will determine which threat(s) it is at risk from. A large multi-national organisation that deals with the corporate interests of international businesses may find itself at risk from state-sponsored attack; in addition, firms specialising in M&A, IPO, High Net Worth Individuals or Intellectual Property may find themselves coveted by those seeking financial gain; a human rights lawyer or even those practising criminal law may find hacktivists wishing to cause disruption.

Just as clients come and go, so too does the hackers’ attention. If the firm acquires a new client or moves into a new area of interest, the threats facing the law firm can radically change in tandem, meaning the security strategy needs to evolve alongside the business strategy.

The key question the firm needs to ask itself is, ‘Is there any activity that my firm is involved in now, or planning for the future, that provides the necessary motivation for threat actors to attack?’

The Hackers’ M.O.

Recognising that they’re a target in the first place is a struggle for many organisations, not just those in the Legal sector. This is often accompanied by the misperception that threat actors need to utilise fully customised, expensively researched exploits to successfully target the infrastructure.

The evidence is that, rather than a ‘sophisticated’ attack, most firms are generally breached with a combination of reconnaissance, widely available commodity malware, and well-known exfiltration techniques.

That said, there are those more sophisticated threat actors who might deploy advanced techniques to facilitate their objectives either more ‘quietly’, or in a way that carries more impact.

The initial attack path

Working out how a criminal may strike is the first stage in understanding, and mitigating, the attack path that the threat actor will aim to leverage.

The majority of the effort spent in a targeted attack is in early reconnaissance. There is nothing particularly advanced about this, other than the need for time, logic and discipline. Indeed, law firms tend to make it rather more straightforward than other industries by publishing the contact details of individual lawyers online, along with their practice area. This openness, combined with the constant clamour for publicity from marketing departments issuing articles and press statements, enables threat actors to determine three key pieces of information to assist in the attack:

1) To whom should I deliver my initial payload, and how can I make sure they open it?

This could be as straightforward as sending an HR administrator malware embedded in a CV (phishing). However, in an advanced case of reconnaissance, it’s more likely to take the form of a document sent to a lawyer, ‘spoofed’ to come from a known client or perhaps from a journalist, attaching a list of questions regarding a sensitive case.

Whichever the approach, thorough reconnaissance can all but guarantee an initial payload is opened somewhere within the infrastructure.

2) Who are the organisation’s System Administrators or security personnel?

IT staff are the highest-value target in law firms; if compromised, their credentials can be used to accomplish anything from standard data exfiltration, to hard drive wiping, to setting up legitimate remote access for a threat actor to come and go undetected.

Armed with the knowledge of their identities, an attacker will either target these staff from the outset (and in increasingly sophisticated ways), or make IT staff their first target when landing elsewhere on the network.

3) Who in the organisation has the credentials to access the information I want to steal?

This phase of reconnaissance is usually the trickiest, requiring an initial foothold within a network to enable further internal reconnaissance of assets such as the company intranet, which could well contain staff lists, groups and roles.

However, law firms tend to make this easier than most firms; once again, the company website, press releases and resources such as The Legal 500 enable attackers to map individual lawyers to practice areas and key accounts. This means that attackers can target law firms with both eyes open and a clear plan, rather than taking the usual ‘sit and observe’ approach that tends to be necessary once an initial foothold has been established.

Effective Security Controls

Once an attacker gains an initial foothold on one system inside a victim network he needs to work to expand his influence. This will typically involve gaining credentials and privileges which will enable him to move to other systems.

As an attack progresses, more systems are compromised and more credentials are gained along the way. Eventually the attacker will gain access to a high value, high privilege account and the victim network is now effectively ‘owned’ by the attacker.

So, what factors will hinder the progress of an attacker on his way to becoming domain admin and stealing all of the firm’s secrets? Here are five steps to consider:

  • The privilege level of the attacker when the first system is compromised. For this reason it is highly advisable to configure all users to run with the minimum level of privilege required to perform their job, and no more.
  • The design of the network itself. An attacker can only compromise those systems which he is able to communicate with over the network, so network segmentation will be a big factor in preventing lateral movement.
  • Attackers will use whatever tools are available to them to achieve their objective. If they discover network enumeration tools, port scanners or password cracking utilities on a system then they will likely use them against you. Many system administration tools (especially Sysinternals) can also be abused in this way, so best practice would be to remove such software if it is not required.
  • Implementing Software Restriction Policies or AppLocker will also cause a potential headache for any attacker trying to move around the network.
  • Multi-factor authentication for systems/applications of high value could prevent an attacker from reaching the firm’s crown-jewels if he is unable to authenticate.

Covering relevant attack paths is only half the equation. At some point an attacker may be successful in moving around the network, gaining access to sensitive data and exfiltrating that data. In this event, the ability to detect and respond to the malicious activity is paramount.

The next article, in this two-part series, discusses effective detection controls focused around typical attack paths and will look at ways to achieve best practice in light of the legal sector’s specific challenges.

 

Some Justice for Timbuktu

On 27 September, Ahmad Al Faqi Al Mahdi was sentenced to nine years of imprisonment by Trial Chamber VIII of the International Criminal Court (ICC) for intentionally directing attacks against ten religious and historical monuments located in Timbuktu. The ICC Prosecutor had opened an investigation following the self-referral by Mali of its situation on 13 July 2012, immediately after the attacks took place. A week after an arrest warrant for Mr Al Mahdi had been issued by the Court, he was caught and surrendered to the ICC by the authorities of Niger on 26 September 2015.

This is the first time the ICC has prosecuted an individual for the war crime of attacking cultural heritage, which was also the only charge brought against Mr Al Mahdi. It was also the first time that a person accused of a crime before the ICC admitted guilt, likely as a result of the large amount of evidence against him, including the public sermons and interviews he conducted with journalists before the attacks. His early admission of responsibility allowed for a swift judicial process, with a trial lasting just three days, sparing the Court not only time but also precious resources as the Prosecution did not have to prove the charge beyond reasonable doubt.

Since 1961, Mali has been a party to the 1954 Hague Convention for the Protection of Cultural Property in the Event of Armed Conflict, which obliges parties to an armed conflict to refrain from any act of hostility against monuments, including those of a religious nature, ‘of great importance to the cultural heritage of every people’, unless in case of imperative military necessity. The ICC Statute also considers that intentional attacks against such buildings, ‘provided they are not military objectives’, constitute a war crime. In the case of the attacks perpetrated in Timbuktu, the buildings were not legitimate targets which would have offered a military advantage to their attacker if they were destroyed. In addition, the buildings in question, including nine mausoleums of saints and a mosque, were almost all listed as UNESCO World Heritage sites and were thus known as important cultural landmarks.

This obligation to respect monuments is applicable both in international and non-international armed conflicts. The ICC Statute also provides that intentionally directing attacks against buildings dedicated to religion or historic monuments constitutes a war crime in those two types of armed conflicts. In late June and early July 2012, when the buildings in question were destroyed, Mali was clearly in a situation of non-international armed conflict, involving the Malian armed forces and non-state armed groups, which met the requirement of being sufficiently organised given that they took control over Timbuktu for a protracted period. Therefore, members of a state armed force or a non-state armed group can be held criminally responsible for such an attack. Mr Al Mahdi has been associated with Ansar Dine and Al-Qaeda in the Islamic Maghreb, the Islamist militant groups for which he led the ‘Hesbah’, a morality brigade which sought to prohibit certain practices within the population of Timbuktu which were considered heretical, including the use of the mausoleums as places of prayer or pilgrimage. According to these groups’ beliefs, nothing should be built over a tomb and, as a consequence, the mausoleums had to be razed to the ground. Mr Al Mahdi led their destruction, even actively participating in five of the attacks. A witness in the case stated that “destroying the mausoleums, to which the people of Timbuktu had an emotional attachment, was a war activity aimed at breaking the soul of the people of Timbuktu.”

In her statement opening the trial, the Prosecutor underlined that “[T]he protection of cultural heritage is an essential part of the post-conflict social reconstruction and reconciliation process. This is because cultural heritage gives meaning as well as a sense of continuity and direction from the past to the future.” She added that Mr Al Mahdi’s recognition of criminal responsibility “is crucial for Timbuktu’s victims” and that “[I]t will also support the reconciliation process in the field.” In the course of the trial, the Chamber noted his remorse and empathy towards the victims, such as the imam of the Mosque which had its door destroyed. However, the longer term impact of this trial on the post-conflict situation in Mali will take some time to be properly evaluated.

In the meantime, the sentencing of Al Mahdi will now be followed by a reparations phase, during which the scope and extent of any damage and loss to victims will be determined, with the assistance of experts called in to assess the harm caused to the international community by the destruction, as well as the monetary value of the damage caused to the monuments and the economic and moral harm caused to individuals or organisations. This process will allow the possible order of reparations, such as compensation, which should be decided during the course of next year.

This landmark trial, as the first of its kind focusing on attacks against cultural heritage before the ICC, delivers a clear message to those who may perpetrate this type of crime and could possibly serve as a deterrent in the future. It underlines that attacking cultural heritage is a serious international crime which affects not only the local populations, which were particularly attached to it, but all of us. While the ICC may in the future prosecute more individuals for such crimes, it should be stressed that it functions on the basis of complementarity: it is only if domestic courts are unable or unwilling to prosecute the alleged perpetrators of crimes enshrined in its statute that the ICC may open an investigation into such a matter. The 1954 Hague Convention also provides that states must prosecute and impose penal or disciplinary sanctions upon individuals, of whatever nationality, who have committed (or ordered to be committed) an act of hostility against a monument of great cultural heritage importance. Therefore, this case will hopefully also have an effect on domestic proceedings as states should criminalise such unlawful conduct and prosecute the alleged perpetrators of such a serious crime.