Organised crime and critical national infrastructure
Michael Kolatchev and Lina Kolesnikova investigate the threat that organised crime poses to critical national infrastructure.
Last April, Karim Bouyakhrichan (alias Taxi), the “most wanted and dangerous criminal in the Netherlands”, was released by order of the Provincial Court of Málaga without the High Court activating an arrest warrant to extradite him. He’s known as one of the top capos of the Mocro mafia, a Dutch-Moroccan criminal network based in the Netherlands and Belgium, which has defied the state with threats to Princess Amalia, Prime Minister Rutte and some Belgian officials.
The Mocro mafia is one of Europe’s largest cocaine trafficking cartels, and is believed to have smuggled billions of Euros worth of drugs from South America into the EU through the Belgian and Dutch ports of Antwerp and Rotterdam over the past 15 years.
The level of infiltration and the scale of cartel operations at these ports now appear to be beyond the authorities' capacity to control. The scale and audacity of these operations pushed the mayors of Amsterdam and Rotterdam to warn of a “culture of crime and violence that is gradually acquiring Italian traits”. The buzzwords ‘narco state’ and ‘narco state 2.0’ filled the headlines in Dutch, Belgian and international mass media.
Organised crime groups – we are in business to be successful, not to be loved
The digital revolution, technological advances, globalisation, corruption and connections to governmental institutions have opened new avenues for organised crime. Organised crime groups are always looking for opportunities to infiltrate the legal economy (investments, public procurement etc).
We talk a lot about the risk that criminal activity poses to critical national infrastructure (CNI), typically assuming that threats come from outside the CNI. In recent years we have witnessed an increase in organised crime networks treating CNI differently: as convenient, publicly available legitimate infrastructure to be used, and misused, for their own benefit.
Sectors of CNI such as transportation (airports, ports, railway and road transport); the financial sector, telecommunications, government facilities (e-government), and security are becoming very attractive for local and international criminal groups.
Let us consider any organised crime group as a sort of an enterprise, which must be profitable. When we identify the needs and related capabilities of such an “enterprise”, we can map it into CNI to get some examples of what such entities would want to use and, potentially, to control.
Without trying to be exhaustive, there are several things an enterprise may need.
Internal operations - producing a product or a service to sell. This might be a real product (e.g. drugs or raw materials, arms and munitions, illegal content), material appropriated from someone else (e.g. a stolen piece of art or personal data), or a service of advice or facilitation (e.g. money laundering, fraud-oriented call centres or dispute resolution in the style of the legitimate world’s arbitration arrangements).
In terms of internal operations, they may also need storage, distribution and logistics (physical/electronic or both); personnel and HR service; finance and accounting, the ability to disburse funds for internal purposes; security, risk and compliance; and internal management and operational systems.
They may also need external operations towards customers: sales channels, agents and partners; marketing, prospecting, and, ultimately, a customer service, including communication channels and the ability to collect funds. This also includes supply management and communication channels, and the ability to transfer funds as payment to suppliers.
Just like any enterprise, a criminal group would want to control its existing market while looking for opportunities to enter other markets. If we consider illegitimate activities as an underground business, then such a business will, directly or (more often) indirectly, give rise to something that pushes through to the legitimate side. “Upper world” activity is usually less risky than underground activity. Communication, services and money flows between the underground and the upper world must therefore be assured.
Mapping enterprise needs to CNI
The next step is to see which needs of an enterprise could raise interest in particular CNI. A smaller enterprise may operate independently of critical infrastructures or almost independently. But the larger ones will not.
Let us consider the production activities which would typically need energy. Small remote locations can be served by local energy production. However, as an enterprise scales, local energy production might be far less cost-efficient than possible alternatives.
Cutting into existing gas pipelines or electrical grids gives access to a significantly higher supply at a significantly lower cost, especially if the tap is hidden and the energy is stolen (taken free of charge). For the best efficiency and longer operation, an enterprise will want a higher degree of resilience, potentially by building some sort of redundancy into its access to these critical infrastructures, while also gaining the ability to monitor them, if not to control them.
Personnel of an enterprise, its customers and suppliers may use proprietary, fully controlled radio systems for communication. For scaling and international operations, an enterprise could even dream of building its own satellite communication platform, but that is going to be expensive and hardly cost-efficient, and, surely, a degree of resilience of such infrastructure will be limited. Here again, telecommunications infrastructure of the legitimate world brings a benefit of scale and the existing inter-connectivity across cities, countries and continents, giving the ability to reach both suppliers and customers wherever they need to.
An enterprise would build its own communication overlay or, and this happens all the time, misuse an existing legitimate overlay for its purposes (e.g. the web and dark web, social networks and messengers). Just like in the case of energy infrastructures, an enterprise will look for ways to control or, at least, monitor and fend off investigations or activities that might disrupt its communications. An interesting example would be fraud-oriented call centres, which may appear to be legitimate businesses in their home countries because they do not commit crimes against their own citizens. Manipulating calling numbers (caller ID spoofing) brings the benefit of hiding the cross-border nature of the calls.
Victims then perceive the attackers as calling locally, while they are not. The latency in identifying and reaching the source through two often significantly different legal systems makes catching a calling fraudster a very lengthy and costly process for any authority. There may also be political reluctance to pursue such investigations. Thus, many such operations keep running because dismantling them is too difficult for as long as there is no close cooperation between the two countries.
Beyond producing something and communicating, an enterprise will need to pay its suppliers and will need to get paid by its clients. Carrying a huge bulk of cash might still be possible, but this has serious costs and risks attached. Using modern financial infrastructures brings unprecedented advantages, with even instant transfer available in many countries, as well as simple international transfers. Keeping in mind that an enterprise usually needs funds in the legitimate world as well, the money launderers come in handy, facilitating untraceable or almost untraceable transfers from the underworld to the upper world, and vice versa.
UNODC estimates that between 2 and 5 per cent of global GDP is laundered each year. That’s between EUR 715 billion and 1.87 trillion. Risk and compliance requirements keep growing. Consequently, money launderers need more insight into financial infrastructures and the associated legal disclosure and non-disclosure regimes in order to keep making money from money. One particularity is the risk and fraud monitoring capability. With an ever-growing number of electronic payments, and faster and immediate payments in particular, there is an important dilemma: “block a payment and then investigate” versus “allow a payment and then investigate”.
One can expect monitoring policies to shift towards blocking decisions, because with the proliferation of instant payments even one second after the initial payment may be too late to remediate: the funds will already have been transferred somewhere else. As in many other domains, shrinking time windows for risk decisions demand more and more automation of those decisions. Such automation carries a serious risk of its own: once it is in place, infrastructure operators will have no other means of reacting.
That means the automation cannot be switched off anymore, even if it is found to be faulty, because there may be no adequate compensatory mechanisms in place. Consequently, the automation itself becomes a target: it can be manipulated and misused to achieve the specific objectives of those manipulating it.
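The following is an added illustration of the dilemma described above, not code from the article or from any real payment operator. It models a minimal real-time decision engine with a constructed risk heuristic (the scoring weights, the threshold values and the "home market" countries are all assumptions chosen for the example). Two points matter for the argument: on instant rails a flagged payment is held before settlement (block-then-investigate), while on slow rails it may be allowed and queued for investigation because recall is still possible; and if the automation has to be disabled, the engine degrades to holding large instant payments rather than failing open, which is the compensatory mechanism the text says is often missing.

```python
"""Instant-payment risk decisioning with a fail-safe fallback (illustrative, not a real engine)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"   # settle now
    HOLD = "hold"     # park before settlement, manual review within SLA
    BLOCK = "block"   # reject outright


@dataclass(frozen=True)
class Payment:
    payment_id: str
    amount: float
    new_payee: bool       # payee never seen on this account before
    payee_country: str    # ISO 3166-1 alpha-2
    instant: bool         # True = irrevocable within seconds, False = recallable batch rail


class RiskEngine:
    """Scores a payment and decides per rail; keeps a queue for allow-then-investigate."""

    HOME_MARKETS = {"NL", "BE"}           # assumption for the example
    FLAG_SCORE = 40                       # assumption: at/above this the payment is suspicious
    BLOCK_SCORE = 70                      # assumption: at/above this the payment is rejected
    FALLBACK_HOLD_AMOUNT = 1000.0         # assumption: used when scoring is switched off

    def __init__(self) -> None:
        self.automation_enabled = True
        self.investigation_queue: list[str] = []

    def score(self, p: Payment) -> int:
        """Constructed heuristic; a real engine would use behavioural and network features."""
        s = 0
        if p.new_payee:
            s += 40
        if p.payee_country not in self.HOME_MARKETS:
            s += 25
        if p.amount >= 5000:
            s += 30
        elif p.amount >= 1000:
            s += 15
        return s

    def decide(self, p: Payment) -> Decision:
        if not self.automation_enabled:
            # Compensating control: never fail open on the irrevocable rail.
            # Large instant payments are held for a human; everything else flows.
            if p.instant and p.amount >= self.FALLBACK_HOLD_AMOUNT:
                return Decision.HOLD
            return Decision.ALLOW

        s = self.score(p)
        if s >= self.BLOCK_SCORE:
            return Decision.BLOCK
        if s >= self.FLAG_SCORE:
            if p.instant:
                # Block-then-investigate: one second after settlement is already too late.
                return Decision.HOLD
            # Allow-then-investigate: the batch rail can still recall the funds.
            self.investigation_queue.append(p.payment_id)
            return Decision.ALLOW
        return Decision.ALLOW


# Constructed sample traffic for the example.
SAMPLE_PAYMENTS = [
    Payment("p1", 200.0, new_payee=False, payee_country="NL", instant=True),    # routine
    Payment("p2", 6000.0, new_payee=True, payee_country="AE", instant=True),    # high risk
    Payment("p3", 1500.0, new_payee=True, payee_country="NL", instant=True),    # flagged, instant
    Payment("p4", 1500.0, new_payee=True, payee_country="NL", instant=False),   # flagged, batch
]


def run(engine: RiskEngine, payments: list[Payment]) -> dict[str, Decision]:
    return {p.payment_id: engine.decide(p) for p in payments}


if __name__ == "__main__":
    live = RiskEngine()
    for pid, d in run(live, SAMPLE_PAYMENTS).items():
        print(pid, d.value)
    print("queued for investigation:", live.investigation_queue)

    degraded = RiskEngine()
    degraded.automation_enabled = False
    for pid, d in run(degraded, SAMPLE_PAYMENTS).items():
        print("fallback", pid, d.value)
```

The design choice worth noting is the fallback branch: if the scoring logic is compromised or found faulty and has to be disabled, the operator still has a defined behaviour that does not amount to waving every instant payment through.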
In the modern digitalised world, more and more data is collected in centralised databases, for example government databases and those of large financial and infrastructure institutions. Such huge databases are attractive targets, as data is the new oil. Apart from selling the data itself, access to it improves the monitoring of people and activities, for example for segmenting attack targets (victims) or closing in on potential clients.
Apart from individual infrastructures, enterprises might make use of combining their access to several infrastructures at once. For example, e-government infrastructures often come with the ability to make instant electronic deals like selling a house or taking credit. Hack into e-government infrastructure and an enterprise could sell multiple houses or take out loans without the need to spend time and effort on tricking owners into such deals.
Another example would be stealing from someone’s account. In more advanced countries, financial institutions notify their clients of any operation on their accounts by sending an SMS or a push notification to a mobile app. Intercepting, diverting or otherwise manipulating such messages on telecommunications or other infrastructures gives criminals a longer window in which to achieve their objectives, such as emptying a bank account before the owner notices.
A similar situation with breaking into information technology systems may permit working around customer authentication, which often relies on one-time access codes being pushed through as SMS, mobile app notification or an email, over telecommunication networks.
Organised crime groups have long focused on speeding up the transportation (logistics) of people, drugs and other illicit goods by using ships, containers or aircraft, and have been able to transport ever larger quantities across the globe. There are determinants other than passenger and trade volume, such as a low risk of interdiction, shifts in criminal markets and the specific geolocation of transportation hubs and nodes, that enable criminal actors to exploit the “transportation business”.
Ports are part of national and international critical infrastructure. Some of them are enormous entities and, since they have restricted access, represent parts of cities that are fertile ground for their “own” hidden activities.
But we have to consider that some ports ARE places of crime, with a high level of infiltration by organised crime groups. Even more, ports have become one of the most valuable parts of complicated criminal schemes with billions at stake. Europe’s biggest ports, Antwerp, Rotterdam, Hamburg and Le Havre, have become the El Dorado for drug traffickers and smugglers and, consequently, have contributed to the skyrocketing increase in drug consumption, drug-related crime and urban violence in Europe.
(Almost) any good infrastructure is attractive
In the past, criminal enterprises used to create their own infrastructures to be independent from the legitimate world.
Nowadays, adequate service offerings are very costly and time-consuming to build, and the necessary infrastructure could be too large to be hidden. Therefore, criminals no longer have an interest in creating their own critical infrastructures. Instead, the legitimate critical (and non-critical) infrastructures that deliver modern services, whatever the domain, will be used more and more by criminals. This leads criminals to seek a foothold in such infrastructure: gaining influence, building a purposefully tailored overlay on top of it and, ultimately, a controlling position.