EAASP 44th Conference May 2017
‘Developing a flexible and agile security capability that protects our ports in a changing threat environment’
(copies of most presentations are available to members in the member-only part of the website.)
Ali Darge, ExCo General Secretary
The General Secretary provided a security briefing and covered the domestic arrangements for the conference, including travel to and from the Mayor’s parlour and arrangements for the AGM on day two.
Peter van den Berg, President of the EAASP
Welcomed distinguished guests, especially Lt General Edward Davis, CBE Gibraltar’s First Minister, and The Honourable Fabian Picardo QC MP. He then welcomed all EAASP members and delegates, conveying thanks to our hosts the Government of Gibraltar, the Collector of Customs (Mr John S Rodriguez) and Commissioner of the Royal Gibraltar Police (Mr Eddie Yome).
The President asked “Why are we here” and indicated that we are facing evolving threats and we aim to strengthen seaports and airports and make them the safest in the world. He stated that freedom of movement and ECHR are embedded in our political structures and our role is to ensure that they can be implemented safely. He quoted “Be prepared for and expect the unexpected”. He emphasised that international cooperation and collaboration, working together and exchange of information is a core role of the EAASP.
The Honourable Fabian Picardo QC MP, First Minister
The First Minister said that today a 2nd liner is being docked as we start the conference, highlighting the importance of Gibraltar as a passenger destination. He stated that Gibraltar has 32,000 inhabitants and more than that arrive on some days across their land and sea borders. The population doubles especially in summer months. Gibraltar has an airport, a land border and of course the sea port. Gibraltar, while small, is a crucial transport hub for commerce and tourism. He pointed out that Gibraltar operates outside of the Schengen area.
He extended a warm welcome to the participants at the conference.
Session 1 – Cyber Threat
Dr Richard Chisnall, ExCo
He introduced the first session of the conference that focuses on cyber security and cybercrime as it affects physical infrastructure at airports and seaports in particular. He referenced the HISCOX survey published in April that claimed that "In 2016, cyber-crime cost the global economy over $450 billion [and] over 2 billion personal records were stolen". HISCOX describe this as “an epidemic of cybercrime, and yet 53 percent of businesses in the US, UK and Germany were ill-prepared."
He then introduced the speakers for this session.
Mr François Lavaste, CEO Airbus Cyber Security
Airbus has over 130,000 employees worldwide and 700 outward-facing cyber experts. Mr Lavaste is also the vice-chair of ECSO, the European Cyber Security Organisation, created in 2016 and supported by the European Commission. ECSO is a major European cyber security initiative and public private partnership with a €450M budget and over 200 members to date. He said that large and small business and users are members and it is growing quickly, providing research, innovation and developing expertise.
He highlighted the growth in threats with an illustration. In 2001 spam was just 17% of e-mail traffic. By 2004 75% of e-mail was spam. Small threats today can become very big tomorrow, he said.
In terms of trends: 4-5 years ago the focus was on IT security, people, network security and penetration testing. People provided end point protection and aimed to prevent attacks. Now we are building on the prevention approach but adding protection in depth. In addition there are two more dimensions taking effort and providing additional security: monitoring and preparation for crisis. This is being driven by rapid network growth fuelled by the IoT which enables more sophisticated attacks and, unfortunately, provides additional vulnerabilities for real-world physical systems.
He described that the focus is moving away from IT (information technology) security towards OT (operational technology). He covered SCADA systems and ‘smart’ products and added that industrial control systems, such as those found in industry and ports, are areas of concern. For IT systems one concentrated on CIA (Confidentiality, Integrity and Availability) but he identified that now there is a 4th dimension, safety. People’s lives may depend on these systems.
An emerging positive initiative is collaboration. The formation of ECSO is an example of this. All actors (suppliers and customers) have to work together. For example Airbus had formed a partnership with CETA to do just this. It addresses passenger registration and baggage handling to meet airports’ and airlines’ needs. Airbus has also entered into a partnership with Alstom, in the rail safety environment. This started with training and expertise to complement internal skills. It now extends to provision of a SOC to monitor products in addition to systems and even extends to connected cars.
Sharing threat information is needed but can be a challenge. People do not like to advertise that they have been attacked. One solution is the formation of ‘Trust Circles’, e.g. for seaports, manufacturing, etc. It is in industry’s interest to share the threat intelligence among similar ‘targets’, be they collaborators, competitors or users. The boundaries between all these organisations are becoming blurred.
There are a range of attackers from "script kiddies" to state-sponsored actors and a vast range of targets. For example, TV5 Monde was attacked and almost shut down for a few hours and the attack extended to their web sites. ISIS was blamed but others were subsequently shown to be responsible. The political interest was such that four ministers were present, at different times, outside their offices the following day, showing its importance but also that no single department had sole responsibility. In the event, a Russian group was flagged as the perpetrator, so the boundary between government and civil business was completely blurred.
Users’ experience in one M.S. is valuable and can lead to implementations of best practice in another. Cyberattacks don’t respect national boundaries, he said. For example, they may spoof others, say, in pretending to be Chinese or North Korean, when they are actually from within the same country. Our internal organisational boundaries and international organisations are problems created by ourselves and not respected by our opponents.
Ports are targets in themselves and can also suffer collateral damage when others are the target, or create it if they are themselves attacked. Cyber threats need to be considered in the same light as physical attacks. Simultaneous attacks are likely to be seen.
Safety and Security need to be considered ‘by design’, i.e. at the outset not bolted on afterwards.
Marc van Oudheusden, Ministry of Infrastructure & Environment, The Netherlands
He concentrated on improving defence by understanding and thinking like a hacker. His own experience is in the crisis management coordination centre in the Netherlands but he has also been on an advanced hacking course. He said that conspiracy and hacking are similar in that no internationally agreed definitions exist for them.
The cyber domain has become all-embracing and includes infrastructure, high-level organisations, hardware, people and governance structures and it has introduced terms like “Ethical Hacking”. He partitioned the type of adversary into: Hackers; script kiddies; hackers tier 1, 2, 3; crackers; suicide hackers; cyber terrorists; state sponsored; and spy hackers. He then provided an overview of ethical hackers and how demanding and long training courses are in this area.
He asked, are we in the position of “never being safe again”? He highlighted that users need: security, user-friendly interfaces and functionality but they may not ask for or be willing to pay for security. He pointed out that the hacking process has been automated and deskilled and, as an illustration, showed a video advertising hacking tools for attacking aircraft.
He identified the steps undertaken by hackers including: Reconnaissance, active and passive. What are the internal and external domain names that the organisation uses? What are their networks? What can you find out about the systems that they use? As an outsider one can use job advertisements to determine the system descriptions of the employing organisation from the technical skills identified as being needed. Much of this information is on-line and easy to access. Passive reconnaissance uses search engines and organisation’s own websites. Further steps include e-mail phishing and using Google hacking tools (Commands) through to network, DNS, and social engineering. Even “dumpster diving” can be used (looking in the organisation’s trash bins). Users often leave profiles on social media, including Facebook, Twitter, YouTube, LinkedIn, Google+ and Pinterest. Large amounts of software are available to even a lazy hacker.
Moving to active reconnaissance, a hacker may try to access the systems of the organisation. Hosts are often easy to discover by ICMP ping, TCP three-way handshake or NMAP, which gives IP addresses and firewalls. Attackers can then actively enter the system, but often need to access or circumvent user IDs and passwords. Once inside, the attacker aims to gain access, escalate privileges, execute applications, hide files and cover tracks.
He himself is often involved in password breaking. There are several well-known ways of doing so: dictionary attack, brute force, hybrid, syllable, rule-based. Hacking tools include: Trinity, PasswordLastic, Stella, etc. The process is well supported by tools, and weak security, e.g. allowing unlimited password attempts, makes it easy.
Finally an attacker will aim to cover their tracks – remove the evidence.
He then turned to the threat landscape. The IoT is focussed on products, not security. Other threats include APTs, state-sponsored attacks (critical infrastructure is often attacked) and, of course, the "unknown unknowns". When an attack is underway, information is often hard to extract; for example, when Eurocontrol was attacked, engineers were prohibited by contract from revealing what was going on until after it was over.
Ulrich Seldeslachts, CEO LSEC Leaders in Security, Belgium
He provided an overview of the breakout session that he would be leading but also added valuable insights into developments in the cyber security arena that were affecting his 200+ member companies. He described a DDOS attack and provided a video of a DNS attack. LSEC itself has contributed to the Interpol-led IOCTA 2016 (Internet organised crime threat assessment, 2016). He described a range of challenges that have emerged in trying to defend against attacks (see slide deck for full details). What should you know to be a competent user? How do you scale up for security incidents, as they are certain to occur at some time? He demonstrated the www.Botvrij.be site which showed a digital attack map. How does one improve managing an incident and the response? He stated that on average security incidents take 25 hours to address but it can be 11 hours before the effects are visible – what happens in those first 11 hours? He highlighted that in a data breach incident, even children’s toys are targets.
He described the values of a ‘Circle of Trust’ (a recurring theme in the conference) and how they can be of use, and then moved on to describe the TAKEDOWN project in preparation for the breakout session.
Aviation Breakout Session
Led by Ulrich, discussions had a practical focus on real-time issues within Europe and beyond. The head of the SW Counter Terrorism Unit in the UK mentioned organised crime issues and terrorism plus availability of materials on the dark web. The police lead at Heathrow outlined cross-agency work to respond to a cyber incident and the link to the Insider Threat. A Belgian colleague outlined the more robust work currently being undertaken by EUROPOL. The Gibraltar Customs IT advisor gave details of work they are progressing with data protocols following a cyber-attack last autumn. The Moroccan police gave details of how radicalised youth use the internet and respond to online recruitment.
Maritime Breakout Session
The subject of ‘Cyber Security as part of Critical Infrastructure Protection – Best Practices, checks and balances’ was discussed, led by Marc van Oudheusden. Better management systems are the better tool to enhance cyber security, better than detailed security legislative arrangements, especially whilst legislation is still catching up with advances in cyber threat. In the Netherlands there is new EU legislation which leans towards better management systems, creating awareness of risk and preparedness. Aviation is legislated. There was a debate as to whether governments should legislate hardening of systems and completing inspections and penalties. The conclusion was that better management systems were preferred. There was then discussion on how to deal with exchange of confidential threat information and the public-private partnerships. There is a Cyber Information sharing partnership in the UK. Possible issues of some private companies not sharing details, not wanting other competitors to know. In the Netherlands companies must share or may be fined. Security incidents must be reported, analysed and distributed and there is a very open approach. Is it not the Government’s responsibility to ensure that this environment exists? Critical Infrastructure assets not appropriately prepared for state-sponsored attacks was discussed. Do companies have plans in place, likewise the public sector? It was recognised that to have government policies is essential. There is more legislation around critical infrastructure but a belief that not all are fully prepared. Should governments only focus on critical infrastructure? It was recognised that there needs to be a holistic approach and not just CNI, although CNI should be prioritised. In discussing whether critical infrastructure uses the right scenarios to test their systems it was noted that it was hard to simulate real scenarios on the live systems and there is a question of cost.
Maybe exercises should be about management decision making. Lastly there was a discussion about the military’s long-standing cyber experience and whether this could be shared with civilian authorities. The conclusion was yes, as part of the holistic approach to a relatively new area of concern in the private/public sector.
Simon Moore, Chief Exec Cybersecurity, DXC.technology
DXC.technology was formed in April from CSC and HP and is one of the world's largest global providers of IT systems and services with over 170,000 staff in 70 countries. He used a simple story of Bill and Ted escaping from a bear to illustrate his theme – the aim is to stay ahead (of the bear)! He drew analogies between piracy and cyber crime and coined the term “internet piracy”. For example Sir Francis Drake was essentially a state sponsored pirate. He “defied the queen” so was he a white-hat turned black, a gamekeeper turned poacher?
He highlighted the speed of the evolution of the threats but the organisational issues covering IT run at a much slower pace where, for example, contracts can be of 5-7 years duration and with fixed objectives. He cited the Yahoo attack where 500M accounts were stolen in 18 months and that spear phishing cost $2.1 Bn last year alone.
New vulnerabilities are coming from IoT. After a poll of the audience he recorded that one member present already had 96 IP connected devices. Ransomware is growing and Cryptolocker typically extorts $1000 per attack and 64% of victims pay. Can we disrupt operations, e.g. by using something like a toll road?
He touched on the dark web, an untrustworthy network of people and systems but which still undertakes $Bn of business. These partial-trust systems are highly advanced. He illustrated how now a $10 root kit that sold 100,000 copies would generate $1M. The encryption key could be released on a given day causing a deluge of attacks (with parallels to the subsequent global attack of 12th May).
In a second scenario, he described a real case where a 30% share price crash occurred after a fake report was released describing “fraudulent” activity. Ransomware was monetised by shorting the share price.
He recommended an organisational change to make systems more resilient by combining three budgets together: physical security, IT and IT security. Segment your security; make it hard on the outside and on the inside. Create sand-traps, monitor events. Concentrate on protecting the sensitive stuff and encouraging good user behaviours but only when necessary e.g. bank passwords should be different but a Costa Coffee password could be common with many applications. He finished with a description of a rule-rich approach similar to being a member of a golf club.
Jim Nye, (EAASP EXCO)
After the breakout workshops led by Ulrich Seldeslachts and Marc van Oudheusden, Jim Nye summarised the findings.
Lunch was hosted in the Mayor’s parlour by Her Worship the Mayor of Gibraltar, Kaiane Aldorino, who welcomed conference attendees and to whom the EAASP President made a formal response.
Session 2 - Impact of changing political landscapes on the borders of Europe.
Stephan van Hauwe, ECSA OSINT
Mr van Hauwe runs open-source intelligence for his organisation. He said that he would talk about the strategic impact.
The contents of this talk have not been placed in the public domain.
Soufiane EL Hamdi, Moroccan Expert
He said that his background was focussed on the preventative aspects of terrorism; people smuggling; drug smuggling; arms smuggling and the terrorist-smuggler nexus. Of the 500 M inhabitants in Europe, 1.3M claimed asylum in 2015. Is this really a problem? As a percentage he stated that was much less than in other parts of the world.
He discussed the root drivers including: Economies; social migration; post Arab spring – conflicts; CT is a business; huge cigarette movements; terrorist groups in N Africa helping each other; and security is the responsibility of everyone. In the war against terrorism the person dies but not the ideology so we need to go to the root cause with a holistic approach. The hard approach results in a short term gain. In 2012 it was Iraq, Iran and Afghanistan. By 2014 it had spread across N Africa.
He mentioned the cyber aspects including the internet, Twitter and the Inspire magazine etc. Make a bomb in the kitchen of your mom. Lack of consistent government narrative driven by colonialism, oppression and youth marginalisation etc.
He proposed other possible ways to prevent violent extremism. Facilitate disengagement from violent groups. Produce and amplify new alternative narratives.
Aviation Breakout Session
Brexit and its possible impact on collaborative working was discussed. Ongoing issues such as information exchange need political will and pan-EU legislation to work properly. With other EU groups (AIRPOL, Europol etc) could develop legal frameworks / jurisdiction; less personal relationships; some nations considering national interests first then EU and Global is a weakness. Differing threat levels were discussed: same risk environment but national threat levels differ. Further discussion ensued around the benefits of professional relationships developed through bodies like the EAASP.
Maritime Breakout Session
This session covered a realistic scenario based on an escalating situation in a maritime environment involving exchange of intelligence between countries, and between the public and private sectors. The scenario developed into an incident and explored the handling of the incident response and aftermath. This was led by Bastian Maltha and Ville Patrikainen. A number of questions were asked; the first was ‘Are ferries soft targets?’. Persons and freight were discussed along with sailings with Sea Marshals and the risk of unchallenged items being taken on board. Access is controlled with good discipline but there was recognition that more vetting could be applied at port facilities. The scenario was discussed including actions to be taken by governments, operators and port facilities. The rise to SL2 was discussed and what this means. Initiatives such as ‘Portsafe’, developing in the UK, and Run-Hide-Tell were discussed.
Captain Martin Drake, Airline pilot BALPA
Captain Drake covered the strategic and psychological issues arising from changing borders.
He covered their derivation from Stone Age times through to the evolution of the modern global national boundaries.
He highlighted that stereotypes abound, for example Pakistani immigration has existed since 1700 fuelled by the East India Company and is not a new issue. In the USA, Law Enforcement has a mantra to think globally but act locally. He highlighted that terrorists don’t recognise any of these borders.
He said that “borders are porous” and referred to Mr Rajib Karim who appeared as an IT worker. He applied as cabin crew during an industrial dispute. He was so sure that he would not be discovered. An investigation by GCHQ took a while and found vast terrorist resources.
He provided an amusing example of how terrorists see the police and also a Boston-box model showing permanent and temporary movement of people on one axis and regular and irregular flow on the other and how this can be used to assist screening. Whilst this is a vast simplification, tools like it are needed as, for example, at London Heathrow 60 M passengers traversed the airport in 2016 of whom 97% were low risk, 2% medium risk and 1% worthy of closer scrutiny. He highlighted that an intelligence-led security process would allow one to concentrate on the 1 to 3% and would be both more effective and more cost-effective.
Turning to future challenges he highlighted information sharing.
For example, Malaysian airlines flew over a war zone in Ukraine but British aviation had received a ‘notice to airmen’ (NOTAM) not to fly there. Why was it not put on the ICAO website?
Germanwings flight medical staff knew of the pilot’s mental health problems but Data Protection stopped this being transferred to the airline employer.
Jim Nye – (EXCO).
Summarised the first day. Participants then went on two external “cyber visits”.
Ali Darge, ExCo General Secretary
Welcomed delegates on their return, outlined the business of the day and referred participants to the EAASP web site (www.eaasp.com).
Peter van den Berg, EAASP President
He informed the meeting that today was Dutch Remembrance Day for the 6M dead in WW II and that the Dutch would respect 2 minutes silence at 8 pm.
Session 3 – Terrorism
Commander Dean Haydon, Head of CT command at Scotland Yard, MPS
He indicated that his was a varied rôle and that yesterday he was being interviewed by the BBC, and he and his office have a full-time role policing London. He said that he would talk about a mix of tactical issues with some strategic overlap. He is responsible for CT policing in London and also International operations, with CTPLOs embedded across various countries in the world.
He said that in the UK the Threat Level is ‘Severe’, meaning that an attack is highly likely, and it has been at that level since 2014.
With recent events, his department has been at the highest tempo since 2012 actively managing and disrupting numerous attack plots, mainly focussed in London. 18 major terrorist plots have been disrupted since 2013. He runs three strands: CT policing in London, International operations and the national digital exploitation service.
The internet is a major source of information, used by others to radicalise and promote terrorist-related propaganda. Communications are increasingly encrypted, which adds an additional layer of complexity.
On the international front, CTPLOs are working with law enforcement and security service partners in various countries trying to stop the threat coming back to the UK, for example from Raqqa and Mosul. It is estimated about 850 UK Nationals have travelled to war zones; some have been killed on the battlefield and the risk now is those seeking to return. He said that for every one of them we need to have an action plan to manage the risk they pose on return, focussing on arrest and prosecution, so evidence is essential. We are also seeing a growing trend of women and the young seeking to travel and also getting involved in terrorist acts, which is a concern.
On the regional front the UK is organised around regional CT and CTIUs. The majority of threat is from Syria (42%).
Why is threat so high in London? Of individuals of interest, the largest percentage have a footprint in London, plus London is home to iconic sites and generally has the most crowded places. Of the 910 protected infrastructure sites, 594 are in London (64%).
Westminster Attack. Tarak Masoud, classic lone actor. Not on any radar. He had previous convictions for violence. He parked in a bus lane outside St Thomas’ hospital then drove at speed across Westminster Bridge causing death and injury. He then used a kitchen knife to attack police in the Palace of Westminster. On 9 March he purchased knives; on 16 March he hired a vehicle. On the 21st he stayed at Preston Hotel Brighton. On 22nd March he conducted online research into PMQs then travelled from Brighton and sent a PDF to family and associates prior to the attack. He renewed the daily hire twice, but on the third day had no more credit so used the car in the attack. His team arrested 12 individuals linked to Masoud after the attack.
In relation to aviation security, Commander Haydon gave an overview of various terrorist plots including: Richard Reid the shoe bomber; in 2006 the airline liquid plot; in 2009 the underpants bomb plot; in 2010 the printer bomb plot at Birmingham; in 2013-15 the Khorasan Group; and in 2016 the Daallo Airlines attack – bomb in wheelchair.
He gave the group an indication of the level of expert police resource he has under his command.
Finally he discussed the current concerns relating to aircraft threats.
Ann B, CPNI
She discussed disruptive effects in aviation security – an effective operational mitigation tool.
She works in the personnel and people security programme and in the R&D part of the business. (Cyber is now in NCSC.) One objective is in disrupting hostile reconnaissance, optimising people in security.
She then described project SERVATOR.
It provides disruptive effects for aviation security and a proof of concept operation has been running at Stansted Airport for the outbound journey. It aims to be: Unpredictable, highly visible, with a wide range of assets, providing specially trained officers, covering media and public relations. 17 UK Police forces are adopting project SERVATOR for its disruptive effects. They include NPCC (National Police Chiefs Council), BTP, Border Force, Sellafield (CNC Civil Nuclear Constabulary) and the MOD Police.
Its aim is to ensure that normal site users will be informed, reassured, recruited while the hostiles will be deterred.
Professional Security Magazine and others have a series of articles on project SERVATOR. It claims improved public reassurance and confidence; enhanced deterrence and detection of hostile reconnaissance and wider crime; more effective utilisation and coordination of existing resources; improved officer motivation; development of officers’ skills.
Outcomes, Nov 16 to Mar 17. 463 deployments, 4,614 persons engaged, 662 tactical engagements, 2 arrested for theft, 5 positive stop and search, 6 fixed penalty notices. 9623 likes in Instagram, 1694 likes on Facebook, 465 re-tweets.
Aviation Breakout Session
Ann B, assisted by Martin Drake, ran a practical exercise ‘Understanding the mind of the terrorist’ – this was similar to an exercise commonly used in the UK to help security staff and police gain a greater awareness of the types of research terrorists will undertake when planning an attack; material on the internet such as photographs and site plans etc. It led to a discussion where ‘security minded communications’ would reduce their access and make a successful attack more difficult.
Session 4 – Collaborative Working Across the EU
Maritime Breakout Session
This session was led by Bruce Roberts and Bastian Maltha and there was discussion on Cruise Ship risk assessment processes including at ports. The definition of Threat was looked at and the components of risk. A threat scoring mechanism was worked through including Impact and mitigation. There was a debate about the threat v likelihood scoring and it identified that there were very different opinions which could impact on a risk assessment scoring. In the UK the National Risk Assessment (NRA) is produced which assists this process. A Cruise Ship security scenario was presented and discussed.
William Labruyere, Interpol
Mr Labruyere is based in Lyon, France. He worked initially in the French security service and has now been in Interpol for 4 years as a CT project manager. He holds a political science degree. Interpol operate from several locations worldwide addressing CT and cybercrime and have produced a Global Counter Terrorism publication covering strategy and organisation.
The Terrorist Networks sub-directorate covers identity, travel routes and firearms, social media, financing, etc. He described 65 global Identity projects in this area. They also provide 24 x 7 security communications to 190 member countries, 17 databases, notices, contact officers, regional and international working groups. Issued ‘Notices’ are colour coded as follows: red - arrest requests; blue - to gather information; yellow - missing persons; black - to seek information on unidentified bodies; orange - imminent threat; green - possible threat; purple – to provide information.
Interpol’s aim is to define and counter the foreign terrorist fighter threat. It is neutral by definition in its constitution. It has a series of databases of profiles which has grown to 14,315 entities. It comprises logically separate sections as below.
Foreign Fighter Project (FFP). Detect and identify, interdict and disrupt, respond. CAF (Criminal Analysis File) has contribution from LEA, OSINT and SOCMINT (Facebook etc.) – for example this identified that the Berlin Christmas market attacker was travelling under false papers from Tunisia. Biometric database has 170,000 fingerprints and 500 fingerprints. Interpol Facial Recognition System – IFRS as of Nov 2016, has 33,000 images 6000 images. 100,000 images expected. There is also a CT Biometric project FIRST (Facial Identification Recognition Searching Tracking).
Staffing includes an Integrated Border Management Task Force.
Tools and equipment include I-Batch and MIND. Interpol also provides stand-alone IBMFT kit and support with the Interpol I-CHECKIT programme. It operates the Interpol secure cloud SLTD and shares information with airline security, police forces and Interpol stations and this is also running in the maritime sector.
Jim Nye, EXCO
Provided a summary of the morning.
Session 4 – Collaborative Working Across the EU
Peter Vergauwen, Europol
He is a senior specialist and provided an overview of “Europol in a nutshell”, the European Counter Terrorism Centre and EU PNR from an internal Europol perspective.
He described the structure, governance, operations and capabilities of the Operation Pillar which is in 5 sections, O1 to O5. O1 provides the front office 24x7 for all inputs. O2 covers EU serious and organised crime, O3 - Cyber and O4 – CT. (O5 provides horizontal operational services).
Europol are information brokers, not a police force. They are, however, an operational support organisation. In 90% of cases the information used is owned by one or more M.S. not by Interpol. So they view themselves as custodians (not owners) of EU information. They do own OSINT in their own right, however, and can share that information in a two-way process.
Europol is interested in geolocation of accounts to provide witness statements. O5 provides support to other parts of Europol, including for example, financial intelligence. Europol also has a bi-lateral agreement with the USA.
Europol provides a centre of expertise and support for law enforcement operations but has no executive powers. Their 100 criminal analysts are among the best trained in Europe. They have state of the art tools to support investigations and produce regular assessments including comprehensive, forward-looking analyses of crime and terrorism in the EU.
They run SIENA (Secure Information Exchange Network Application). It can share operational e-mails up to Restricted or Confidential levels. They also run EIS (Europol Information System), a criminal regional database, EPE (Europol Platform for Experts) and AWF/FP (for Europol staff only and being phased out).
They handle 40,000 cases per year. The EU CT centre provides direct and immediate on-the-spot support. It was used after the Paris attack in both France and Belgium and Europol has a presence in Paris and in Brussels.
Finally, Mr Vergauwen commented on PNR from a Europol perspective. Europol can offer cross-checks on PNR data. It can use EAS (Europol Analysis System), EPE, EIS and SIENA to support enquiries. It is the focus for a sharing arrangement between the EU and US for PNR data. It has been used successfully in cash interception. The EPE (Europol Platform for Experts) is also open to academia.
Eric Schouten, Netherlands National Intelligence Services
Mr. Schouten works for the Ministry of the Interior and Kingdom Relations. He indicated that Dutch interests in Gibraltar go back to 1703/04.
There are 5 main tasks of AIVD: Investigating individuals and organisations, conducting security screenings, promoting the security of vital sectors, gathering international intelligence, compiling risk and threat analyses. They provide information to allow people to make their own threat assessments.
He indicated that they deal with airlines and also flight schools (for which there is no central list), pilots’ associations, General and Business Aviation, and the Kmar (the airport police). They share information: for example, Transavia cancelled flights to Sharm el-Sheikh after intelligence from this group, which had identified that YouTube was showing a MANPADS threat from the region, which backed up the hard intelligence. He asked, “Who do you go to, to offer advice about a threat?” In practice one has to go to each airline separately at their premises.
He identified that sharing information and intelligence with other M.S. has not been easy. The Ministry of Foreign Affairs of the Netherlands is the national coordinator for security and counter terrorism and with airlines they issue threat assessments. However, after identifying and sharing a threat assessment in the Netherlands it appeared that other M.S. were still flying to that area. The Ministry announced that airspace above the Sinai is unsafe. It was after, not before, that warning that MH17 was shot down. No single government department deals with Dutch airlines flying in foreign airspace.
As a result we now identify “conflict zones” and share intelligence. It is an informal network, incident related, relevant threat information, covered by an official agreement (covenant) between Government, Corendon Dutch airlines, TUIfly, and the Airline Pilots Association.
Secret information was shared within 4 days, that the MH17 incident was the result of a bomb visible in a metal detector.
Challenges include thinking about sharing (rather than gathering) intelligence.
In August 2016 a credible threat against Schiphol was identified. Classified intelligence information tends not to be shared, but if you have it and don’t act, what is the point of having it, he asked. If one receives Top Secret instructions, how does one act on them and how can one communicate anything from them? Lack of information places operational staff in unmanageable positions as they are not informed about the true position.
Commercial users need to know how to participate and may or may not need to know the detail. What they do need to know is what action to undertake as a result. The organisation’s annual report for 2016 has been recently published and has further information: www.aivd.nl. The report arising from the crash of flight MH17 contains further details and is also available on-line in CTIVD.nr.43 (document reference number).
Aviation Breakout Session
Commissioner Peter Nilsson (Sweden – Head of AIRPOL) outlined the work programmes they are currently undertaking. They have extensive reach across the EU (28 states & 40 organisations). Discussion followed regarding their COPPRA (Community Policing Preventing Radicalist Activity) guidance, which is accessible to all. They have paid close attention to the SERVATOR/DEAS work CPNI are conducting in the UK. Further discussion included: Intel / Risk Analysis; Securing Airport Community Handbook; AIRPOL work with EAASP and US airports, where a workshop was held in NY with another planned for UK in August 2017; Behaviour Detection conference in May (Brussels). A short presentation was given outlining improved ballistic protection capability for airports which was developed in collaboration with the Met Police at London City Airport.
Maritime Breakout Session
This was facilitated by Eric. The discussion covered whether Maritime and Aviation policies differ in relation to intelligence sharing, including any sharing between the different sectors, the sharing of information between operators, and the different approaches in countries across the EU and in the USA. A number of issues were discussed in relation to integration or lack of it. It was noted that there is no competition when it comes to sharing threat information across cruise companies and Dutch airlines. This may not be the case elsewhere but could be improved with more industry participation in working groups and private companies sharing with government agencies. The principles of trust were discussed, recognising that two-way relationships are so important to build a true threat picture.
Richard Chisnall, EXCO
He outlined the strategic aims of the EAASP in getting involved as a “practitioner” in security research, especially, but not solely, in the Horizon 2020 Secure Societies programme, but only where it supports the EAASP’s own organisational objectives and strategy. Following the decision at the AGM, the EAASP is now registered with the EC as a practitioner group. He then proceeded to outline two projects in which the EAASP is involved.
The project covering airport passenger screening, called CONSORTIS, was described first. This is a technically challenging project designed to provide a sensitive walk-through passenger screening system for airports, capable of reliable detection of metallic and non-metallic threat objects or, more accurately, anomalies. The project is running about 12 months late but significant progress has been made: high-throughput walk-by detection has been demonstrated, and stand-off detection at ranges of tens of metres is possible with the active sensor. Video footage was shown of the system component parts in operation. The system will be demonstrated as a whole in Helsinki in Q4 of 2017 and conference attendees can receive an invitation to attend by contacting any ExCo member.
He then covered a new project, launched on 1 May this year, which is associated with the protection of maritime ports against combined cyber/physical threats. This project has a number of stakeholders and some EAASP members have already expressed interest in steering the project and in monitoring its progress. The project will run for 3 years and conclude with the demonstration of specific use-cases in two European ports in 2020.
Closure - Peter van den Berg, President of the EAASP
The EAASP President thanked all participants, the speakers and facilitators, the Government of Gibraltar and the hotel management and staff. He reiterated the great appreciation of the EAASP to the hands-on input from the Collector of Customs, Mr John S Rodriguez, and to the Commissioner of the Royal Gibraltar Police, Mr Eddie Yome, for their diligent work behind the scenes.
Following election at the AGM, the rôle of EAASP President passed to Mr James Douglass and other elections to ExCo rôles were also made at the AGM.