Rob Wainwright, Director of Europol HARDtalk

In every aspect of our public and private life we have become

dependent on the power of the Internet and computing. That makes

us vulnerable to those who would do us harm. Look at the widespread

ransomware WannaCry. It shut down public institutions around the

world. My guess is Rob Wainwright head of Europol. Part of the

cyber-criminals steps ahead of the cyber cops?

Rob Wainwright, welcome to heart talk. For the last few days you have

been somewhat preoccupied with WannaCry, this ransomware which has

spread across the world. How seriously should we be taking it? It

is one of 200 high profile investigations against cyber crime

and including that there has been this trend of these growing threat

from ransomware we have never seen anything on this scale spreading

across 150 countries, over 200,000 victims. It is unique characteristic

combining ransomware with a wormlike function. Another very stark warning

to many years that is that we have to take cybersecurity seriously. We

have been aware of it for 72 hours, your team have been working on it

since then. Is it still spreading? We saw over the weekend, it was

spreading quite quickly. As we started the working week, new

infections in the hands of thousands in parts of Asia and Russia but not

in Europe. What that shows is that those responsible for security in

companies have heeded our warning and they patched their systems so

when the working week begins again they will not all victim to it. It

has been a good exercise in public-private partnership to get

the message out. EC three, top quality computer experts on the

case, where is it from? We do not know yet. A lot of the focus of the

attention by national agencies across the world has been really

about disaster recovery. We are starting to peace together some

samples and we are hoping many authorities around the world now

will look at what this looks like. I will talk to you a lot about

co-ordination and intelligence sharing across Europe but how about

globally? Oettl into America, China, the Russians? In the global

co-ordination is absolutely needed. Our focus is on protecting the

European space. To do that we have the huge trans- Atlantic engagement.

The Americans, the FBI are with us on fighting cyber-terrorism... I

wanted to ask you about the Russians because Russia is a cyber threat but

on this occasion it is fair to say that it was not originated in

Russia. Are you working closely with the Russians? We do not know where

it originated and we are not working closely with China or rush at...

Because you do not trust them? -- Russia. A relationship is different.

Interpol are helping to do that but it is true, this is the landscape we

are working in. There is no single view on how to deal with cyber

crime. Vladimir Putin has gone on the record saying he believes this

is something that originated in the United States and pointed the finger

at the US government. We know that Microsoft and we know that this

ransomware attacks Microsoft windows. Microsoft says that as far

as they are concerned, this ransomware was developed by the

National Security Agency in the US and they were then hacked by the

people who propagated this is ransomware. Can you confirm that is

what happened? No, I have no Independent evidence of that. I have

seen what Microsoft had said and what Vladimir Putin has said. We

have no confirmation. It is a massive exploitation of the flaw

within the Microsoft operating system by a criminal group stop who

developed that flow? That is my question as well. You have just told

me what close ties you have with US sister agencies say he would know if

the NSA was indeed responsible for storing knowledge about the

vulnerabilities in some Windows Microsoft operating systems. We are

still working to get to the bottom of this. Cannot answer that question

today. If I to say someone like that better know my facts were not a year

telling me you cannot tell me all you generally do not know... We have

had 4080 hours during which our focus has been stopping the

spreading of this. The investigation is a high priority but it will take

some time. A different point, the chief officer at Microsoft said

State Security agencies spent a lot of time actually working out the

vulnerabilities of all operating systems but they do not tell us what

they discover and they do not tell us what knowledge say is boring

about vulnerabilities in our systems and it is about time to come clean

about these. Has he got a point? To be honest, and I am sorry to dodge

the question, but you should be asking the security agencies. They

have a job to protect our security. My job is to help police agencies

about criminals. State sponsored actors can be criminals. There is a

blurring of the lines, absolutely, but our primary focus of about those

who are in it for commercial gain. Let's move on, if that is the limit

you can tell me right now to your investigation into the ransomware we

have seen spread around the world. Looking wider at cyber crime, there

are people around the world who look at the scale of it at the moment and

its origins and they point the finger at the Dikili at Russia. --

particularly. At Europol be prepared to echo what has been set in the US,

the National Father Security Centre in the UK, both saying Russia is

responsible for a huge surge in cyber crime at liberty? We see

criminals originating for several countries in the world but we do see

a large proportion coming from Russian speaking places. Not just

Russia. There are a number of regions of concern for art. The

Russian speaking world is one of them. We are speaking where we can

with police agencies around the world. You make a difference between

state-sponsored cyber attacks and criminal cyber attacks but a

comeback to this point you can often described state-sponsored activity

is criminal. Case in point, the allegations of Limerick and may

about Russians cyber meddling in their elections. -- the Americans

made. The Germans are now saying they are braced for Russian activity

in their election as well. Is this something that you are looking at?

No, it is not. I made it clear I working against criminal actors. In

this case it is state sponsored activity against the National

security of those countries and be security agencies in those countries

will lead those investigations. I am concerned about the million-dollar

ransom crime. The multibillion-dollar hacking attempts

on the global banking system is by sophisticated cyber crime groups

developing banking Trojans and other aspects in which Internet technology

has transformed the criminal world. Tell me whether you think important

institutions, both private and public, whether they have made

anything like the right sort of protective measures and actions to

safeguard themselves from what you describe the surge of cyber

criminality? For the banking that which has been in the firing line of

most cyber attacks in recent years, they have learnt through painful

lessons of that they should take this as a top level responsibility

and they have committed to the right kind of investment and strategic

framework and they are still in the firing line and still getting caught

by their protection is much higher and that is why you saw on the

weekend that very few banks in Europe were caught up cause their

defences were quite high. In other sectors, public services, the health

sector, there is a lesson. Many years still using Windows XP which

is very old. We paid this picture of cyber-criminals being these

futuristic geeks that can hit us anywhere and any time. They prey on

the fact that we have vulnerabilities that we do not fix,

that we make stupid mistakes, that we recycle old cyber tools and they

catch us out. They are getting the ASICS right. How is your digital

hygiene at Europol? I think it is a strong. You had to think about that

and that is slightly alarming. You are an agency that is trying to

achieve trust. I am wondering whether your hygiene in this field

of data collection storage is as good as it could be. I think it is.

I pause because I will be honest, there is no organisation that can

get the threat down to zero because of the nature of the cyber-criminal

activity depends on technological advances, a Kishore staff members

are suitably aware of the threat and so on. For the moment we have no

concerns. We take this practice readings from the UK and other

governments. But I am not going to say we're absolutely safe. D using

government cut corners because they cannot or will not afford the

investment to upgrade their cyber defence. I do not think in the end

it is about money but responsibility. It does not take a

lot of money to take systems of XP. The patch older systems. It takes a

recognition that this is a responsibility to put in place a

security framework, to reach out to law enforcement and so on. There are

institutions that give good advice. Follow that and that is 90%... Many

public institutions in the UK have not in following that, why it do you

think it is? It is frustrating, frankly, because in the health

sector there have been multiple ransomware attack in the United

States and Europe long before WannaCry came along. There are

complexities to the IT systems in the health sector which I understand

and are difficult to work around but in the end, this is really about

taking responsibility and sorting this out in the way most global

banks have been doing in many respects.

To you think Europol is capable of keeping up with the abolition of

more criminal activity on the Internet? If a challenge every day

because we see the way in which the Internet helps to conceal the

identity and communication of the offenders, particularly on the dark

net. With see this wonderful technological advances coming out

which is fabulous for society, we all know that. But of course, being

exploited by ever more enterprising criminals and to a certain extent,

terrorists. We are in this difficult challenge, I have to say. But that

is why yielding... Is the gap between what you can do

realistically to police the Internet and you just talked about the

Duckworth and I would like to talk about that some more -- dark Web.

The gap between what you can do and what the bad guys can do, is it

getting wider? The river gap because we are working within legal

constraints, of course we are, and they not. -- there is gap. We have

the combined resources of some of the best investigators around the

world and not to mention some of the wonderful partnerships we have with

the private sector. If we can get that right and exercise that kind of

interconnection between these different communities, we have a lot

of power and we are beginning to show that. A lot of power but

whatever kind of talks you have got, there are places that you can't

shine its -- porch. The dark Web, it has become a huge underground

criminal environment. You talk about the ways in which people, terrorists

or straightforward committals can buy a British passport via the dark

Web, untraceable, for 750 British pounds, about 850 US dollars. You

can't keep up, that's the problem. Well, we find a particular it

difficult to do that, I will be honest with you, particularly on the

dark Web. It is transforming the nature of how criminal markets

function. It has changed the way in which drugs are bought and sold

because it protects the identity of the buyer and seller. We found one

major crypto market on the dark Web back in 2015. Today it is 20.

Selling hundreds of listings of drugs and other commodity. It is

growing and it is very difficult for us to track it. We have had a number

of successes, most recently regarding a major sexual

exploitation network that was operating on the dark web. We are

updating our side that we are in a race with those guys. Is anything

you can see collectively to close down this criminalised dark net or

dark Web? It's difficult to legislate against the dark net. Not

to mention, there is a good part of it that is used for good purposes

are round the world. Those people living in some countries that try to

exercise freedom of speech for example. It will be difficult to ban

the dark Web. What we need to make sure is that the police services and

public security have better capability to investigate this. This

means, I think, especially, having better partnerships with the tech

sector. Are you a fan of governments, and am thinking at

about the British government in the wake of the recent terrible

Westminster attack, you a fan of governments that say, "As a result

of what we learn of the way terrorists operate, using, as they

do, encrypted communications", the politicians' response is that we

need to make sure the people behind those services give us a state

backed door into their system so that when required we can to survey

all people, even on these supposedly encrypted systems. You a fan of

that? I'm not sure the British government asked for a backdoor but

they express some frustration at apps like that do not offer the

ability to monitor the communications of potential

terrorists. We have a means of communication, we can intercept a

telephone call between two people but we cannot interrupted their

WhatsApp messages. So you want total surveillance? No, not absolutely. --

absolutely not. I want to give police investigators around the

world at the right kind of proportionate control and

supervision, the right means by which to protect our public from

terrorism. That isn't the problem the public don't trust a

state-sponsored organisations, people, frankly, such as yourself,

to find the right balance. It is too easy for state actors such as

yourself to use it what you might portray as a 1-off right to turn it

into something which it looks as very much like 20 four sevenths

surveillance, electronically, of everybody, all the time. Rola Winnie

to avoid that. It is clearly not a proportionate way to manage the

balance between privacy and security in a technocratic societies. -- we

need to avoid that. There is something needs to be drawn within

some parts of society and not in others. It is proportionate which is

difficult to do in the Internet because of the technological design.

What are your relationships like with the bosses of successful into

-- Infotech companies? I'm asking because the head of Twitter said

this recently, "Yeah, of course security services in each to keep

people say -- safe but these disproportional surveillance they

are seeking have no place in a democratic society." He will take

that view, I respect that. What I will say is that Twitter is one of

those companies we have an excellent partnership with in terms of

removing terrorist content online. This is a voluntary code of conduct

between us, Twitter, Facebook and many of the other partners, 50 of

them in fact, who have helped us more aggressively take away this

terrorist content in the online space. I applaud Twitter for doing

that. Not every social media company is doing that but most of them are.

It is an example of where sometimes, I think, public and private sector

partners, even in this space, can come together and find their

interests meeting in a way that supports the general public 's'

good. I must ask you, something that has happened since we last spoke to

each other, and that is Brexit. He used it as the director of Europol,

as a Brit. You will be the last British director of Europol, that's

quite obvious. You said to me when we spoke more than a year ago,

fighting crime and terrorism in the UK will be more costly and much less

affective if the country leaves the EU. Are you feeling that today

still? I still feel the uncertainty about what will happen, Stephen.

What I certainly see in the ransomware events of the last few

days, terrorist incidents we have seen, make the point even strongly

than what I was making a year ago. Writing crime and terrorism has

become an international game. We need the closest possible

collaboration in Europe. The extent to which Britain will continue to

have access to it is rather dependent upon and depends upon the

outcome of the negotiations. That sounds somewhat like to read the May

when she presented that Article 50 letter to her colleagues in Europe

saying this, "In security terms, a failure to reach an agreement will

mean our ability to fight against crime and terror will be weakened."

-- Theresa May. Many in Europe thought that was a form of blackmail

and you seem to be playing the same game. You're didn't read the letter

that way and I'm not sure most of those in Britain and read it that

way --. She was steeply stating the reality that co-operation in Europe

is growing because of cross-border threats -- she was simply stating.

Even if you couldn't get a trade agreement or anything else, why are

you conflating and putting the two together? I'm not here to be the

Prime Minister's spokesman that the way I read her letter, she was

simply setting out her strategic objectives under the Article 50

process and she is quite right as putting security is one of those top

line objectives as well as trade. Simply stating the fact that this is

in the common interest of the UK and the rest of the EU to get the right

kind of security deal because of the way in which what it takes these

days to fight terrorism. Let me put it bluntly. Who loses out more if

Britain cannot do a full-fledged security agreement with the 27

remaining members of the EU in the future? Who loses out more, Britain

or the EU member states? This is about the collective security

interests of Europe and I think both sides understand that and we're go

into negotiations with that in mind. We have two went there. Rob

Wainwright, thank you for being on HARDtalk. -- we have to end there.

Here in the UK, winter and spring have been drier than normal.

But could May be the month that bucks the dry trend?