UK’s National Cyber Crime Unit Speeds Searches by 10x with Analytics Platform Powered by AWS

Cybercrime costs the United Kingdom (UK) billions of pounds each year. Leading the fight against this constantly evolving threat is the National Cyber Crime Unit (NCCU), part of the National Crime Agency (NCA). The NCCU supports law enforcement partners with specialist capabilities and coordinates the national response to the most serious cybercrime threats.

For more than four years, the NCCU has been developing a cloud-based platform for data analytics, built on Amazon Web Services (AWS) with the help of Contino, an AWS Premier Consulting Partner. Shifting from on-premises infrastructure to the cloud has allowed the NCCU to focus more on its mission and less on procuring hardware and managing infrastructure and licenses. Compared to its on-premises infrastructure, the AWS platform offers a tenfold increase in search performance while removing the cost of maintaining the hardware.

An NCCU spokesperson says, “Previously, we had on-premises infrastructure, which required a lot of management and prevented us from doing the data science we wanted
to do. Our small tech team spent a considerable amount of time building and managing infrastructure. This was a problem, because our recruitment and retention are based
on providing people with engaging and challenging work fighting cybercrime, not administering IT.”

The analytics platform at the NCCU began with a small data analytics pilot using services including Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Relational Database Service (Amazon RDS). Within a year, the NCCU found ways to free up even more time for its data scientists by introducing advanced managed services like the Amazon EMR big data platform and AWS Glue, a serverless data integration service.

Contino was instrumental in this progression. An NCCU spokesperson says, “We relied on Contino’s years of experience in developing an AWS Landing Zone for customers working in public safety. Contino brought a unique perspective that included both the delivery of cloud capabilities and upskilling of our officers to build on AWS.”

Security of the platform is essential, and Amazon GuardDuty helps protect it against malicious activity. As a law enforcement agency, the NCCU conducts rigorous due diligence of its suppliers, especially those who will be handling sensitive and potentially harmful data.

“Moving data outside of our perimeter is not a decision we take lightly. The transparency of AWS, its shared security model, and the access we had to documentation and experts assisted us on that journey considerably,” says an NCCU spokesperson.

The platform’s capabilities soon became known across the NCA. When the agency gained access to a criminal communication network as part of a multinational operation of 10,000 UK users—where the sole use was for coordinating and planning the distribution of illicit commodities, money laundering, and plotting to kill rival criminals—it had to act quickly to process incriminating messages.

“For us, it’s about preventing harm and protecting the public,” says a spokesperson. “We had a flood of unstructured data and had to operate swiftly to reduce harm to the public.”

The NCA tasked the NCCU because it knew the NCCU data platform had the capability to start segmenting data into categories for human investigators to analyze, plus the scalability to expand from tens of users in the agency to 300—more than ever before. The team had just two weeks to prepare for what would become the UK’s largest criminal investigation.

Because the platform was already approved from a security and compliance perspective, and because all infrastructure existed as code, reproducing parts of it was a straightforward exercise.

To automate the preprocessing of data, NCCU experts used AWS services including Amazon Textract to pull data from written or scanned text and Amazon Comprehend for natural language processing. The NCCU relies on Amazon Simple Storage Service (Amazon S3), in particular its write-once, read-many Object Lock feature that’s useful when segmenting data and storing it securely from an evidential perspective.

“Our data scientists could probably have devised ways of analyzing this data themselves,” says a spokesperson. “But when we have more than 200 threats to life, we can’t afford to spend time doing that. Using off-the-shelf services from AWS enabled us to go from a standing start to a full capability in the space of hours. If we were to build it ourselves from scratch, that might have taken over a month of effort.”

As of July 2020, the criminal operation has led to more than 750 arrests as well as the seizure of $74 million (£54 million) in criminal cash, 77 firearms, and more than 2 metric tons of Class A and B drugs.

Thanks to AWS machine learning and artificial intelligence capabilities, plus Contino’s continued support and enablement, much of the data processing work required in the investigation could be reused from other projects.

Senior staff were therefore free to focus on hard-to-solve issues that have a higher mission impact.

The success of the project has given the NCA confidence to collaborate in the development and use of capability with the regional organized crime units—making better use of the combined resources of the UK’s law enforcement community.