Hong Kong-Based Security Expert Talks Early Cyber-Crime, Career Path

On Sept. 17, “Task Force 7 Radio” host George Rettas was joined by former Hong Kong Police Force officer and the current Managing Director of Kroll’s Asia Pacific Cyber Risk practice, Paul Jackson. Rettas discussed the guest’s storied background, and the overall state of forensics, espionage and incident response.

The program began with a discussion of Jackson’s move into law enforcement in the 1980s. The “TF7 Radio” guest said that after answering a newspaper advertisement, he moved to Hong Kong in 1988 to join the Royal Hong Kong Police Force.

Emergence of Technology

It was an interesting time to get his start, as technology “opened up” in the 1990s, and the British handed the territory over in 1997. Jackson moved from maritime police boat chases to the intelligence bureau (telephone tracing) to early-stage cyber-crime, and at a time of great political importance.

Explaining the police force, Jackson said that as one central unit, Hong Kong was charged with combating smuggling crimes – due to gaps in legislation which made it easy to stash goods, luxury cars and more items. For years, Jackson fought comparable street crime with the unit.

He said shortly thereafter, the “time was right” to move toward technology. Because the mobile phone market opened up in Hong Kong in about 1995, the police needed a way to understand the technology they were using. Jackson was asked to head up a team to interface with the telecom industry, which was his first move from uniform policing. In the Criminal Investigation Department (CID), he was able to rely on his technical background (having studied it).

By 1998, Jackson was a part of a team educating people how to properly use the Internet, as more and more companies and consumers got onboard. This move led him into the world of forensics, which was also emerging in the late 1990s and early 2000s. He said he was “fascinated” by the space, seeing as there were “no manuals,” and law enforcement had to learn as it went.

Jackson also cited a monumental murder case with having solidified computer security as a component of criminal investigation. The case of note: Robert Kissel, who was murdered by his wife in 2003; the trial leaned on computer activity to build a case against his wife. Jackson said without forensics and computer evidence, it would have been harder to prove it was murder rather than manslaughter.

See Related: Security Execs Talk Facebook CSO, 'Single Pane' & Strategy

Next Steps

Due to the law enforcement structure, in order to get a promotion, Jackson said he would have had to pivot away from technology crime. This led to his decision to leave police work.

However, he had some wise words for policemen combating cyber-crime today. “Computer crime is transnational,” he said. “The key to successfully solving crime is when you can pick up the phone with somebody (located) on the other side of the world, inform them that a crime is occurring now and that the nexus is in their country, and get it done quickly.”

Jackson transitioned from police work to a large financial institution (JPMorgan Chase). “I found that I could hold my own,” he said. “It was daunting when I first moved across (to Asia) and joined the police force as a leader, at 22. You learn the hard way, you sink or swim. You don’t quite get that in the corporate world. So bringing that to the table was important, and went a long way. Also, (I brought) technical knowledge, as we (in Hong Kong) were leaders in training courses… I was surprised at how much I could bring to the table.”

Jackson was ultimately tasked with coming to New York for the role. He called it “daunting” and “bold,” but since he had also retained his sense of adventure, he opted to come to the Big Apple.

“It was a battle,” he added. “This was a major bank in the U.S., and I was coming to it as a foreigner… But in the time I was there, we built one of the world’s best capabilities, and I left with my head held high when I went back to Asia.”

See Related: Onfido CTO Discusses Identity Verification, Blockchain, ML

Consulting Work

Jackson spent additional time with JPMorgan Chase abroad, but again opted for a change – this time toward consulting. The move came because he said within the financial organization, things ran fairly smoothly in the regions, so not being a part of the “mothership” meant not as many high-priority cases. He told Rettas it was time for a “new challenge.”

“I haven’t regretted it since,” Jackson added. “Everyone has their own way of dealing with things. It’s nice to come in with my experience and guide (them) with decisions when in crisis.”

On being a consultant, Jackson said one “sees so much,” but typically once the problem is fixed, you move on to a new challenge. So, you don’t necessarily get to see the long-term stability. However, on the governance side – in acting as a virtual CISO or Data Protection Officer (DPO) – you’re helping to build frameworks and sustain security controls. He called this practice “quite satisfying.”

Having served as a consultant in the region, Jackson was also able to provide his assessment of cyber-crime capabilities abroad. He said that in Asia, many companies were “slow to catch up” and some issues were “swept under the carpet.” However, he said that dynamic is changing now, as more reporting obligations are driving transparency in the enterprise.

The “TF7 Radio” guest said that the most systemic problem is still widespread cyber-crime – and the same challenges that folks in the U.S. face (e.g., business email compromise (BEC) leading to wire fraud), plus espionage concerns in China.

Asked about allegations against China of lifting trade secrets, intellectual property and more for a competitive edge, Jackson said, “I see what other people see… I have fabulous connections in China. I’ve worked with the Chinese police for many years.  Staying connected with people, and building networks around the globe, including China, is priceless when fighting crimes.”

He said espionage concerns are a piece of that, but wider cyber-crime is equally as concerning, and police forces up and down the country are struggling to fight it.

The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.

To listen to this and past episodes of "Task Force 7 Radio," click here.

Connect with Jackson on LinkedIn, here.

Be Sure To Check Out: Security Expert Defines Privileged Threat In CSHub Webinar