29.04.2026
A Conversation with David Silva Ramalho: Cybercrime, Incident Response and the Legal Challenges that Businesses Cannot Afford to Ignore
We spoke to David Silva Ramalho, a member of the firm’s Criminal, Regulatory Offences and Compliance Team who coordinates the Digital Defence Team. We asked him about the most common mistakes made in the hours immediately following a cyberattack, how technologies such as cryptocurrencies and encrypted communications are transforming criminal investigations, and how a truly integrated approach — combining legal and technical expertise — differs from a purely technological response.
1. What is the most common mistake made by companies when they discover that they have fallen victim to cyber fraud or a cyberattack, and how could this jeopardise the investigation or future defence?
The response to cybercrime varies depending on the specific type of attack. The requirements differ in the case of cyber fraud (also known as CEO fraud or business email compromise) from those encountered in ransomware or hacking attacks. While it is important to act immediately to freeze funds in the destination account in the case of fraud, involving the originating bank, the destination bank and the authorities, the response to infiltration of the IT system is more complex. The response to this type of attack is based on three pillars: containment, decision-making, and communication.
The first pillar involves adopting urgent measures to ensure that the attack has stopped, i.e. that it is not continuing or spreading. The second pillar involves immediately securing specialist legal and IT support for incident response, as well as establishing a direct line of contact between the support team and decision-makers within the organisation. It is through this coordination that the response plan will be defined, including rapid response and crisis management measures. These measures may include decisions regarding internet access management and its impact on business continuity, or even, in some cases, contact management with the attacker. I am well aware that best practice dictates that one should neither speak to nor negotiate with attackers.
However, this is easier said than done, for example, when a ransomware attack locks down an organisation's entire IT system. In such cases, the choice is between following best practice and ensuring the survival of the business. Thirdly, the necessary communication channels must be established: internal (within the organisation), external (with stakeholders, data subjects, and potentially affected entities), with the relevant authorities (e.g. the Public Prosecutor’s Office, the National Data Protection Commission, the National Consumer Protection Commission, ANACOM, and the Portuguese Securities Market Commission), and, if necessary, with the public, via the publication of statements and responses to the media. The most common mistakes occur within these areas: when the attack is not effectively contained and persists or spreads during the response; when there is no solid decision-making structure or legal and technical support, leading to delayed or incorrect decisions; and when there is no proper communication, exposing the company to serious regulatory and reputational risks.
2. Has the use of cryptocurrencies, encrypted communications and dark web platforms made investigations more difficult structurally, or merely made them more sophisticated?
A well-known author on these matters has cited a passage from a US Supreme Court ruling handed down in 1925 which states: 'It is well known to all that the radical change in the transport of people and goods brought about by the introduction of the motor car, the speed at which it travels, and the ease with which malicious individuals can evade capture, have increased significantly and encouraged the commission of crimes'.
What can be said about that decision is not very different from what I will say next. When this judgement was handed down a century ago, the question was whether the widespread adoption of cars would change the nature of crime, since criminals would now be able to move more quickly, and owners of these vehicles, driven by a hope of impunity, could evade the police more effectively. Today, the question is the same, as is the answer: yes, technology used for good can also be used for criminal purposes, making investigations more difficult. The result is the same as ever: investigations must be conducted differently.
This adaptation of investigations to crime takes three forms: improving the law, particularly by reducing the bureaucracy of international judicial cooperation, as is being done with the e-Evidence Regulation and the Second Additional Protocol to the Cybercrime Convention; training the authorities to understand technology and the criminal phenomenon, and to know how to investigate and distinguish between crime and legitimate use of these technologies; and investing in technology.
For example, investigations involving crypto-assets in 2010 and subsequent years were particularly challenging, and individuals using crypto-assets for criminal activities had a reasonable expectation of short-term impunity. Nowadays, however, tracing assets on the blockchain can be easier than tracing fiat currency, provided one has the appropriate tools and knowledge.
The Dark Web provides anonymity and allows illicit markets to proliferate in plain sight. For a long time, it was considered a haven of impunity, but almost every month, we see news of these markets being taken down, which shows that investigations have adapted. Encryption hinders investigations, which is indisputable. Yet the reality is that even platforms designed for encrypted communications, such as Telegram, have cooperated with the authorities and have been hacked by them. Cybercrime drives the sophistication of criminal investigations, so it is only natural that it remains one or two steps ahead. But sooner or later, one way or another, the investigation gets there.
3. In proceedings involving the mass collection of messages, such as in the Encrochat and Sky ECC cases, what evidential issues are currently being discussed in court, and what impact might they have on the defence?
The Encrochat and Sky ECC cases introduced novel problems to criminal proceedings. The Anom case, in turn, introduced further, perhaps more serious, problems of a different nature, but these will be discussed at a later date. The wide-ranging problems that have arisen in the first two cases stem from the fact that these proceedings were based on intrusive conduct by the authorities.
This conduct was not fully disclosed to the public and involved the infiltration of smartphones and servers, as well as the analysis and sifting through of a vast number of messages. Apart from the exploitative nature of the investigation — an unspecified group of people were targeted on the basis of generic, probabilistic suspicions regarding the criminal nature of their communications, without detailed, individualised assessments — there are problems arising from the lack of transparency regarding the methods used. Others arise from the fact that the means used to gather evidence are not admissible in many legal systems, raising doubts as to whether such evidence can be imported. Yet more problems arise from doubts about the reliability of the evidence, particularly regarding Encrochat, given reports of missing messages in exported conversations.
These issues have been raised in numerous national, European and American courts, and it is anticipated that the Court of Justice of the European Union will also examine them from a different angle. However, in the overwhelming majority of cases, the courts have ruled that the evidence is valid. Yet decisions to the contrary are beginning to emerge.
4. Many companies continue to respond to digital incidents solely from a technological perspective. What legal risks does this isolated approach pose?
Incident response is, by definition, at least both legal and IT-related. The IT department identifies the attack's vectors, characteristics, and technical impact, blocks it, and prevents its recurrence by implementing technical cybersecurity measures. Meanwhile, the legal department establishes the terms of the response, manages the attack's impact, mitigates the company's and its leaders' liabilities, helps determine the responsibilities of internal or external parties, controls risk, intervenes in the decision-making process, and essentially protects the business, its people, and its reputation. The two aspects are complementary and indispensable.
5. Morais Leitão created the Digital Defence practice to address these challenges in a coordinated manner. How does this integrated approach work in practice, and when is it crucial to involve a specialist team?
There are two things that distinguish this approach: the way it was conceived and the way it adapts. Digital Defence is not simply a service created to respond to cybercrime and cybersecurity issues. Rather, it emerges from the realisation and structuring of an existing reality. We have been working on these issues for many years, attending national and international events where the best solutions are often discussed behind closed doors. We have been involved in all aspects of these matters for a long time. We design and implement cybersecurity solutions, respond to incidents, liaise with authorities and clients, and manage crises. We also represent both victims and defendants in almost all types of cybercrime in criminal proceedings.
We deal not only with cyberattacks, but also criminal proceedings involving hacking, fraud, ransomware, money laundering using crypto-assets (such as bitcoins, altcoins and memecoins), DDoS attacks, cyberstalking and computer fraud, to name but a few. We are familiar with national and international practices and have practical experience in prevention, response and enforcement. We have used this experience to set up a comprehensive service addressing all the challenges arising in these areas and to constantly update the way we create solutions and solve problems.
The most recent example is that of crypto-assets. We started handling cases where we needed to trace crypto-assets to identify either the destination of funds unlawfully taken from victims or the legitimacy of crypto-assets seized from defendants in criminal proceedings. Initially, we carried out this tracing using open-source tools, but then we specialised in the field and sought certification and the right tools to do this work more effectively.
Similarly, when we needed to find a way to reliably collect digital evidence in accordance with the best forensic practices so that its validity would not be questioned at trial, we sought out and implemented the appropriate technological solution. It is our practical experience and participation in the right forums that help us adapt our solutions.
There is an old joke, featured in some films, that illustrates our approach well: a lost tourist asks a musician in New York how to get to Carnegie Hall. The musician replies: 'Practice, practice, practice'.
Digital Defence is a cross-disciplinary practice area at Morais Leitão, developed through many years of experience in cybercrime, cybersecurity, and crisis management.