The Rush To Fix Britain’s Cyber Police
Exclusive: TechWeekEurope FOIs expose patchy methods in cyber policing across Britain, as officials start to fret over the impending formation of the National Cyber Crime Unit
When I ask Charlie McMurdie, head of the Met’s Police Central e-Crime Unit (PCeU), if she’s worried about the formation of the National Cyber Crime Unit, her hands cover her eyes in despair, half-mocking, half-genuine.
She knows that in the next nine months, she will be tasked with completing the merger of the PCeU with the cyber arm of the Serious Organised Crime Agency(SOCA), to form Britain’s lead cyber police squad, the NCCU. McMurdie knows this is going to take a monumental effort, one that will see the end of the PCeU, which she helped set up in 2008. She’s fretting over the fact that the NCCU doesn’t even have a proper home yet, nor a boss to lead British cyber policing into a new era. And she doesn’t even know if she’ll still be policing cyber crime at the end of it all.
British cyber police
Freedom of Information (FOI) requests sent out by TechWeekEurope to every police force in the UK have revealed stark differences in records of cyber crime across the UK.
The Metropolitan Police, unsurprisingly, has seen the most action. It saw a rise in Computer Misuse Act offences from 11,181 in 2010 to 12,817 in 2012 (up to November). Yet 997 individuals were charged, less than in either 2010, when 1291 were charged, or 2011, when the number was 1262. Why the drop in charges when the number of offences has risen by over 1,000 in the London area alone? Have the police failed to improve their handling of cyber cases over the last three years? The data may indicate so.
Elsewhere, the police are seeing little cyber-related action, in comparison to other common crimes such as burglary, or vandalism. Indeed, it appears to be declining in many areas, whilst just a handful of individuals have been charged in the last three years.
In Leicestershire, Internet-based fraud offences went down from 298 in 2010 to 167 in 2011 and 143 in 2012, up to November. In Hertfordshire there were just 189 cyber-related offences and 21 charged from 1 Jan 2010 to 1 November 2012. Lancashire recorded 19 Internet-based offences over the same time frame, six under the Computer Misuse Act. Just one was charged – they received a prison sentence, but it involved other connected offences.
Strathclyde reported 466 cyber crimes in 2010, 543 in 2011 but then only 143 between January and October in 2012. Surrey has seen a decline in Computer Misuse Act offences, from 45 in 2010 to 17 in 2012, and it’s only charged one person.
In all FOI responses, there was either a decline or very modest growth in records of cyber crime. That’s despite indications from many sources showing Internet crime is on the rise. Recent figures from the British Retail Consortium showed the overall cost of retail crime in the UK jumped 15.6 percent in a year. E-crime rose to become the most costly of all retail crimes, accounting for 37 percent of the total £1.6 billion lost in one year.
In some cases, police defer recording of cyber crime to the National Fraud Intelligence Bureau (NFIB), but that doesn’t account for the lack of any notable rises in e-crime records across UK forces.
But what do all these figures tell us? They indicate a national patchiness in cyber policing, where forces outside of the Met just don’t have enough capability or willingness to up their efforts, security experts believe. The map below highlights this patchiness, showing differences in the levels of cyber crime and in the quality of records within police forces (those forces not on the map were unable to provide data):
View TechWeekEurope‘s Cyber Crime Map of Britain in a full screen map
“Nationally it is very, very patchy,” says Ross Anderson, professor of security engineering at the University of Cambridge, a man who’s been watching the cyber crime space for over quarter of a century and continues to be an expert witness during court cases.
“I see some very large differences in capability between different forces… but even in the Metropolitan Police I’ve got one or two shocking cases on my desk at the moment for expert witness work, with completely clueless detective constables in outlying police stations.
“Even within the Met it’s a curate’s egg… there are some detective constables who, quite frankly, should be sent back to school.”
Anderson believes a major problem stems from advice handed out by the Association of Chief Police Officers (ACPO) in 2005. The body said victims of cyber fraud should go to their banks when something was amiss, not the police. Police simply don’t have to deal with a lot of cyber crime, because the banks are supposed to be dealing with it, Anderson tells TechWeekEurope.
This has spawned two negative consequences, he says. First, the banks don’t effectively deal with the problem, consumed as they are with other issues, and customers have a torrid time trying to recover their funds and seek justice. Second, the police don’t invest in their digital divisions, and so aren’t effective when they are tasked with investigating a hacking offence.
“If you’re the victim of a scam you can’t even find someone to talk to, let alone get your money back,” he adds. “And the police are unsympathetic.”
Big Data = Big Problems
Big Data, it seems, is also presenting a challenge to police. Amassing information in major criminal cases, where sleuths have to trawl through terabytes on terabytes of information, and then present it effectively as evidence, is something many forces have not gotten to grips with. Indeed, lack of digital forensics capability is perhaps the most concerning gap in cyber policing today. As Anderson puts it, “they’re not wading, they’re drowning” in data.
Peter Sommer (pictured), a digital forensics specialist and another expert witness often called upon in criminal cases, including those on terrorism and hacking, believes all detectives should have at least a basic grasp of handling digital evidence.
“The front-line detective needs to be able to interact and work with forensic technicians. Because of the ever-changing nature of computer hardware and software, and the rapid development of new criminal methods, basic training for all detectives cannot be a one-off exercise but requires relatively frequent refreshment,” Sommer told the Home Affairs Committee carrying out an inquiry into e-crime in December.
“Because of the quantities of digital material available – numbers of computers, mobile phones, tablets etc, plus the ever-increasing storage capacity each holds – selections have to be made. Police refer to this process as triage but insufficient thought has been given to how it is executed – and by whom.”
Sommer believes police need more regional hubs of digital forensic expertise who can assist local forces as and when they’re needed, as part of a tiered approach. And forces should be wary of outsourcing to private groups – if an officer doesn’t quite know what he wants from digital evidence, the tender will be flawed, and the whole process broken from the start, he says.
There’s also a major issue in defining cyber crime and recording it within police forces. The FOI results above, perhaps obviously, don’t cover every kind of cyber crime, as many forces could not supply any data outside of Computer Misuse Offences.
In many cases, crimes that could be deemed as cyber offences are counted as Fraud Act breaches. But many forces don’t have a system where they can log a cyber element, meaning the digital side drops out of the statistics.
McMurdie (pictured below) admits forces are still incompetent at this. “I’ve been banging on about this for the last three or four years – we don’t actually record particularly well within law enforcement, the cyber aspect of our investigations or bespoke cyber attacks,” she tells TechWeek.
This is why, in many of the FOI responses, police forces said they couldn’t trawl through all cases to find crimes with a cyber element. Those who responded with full figures including non-CMA offences, like the Met, clearly had proper recording in place.
But why does recording even matter? As anyone who’s been watching the Big Data boom in the private sector will know, pulling valuable information out of piles of data can provide significant benefits. With a well organised data warehouse – or enough muscle to search unorganised data - organisations can mine information to see where their strengths and weaknesses lie. Keeping proper records, Sommer argues, can help police see what resources are available and in turn improve the effectiveness of cyber investigations.
The NFIB, which gets its data from Action Fraud, a “one-stop national reporting centre” for fraud which works with various organisations as well as the police, should help with the fraud recording. But elsewhere forces have much to improve on when it comes to taking advantage of the reams of data they have access to.
Losing the war
Even police chiefs admit they are losing the fight on cyber crime. At that same inquiry where Sommer raised his qualms, Commissioner Adrian Leppard, of the City of London Police, which is home to the NFIB, admitted the tug of war was being won by the crooks.
“We are not winning. I do not think we are winning globally, and I think this nature of crime is rising exponentially, which is clearly why you are here and asking these questions today,” Commissioner Leppard said. “As a country, we are as far advanced as any other European country, and indeed anywhere else in the world, but we are new in our development.”
Another sign the police are losing the war on cyber crooks came from the NFIB. It recorded 47,543 cyber related crimes in 2012, according to another FOI response. The NFIB found the largest sum reported lost was £600,000 of which just £7,000 was recovered. Crooks are making off with a lot of money and it’s to the detriment of the British economy.
McMurdie is far from naive on the nature of the battle with crooks in the online realm. “You only have to speak to industry to see how much they’re suffering and losing to cyber crime attacks. We haven’t got the capability to respond to all that,” she says.
“I think criminals are moving online – it is far easier for them to move online faster, share knowledge, share how to conduct criminal attacks, or exploit the uses of technology. They don’t have the same barriers and hurdles as us.
“We have done a great job of integrating capabilities, bringing in partners to work with us … but we need to pick up the pace even more so now.”
And that’s why the government is attempting to fix the problem with one body that will deal with high-level cyber crime posing a threat to Britain. It’s also why various hubs are being set up across the UK to work with the National Cyber Crime Unit, hopefully making cyber policing at a local level more effective.
But it is going to be a chaotic next nine months, pregnant with worry about whether SOCA and PCeU forces will combine effectively. SOCA has been charged with tackling the intelligence capabilities for major cyber investigations, PCeU will be on the operational side, taking on investigations and assisting other police forces across the UK.
Anderson worries the high-quality PCeU capability is going to be kiboshed when it is merged with SOCA. “It’ll become useless… this could have dire effects,” he claims.
In McMurdie’s office, she isn’t so downbeat, but there’s a nervousness in the air. “There are loads of issues to consider and manage to make sure that transition is successful and is delivered smoothly without losing our operational capability.”
On 1 October, the NCA and the NCCU will be formally launched. Over the next two to three months, a “shadow capability” will be up and running, showing what the new force will look like. A handful of employees have made the move over to the as-yet non-existent NCCU, but others may decide they’re happier in the Met, which needs to retain cyber skills.
Thankfully, there shouldn’t be any job cuts. The plan is to retain the number of staff at both the PCeU and SOCA, whilst adding another 70 workers. What about McMurdie herself? “Maybe I shouldn’t go into that… there will be a new head appointed for the NCCU, they are doing interviews.”
The logistics of the grand merger will provide significant new challenges. But old ones remain, ones that need eradicating before British police can become truly modern.
One of the biggest is attitude. Cyber operations just do not inspire the same respect as “mainstream” crimes, like burglary or murder. That’s something John Austen experienced in the early 1990s, as a pioneer of cyber policing.
Austen made the first ever arrest for illegal access to a computer system, when he apprehended Robert Schifreen (now a well-regarded author and consultant) on a cold night in 1985, for gaining the login details to Prince Phillip’s BT Prestel Mailbox.
Along with his co-defendent Steve Gold, Schifreen took on the courts for two years, before eventually being acquitted. At the time, there was no law covering computer hacking, so the pair were initially charged and found guilty of forgery. On appeal they proved that hacking was not forgery and were acquitted.
The lack of a legal framework drove governmental and police forces to draw up the Computer Misuse Act – a process in which Austen was a driving force. If the CMA had existed in the 1980s, Schifreen would most likely now have a criminal record.
Austen worked as chair of the Interpol Computer Crime Committee from 1991 to 1996 while, in Britain, he set up the Computer Crime Unit at New Scotland Yard in 1994,and ran it until September 1996.
In the early days of the CMA, judges hadn’t quite grasped what this law was all about. “We had very funny cases at the start – the judges didn’t follow what the legislation was about,” Austen tells TechWeekEurope. “We ended up explaining this new law to them.
“We actually didn’t lose many cases at the start, but we did lose a few where the evidence wasn’t that strong.”
Twenty years on, McMurdie admits that her her team still suffers similar struggles surrounding perception today. “I think it is a lack of understanding… the cyber component isn’t the visible sort of crime that a mugging is.
“It’s why we need this tiered approach. We need mainstream knowledge, understanding, capability, then we need that higher-level regional capability to take on the complex investigations, or those where you need that international aspect. Then you need the National Cyber Crime Unit within that to deal with the sort of cases the PCeU is taking on – high-level stuff.”
Funding is another persistent problem, one that Austen described as “huge” in his day. The PCeU is currently drawing up business plans, asking for more money to accelerate the spread of cyber policing across the UK, bidding for additional regional hubs. Of the nine hubs established thus far, just three have full cyber capability, so the PCeU wants to see more of a monetary commitment from those in Whitehall.
And PCeU has earned it. In 2011, the Coalition asked the division to save the country £504 million over four years by either preventing cyber crimes or recovering funds. To do that, PCeU was given just £30 million. At the start of 2013, the PCeU has achieved well over £800 million in savings.
It’s clear the government is, to some extent, taking the threat seriously. It has invested £650 million of additional funds, although the police get comparatively little of this (see chart for a breakdown of where money has gone thus far), attempting infrastructural reform and talking openly about the problem, as well as joining pan-European and global initiatives to take on cyber crooks. But it’s also clear much, much more can be done.
The formation of the NCCU cyber squad over the next nine months, which hopefully won’t be as rushed as has been indicated, will be crucial to the government’s plans to take on cyber crooks. Yet until greater respect for Internet-based investigations is inculcated across UK police forces, and across Whitehall, this country will continue to be on the losing side of the war on cyber crime.
Are you a security expert? Try our quiz!