Partners against crime How can industry help the police to fight cyber-crime? October 2015

Transcription

1 Partners against crime How can industry help the police to fight cyber-crime? October 2015

2 Contributors to the report techuk would like to thank the following individuals and organisations who contributed to this report: Alasdair MacFarlane, Royal Bank of Scotland Brian Quinn, Her Majesty s Inspectorate of Constabulary Commissioner Adrian Leppard, City of London Police Detective Sergeant Nick Court, City of London Police Craig Jones, South East Regional Organised Crime Unit David Tucker, College of Policing DCC Peter Goodman, National Police Chief s Council DCI Andrew Gould, Metropolitan Police (FALCON) National Cyber Crime Unit, (National Crime Agency) Giles Herdale, National Police Chief s Council Karen Froggatt, Victim Support Mandy Haeburn Little, Scottish Business Resilience Centre Stephen Proffitt, Action Fraud techuk would also like to thank our Justice and Emergency Services Management Committee for all their hard work and involvement in this paper, in particular we would like to thank our Chair and Vice Chairs, Colin Akhurst, Robert Leach, and Chris Jamieson.

3 Report Methodology To inform this report, techuk issued a series of Freedom of Information (FOI) requests to police forces in England and Wales to gather data on the nature of cyber-crime in the UK and police capabilities to deal with the threat. We also undertook a stakeholder interview programme with police leaders and other organisations involved in leading the UK s response to cyber-crime. This was supplemented by desk based research.

4 Contents Executive Summary Introduction Chapter 1. Cyber-crime: what is it and what will this paper focus on? Low impact cyber-crime Summary of recommendations Chapter 2. The current challenges facing policing when tackling cyber-crime Is it really a volume crime? How is cyber-crime recorded? Are cyber-crime incidents being reported? Are victims being supported? Case Study: How is cyber-crime reported and processed? Chapter 3. How has policing attempted to deal with the problem of volume cyber-crime? National Cyber-Crime Unit (NCCU) National Policing Leads Regional Organised Crime Units (ROCUs) The College of Policing Chapter 4. How can industry and policing co-ordinate an effective response to cyber-crime? A new lexicon for cyber-crime reporting Increasing obligations for industry to report cyber-crime incidents Can industry do more to prevent cyber attacks? A renewed focus on victim support A new commercial partnership with industry - service management and accreditation for industry partners Upskilling the workforce: standardised training for police forces The allocation of funding to tackle cyber-crime Industry Working Groups Recommendations Conclusion References

5 Executive Summary THE NATURE OF CRIME HAS CHANGED Digital technology is revolutionising the way in which criminals operate, with nearly all types of crime now having a digital aspect. Whilst traditional crimes like burglary and car theft are falling, those with a digital element, commonly referred to as cyber crimes, are expected to rise. Despite this changing landscape, limited information exists as to the levels of cyber-crime affecting the UK. Until this year, official crime statistics have not recorded cyber-crimes as a separate type of crime. Online fraud, for example, would have been recorded simply as fraud without an acknowledgement of any digital element. Recently, the Home Office has tried to improve this by introducing an online flag that can be used when recording a cyber-crime such as an online fraud. As a result, it is anticipated that the first set of crime figures which include cyber-crimes will show an increase in crime for the first time in 20 years, raising the issue up the political agenda. The limited information we do have suggests that UK policing faces a number of significant challenges when attempting to tackle the problem of high volume, low impact cyber-crime. This is typically defined as vast quantities of unsophisticated cyber attacks directed at individuals and small businesses, from bank fraud to ransomware. This is a challenge that the police cannot be expected to meet on their own and businesses, consumer groups and the cyber security industry all have a responsibility to help tackle the threat. This paper examines the current capability of police forces to deal with low impact cyber-crime and recommends a number of changes to the response landscape, focused on partnerships with the cyber security industry. We believe this offers the skills, capacity and reach that the police desperately need. 1

6 Introduction The UK Cyber Security Strategy 1 identified tackling cyber-crime as one of its top priority objectives, in order to make the UK one of the most secure places in the world to do business in cyber space. This objective committed the Government to: 1. Dedicating resources to train law enforcement about cyber-crime 2. Launching Action Fraud, the UK s first 24/7 fraud and cyber-crime reporting centre 3. Setting up the National Crime Agency (NCA) and the National Cyber Crime Unit (NCCU) to bring together existing specialist law enforcement capability to investigate cyber-crime 4. Improving the response at a local level for those who are victims of cyber-crime 5. Promoting greater levels of international co-operation and shared understanding on cyber-crime Despite these initiatives, cyber-crime remains a strategic problem for policing due to a range of factors, including a lack of capacity and financial resources as well as suitably qualified and experienced personnel. Police forces cannot meet these challenges on their own nor should they be expected to do so. Police forces must play a vital role, but the ability to effectively tackle cyber-crime remains the collaborative responsibility of civil society as a whole including businesses, consumers and the technology industry. This paper will assess the way policing has been working to fight cyber-crime to date, and the current impact this has had. It will also suggest ways in which a closer partnership with industry could help yield more effective results. 2

7 Chapter 1. Cyber-crime: what is it and what will this paper focus on? Cyber-crime is a nebulous term that means different things to different people. The Home Office, along with the NCCU s Strategic Governance Group (SGG), has agreed on definitions to reflect the scope of cybercrime. 2 It has recommended that these terms are adopted by all 43 police forces in England and Wales: Figure 1.0 Home Office cyber-crime definitions From the results of Freedom of Information (FOI) requests we issued to local police forces in England and Wales, techuk found that the use of this terminology was widespread. 95% of the forces that responded use, loosely, the above definitions. However, many of the policing stakeholders that we interviewed felt that using the term cyber to describe these crimes has been unhelpful as it is often not well understood and does not begin to fully unpack the different crimes that can fall under the definition. Financially motivated crimes such as fraud and theft; online stalking, child sexual exploitation, denial of service attacks and unauthorised intrusion into computer systems are just some examples of the wide variety of crimes that can be cyber-enabled or cyberdependent. Although this paper is focused on the response to financially motivated cyber-crime, many of the themes and recommendations running through it will be highly suited to helping the police improve their response to other types of cyber-crimes, such as sexually motivated crimes. Due to the wide use of the term, this paper will continue to use the term cyber-crime to denote cyberenabled and cyber-dependent crimes those crimes that are significantly altered by use of the internet (cyber-enabled) and those that are dependent on digital devices as both the means of committing the crime and its target (cyber-dependent). 3

8 Low impact cyber-crime Over the years, both cyber-enabled and cyber-dependent cyber-crime have become high volume in nature. According to the National Fraud Intelligence Bureau (NFIB), 70% of frauds are now cyber-enabled. It is also estimated that more than a third of UK businesses suffered a Distributed Denial of Service (DDoS) attack in The UK has developed internationally recognised capabilities within the NCCU to deal with the most serious incidences of cyber-crime. 3 The NCCU focuses on investigating: Serious and organised criminal networks operating from overseas that target victims in the UK. Criminals producing products and services which make it easy for criminal networks with little technical knowledge to perpetrate cyber-crimes (the cyber-crime as a service market). However, when it comes to addressing crimes committed by smaller criminal networks or lone criminals, especially those operating from within the UK, the police response will usually be carried out at a regional or local level where the capacity and capability to respond is highly variable. This paper will focus on the cyber-crimes that are addressed at a regional and local level, which we term low impact cyber-crimes. By the use of the term low impact we do not intend to imply that the effect of these crimes on victims is not significant, merely that the financial loss and criminal machinery responsible are considered as being below the threshold to merit a national level policing response. We have applied this term in the absence of any formal categorisation by the police. Summary of recommendations: 1. A new lexicon for cyber-crime reporting A new lexicon for cyber-crime reporting needs to be created to enable the recording of accurate information about the crimes that have taken place and establish what cyber related content contributed to the incident/crime. 2. Increasing obligations for industry to report cyber-crime incidents Companies need to be encouraged to report cyber breaches. More awareness can be made of the current reporting mechanisms so that individuals and businesses know where they should go to report cyber-crime incidents. Bulk reporting tools also need to be made more readily available to large businesses. 3. Businesses should be encouraged to adopt Cyber Essentials Initiatives like Cyber Essentials should be encouraged for companies that hold personal or sensitive information. 4. A joined up approach to Victim Support Consumer groups, the technology industry, policing leads and Victim Support need to form a working group with leading banks, social media companies and retailers to establish ways in which easy to understand, preventative advice can be integrated into peoples ordinary everyday activity online. Funding for Victim Support should also be better co-ordinated across different police forces. 5. A new commercial partnership with industry The establishment of a Managed Service Provider model would help the police contract the specialist cyber skills that they need, on a short or long term basis, from a variety of companies that are accredited and managed by the Managed Service Provider. 6. Enhanced role for the College of Policing The College of Policing, working with the Managed Service Provider, can play a national role in accrediting private training providers and courses in order to ensure that there are national standards for cyber-crime training courses. 7. Increase funding that law enforcement receives to tackle cyber-crime Government should review the allocation of funding that is given to law enforcement to tackle cyber-crime via the National Cyber Security Programme (NCSP). 8. The creation of joint police/cert-uk and industry working groups More industry/law enforcement joint working groups should be created, in conjunction with the Computer Emergency Response Team (CERT-UK), for key sectors such as online retail, critical national infrastructure and oil & gas. This will help share cyber threat information in real time, creating dynamic investigative capabilities within key business sectors. 4

9 Chapter 2. The current challenges facing policing when tackling cyber-crime Cyber-crime in the UK is rapidly increasing and placing a strain on policing resources. Whilst larger police forces, such as the Metropolitan Police Service (MPS), have dedicated cyber-crime units that can tackle volume cyber-crime, other smaller forces do not have the capacity or resources to address the growing problem. 5 Other threats have also emerged, such as modern slavery, which have demanded the attention of local police chief s and Police and Crime Commissioners (PCCs). This, coupled with problems in the way in which cybercrime was previously reported, along with significant under-reporting of cyber incidents, has made it even more difficult for police forces to complete a comprehensive picture of cyber-crime in their local area. This chapter will look at the challenges for policing in tackling cyber-crime in the UK through analysing: The growing number of cyber-crime reports that are reported both to Action Fraud and disseminated to local police forces; Whether previous cyber-crime recording mechanisms have helped police forces fully understand the scale of the local threat; Whether cyber-crime is being properly reported by businesses and individuals; The difficulties in giving support to victims of cyber-crime. Is it really a volume crime? techuk issued 25 FOI requests to local police forces to assess the number of cyber-crime incidents that were reported to them in The statistics that we received show that, despite issues with the under-reporting of cyber-crime (which will be addressed later), the number of cyber-crime reports made to Action Fraud and local police forces are increasing year on year. Due to the increasing number of cyber-crime reports that are made and the lack of capacity at a local level to deal with the problem, only crimes that have a reasonable line of investigative enquiry get passed on to local forces to investigate and therefore result in a judicial outcome. 6 5

10 Figures 1.1 and 1.2 below show the amount of cyber-crime reports that Action Fraud received in the financial years of 2013/14 and 2014/15. As these figures show, the number of cyber-crime reports made is increasing, from 230,845 cyber-crime reports in 2013/14 to 248,200 in 2014/15. Figure 1.1 Crime reports received and processed by Action Fraud in the financial year 2013/14 Figure 1.2 Crime reports received and processed by Action Fraud in the financial year 2014/15 6

11 Local police forces are also experiencing high levels of cyber-crime reports, with a large majority of fraud cases now being cyber-enabled. For example, in Warwickshire, 3,204 reports of fraud were made by victims living in the force area covered by Warwickshire Police between January 2013 and March 2014, with 2,037 of those cases estimated to be cyber-enabled. The majority of these complaints were from online shopping and auctions (18%), retail fraud (11%) and advance fee frauds (11%). 7 Similar figures of cyber-crime reports were witnessed by West Mercia Police. Of the 4,952 incidents of fraud reported from April 2013 March 2014, 3,466 were estimated to be cyber-enabled. In Avon and Somerset, 2,345 cyber-enabled crime incidents were recorded in From the small sample of figures highlighted above, and through feedback that we received through our stakeholder interview programme, it is clear that cyber-crime is increasing and should be regarded as a volume crime. 8 How is cyber-crime recorded? The way in which cyber-crime has historically been recorded has not, up until recently, helped police chiefs understand the growing nature and full extent of the volume of cyber-crime offences being committed. This has made it challenging for some local forces to accurately assess the scale of the problem they face and to allocate resources accordingly. Out of the 25 forces that techuk issued FOI requests to, around 50% surveyed could not supply us with accurate figures of cyber-crime reports without manually analysing every crime in their recording systems. This is because, until recently, there was no mechanism on police recording systems for local forces to highlight that a cyber-enabled or cyber-dependent crime had taken place. The other commonly used source of crime statistics is the Crime Survey for England and Wales (CSEW). This measures the extent of crime in England and Wales by asking people whether they have experienced any crime in the past year and records crimes that may not have been reported to the police. This is intended to provide a picture of crime trends and be used as a useful benchmark against police recorded crime. The CSEW has, however, also previously been unable to help police chiefs understand the full extent of cyber-crime because, up until this year, it did not ask respondents about a host of cyber-crimes. When compared to a victimisation survey commissioned by the London Assembly, which specifically asked respondents about online experiences, there are discrepancies. For example, a higher proportion of people surveyed by the London Assembly had been a victim of online crime than more traditional crimes like burglary 9, a statistic that is not currently reflected in official police records. Since 1st April 2015, the Home Office has sought to rectify this problem through requiring police forces to highlight cyber-crimes by means of issuing a mandatory flag against offences carried out online. The scope for this online flag is wider than either cyber-enabled or cyber-dependent crimes and also includes internet facilitated crimes and crimes with a digital footprint. 10 This years CSEW has, for the first time, included questions on cyber-crime. The statistics which take into account these new questions were released in October 2015 as part of a regular quarterly update from the Office of National Statistics (ONS). 11 These developments resulted in crime figures increasing. 12 Since 2013, Action Fraud has also attempted to help local forces build a comprehensive picture of cybercrime by sending them detailed information of all the crimes reported by victims in their local area, regardless of whether these crime reports had been formally disseminated or not. This information, along with the recent developments in cyber-crime recording flags and the additions to the CSEW, will help local forces build a more accurate and comprehensive understanding of volume cyber-crime at a local level. This will help build a better intelligence picture of the threat and facilitate more informed decisions on the allocation of resources. 7

12 Are cyber-crime incidents being reported? Despite the reporting mechanism highlighted on page 9, under-reporting of cyber-enabled and cyber-dependent crimes amongst both the public and businesses continues to create challenging problems for police forces. 13 In a City of London Police submission to the London Assembly s Online Crime Working Group, it was estimated that more than 1.5 million cyber-crimes (costing around 12 billion) were not reported by individuals and businesses in 2013/14. This meant that, in , about 85% of fraud and cyber-crime offences were not reported to the police. 14 According to a survey by Get Safe Online, only a third of cybercrime victims reported the offence to the relevant authorities. 15 Under-reporting of cyber-crime is a major issue for police forces and occurs for a variety of reasons: 16 Cyber-crimes were seen as too trivial and/or dealt with internally by businesses; Individuals and businesses not realising that they had been the victim of a crime; Not knowing where to report a cyber-crime report to; Not believing that the police can do anything about a cyber-crime report; Fear of the reputational damage that reporting a cyber breach may have on an organisation. This presents a number of challenges for the police. If police forces are not receiving reports of cybercrime incidents in their area, they are less likely to fully understand the scale of the local problem and less likely to consider cyber-crime within their Strategic Threat and Risk Assessments (STRA). 17 This is significant as the STRAs support tasking and co-ordinating processes and ensure that operations are not conducted in isolation. They give local forces an idea of what level of cyber-crime training they should provide, what resources they should allocate to tackle cyber-crime and what specialist capabilities they need to procure to help deal with the threat. Therefore, under-reporting of cyber-crime is having a material effect on policing s response and the resources applied to the problem. Are victims being supported? The significant effects that cyber-crime has on victims are well documented, with factors such as stress and anxiety listed as known common effects. Victim Support, a charity that provides emotional and practical support to victims of cyber-crime, has found that cyber-crime can have long lasting impacts, the scale of which is underappreciated. The charity works closely with the Get Safe Online campaign, a leading source of online safety information, to whom they signpost victims for practical advice. 18 The level of support on offer for victims however is variable. Victim Support receives separate funding from all 41 different Police and Crime Commissioners (PCC), all of whom dictate different priorities. 19 Whilst the charity continues to have a national reach it no longer provides local victim services in some parts of the country, such as Staffordshire and Cambridge, where the local PCC has contracted other providers. This can lead to disparities in the care provided to victims depending on where they live. Organisations such as Action Fraud have cultivated a relationship with Victim Support, which has gone some way in starting to ensure consistency in the level of support available to victims. Victim Support does not however have a central point of contact within law enforcement for non-financially motivated cybercrime, which is significant in order to provide a co-ordinated service of care for victims. The support that is given to victims is important in not only helping victims form accurate witness statements, which can be crucial for a prosecution case, but also in increasing confidence in the police and encouraging further reporting of cyber-crime incidents. Effective victim support can also include preventative advice on how people can stay safe online, reducing the number of cyber-crime incidents and alleviating the volume of cyber-crimes that are reported to police forces. 8

13 Case Study: How is cyber-crime reported and processed? Figure 1.3 below shows the different routes that victims of cyber-crime can use to make a report to the police and how the report is subsequently investigated. As evidenced in the diagram, cyber-crime can be reported in either one of two ways either through a local police force (who would then refer the cyber-crime report to Action Fraud) or directly through Action Fraud, depending on the crime type and circumstance. Figure 1.3 Cyber-crime reporting routes Members of the public and businesses can report financially motivated cyber-crime to their local police force or online and over the phone to Action Fraud. If the crime is reported to a local force, the force would refer it to Action Fraud. Action Fraud then pass on all fraud cases to the National Fraud Intelligence Bureau (NFIB). After the report has been analysed it will either be: Disseminated to / back to the victim s local police force to investigate or to the force where the suspect is believed to reside. The local force may then decide to formally escalate the specific case to the NCA should they feel the need to. Not referred for investigation but kept as intelligence if it is judged that there is not sufficient evidence to investigate the crime. Cases can be retained for intelligence in order that they can be referred to at a later date for instance if they link to cases which are reported afterwards. The cases retained for intelligence can also be used to disrupt criminal enablers such as bank accounts, websites and telephone numbers 167,000 requests to remove such services from criminals were made to industry by Action Fraud in 2014/ Since 2013, Action Fraud also send detailed information to local police forces on all cyber-crimes reported by victims living in their force area, irrespective of whether they have been disseminated or not. 9

14 Chapter 3. How has policing attempted to deal with the problem of volume cyber-crime? In order to address the challenges outlined above, there has been a concerted effort over the past three years across policing to deal with the approach to volume cyber-crime at national, regional and local levels. National Cyber-Crime Unit (NCCU) At a national level this effort has resulted in the creation of the National Cyber Crime Unit (NCCU), located within the National Crime Agency (NCA). The NCCU leads the UK s national response to organised cybercrime groups and provides a specialised investigative response to the most serious incidents of cyber-crime. The NCCU s remit is primarily to look at the higher end of the threat spectrum, including disrupting the tools that enable cyber-criminals to execute attacks and communicate with one another (such as socalled bullet-proof hosting and forums). The NCCU therefore establishes good working relationships with international partners to tackle cyber-crime. The NCCU does have a strategic co-ordination function, leading cyber partnerships across law enforcement through its work on the Cyber Crime Strategic Governance Group. The Strategic Governance Group brings together policing leads, industry representatives and cyber experts; providing oversight of all strategic partners operational activities and campaigns. The NCCU also has a role in looking at criminals and victims based in the UK, in particular in response to emerging threats. It does this in part through supporting partners with specialist capabilities, or Cyber Specials ; volunteers from the private sector with expert computer skills who can be called in by the police or the NCA to tackle a specific cyber threat. National Policing Leads The national landscape for tackling cyber-crime and building policing capabilities is complex as digital pervades the majority of crime types and policing activities. In recognition of this, the National Police Chief s Council (NPCC) has brought together existing work within the Digital Investigation and Intelligence (DII) framework, developed and led by Chief Constable (CC) Stephen Kavanagh. This addresses the spectrum of digital criminality from internet facilitated crime (anti-social behaviour online) to cyber-enabled crime (fraud and indecent images of children) through to cyber-dependent crimes (malware). It also recognises that the digital footprint left by users of digital services is a vital investigative tool that all police officers need to be aware of, as well as the specialists who will need specific skills and tools to undertake complex investigations. This agenda builds on and includes work on cyber-crime and social media, as well as digital forensics, communications data and open source intelligence. 21 Deputy Chief Constable (DCC) Peter Goodman, in his capacity as the National Lead for Cyber-Crime, has also been tasked by the NPCC to ensure that cyber-crime is at the forefront of local force s strategic assessments. Working with the City of London Police, DCC Goodman has been commissioned to provide a force-by-force analysis of what cyber-crime looks like in different areas. 22 This work is intended to help Chief Constables make informed investment decisions and help local forces to build a picture of the volume of cyber-crime in their particular area. The NPCC, together with the College of Policing, NCA and Home Office has also established the DII Capabilities Management Group (CMG), chaired by CC Kavanagh, to co-ordinate and align the work to build digital capabilities across policing. Working closely with DCC Goodman and Deputy Chief Constable (DCC) Ian Hopkins (National Police Lead for Digital Engagement) the CMG programme works to address the skills, knowledge, processes, tools and partnerships that policing needs in a digital age, and as such is informing Spending Review and Strategic Defence and Security Review (SDSR) planning. The CMG includes a specific workstream to build collaboration with industry and academia, in recognition of the reality that policing needs different partners to address digital challenges

15 Regional Organised Crime Units (ROCUs) At a regional level, policing has expanded regional cyber operations within Regional Organised Crime Units (ROCUs). The ROCUs have been set up across England and Wales, with joint funding from local police forces and the Home Office, to provide stronger specialist policing capabilities to local law enforcement, of which cyber-crime investigation is one. DCC Goodman approached the Home Office in 2014 and put forward a business case for creating cybercrime investigative capabilities within ROCUs through the creation of regional cyber units. The remit of these units within the ROCUs is to support regional forces by investigating the most serious incidents of cyber-crime impacting their respective regions, provide a networked response to national cyber incidents and support NCCU campaigns. Where cyber-crime incidents cross-geographical boundaries, the ROCU s co-ordinate investigations and provide expertise to local forces. 24 Acting as the single point of contact to support local police forces in dealing with cyber-crime and helping victims, the cyber investigators within the ROCUs increase the level of investigative skills of local police forces. The ROCUs now have a total of around 70 cyber specialists working within these units across nine regions. 25 DCC Goodman is also in the process of installing Cyber Protect officers within each of the ROCUs and an equivalent in CERT-UK, the National Computer Emergency Response Team, who will draw on latest intelligence and send weekly updates to the ROCUs. These officers will be responsible for the creation of Regional Cyber Security Information Sharing Partnerships (CiSPs), the first of which was opened in the East Midlands in 2014 and brings together regional businesses, academia and law enforcement in order to share information and increase threat intelligence. Some of the ROCUs also have representatives from industry or academia supporting their work. For example, both the East Midlands and South West ROCUs have relationships with the University of Warwick and Bournemouth University respectively, with lecturers sitting on their regional cyber capability teams. Cyber Security Information Sharing Partnership (CiSP) The Cyber Security Information Sharing Partnership was launched in March 2013 and is a joint industrygovernment initiative that faciliatates greater information sharing of cyber threats and vulnerabilities between members. The platform is part of CERT-UK, the National Computer Emergency Response Team, and its aims is to increase overall situational awareness of the cyber threats and therefore reduce the impact on UK businesses. As of June 2015, over 1000 organisations and 2900 individuals are members of the CiSP. Members are able to exchange cyber threat information in real-time whilst operating on a platform that protects confidentiality. In August 2014, the East Midlands saw the creation of the first regional CiSP, which brings together regional businesses and academia with police and government to share and report cyber security information. The College of Policing The College of Policing, as the professional body for policing, has also taken steps to ensure that cybercrime knowledge is seen as a core part of any investigator s knowledge. In 2014, the College produced a framework on capability which regional forces could use to assess their progress in establishing resources, practices, processes and skills to tackle cyber-crime. 26 Following on from this, eight e-learning packages were designed to help develop cyber skills; four awareness raising training programmes designed for all officers and four targeted at those whose role it is to investigate cyber-crime. The aim was to set out to train 6,000 Detectives throughout the year with its Mainstream Cyber Crime training course, which was based mainly on exploiting open source intelligence and will give officers a basic understanding of local, regional and national capabilities. 27 This new training forms part of the development of the College s Authorised Professional Practice (APP) on cyber-crime. This will draw on existing best practice and offer guidance to forces that are lagging behind. It is, however, worth noting that APPs are not mandatory and police forces are able to deviate away from the guidance. 11

16 Chapter 4. How can industry and policing co-ordinate an effective response to cyber-crime? As the previous chapter shows, there has been a concerted approach nationally, regionally and locally by policing leads over the past few years towards more effective tackling of volume cyber-crime. Policing cannot, however, be expected to meet this challenge alone. Both industry and civil society has a role to play in order to help stem the volume of cyber-crime from continuing to rise year on year. This chapter will look at the structural changes that can be made both within and between industry and policing in order to have a co-ordinated, effective response to the threat of cyber-crime. This chapter will recommend changes that can be made to the: Language used when recording cyber-crime: Many senior officers feel that the current definitions used for cyber-crime are not properly understood by frontline officers. A new lexicon for cyber-crime reporting can help to avoid further confusion. Obligations on industry to report cyber-crime incidents and share threat intelligence: Cyber- Crime is significantly under-reported, particularly by businesses. More can be done to encourage further reporting and threat intelligence sharing, from new bulk reporting tools to the creation of new reporting apps. Preventative measures put in place by industry: Some businesses are still not putting basic preventative measures in place to halt the rise in cyber attacks. Initiatives like Cyber Essentials should be encouraged for companies that hold personal or sensitive information. Support that is given to victims: A joined up approach between businesses, police forces and organisations like Victim Support needs to be at the forefront of any new cyber-crime strategy. Way in which police source capability and work with industry to ensure availability of specialist skills: Police forces need a more flexible mechanism to contract specialist skills, on a short and long-term basis, which enables small specialist suppliers to contribute their skills and experience in a more flexible commercial relationship than has existed to date. Standardisation of cyber-crime training: The College of Policing should work with industry in accrediting private training providers to ensure that there are national standards that training courses meet before they are purchased by local forces. The College of Policing s Authorised Professional Practice (APP) on cyber-crime should also be mandatory. Funding that law enforcement receives to tackle cyber-crime: Government should review the allocation of funding that is given to law enforcement via the National Cyber Security Programme (NCSP). A new lexicon for cyber-crime reporting Although the Home Office definitions of cyber-crime are used by the majority of police forces across the country, the responses we received during our interviews indicated that many senior officers feel that the definitions for the different types of cyber-crime are not properly understood by some frontline officers, which could lead to disparities both in how cyber-crime is recorded and in the support given to victims. This can cause difficulties for cyber security providers, who need to understand the different threats affecting a local area in order to supply the police with the correct specialist services and tools. If a police officer filing a crime report does not understand a particular crime from a technical cyber perspective, they are more likely to change the charge to something that they do understand in order to progress an action against the perpetrator of the crime, i.e. a cyber theft of intellectual property from a business may end up as asset misappropriation fraud. techuk recommends that: A new lexicon for cyber-crime reporting is developed; Analytical tools, provided by industry, are used to help understand the different types and trends of cyber-crimes for each force and/or region. Industry can work with the College of Policing to develop a new lexicon for cyber-crime reporting, enabling the recording of accurate information about the crimes that have taken place and how they have been perpetrated. This will build an accurate intelligence picture of criminal activity and also an accurate profile of the skills that are needed by policing to fight cyber-crime. 12

17 Increasing obligations for industry to report cyber-crime incidents As seen in Chapter 2, there are a number of reasons why cyber-crime is significantly under-reported, from victims not knowing where to submit a cyber-crime report, to businesses afraid of reputational damage. In order to encourage more reporting of cyber-crimes, particularly amongst industry, techuk recommends that: Awareness of current reporting mechanisms and reporting tools is increased; Action Fraud, in partnership with industry, create reporting apps for PCs and mobile devices; Bulk reporting tools are made available to large businesses; Industry makes a commitment to sharing cyber threat information with law enforcement through working groups like the Virtual Task Force. Awareness of the current reporting mechanisms for cyber-crime needs to be increased so that individuals and businesses know where they should go to report cyber-crime incidents. Studies have shown that the reluctance to report a cyber-crime stems in part from the, often mistaken, belief that a cyber-crime report will not be properly investigated. 28 Making more people aware of Action Fraud and its business reporting tool is therefore essential. Members of the public also need to be made aware of the fact that even cybercrime cases that are not resolved are used for investigative purposes. This will help encourage more people to report cyber-crime incidents. Action Fraud, with support from industry, can go further and develop reporting apps for PCs and mobile devices that provide an easy interface for the public and SMEs to report cyber-crime and to provide digital evidence to the police. These apps could also be developed in different languages in order to assist victims that do not have sufficient proficiency in English and face difficulties in reporting through Action Fraud s telephone operator or online portal. Bulk reporting tools also need to be made more readily available to large businesses who often face multiple attempts by criminals. These online tools can allow businesses to report multiple instances of cyber-crime more efficiently by submitting multiple cyber-crime reports at a time. This is important as it would reduce the time that it takes for a business to report a breach. Action Fraud is currently piloting a bulk reporting tool that will allow businesses to report attacks via a CSV file. 29 The launch of this tool should be publicised via industry bodies such as the British Chambers of Commerce (BCC) and the Confederation of British Industry (CBI) and should make it easier for businesses to report multiple incidents of cyber-crime. Can industry do more to prevent cyber attacks? Despite high profile cyber-crimes occurring every month, some businesses are still unaware of the need to protect themselves from cyber attacks, whilst larger businesses still do not align their cyber security strategies with their overall risk appetite and risk tolerance. 30 According to Government figures, 60% of small businesses experienced a cyber breach in Despite this, it is estimated that two thirds of small and medium sized businesses (SMEs) do not consider themselves to be vulnerable to an attack. Furthermore, only 16% see cyber-security as a top priority for techuk recommends that: Businesses put in basic preventative cyber security measures and adopt Cyber Essentials and Cyber Essentials Plus ; The London Digital Security Centre model, a resource for businesses that provides cyber security guidance, is rolled out across the country in conjunction with the roll out of regional CiSPs. Businesses themselves can do more to help the police deal with volume cyber-crime. To start with, all businesses should put into place proportionate cyber security measures to make sure that, whether large or small, they are resilient against the 80% of cyber attacks that could be prevented by basic security controls. 33 Some of these measures are inexpensive and easy to implement, such as strong passwords, updating software and deleting suspicious s. In order to lessen the burden on policing, companies should also be encouraged to adopt frameworks such as Cyber Essentials and Cyber Essentials Plus. The Cyber Essentials framework is already a requirement for any company that wants to supply to central Government. The technology industry should work with government to consider how more businesses could be made aware of these frameworks and be encouraged to adopt them. 13

18 Cyber Essentials Cyber Essentials offers a foundation of basic cyber hygiene measures that all types of organisations can implement to significantly reduce its vulnerability. Although it is not designed to address advanced targeted attacks, Cyber Essentials defines a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes. The Assurance Framework, leading to the awarding of Cyber Essentials and Cyber Essentials Plus certificates for organisations, has been designed to be achievable at low cost. The two options give organisations a choice over the level of assurance they wish to gain and the cost of doing so. It should be noted, however, that Cyber Essentials is only a minimum level of protection and not a checklist for complete safety. Further preventative work can also be done with both the public and businesses to help minimise cyber incidents and highlight the importance of cyber-security. In London, for example, the Mayor s Office for Policing and Crime (MOPAC) has set up the London Digital Security Centre (LDSC). The centre offers a range of core, subsidised cyber-security services to SMEs along with advice and awareness raising about the importance of strong digital security. Industry is a key supporter and partner of the LDSC, providing premises and resources for the centre to use and representation on its steering group. More SMEs could be reached by rolling out the LDSC model to major cities in conjunction with the NPCC s regional roll-out of the Cyber Security Information Sharing Partnership (CiSP). In order for any roll-out to be effective, the support that industry has given to the LDSC has to be replicated across the country. London Digital Security Centre The London Digital Security Centre (LDSC) is a resource for businesses of all sizes, but mainly aimed at small and medium sized enterprises (SMEs), that provides the latest cyber security guidance. The LDSC was set up by the Mayor s Office for Police and Crime (MOPAC) in June 2015 in order to provide a one stop shop for businesses to gain cyber-security guidance, skills and expertise. Funded jointly by the mayor s office and the private sector, the organisation is modelled on the successful Scottish Business Resilience Centre. The model brings industry together with the Metropolitan Police Service, the National Crime Agency and the City of London Police, with MOPAC overseeing its programme of activities. The organisation will be fully operational in October 2015 and will include secondments from the police and industry. A renewed focus on victim support As highlighted in Chapter 2, support for victims varies by police force area and is not currently co-ordinated. In order to provide a consistent service to victims a joined up approach between police forces, businesses and organisations like Victim Support needs to be at the forefront of any new cybercrime strategy. Funding for Victim Support also needs to be better co-ordinated across all of the different police forces that fund it. techuk recommends that: Funding for Victim Support is better co-ordinated; Diagnostic question sets are developed for police officers to use with victims of cyber-crime; More preventative work is carried out to help individuals stay safe online. More focus needs to be placed in developing diagnostic question sets for police officers to use when taking statements from victims and witnesses who are not cyber-literate, to help form accurate witness statements. Currently, some prosecution cases can fail because victims and witnesses are not cyber literate enough to effectively communicate to an officer the exact nature of the crime that has been committed. 34 Such advice will help officers gain the right information from witnesses and produce accurate witness statements for use in court. These can be developed with the help of industry training providers. As well as helping those who have become victims, more effective preventative work needs to be done to raise awareness about how individuals can stay safe online. Although there is a lot of good information available, like current reporting channels, it currently relies on people finding it rather than integrating into platforms that are already widely used. Consumer groups and policing leads need to form a working group with leading banks, social media companies, retailers and the wider technology industry to establish ways in which easy to understand, preventative advice can be integrated into peoples ordinary everyday activity online. Industry support for initiatives like Cyber Streetwise need to also continue. 14

19 A new commercial partnership with industry - service management and accreditation for industry partners Many of the senior police officers we interviewed highlighted a lack of resources and capacity as a key obstacle to tackling cyber-crime. Many a time, the decision as to whether to pursue a cyber-crime case came down to an issue of capacity. As well as a lack of funding, a shortage of appropriate skills at a local level was also one of the main barriers to effective investigation. Currently there is no national framework used by the police to contract cyber security suppliers. Police forces are often tied into long term contracts with one supplier, which leads to the technology that they hold becoming outdated as the market moves on. 35 Small specialist suppliers, who typically hold innovative solutions, are often locked out of contracts and are unable to supply the police. techuk recommends that: The Home Office creates a Managed Service Provider (MSP) that would help the police contract the relevant skills that they need; The MSP accredits cyber security companies, consultants and training providers. In order to help the police access specialist services from innovative cyber security providers, what is required is a new way of thinking about the supplier/buyer relationship. The police should be able to easily access a flexible range of specified capabilities and skills from local, regional and national companies. techuk proposes that the Home Office sets up a model whereby forces can contract for the skills they need, on a short or long term basis, from a variety of companies both large and small that are accredited and managed by a Managed Service Provider (MSP). The MSP would create templated work packages based on a proper assessment of local force demand against the lexicon of cyber/digital crimes and incidents. All suppliers who have services that can match these demands will be able to apply for accreditation to supply cyber security services to the police through the MSP. The police will hold sensitive and confidential data related to a particular investigation. Under the strict governance and security rules, which will be implemented by the MSP, access to data (which may be required by the supplier in order to solve the problem), will be properly secured according to the new security policy framework. The diagram below sets out how techuk envisages this model could work as a partnership between police forces and specialist suppliers, in which a middle component the MSP - exists to manage interactions and maintain the flexibility and agility that is needed to tackle a crime as dynamic as cyber. The MSP will provide the co-ordination between the buyer and supplier, vetting (both financially and security-wise) and accrediting suppliers according to strict rules laid down by the Home Office. The recommendation is that the MSP should comprise appropriate representation from the buy and supply side. Figure 1.4: Potential structure for a Managed Service Provider 15

20 The MSP will maintain a technology capability to enable relevant datasets to be copied and accessed securely by the successfully commissioned supply side organisation(s). The MSP will be formed by and comprised of representatives from both police forces and industry. It will form, apply and run a formal governance body which would be responsible for managing the legal and commercial framework underpinning the relationship between buyer and supplier. It will also apply quarterly checks on the accredited suppliers, particularly relating to their financial position and resource availability, so as to prevent police forces from entering into unproductive, long term contracts with companies. There are many potential advantages to using such a model. The bulk of evidence gathering and analysis could be outsourced to industry experts, freeing up police officers to pursue investigatory work. Forces would also have access to cutting edge techniques and better visibility of the market. Specialisms sit within industry and policing needs a flexible framework to draw on these in a way that offers value for money. A particular example could be in the field of digital forensics, where policing has a skills shortage. Currently, senior offices feel that industry services in this area are expensive and slow. Through a model based on the one outlined above, the MSP could provide a cloud based digital forensics centre through which forces could purchase solutions from a number of suppliers. This could provide a cheaper and easier solution to the way in which digital forensics cases are currently outsourced. Similarly, policing could also use such a model to engage consultants with expertise in fields that they temporarily have a high demand for, such as network investigations (the monitoring and analysis of a network after an intrusion has occurred). The MSP could be responsible for verifying the accreditations of such consultants and acting as the forum through which they could supply their services to police forces. THE MSP MODEL IN PRACTICE: HOW IT WOULD WORK A police force has identified a significant exposure in a residential area where a number of homes have reported repeated small monthly losses from bank accounts. Action Fraud is made aware of some of these instances and in this case has referred matters back to the local force. The local force does not have the resources to investigate but takes part in the newly established MSP model whereby a pre-agreed and secure managed framework exists through which they can access assistance from pre-accredited local and/or regional suppliers. The force describes the problem via a template-based process which ensures that only relevant local/ regional suppliers that have been pre-qualified to address the particular type of issue respond to the request for assistance. A number of organisations bid, quoting pre-agreed day rates against resources whose skills meet the criteria for resolving the problem described in the template. The force then selects the company they wish to work with. 16