WIREDGOV

techUK hosts roundtable discussion with Commissioner Adrian Leppard QPM, City of London Police

The City of London Police, the UK's lead for economic crime, has called for change in the way the Government responds to high volume cyber-crime.

On Tuesday 10th March, techUK was delighted to welcome Commissioner Adrian Leppard QPM, of the City of London Police, to update its Justice and Emergency Services Group on the forces' expanded responsibility for economic crime and its role in tackling the growing cyber threat. In what was an engaging session, the Commissioner was keen to gauge what service providers could provide to the police. He spoke about the evolution of the cyber threat, the need to adopt a change in the mind-set of response and how industry might help. It became clear that given both the scale and fast paced development of the threat, and law enforcement's capability gap in responding, there is a need for both industry and the wider public to take action.

A growing problem

The City of London Police hosts a small territorial force with jurisdiction over the Square Mile. However, it is the national lead for economic crime, and hosts the National Fraud Intelligence Bureau. The force is therefore very well placed in assessing threats posed by cyber-crime. Via memorandums signed with banks, together with data from the National Fraud Agency, the force has estimated that 80% of cyber-crime goes unreported to the police. This is primarily because banks are happy to write off incidents as costs, thereby costing the consumer collectively and funding ongoing cyber-criminality. The Commissioner reported that the scale of the threat is much greater than we think, so much so that it may have even surpassed what drugs have delivered to the criminal economy.

Having outlined the scale of the threat, the Commissioner turned his attention to its nature. There is increasing sophistication seen in attacks. Malware intrusion can now take place over longer periods of time with perpetrators 'spear-phishing' administrators and installing anonymous software routines via their 'insider', thereby going under the radar of operating systems. Conversely, another trend is the lack of technical skill required by organised criminals to conduct attacks. It is now relatively easy to procure hacking services on anonymised networks online, usually from abroad where UK law enforcement has no territorial reach.

Changing the 'mind-set of response'

The police are severely hampered in their ability to respond to cyber-crime and require a fundamental change in mind-set. All forces recognise the threats posed and are trying to develop cyber skills. The College of Policing, for example, has introduced learning modules specifically focusing on cyber skills. Among those already employed by the police, there was only a 2% take-up on this training and with ongoing cuts to the sector, it is unlikely the police can fully address the cyber security skills gap. The force has estimated that of the 20% that actually goes reported, only a further 20% of cases receive an adequate response from law enforcement.

The dearth in the police's capacity to respond to cyber-crime is compounded by its extraterritorial nature. The Commissioner acknowledged the role Europol and Interpol can play in forming a coherent trans-national response but this can only go so far; there will always be those operating beyond our jurisdiction.

Further complicating the domestic picture is the willingness of banks to write off incidents of fraud as costs, making it harder to gain an accurate reported figure behind the volume of cyber-crime.

Given these capability gaps, and the diffusion of power from law enforcement, the Commissioner called for changing our collective mind-set concerning a response to cyber-crime. Traditionally the police have been governed by a mantra of precision; they seek to understand the nature of a problem before putting specific actions in place to prevent it from occurring. It has become clear that this approach cannot be extended to the threat of cyber-crime and, as such, the Commissioner advocated a return to thinking of a defence in terms of 'who has the biggest castle'. This approach would prioritise victim support and crime prevention measures, accepting the infeasibility of prosecution in many cases.

How can industry help?

From the offset the Commissioner was keen to engage with industry on what support it might provide the police in its response to the high volume of cyber-crime, particularly as it plays host to much of the vulnerability enabling cyber-crime. He welcomed industry and government standards on vulnerability such as the UK Government Information Assurance Maturity Model, ISO27001, CESG's 10 Steps to Cyber Security and Government's Cyber Essentials scheme. By adhering to and promoting these standards, industry can improve the UK's collective defence against cyber-crime. techUK will therefore continue to advocate public-private collaboration in this space. Members have the chance to get actively involved in the London Digital Security Centre (LDSC), a public-private initiative focused on helping businesses protect themselves from cyber-crime. The LDSC will be the "go to" resource, providing the latest cyber industry guidance for all sizes of business but providing particular support to the SME market. It will launch in May 2015 after techUK members are briefed at the end of April.

It was widely agreed however that due to the increasing reporting of cyber-crime, and the widening capability gap, prevention alone will not be enough. In line with the growing appetite from both industry and the Commissioner to collaborate better, he welcomed the development of proposals to explore how industry might be able to respond to the gap in capability for the investigation of low-level cybercrime. This would involve granting industry partners access to law enforcement data to identify cases that should be prioritised for pursuit. The detail of this would need to be worked through and developed. techUK looks forward to working with the Commissioner as it develops a whitepaper on this issue for publication in June.