E-crime - Home Affairs Committee


3  Law enforcement and legislation

New national law enforcement landscape

46. RSA told us that it was necessary "for the government to start taking a more proactive approach to tackling e-crime, rather than relying on the largely reactive structures currently in place". They noted that one "notable exception" was the highly successful Child Exploitation and Online Protection Centre, which actively sought to prevent the sexual abuse of children and catch those involved in perpetrating these crimes. RSA suggest that the Government consider expanding "this pre-emptive policing framework to confront other forms of cyber crime head on".[48]

47. In response to such criticism, the Government has proposed changes to the national law enforcement e-crime landscape. The National Crime Agency (NCA) will be established by the end of 2013 under provisions granted by the Crime and Courts Act 2013 and will sit at the centre of the reformed law enforcement landscape.

48. As part of the NCA, it is proposed to establish a National Cyber Crime Unit (NCCU), to focus on tackling two types of cyber crime:

a)  crimes that can only be committed by using computers and the internet, and that occur where a digital system is the target as well as the means of attack. This includes attacks on computer systems to cause disruption (for example Distributed Denial of Service (DDoS) attacks[49]), and the stealing of data over a network, often to enable further crime (for example through the spread of viruses and other malware, or computer and network intrusions (hacking)).

b)  "existing" or traditional crimes that have been transformed in scale or form by the use of the internet, such as fraud or the sharing of indecent images of children. The growth of the internet has opened up a new (often global) market for these crimes, which allows for a degree of anonymity, operation on an industrial scale, and has created new opportunities for organised criminal groups to finance their activities.

49. The Home Office told us that by focusing on these two categories of cyber crime the NCCU will use its resources and skills to tackle the most sophisticated areas of cyber crime, whilst supporting the NCA and wider law enforcement in taking responsibility for tackling cyber-enabled crime. This principle of supporting general law enforcement to assume responsibility for tackling cyber-enabled crime, rather than looking to a specialist cyber unit to lead, will underpin the work of the NCCU. It will bring together the national law enforcement response to cyber crime under one roof. This single capability to work closely with other partners, such as GCHQ, is intended to strengthen the UK's overall resilience and incident response to cyber threats.[50]

50. The Government intends that the third type of cyber crime, that of crimes that are facilitated by the internet, will be tackled by usual policing. The Police are mainstreaming cyber awareness, capacity and capabilities throughout their service.[51]

51. The Home Office argues that the National Cyber Crime Unit will deliver a range of benefits to the current law enforcement response to cyber-enabled crime, including:

  • A single, high-profile law enforcement lead dedicated to combating organised cyber criminals;
  • A more targeted focus on the most serious incidents of cyber crime, removing the criminals who facilitate cyber-enabled crime further downstream;
  • A stronger, more cohesive response to the most serious cyber-enabled crime;
  • Dedicated resources to drive a step-change in cyber capabilities across law enforcement, police service and wider partners;
  • Stronger partnerships at all levels, including delivery of a single point of contact for rapid response to dynamic threats and closer engagement with industry and academia;
  • Closer joint working with the Security and Intelligence Agencies through improved ICT connectivity and intelligence sharing.[52]

The diagram below illustrates the key changes envisaged to law enforcement under the NCSP.


52. In its evidence to our inquiry, RSA cautioned that the Government:

    "must ensure that NCA's remit, and the boundaries and inter-relationships with other agencies involved with e-crime, are well understood by all. Furthermore, it is imperative for the agencies currently involved in the response to e-crime to continue functioning at their optimum level throughout the transition process to prevent criminals taking advantage of any potential lapses in effectiveness or increased vulnerability".[53]

53. We welcome the steps being taken by Government to bring together different cyber crime units into the NCA to form a single National Cyber Crime Unit. This rationalises the current confusing plethora of different agencies and police organisations involved and should enable a more co-ordinated approach, strong strategic leadership and development of the elite level of skill required to tackle this cyber war.

54. We were concerned however that the National Fraud Reporting Centre and the National Fraud Intelligence Bureau based in the City of London Police were not being transferred into the NCA. In our view it makes sense to concentrate the national reporting, investigative and intelligence structures for e-crime in one organisation. We were surprised at the decision given the formation of the new economic crime command in the NCA and given we were told that the UK was the main online target of gangs in 25 countries.

55. The Committee's report on grooming published earlier this year found that sexually exploited children were still being failed by statutory agencies, and the recent court cases of Mark Bridger and Stuart Hazell have highlighted the role of online indecent images in child abuse. An NSPCC Freedom of Information request revealed that five police forces alone had seized 26 million indecent child images and 2,312 people were arrested for such offences last year. CEOP also estimates there are 50,000 indecent child images on Peer2Peer networks. We are therefore alarmed that CEOP is having its budget cut by 10% over 4 years, its experienced Chief Executive is leaving and it could lose its laser-like focus when merged with the NCA.

56. We also note DCS McMurdie's comments that e-crime sentences are too lenient. We were surprised by the fact Anonymous hackers who cost Paypal over £3.5m were given sentences of 7 and 18 months and do not believe they would have received such sentences had they physically robbed a bank of £3.5 million. The DPP should review the sentencing guidance and ensure e-criminals receive the same sentences as if they had stolen that amount of money or data offline.

REGIONAL AND LOCAL CAPABILITY

Regional hubs

57. One of the key aims of the Government's Cyber Security Strategy is to improve the understanding of e-crime and the skills to investigate it across the police service. The Strategy commits the police to:

a)  Mainstream cyber awareness, capacity and capabilities throughout its service;

b)  Encourage the use of 'cyber specials' to bring in those with the required specialist skills; and

c)  Increase law enforcement agency capability on e-crime and develop new training to do so.

58. Police Central e-Crime Unit has delivered three regional e-crime hubs to build on its national capability and improve regional capability and response times. The hubs were launched in February 2012 and are based in the North West, East Midlands and Yorkshire and Humber.[54]

59. We welcome the establishment of regional hubs to support and develop local capacity and skills. Mainstreaming e-crime investigative skills throughout the police force is key to improving capacity across the board. We welcome the work currently being undertaken by Police Central e-crime Unit and others in this area.

60. However, commitments to improve mainstream skill levels have been around for years and practice has not so far matched rhetoric. We hope to see clear evidence that the work promised is being undertaken and clear benchmarks to measure if skills are improving.

Processing Digital evidence - digital forensics

61. The profusion of data and the multiplication of devices upon which it is stored make it impossible for the police to examine all data and devices which may contain information relevant to investigations. The police refer to the process by which they decide what potential digital evidence to seize and examine as triage. Some of our witnesses suggested that insufficient attention was paid to how and by whom such triage was conducted.

62. In her evidence to the Committee, DCS McMurdie said that work was being done to train all front line officers in the search and seizure of digital material and that the option of training digital scenes of crime officers was also being considered.[55] Andy Archibald, the Deputy Director of SOCA's Cyber Crime Unit, told us that SOCA were training officers as Digital Forensics Officers.[56]

63. Professor Peter Sommer, who acts as an expert witness in digital forensics, supported the move to improve digital forensics in-house. He reasons that it is vital that the forensic team work with the investigating officer in order to reconstruct events accurately. Both Professor Sommer and Professor Anderson assessed current capacity in the police as patchy. They found pockets of excellence, in SOCA and the Police Central e-crime Unit, but more widely there was still a considerable lack of necessary skills.

64. We welcome the development of specialist Digital Scenes of Crime and forensic officers and note that the search and seizure of digital material should only be done when it is proportionate.

International capacity and cooperation: working in partnership and obtaining evidence from overseas

65. The majority of cyber criminals operate outside of the UK's jurisdiction; SOCA told us that this hindered identification and prosecution. Criminal groups were able to base themselves in a number of different jurisdictions and could therefore operate from countries with weak criminal sanctions for online offences. The Police Central e-crime Unit found it difficult to obtain evidence from countries with whom the UK had no established relationship.[57] Andy Archibald, Deputy Director, Cyber and Forensics, Serious Organised Crime Agency, told us that "relationships had to be worked at and worked at hard. We need to identify those countries that have the greatest impact on the UK, and how we can leverage some assistance or some co-operation from them".[58] In order to do this, he explained, placing staff in international partnerships was pivotal:

    We have relationships in a number of areas internationally - with Interpol, with Europol, with the Commonwealth Cyber Initiative - and we have liaison officers in some key locations overseas. In relation to the EU, we have a member of staff with a cyber skill background embedded in the development of the European Cybercrime Centre, which will go live in January. We want to influence the direction and the vision for that unit to ensure it complements the UK approach.[59]

66. In its one year report on the Cyber Security Strategy 2011, the Cabinet Office highlight international cooperation as being crucial to building 'a vibrant and secure cyberspace'. It says the UK has worked towards this by:

  • Encouraging wider adoption of the Budapest Convention on cyber crime, putting in place compatible frameworks of law that enable effective cross-border law enforcement and deny safe havens to cyber criminals
  • Building a wide network of international partners
  • Strengthening relationships with traditional allies and building relationships with a 'broad range' of countries
  • Improved international cooperation to tackle cybercrime through legislation and operation work
  • Established the Cyber Capacity Building Fund

67. DAC Hewitt argued that the most important tool for getting results internationally was establishing a strong relationship between law enforcement agencies:

    'primarily from our perspective the Police Central e-Crime Unit, which is the main operational unit that is hosted currently within the Metropolitan Police, has developed very strong relationships with most of the key countries and law enforcement in the key countries with which we work, and the Crown Prosecution Service does likewise with the prosecuting authorities'.[60]

The Cabinet Office's forward plan for the Cyber Security Programme included the objective of building cooperation between the UK and international law enforcement agencies including more joint operations.

Obtaining digital evidence from overseas

68. Increasingly, the police require access to digital evidence held outside UK jurisdiction. In evidence to us SOCA and Police Central e-crime Unit described the difficulties associated with established processes for obtaining such evidence. For example, obtaining evidence through Multi-Lateral Assistance Treaties (MLATS) was described as being extremely slow (with it often taking months for them to get the evidence they needed) and resource intensive. Detective Chief Superintendent Charlie McMurdie, Head of the Police Central e-Crime Unit, commented:

    One of the issues around that is the timeliness of the response and the volumes of data that we are looking for, and then the legislation for that country to be able to approach the service provider to get the data on our behalf or for them to progress that.[61]

69. We were alarmed to hear from police witnesses that they often experienced difficulty in retrieving data from sites based abroad. We hope that such companies will adopt a more constructive attitude going forward and be willing to engage with public authorities. They reap huge financial benefits from the public entrusting them with their data and they should be willing to be open and accountable for the actions they take with it.

EU Justice and Home Affairs measures

70. Under Protocol 36 of the Lisbon Treaty the UK has the option to opt out of police and criminal justice measures adopted under the Maastricht Treaty, provided it does so before December 2014 when the measures will be adopted under the Lisbon framework, thus giving the Court of Justice of the European Union jurisdiction. The Home Secretary has signalled her intention to opt out of these measures. The option applies to all measures en masse. The UK will then be able, subject to agreement by the EU, to opt back in to any of the measures it decides will be of use.

71. There are at present 133 such measures. They can be divided roughly into the following groups: instruments intended to influence substantive criminal law; instruments intended to influence criminal procedure; instruments relating to police co-operation; and instruments designed to secure mutual recognition.[62] A number of instruments that fall into the last two categories could have an effect on the UK's ability to tackle e-crime.[63]

72. The international scope of e-crime provides a strong argument that the UK should focus on increasing cooperation between police forces in other states and making these mechanisms as effective as possible. As the proportion and volume of crime with an online element increases, we expect more police investigations to straddle international boundaries, and more evidence relating to the offences against the UK and its residents to be located in overseas jurisdictions.

73. To this end, we cannot understand why the UK has refused to support funding for the new Europol CyberCrime Centre C3 which facilitates vital cross-Europe information sharing. E-crime does not recognise country borders and it is essential that we have strong international cooperation to ensure offenders are brought to justice and citizens protected. Strengthening our defences and international investigation capacity will save money in the long term and we recommend that the UK supports additional EU funding for the Centre.

74. We are deeply concerned that EU partner countries are not doing enough to prevent cyber attacks from criminals within their countries on the UK. We will return to this matter in our inquiry into the proposal to opt out of the EU police and criminal justice measures which were adopted before the Treaty of Lisbon entered into force.

Reporting and recording e-crime

CURRENT UK CRIME RECORDING PRACTICES

75. Currently only violations of the Computer Misuse Act 1990 are recorded as electronic crimes. Crimes carried out using the internet that are defined as offences in other statutes are recorded as an offence under the substantive legislation.[64] There is no central recording of crime by the method by which it was committed. For example, online frauds such as lottery and dating scams are recorded as violations of the Fraud Act 2006 and not as e-crimes. The Home Office told us that it is taking steps to improve the identification of e-crimes within recorded crimes and crime surveys.

76. Some of our witnesses stated that even crimes that violate the Computer Misuse Act 1990 are usually recorded according to the criminal's intent. For example, a Denial of Service Attack would probably be recorded as extortion if its perpetrator was using it to blackmail the website owner. A phishing attack could also be recorded as fraud or money laundering. Witnesses say this is largely due to the Crown Prosecution Service's perception that the Computer Misuse Act 1990 exists to fill in gaps in other forms of legislation.[65]

77. Indeed, some of our witnesses also raised concerns regarding the recording and reporting of fraud. The Foundation for Internet Policy Research said that the previous Government's policy change, which saw victims of fraud reporting the crime to their banks in the first place rather than to the police, meant that the rate of recorded instances of fraud understates the reality. FIPR points to the British Crime Survey, which shows that UK households are twice as likely to be victims of fraud as of traditional acquisitive crime.[66] It added that the 2005 policy change had:

    "caused the fraud statistics to go down, but it opened up an even larger gap than is usually the case between the crimes reported through the police, on the one hand, and the crime levels reported through victim surveys on the other. Now, for most practical purposes, official recorded crime is useless in determining the level of fraud"[67]

78. The National Trading Standards Board has also questioned the utility of the current reporting and recording system:

    It is fair to say that the current recording mechanisms probably are not adequate because you tend to find that the illicit activity would get recorded as a general fraud or a consumer protection legislation issue in terms of, for example, a trademarks offence if they were counterfeit goods. They tend to get classified under those areas, but the e-crime element is not necessarily always picked up. Therefore, it is fair to say that there is probably a large-scale under-reporting of e-crime and its true economic impact.[68]

79. The British Retail Consortium says that one of the main problems faced by its members in reporting e-crime was the lack of clarity about case acceptance criteria for reporting online fraud or crime to national agencies. It told us that its members often spent time preparing detailed reports expecting the relevant agency to accept the case but then found that their case had fallen short of the acceptance criteria and needed to be reported locally.[69]

Action Fraud

80. The Government has made 'Action Fraud' the single national reporting centre for financially motivated online crime. Since August 2011 Action Fraud has had the capability to record the enablers of fraud in fraud reporting. Between its launch in August 2011 and April 2012, 49,037 reports of fraud were made to Action Fraud, of which 45% were enabled online. The City of London Police say that the majority of traditional frauds have been eclipsed by fraud with an online element.[70]

IMPROVING RECORDING PRACTICES

81. A number of our witnesses recommended the introduction of a new field on crime reporting forms to indicate whether or not there is digital evidence related to the reported crime. This would enable the police to build a clearer picture of where digital evidence was important and to allocate resource accordingly. It would also inform decisions about the amount of resource needed in the field of digital forensics.[71] When we put this to Deputy Associate Commissioner Martin Hewitt, the ACPO lead for e-crime, he acknowledged that more information would enable the police to build a better intelligence picture, but he doubted that victims and the person receiving the report would have the level of knowledge needed to accurately record details about how the crime was carried out.

    "The more information we have the better. Recording the method relies on a level of knowledge within the victim and a level of knowledge within the person who is receiving the report to do that effectively, but I think we are trying to get towards that.... The more information the better, but I don't think necessarily the answer is going to be just having more expansive MO submissions on the crime reports".[72]

82. We welcome the online Action Fraud reporting function. We recommend that a clear link to the Action Fraud website is placed on websites where people are likely to experience attempted fraud or visit when they believe they have been a victim of online fraud such as police forces, banks, email providers, trading standards.

83. Current recording practices are inadequate to give an accurate picture of the extent to which reported crime is committed over the internet. We recommend the introduction of an additional field on crime reporting forms to indicate whether or not there was digital evidence relating to a crime. This would help the police to understand the extent of the problem they were facing and to make sure they have the appropriate resources in place.

84. We are very concerned that there appears to be a 'black hole' where low-level e-crime is committed with impunity. Criminals who defraud victims of a small amount of money are often not reported to or investigated by law enforcement and banks simply reimburse victims. Criminals who commit a high volume of low level fraud can still make huge profits. Banks must be required to report all e-crime fraud to law enforcement and log details of where attacks come from. The perceived untouchable nature of these low-level criminal acts is exemplified by the adverts RSA noted on Facebook advertising 'fraud as a service'.


48   Ev 88, para 21

49   See glossary

50   Ev 63, para 30

51   Ev 62, para 29

52   Ev 63, para 31

53   Ev 88, para 22

54   More detail on the role of regional hubs can be found in Peter Goodman's evidence from 20 November 2012.

55   Q 90 [DCS McMurdie]

56   Q 90 [Andy Archibald]

57   Q 99

58   Q 99

59   Q 97

60   Q 368

61   Q 94

62   CELS, Opting Out of EU Criminal Law: What is actually involved?, September 2012

63   One measure in the first category, 'Measures intended to influence substantive criminal law', relates to e-crime: 'Council Framework Decision 2005/222/JHA of the 25 February 2005 on Attacks against Information Systems'. However, this is likely to soon be replaced by a new Directive and the UK has already opted in to the proposal for it. Council Decision 2000/375/JA to combat child pornography on the internet is also a substantive measure but the UK's domestic law already criminalises child pornography on the internet.

64   Ev 61 [Home Office]

65   Ev 102 [Peter Sommer]

66   Ev 75

67   Q 127

68   Q 138

69   Ev 70

70   Ev 81

71   Q 116

72   Q 380


 


© Parliamentary copyright 2013
Prepared 30 July 2013