3 Law enforcement and legislation
New national law enforcement landscape
46. RSA told us that it was necessary "for the
government to start taking a more proactive approach to tackling
e-crime, rather than relying on the largely reactive structures
currently in place". They noted that one "notable exception"
was the highly successful Child Exploitation and Online Protection
Centre which actively sought to prevent the sexual abuse of children
and catch those involved in perpetrating these crimes. RSA suggest
that the Government consider expanding "this pre-emptive
policing framework to confront other forms of cyber crime head
on".[48]
47. In response to such criticism, the Government
has proposed changes to the national law enforcement e-crime landscape.
The National Crime Agency (NCA) will be established by the end
of 2013 under provisions granted by the Crime and Courts Act 2013
and will sit at the centre of the reformed law enforcement landscape.
48. As part of the NCA, it is proposed to establish
a National Cyber Crime Unit (NCCU), to focus on tackling two
types of cyber crime:
a) crimes that can only be committed by using
computers and the internet, and that occur where a digital system
is the target as well as the means of attack. This includes attacks
on computer systems to cause disruption (for example Distributed
Denial of Service (DDoS) attacks[49]),
and the stealing of data over a network often to enable further
crime (for example through the spread of viruses and other malware,
or computer and network intrusions (hacking)).
b) "existing" or traditional crimes
that have been transformed in scale or form by the use of the
internet, such as fraud or the sharing of indecent images of children.
The growth of the internet has opened up a new (often global)
market for these crimes, which allows for a degree of anonymity,
operation on an industrial scale, and has created new opportunities
for organised criminal groups to finance their activities.
49. The Home Office told us that by focusing on these
two categories of cyber crime the NCCU will use its resources
and skills to tackle the most sophisticated areas of cyber crime,
whilst supporting the NCA and wider law enforcement in taking
responsibility for tackling cyber-enabled crime. This principle
of supporting general law enforcement to assume responsibility
for tackling cyber enabled crime, rather than looking to a specialist
cyber unit to lead, will underpin the work of the NCCU. It will
bring together the national law enforcement response to cyber
crime under one roof. This single capability to work closely with
other partners, such as GCHQ, is intended to strengthen the UK's
overall resilience and incident response to cyber threats.[50]
50. The Government intends that the third type of
cyber crime, that of crimes that are facilitated by the internet,
will be tackled by usual policing. The Police are mainstreaming
cyber awareness, capacity and capabilities throughout their service.[51]
51. The Home Office argues that the National Cyber
Crime Unit will deliver a range of benefits to the current law
enforcement response to cyber-enabled crime, including:
- A single, high-profile law enforcement lead dedicated
to combating organised cyber criminals;
- A more targeted focus on the most serious incidents
of cyber crime, removing the criminals who facilitate cyber-enabled
crime further downstream;
- A stronger, more cohesive response to the most
serious cyber-enabled crime;
- Dedicated resources to drive a step-change in
cyber capabilities across law enforcement, police service and
wider partners;
- Stronger partnerships at all levels, including
delivery of a single point of contact for rapid response to dynamic
threats and closer engagement with industry and academia;
- Closer joint working with the Security and Intelligence
Agencies through improved ICT connectivity and intelligence sharing.[52]
The diagram below illustrates the key changes envisaged
to the law enforcement under the NCSP.
52. In its evidence to our inquiry, RSA cautioned
that the Government:
"must ensure that NCA's remit, and the
boundaries and inter-relationships with other agencies involved
with e-crime, are well understood by all. Furthermore, it is imperative
for the agencies currently involved in the response to e-crime
to continue functioning at their optimum level throughout the
transition process to prevent criminals taking advantage of any
potential lapses in effectiveness or increased vulnerability".[53]
53. We welcome the steps being taken by Government
to bring together different cyber crime units into the NCA to
form a single National Cyber Crime Unit. This rationalises the
current confusing plethora of different agencies and police organisations
involved and should enable a more co-ordinated approach, strong
strategic leadership and development of the elite level of skill
required to tackle this cyber war.
54. We were concerned however that the National
Fraud Reporting Centre and the National Fraud Intelligence Bureau
based in the City of London Police were not being transferred
into the NCA. In our view it makes sense to concentrate the national
reporting, investigative and intelligence structures for e-crime
in one organisation. We were surprised at the decision given
the formation of the new economic crime command in the NCA and
given we were told that the UK was the main online target of gangs
in 25 countries.
55. The Committee's report on grooming published
earlier this year found that sexually exploited children were
still being failed by statutory agencies, and the recent court
cases of Mark Bridger and Stuart Hazell have highlighted the role
of online indecent images in child abuse. An NSPCC Freedom of
Information request revealed that five police forces alone had
seized 26 million indecent child images and 2,312 people were
arrested for such offences last year. CEOP also estimates there are
50,000 indecent child images on Peer2Peer networks. We are therefore
alarmed that CEOP is having its budget cut by 10% over 4 years,
its experienced Chief Executive is leaving and it could lose its
laser-like focus when merged with the NCA.
56. We also note DCS McMurdie's comments that
e-crime sentences are too lenient. We were surprised by the fact that
Anonymous hackers who cost PayPal over £3.5m were given sentences
of 7 and 18 months and do not believe they would have received
such sentences had they physically robbed a bank of £3.5
million. The DPP should review the sentencing guidance and ensure
e-criminals receive the same sentences as if they had stolen that
amount of money or data offline.
REGIONAL AND LOCAL CAPABILITY
Regional hubs
57. One of the key aims of the Government's Cyber
Security Strategy is to improve the understanding of e-crime and
the skills to investigate it across the police service. The Strategy
commits the police to:
a) Mainstream cyber awareness, capacity and capabilities
throughout its service;
b) Encourage the use of 'cyber specials' to bring
in those with the required specialist skills; and
c) Increase law enforcement agency capability
on e-crime and develop new training to do so.
58. The Police Central e-Crime Unit has delivered three
regional e-crime hubs to build on its national capability and
improve regional capability and response times. The hubs were
launched in February 2012 and are based in the North West, East
Midlands and Yorkshire and Humber.[54]
59. We welcome the establishment of regional hubs
to support and develop local capacity and skills. Mainstreaming
e-crime investigative skills throughout the police force is key
to improving capacity across the board. We welcome the work currently
being undertaken by Police Central e-crime Unit and others in
this area.
60. However commitments to improve mainstream
skill levels have been around for years and practice has not so
far matched rhetoric. We hope to see clear evidence that the work
promised is being undertaken and clear benchmarks to measure if
skills are improving.
Processing digital evidence - digital forensics
61. The profusion of data and the multiplication of
devices upon which it is stored make it impossible for the police
to examine all data and devices which may contain information
relevant to investigations. The police refer to the process by
which they decide what potential digital evidence to seize and
examine as triage. Some of our witnesses suggested that insufficient
attention was paid to how and by whom such triage was conducted.
62. In her evidence to the Committee, DCS McMurdie
said that work was being done to train all front line officers
in the search and seizure of digital material and that the option
of training digital scenes of crime officers was also being considered.[55]
Andy Archibald, the Deputy Director of SOCA's Cyber Crime
Unit, told us that SOCA were training officers as Digital Forensics
Officers.[56]
63. Professor Peter Sommer, who acts as an expert
witness in digital forensics, supported the move to improve digital
forensics in-house. He reasons that it is vital that the forensic
team work with the investigating officer in order to reconstruct
events accurately. Both Professor Sommer and Professor Anderson
assessed current capacity in the police as patchy. They found
pockets of excellence, in SOCA and the Police Central e-crime
Unit, but more widely there was still a considerable lack of necessary
skills.
64. We welcome the development of specialist
Digital Scenes of Crime and forensic officers and note that the
search and seizure of digital material should only be done when
it is proportionate.
International capacity and cooperation: working in partnership and obtaining evidence from overseas
65. The majority of cyber criminals operate outside
of the UK's jurisdiction; SOCA told us that this hindered identification
and prosecution. Criminal groups were able to base themselves
in a number of different jurisdictions and could therefore operate
from countries with weak criminal sanctions for online offences.
The Police Central e-crime Unit found it difficult to obtain
evidence from countries with whom the UK had no established relationship.[57]
Andy Archibald, Deputy Director, Cyber and Forensics, Serious
Organised Crime Agency, told us that "relationships had to
be worked at and worked at hard. We need to identify those countries
that have the greatest impact on the UK, and how we can leverage
some assistance or some co-operation from them".[58]
In order to do this, he explained, placing staff in international
partnerships was pivotal:
We have relationships in a number of areas internationally - with
Interpol, with Europol, with the Commonwealth Cyber Initiative - and
we have liaison officers in some key locations overseas. In relation
to the EU, we have a member of staff with a cyber skill background
embedded in the development of the European Cybercrime Centre,
which will go live in January. We want to influence the direction
and the vision for that unit to ensure it complements the UK approach.[59]
66. In its one year report on the Cyber Security
Strategy 2011, the Cabinet Office highlight international cooperation
as being crucial to building 'a vibrant and secure cyberspace'.
It says the UK has worked towards this by:
- Encouraging wider adoption
of the Budapest Convention on cyber crime, putting in place compatible
frameworks of law that enable effective cross-border law enforcement
and deny safe havens to cyber criminals
- Building a wide network of international partners
- Strengthening relationships with traditional
allies and building relationships with a 'broad range' of countries
- Improved international cooperation to tackle
cybercrime through legislation and operation work
- Established the Cyber Capacity Building Fund
67. DAC Hewitt argued that the most important tool
for getting results internationally was establishing a strong
relationship between law enforcement agencies:
'primarily from our perspective the Police Central
e-Crime Unit, which is the main operational unit that is hosted
currently within the Metropolitan Police, has developed very strong
relationships with most of the key countries and law enforcement
in the key countries with which we work, and the Crown Prosecution
Service does likewise with the prosecuting authorities'.[60]
The Cabinet Office's forward plan for the Cyber Security
Programme included the objective of building cooperation between
the UK and international law enforcement agencies including more
joint operations.
Obtaining digital evidence from overseas
68. Increasingly, the police require access to digital
evidence held outside UK jurisdiction. In evidence to us SOCA
and Police Central e-crime Unit described the difficulties associated
with established processes for obtaining such evidence. For example,
obtaining evidence through Multi-Lateral Assistance Treaties (MLATS)
was described as being extremely slow (with it often taking months
for them to get the evidence they needed) and resource intensive.
Detective Chief Superintendent Charlie McMurdie, Head of the
Police Central e-Crime Unit, commented:
One of the issues around that is the timeliness
of the response and the volumes of data that we are looking for,
and then the legislation for that country to be able to approach
the service provider to get the data on our behalf or for them
to progress that.[61]
69. We were alarmed to hear from police witnesses
that they often experienced difficulty in retrieving data from
sites based abroad. We hope that such companies will adopt a more
constructive attitude going forward and be willing to engage with
public authorities. They reap huge financial benefits from the
public entrusting them with their data and they should be willing
to be open and accountable for the actions they take with it.
EU Justice and Home Affairs measures
70. Under Protocol 36 of the Lisbon Treaty the UK
has the option to opt out of police and criminal justice measures
adopted under the Maastricht Treaty, provided it does so before
December 2014 when the measures will be adopted under the Lisbon
framework, thus giving the Court of Justice of the European Union
jurisdiction. The Home Secretary has signalled her intention to
opt out of these measures. The option applies to all measures
en masse. The UK will then be able, subject to agreement by the
EU, to opt back in to any of the measures it decides will be of
use.
71. There are at present 133 such measures. They
can be divided roughly into the following groups: instruments
intended to influence substantive criminal law; instruments intended
to influence criminal procedure; instruments relating to police
co-operation; and instruments designed to secure mutual recognition.[62]
A number of instruments that fall into the last two categories
could have an effect on the UK's ability to tackle e-crime.[63]
72. The international scope of e-crime provides
a strong argument that the UK should focus on increasing cooperation
between police forces in other states and making these mechanisms
as effective as possible. As the proportion and volume of crime
with an online element increases, we expect more police investigations
to straddle international boundaries, and more evidence relating
to the offences against the UK and its residents to be located
in overseas jurisdictions.
73. To this end, we cannot understand why the
UK has refused to support funding for the new Europol CyberCrime
Centre C3 which facilitates vital cross-Europe information sharing.
E-crime does not recognise country borders and it is essential
that we have strong international cooperation to ensure offenders
are brought to justice and citizens protected. Strengthening our
defences and international investigation capacity will save money
in the long term and we recommend that the UK supports additional
EU funding for the Centre.
74. We are deeply concerned that EU partner countries
are not doing enough to prevent cyber attacks from criminals within
their countries on the UK. We will return to this matter in our
inquiry into the proposal to opt out of the EU police and criminal
justice measures which were adopted before the Treaty of Lisbon
entered into force.
Reporting and recording e-crime
CURRENT UK CRIME RECORDING PRACTICES
75. Currently only violations of the Computer Misuse
Act 1990 are recorded as electronic crimes. Crimes that are carried
out using the internet but defined as offences in other Statutes are
recorded as offences under the substantive legislation.[64]
There is no central recording of crime under the method by which
it was committed. For example online frauds such as lottery and
dating scams are recorded as violations of the Fraud Act 2006
and not as e-crimes. The Home Office told us that it is taking
steps to improve the identification of e-crimes within recorded
crimes and crime surveys.
76. Some of our witnesses stated that even crimes
that violate the Computer Misuse Act 1990 are usually recorded
according to the criminal's intent. For example, a Denial of Service
Attack would probably be recorded as extortion if its perpetrator
was using it to blackmail the website owner. A phishing attack
could also be recorded as fraud or money laundering. Witnesses
say this is largely due to the Crown Prosecution Service's perception
that the Computer Misuse Act 1990 exists to fill in gaps in other
forms of legislation.[65]
77. Indeed, some of our witnesses also raised concerns
regarding the recording and reporting of fraud. The Foundation
for Internet Policy Research said that the previous Government's
policy change which saw victims of fraud reporting the crime to
their banks in the first place rather than to the police meant
that the rate of recorded instances of fraud understates the reality.
FIPR points to the British Crime Survey which shows that UK households
are twice as likely to be victims of fraud as of traditional
acquisitive crime.[66]
It added that the 2005 policy change had:
"caused the fraud statistics to go down,
but it opened up an even larger gap than is usually the case between
the crimes reported through the police, on the one hand, and the
crime levels reported through victim surveys on the other. Now,
for most practical purposes, official recorded crime is useless
in determining the level of fraud"[67]
78. The National Trading Standards Board has also
questioned the utility of the current reporting and recording
system:
It is fair to say that the current recording
mechanisms probably are not adequate because you tend to find
that the illicit activity would get recorded as a general fraud
or a consumer protection legislation issue in terms of, for example,
a trademarks offence if they were counterfeit goods. They tend
to get classified under those areas, but the e-crime element is
not necessarily always picked up. Therefore, it is fair to say
that there is probably a large-scale under-reporting of e-crime
and its true economic impact.[68]
79. The British Retail Consortium says that one of
the main problems faced by its members in reporting e-crime was
the lack of clarity about case acceptance criteria for reporting
online fraud or crime to national agencies. It told us that
its members often spent time preparing detailed reports expecting
the relevant agency to accept the case but then found that their
case had fallen short of the acceptance criteria and needed to
be reported locally.[69]
Action Fraud
80. The Government has made 'Action Fraud' the single
national reporting centre for financially motivated online crime.
Since August 2011 Action Fraud has had the capability to record
the enablers of fraud in fraud reporting. Between its launch in
August 2011 and April 2012, 49,037 reports of fraud were made
to Action Fraud, of which 45% were enabled online. The City of
London Police say that the majority of traditional frauds have
been eclipsed by fraud with an online element.[70]
IMPROVING RECORDING PRACTICES
81. A number of our witnesses recommended the introduction
of a new field on crime reporting forms to indicate whether or
not there is digital evidence related to the reported crime. This
would enable the police to build a clearer picture of where digital
evidence was important and to allocate resource accordingly. It
would also inform decisions about the amount of resource needed
in the field of digital forensics.[71]
When we put this to Deputy Associate Commissioner Martin
Hewitt, the ACPO lead for e-crime, he acknowledged that more information
would enable the police to build a better intelligence picture
but he doubted that victims and the person receiving the report
would have the level of knowledge needed to accurately record
details about how the crime was carried out.
"The more information we have the better.
Recording the method relies on a level of knowledge within the
victim and a level of knowledge within the person who is receiving
the report to do that effectively, but I think we are trying to
get towards that.... The more information the better, but I don't
think necessarily the answer is going to be just having more expansive
MO submissions on the crime reports".[72]
82. We welcome the online Action Fraud reporting
function. We recommend that a clear link to the Action Fraud
website is placed on websites where people are likely to experience
attempted fraud or visit when they believe they have been a victim
of online fraud, such as those of police forces, banks, email providers
and trading standards.
83. Current recording practices are inadequate
to give an accurate picture of the extent to which reported crime
is committed over the internet. We recommend the introduction
of an additional field on crime reporting forms to indicate whether
or not there was digital evidence relating to a crime. This would
help the police to understand the extent of the problem they were
facing and to make sure they have the appropriate resources in
place.
84. We are very concerned that there appears to
be a 'black hole' where low-level e-crime is committed with impunity.
Criminals who defraud victims of a small amount of money are often
not reported to or investigated by law enforcement and banks simply
reimburse victims. Criminals who commit a high volume of low level
fraud can still make huge profits. Banks must be required to report
all e-crime fraud to law enforcement and log details of where
attacks come from. The perceived untouchable nature of these low-level
criminal acts is exemplified by the adverts RSA noted on Facebook
advertising 'fraud as a service'.
48 Ev 88, para 21
49 See glossary
50 Ev 63, para 30
51 Ev 62, para 29
52 Ev 63, para 31
53 Ev 88, para 22
54 More detail on the role of regional hubs can be found in Peter Goodman's evidence from 20 November 2012.
55 Q 90 [DCS McMurdie]
56 Q 90 [Andy Archibald]
57 Q 99
58 Q 99
59 Q 97
60 Q 368
61 Q 94
62 CELS, Opting Out of EU Criminal Law: What is actually involved?, September 2012
63 One measure in the first category 'Measures intended to influence
substantive criminal law' relates to e-crime: 'Council Framework
Decision 2005/222/JHA of the 25 February 2005 on Attacks against
Information Systems'. However, this is likely soon to be replaced
by a new Directive and the UK has already opted in to the proposal
for it. Council Decision 2000/375/JA to combat child pornography
on the internet is also a substantive measure but the UK's domestic
law already criminalises child pornography on the internet.
64 Ev 61 [Home Office]
65 Ev 102 [Peter Sommer]
66 Ev 75
67 Q 127
68 Q 138
69 Ev 70
70 Ev 81
71 Q 116
72 Q 380